Risk Management Glossary: 30 ERM Terms You Need to Know

  • January 2, 2019
  • Quantivate

Keeping up with growth and performance targets requires a balancing act of seizing opportunity while managing risk. But developing an enterprise-wide approach to monitoring and managing organizational risk is a complex process. Review some of the most important elements of an effective risk management program with this glossary of enterprise risk management (ERM) terms. 
Enterprise Risk Management Terms

Authentication:

The verification of the identity of an individual, system, machine, or any other unique entity before it is granted access

Authorization:

The process of granting a user access to only those parts of a system that the user's role and responsibilities require

Committee Charter:

A document that defines the purposes and responsibilities of the oversight committee

Compliance Risk Profile:

The current and prospective risk to earnings or capital arising from violations of or nonconformance with laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards

Control Assessment:

A high-level review and analysis of controls relating to a process; should encompass both current and missing controls

Controls:

Methods that preserve the integrity of important information, help meet operational or financial targets, and/or enforce management policies (See also: Key Control, Secondary Control, Tertiary Control)

ERM Policy Statement:

Defines an organization’s approach to and method of enterprise risk management

Governance:

Processes and structures implemented to direct, manage, and monitor organizational activities and to communicate accountability for them

Impact:

The magnitude of the effect on the organization if a risk event occurs

Inherent Risk:

The level of risk in a process before any controls are applied, assessed from the likelihood and impact of the risk event (compare Residual Risk)

Key Control:

A primary control that is essential for a business process; typically takes place during the process it applies to

Key Indicators:

Measurements that are important for organizations to monitor for potential issues; examples include key performance indicators (KPIs) and key risk indicators (KRIs)

Key Performance Indicator (KPI):

A measurement with a defined set of goals and tolerances that gauges the performance of an important business activity

Key Risk Indicator (KRI):

A proactive measurement for future and emerging risks that indicates the possibility of an event that adversely affects business activities

Likelihood:

The probability that a risk event will occur within a given period

Mitigation Actions:

The necessary steps, or action items, to reduce the likelihood and/or impact of a potential risk

Operational Risk Profile:

1) The risk arising from the execution of an organization's business processes;
2) The risk of loss resulting from failed or inadequate internal processes, systems, or people, or from external events

Price Risk Profile:

The risk to earnings or capital arising from adverse changes in portfolio values

Process:

1) The principal elements of essential business functions within work groups or business units;
2) A set of tasks completed by business continuity plan owners within a department

Reputation Risk Profile:

The current and prospective risk to earnings or capital arising from negative public opinion or perception

Residual Risk:

The risk that remains after the existing controls have been taken into account (compare Inherent Risk)

Risk:

A potential event or action that would have an adverse effect on the organization's objectives

Risk Appetite:

A statement that broadly considers the risk levels that management deems acceptable

Risk Assessment:

The prioritization of potential business disruptions based on the impact and likelihood of occurrence; includes an analysis of threats based on the impact to the organization, its customers, and financial markets

Risk Tolerance:

A metric that sets the acceptable level of variation around organizational objectives and provides assurance that the organization remains within its risk appetite

Secondary Control:

An important control that typically takes place after the process it applies to (e.g., reporting or ongoing monitoring)

Strategic Risk Profile:

The current and prospective risk to earnings or capital arising from adverse business decisions, improperly implemented decisions, or lack of responsiveness to industry changes

Tertiary Control:

A non-essential control that can still be applied effectively to a business process

Velocity:

The speed at which a risk event manifests itself once it begins, i.e., how much time the organization has to respond

Vulnerability:

An entity's susceptibility to a risk event, as determined by the entity's preparedness, agility, and adaptability
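As an added illustration, not part of Quantivate's glossary or product, the following Python puts several of the terms above (Inherent Risk, Residual Risk, Likelihood, Impact, Key/Secondary/Tertiary Control, Control Assessment, Mitigation Actions, Risk Tolerance, and Key Risk Indicator) into one small risk-register model. The scoring scheme is an assumption made for the example: likelihood and impact are rated 1 to 5, a risk score is their product, and each control removes an assumed fraction of the remaining risk. The glossary defines the terms but prescribes no such quantification. The register entry, control list, KRI readings, and thresholds are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed rating scale for the example: 1 (low) to 5 (high) for both
# likelihood and impact, so the inherent score ranges from 1 to 25.
SCALE = range(1, 6)


@dataclass
class Control:
    name: str
    tier: str            # "key", "secondary" or "tertiary", as in the glossary
    in_place: bool       # a control assessment records current AND missing controls
    effectiveness: float # assumed: fraction of remaining risk this control removes (0..1)


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be rated 1..5")

    def inherent_score(self) -> int:
        # Inherent risk: likelihood x impact before any control is credited.
        return self.likelihood * self.impact

    def _score_with(self, controls: List[Control]) -> float:
        remaining = 1.0
        for c in controls:
            remaining *= (1.0 - c.effectiveness)
        return round(self.inherent_score() * remaining, 2)

    def residual_score(self) -> float:
        # Residual risk: only controls that actually exist reduce the score.
        # A control that is missing contributes nothing, however good it looks on paper.
        return self._score_with([c for c in self.controls if c.in_place])

    def residual_if_mitigated(self) -> float:
        # Mitigation actions: the residual score if every missing control were implemented.
        return self._score_with(self.controls)

    def missing_key_controls(self) -> List[str]:
        # Output of a control assessment: primary controls the process should have but lacks.
        return [c.name for c in self.controls if c.tier == "key" and not c.in_place]


def within_tolerance(risk: Risk, tolerance: float) -> bool:
    """Risk tolerance: the acceptable residual score for this risk, chosen so the
    organization stays inside its risk appetite (an assumed numeric threshold here)."""
    return risk.residual_score() <= tolerance


def kri_breaches(observations: Dict[str, float], thresholds: Dict[str, float]) -> List[str]:
    """Key risk indicators: each KRI has a threshold; a reading above it is an
    early warning that a risk event is becoming more likely. Returns breached KRIs."""
    return sorted(k for k, v in observations.items() if k in thresholds and v > thresholds[k])


# Constructed sample register entry (not real data).
SAMPLE_RISK = Risk(
    name="Unauthorized access to customer data",
    likelihood=4,
    impact=5,
    controls=[
        Control("MFA on all admin accounts", "key", True, 0.5),
        Control("Role-based authorization on the data API", "key", False, 0.6),
        Control("Quarterly access review", "secondary", False, 0.3),
        Control("Security awareness newsletter", "tertiary", True, 0.1),
    ],
)

# Constructed sample KRI readings and thresholds (not real data).
SAMPLE_KRI_READINGS = {"failed_logins_per_day": 1200, "privileged_accounts_without_mfa": 0}
SAMPLE_KRI_THRESHOLDS = {"failed_logins_per_day": 500, "privileged_accounts_without_mfa": 0}

if __name__ == "__main__":
    r = SAMPLE_RISK
    print(f"{r.name}: inherent={r.inherent_score()} residual={r.residual_score()} "
          f"if_mitigated={r.residual_if_mitigated()}")
    print("missing key controls:", r.missing_key_controls())
    print("within tolerance of 8.0:", within_tolerance(r, 8.0))
    print("KRI breaches:", kri_breaches(SAMPLE_KRI_READINGS, SAMPLE_KRI_THRESHOLDS))
```

Two things the model makes visible that a prose definition does not: a missing key control leaves the residual score far above tolerance even though the register lists it, which is exactly what a control assessment is meant to surface, and a breached KRI is a leading signal that the likelihood rating itself may need revising.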

Is your organization equipped to make strategic decisions?

A data-driven ERM program gives organizations the tools they need to increase risk awareness and connect risk to business strategy and performance — empowering more informed decision-making.

Learn how Quantivate Enterprise Risk Management Software and Services can help you get there.