Risk Management Glossary: 30 ERM Terms You Need to Know

Keeping up with growth and performance targets requires a balancing act of seizing opportunity while managing risk. But developing an enterprise-wide approach to monitoring and managing organizational risk is a complex process. Review some of the most important elements of an effective risk management program with this glossary of enterprise risk management (ERM) terms. 

 

Enterprise Risk Management Terms

Authentication:

The verification of the identity of an individual, system, machine, or any other unique entity

Authorization:

The process of allowing access to specific areas of a system based on the role and needs of the user

Committee Charter:

A document that defines the purposes and responsibilities of the oversight committee

Compliance Risk Profile:

The current and prospective risk to earnings or capital arising from violations of or nonconformance with laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards

Control Assessment:

A high-level review and analysis of controls relating to a process; should encompass both current and missing controls

Controls:

Methods that preserve the integrity of important information, meet operational or financial targets, and/or communicate management policies (See also: Key Control, Secondary Control, Tertiary Control)

ERM Policy Statement:

Defines an organization’s approach to and method of enterprise risk management

Governance:

Processes and structures implemented to communicate, manage, and monitor organizational activities

Impact:

The influence and effect of a risk

Inherent Risk:

Risk that is inherent to a process, taking into consideration the likelihood and impact of a risk

Key Control:

A primary control that is essential for a business process; typically takes place during the process it applies to

Key Indicators:

Measurements that are important for organizations to monitor for potential issues; examples include key performance indicators (KPIs) and key risk indicators (KRIs)

Key Performance Indicator (KPI):

A measurement with a defined set of goals and tolerances that gauges the performance of an important business activity

Key Risk Indicator (KRI):

A proactive measurement for future and emerging risks that indicates the possibility of an event that adversely affects business activities

Likelihood:

The probability of a risk occurring

Mitigation Actions:

The necessary steps, or action items, to reduce the likelihood and/or impact of a potential risk

Operation Risk Profile:

1) The risk arising from the execution of an organization’s business processes;
2) The risk of loss resulting from failed or inadequate internal processes, systems, people, or other entities

Price Risk Profile:

The risk to earning or capital arising from adverse changes in portfolio values

Process:

1) The principle elements of essential business functions within work groups or business units;
2) A set of tasks completed by business continuity plan owners within a department

Reputation Risk Profile:

The current and prospective risk to earnings or capital arising from negative public opinion or perception

Residual Risk:

Risk remaining after considering the existing control environment

Risk:

A potential event or action that would have an adverse effect on the organization

Risk Appetite:

A statement that broadly considers the risk levels that management deems acceptable

Risk Assessment:

The prioritization of potential business disruptions based on the impact and likelihood of occurrence; includes an analysis of threats based on the impact to the organization, its customers, and financial markets

Risk Tolerance:

A metric that sets the acceptable level of variation around organizational objectives and provides assurance that the organization remains within its risk appetite

Secondary Control:

An important control that typically takes place after the process it applies to (i.e., reporting or ongoing monitoring)

Strategic Risk Profile:

The current and prospective risk to earnings or capital raising from adverse business decisions, improperly implemented decisions, or lack of responsiveness to industry changes

Tertiary Control:

A non-essential control that can still be applied effectively to a business process

Velocity:

The time it takes a risk event to manifest itself

Vulnerability:

An entity’s susceptibility to a risk event as determined by the entity’s preparedness, agility, and adaptability

---

Is your organization equipped to make strategic decisions?

A data-driven ERM program gives organizations the tools they need to increase risk awareness and connect risk to business strategy and performance — empowering more informed decision-making.

Learn how Quantivate Enterprise Risk Management Software and Services can help you get there.