Risk Identification: the process of identifying risks to an organization and its objectives.
Risk Analysis: the practice of assessing the probability and impact of each identified risk and identifying candidate treatments and responses.
Risk Inventory: a tool, commonly a risk register, for tracking identified risks throughout their lifecycle.
Risk Treatment: each identified risk is treated with some combination of acceptance, avoidance, transfer, reduction and sharing.
Secondary Risk: the risks that result from your efforts to treat risk. For example, if you launch a project to address legacy system risks, you take on project risks and operational risks related to that project.
Risk Response: a plan for dealing with a risk that has been realized as a loss or issue. This can be contrasted with risk treatment, which is about avoiding losses before they occur. Note: several enterprise risk management frameworks confusingly use the term "risk response" in place of risk treatment. Whatever the terminology, there are two fundamental types of plan for dealing with risk: preventive and corrective.
Internal Controls: the controls required to achieve risk treatment and risk response plans.
Risk Measurement: measuring risk metrics such as risk exposure, typically the probability of a risk multiplied by its impact.
Risk Appetite: developing targets for risk measurements, particularly a risk exposure target known as risk appetite, the level of risk exposure an organization is willing to accept.
Risk Communication: communicating risk monitoring and measurements to stakeholders. Risk communication also includes the risk register and any documentation related to risk analysis.
Risk Integration: integrating risk measures into the reporting and measurement tools that are used to manage an organization and its business units.
Opportunity: enterprise risk management frameworks often speak of risk as an opportunity. This causes confusion, as people perceive risk as a negative thing, and risk management is indeed about avoiding losses. Opportunity is included as a goal of risk management to make clear that it is not an exercise in minimizing risk. Risk taking is the foundation of every business, and risk management is designed to make risk taking more efficient. For example, an organization that mitigates risks can often take on more opportunities at the same level of risk exposure, which typically increases revenue.
Compliance: risk management is often a compliance function that is required as a basic element of corporate governance. Some organizations treat risk management as administrative overhead that adds little value. Others treat it as an opportunity to take better managed risks and as a fundamental tool of revenue optimization.
Resiliency: resilience is a class of strategy that reduces or avoids a large number of risks at once. This can be described as building a healthy business and organization that resists stresses in areas such as disasters, competition and regulation. For example, a data center business that moves closer to energy self-sufficiency with solar panels may reduce a broad array of risks in areas such as sustainability, reputation, regulatory compliance and operations.
Summary: the terms above are common elements of enterprise risk management.
Overview: the following is an overview of enterprise risk management with additional examples.
Enterprise Risk Management: the identification and management of potential losses at the level of an organization.