Risk Identification
Risk identification is the process of identifying risks to an organization and its objectives.
Risk Analysis
Risk analysis is the practice of assessing the probability and impact of each risk and identifying risk treatments and responses.
Risk Inventory
A tool for tracking identified risks throughout their lifecycle.
Risk Treatment
Each identified risk is treated with some combination of acceptance, avoidance, transfer, reduction and sharing.
Secondary Risk
Secondary risks are the risks that result from your efforts to treat risk. For example, if you introduce a project to address legacy system risks, you take on project risks and operational risks related to that project.
Risk Response
A risk response is a plan for dealing with a risk that has been realized as a loss or issue. This can be contrasted with risk treatment, which is about avoiding losses before they occur. Note: several enterprise risk management frameworks confusingly use the term "risk response" in place of risk treatment. Whatever the terminology, there are two fundamental types of plan for dealing with risk: preventive and corrective.
Risk Control
Implementing the internal controls required to carry out risk treatment and risk response plans.
Risk Monitoring
Monitoring risks and risk controls.
Risk Measurement
Measuring risk metrics such as risk exposure.
Risk Appetite
Developing targets for risk measurements, particularly a risk exposure target known as risk appetite.
Risk Communication
Communicating risk monitoring and measurement results to stakeholders. Risk communication also includes the risk register and any documentation related to risk analysis.
Risk Integration
Integrating risk measures into the reporting and measurement tools that are used to manage an organization and its business units.
Opportunity
Enterprise risk management frameworks often speak of risk as an opportunity. This leads to much confusion, as people perceive risk as a negative thing and risk management is indeed about avoiding losses. Opportunity is included as a goal of risk management to make it clear that the discipline is not an exercise in minimizing risk. Risk taking is the foundation of every business, and risk management is designed to make risk taking more efficient. For example, an organization that mitigates its risks can often take on more opportunities at the same level of risk exposure, which typically increases revenue.
Compliance
Risk management is often a compliance function that is required as a basic element of corporate governance. Some organizations treat risk management as administrative overhead that adds little value. Others treat it as an opportunity to take better-managed risks and as a fundamental tool of revenue optimization.
Resiliency
Resilience is a class of strategy that reduces or avoids a large number of risks at once. It can be described as building a healthy business and organization that resists stresses in areas such as disasters, competition and regulation. For example, a data center business might move closer to energy self-sufficiency with solar panels, which may reduce a broad array of risks in areas such as sustainability, reputation, regulation and operations.
Summary
The following are common elements of enterprise risk management:
Overview
The following is an overview of enterprise risk management with additional examples.
Overview: Enterprise Risk Management
Definition: The identification and management of potential losses at the level of an organization.
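The Risk Inventory, Risk Treatment, Secondary Risk, Risk Measurement and Risk Appetite elements above, worked through together as an added example; this code is not from the original page. It assumes that risk exposure is measured as probability multiplied by impact (an expected annual loss), that a treatment acts as a multiplier on a risk's probability and impact, and it uses constructed risks and a constructed appetite of 100,000 currency units per year. The secondary risk created by a treatment is entered into the inventory like any other risk, so the exposure it adds is measured rather than hidden.

```python
from dataclasses import dataclass, field

# Constructed example (not from the page): a small risk inventory that tracks
# identified risks, applies treatments, records secondary risks, measures
# exposure and checks the total against a risk appetite. Exposure is assumed
# to be probability * impact (an expected annual loss); the page does not fix
# a formula, so this is an assumption of the example.

TREATMENT_KINDS = {"accept", "avoid", "transfer", "reduce", "share"}


@dataclass
class Treatment:
    kind: str                          # one of TREATMENT_KINDS
    probability_factor: float = 1.0    # residual probability = p * factor
    impact_factor: float = 1.0         # residual impact = i * factor
    secondary: list = field(default_factory=list)   # risks this treatment creates

    def __post_init__(self):
        if self.kind not in TREATMENT_KINDS:
            raise ValueError(f"unknown treatment kind: {self.kind}")
        if self.kind == "avoid":
            # Avoiding a risk removes its probability by definition.
            self.probability_factor = 0.0


@dataclass
class Risk:
    rid: str
    name: str
    probability: float           # annual likelihood in [0, 1]
    impact: float                # loss if realized, in currency units
    status: str = "identified"   # lifecycle: identified -> treated -> closed
    treatments: list = field(default_factory=list)

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.rid}: probability must be in [0, 1]")

    def inherent_exposure(self) -> float:
        """Exposure before any treatment (assumed formula: p * impact)."""
        return self.probability * self.impact

    def residual_exposure(self) -> float:
        """Exposure after all recorded treatments are applied as multipliers."""
        p, i = self.probability, self.impact
        for t in self.treatments:
            p *= t.probability_factor
            i *= t.impact_factor
        return p * i


class RiskInventory:
    """Tracks risks through their lifecycle and measures them against appetite."""

    def __init__(self, appetite: float):
        self.appetite = appetite       # target for total residual exposure
        self.risks: dict[str, Risk] = {}

    def identify(self, risk: Risk) -> None:
        if risk.rid in self.risks:
            raise ValueError(f"duplicate risk id {risk.rid}")
        self.risks[risk.rid] = risk

    def treat(self, rid: str, treatment: Treatment) -> None:
        risk = self.risks[rid]
        risk.treatments.append(treatment)
        risk.status = "treated"
        # Secondary risks enter the inventory like any other identified risk.
        for secondary in treatment.secondary:
            self.identify(secondary)

    def open_risks(self) -> list:
        return [r for r in self.risks.values() if r.status != "closed"]

    def total_inherent_exposure(self) -> float:
        return sum(r.inherent_exposure() for r in self.open_risks())

    def total_residual_exposure(self) -> float:
        return sum(r.residual_exposure() for r in self.open_risks())

    def within_appetite(self) -> bool:
        return self.total_residual_exposure() <= self.appetite

    def over_limit_risks(self, per_risk_limit: float) -> list:
        """Ids of open risks whose residual exposure exceeds a per-risk limit."""
        return [r.rid for r in self.open_risks() if r.residual_exposure() > per_risk_limit]


def build_sample_inventory() -> RiskInventory:
    """Constructed scenario: appetite of 100,000 currency units per year."""
    inv = RiskInventory(appetite=100_000)
    inv.identify(Risk("R1", "Legacy system outage", probability=0.4, impact=500_000))
    inv.identify(Risk("R2", "Vendor data breach", probability=0.1, impact=300_000))
    # Reduce R1 with a migration project; the project itself is a secondary risk.
    inv.treat("R1", Treatment("reduce", probability_factor=0.25,
                              secondary=[Risk("R1-S1", "Migration project overrun",
                                              probability=0.3, impact=100_000)]))
    # Transfer half of R2's impact to an insurer.
    inv.treat("R2", Treatment("transfer", impact_factor=0.5))
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    for r in inv.open_risks():
        print(f"{r.rid:6} {r.status:10} inherent={r.inherent_exposure():>10,.0f} "
              f"residual={r.residual_exposure():>10,.0f}")
    print(f"total inherent : {inv.total_inherent_exposure():,.0f}")
    print(f"total residual : {inv.total_residual_exposure():,.0f}")
    print(f"within appetite: {inv.within_appetite()}")
```

In the constructed scenario the inherent exposure of 230,000 is well over the appetite; after the two treatments the residual exposure is 95,000, but only because the 30,000 secondary risk from the migration project is counted against the target rather than ignored.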