Agency risk  A misalignment of interests between management and the primary stakeholders.

Basel Accords  Guidelines developed by a group of global banking regulators in an attempt to improve risk management practices. Basel II, an international guideline for risk management, influenced the advancement of ERM practices in the financial services sector.

Baseline risk scenario  The risk scenario which is neither upside nor downside but where the risk event occurs precisely as expected in the baseline strategic plan financial projection. Technically, this is not a risk, but it is tracked as one for ERM modeling purposes.

Capital requirements  Requirements by external stakeholders, such as regulators or rating agencies, to hold a certain amount of capital as a buffer against existing liabilities.

Chief risk officer (CRO)  Head of the ERM team, an executive who champions the ERM program development, maintenance, and enhancement.

Competitor risk  Unexpected change in competitive landscape, such as new entrants, aggressive competitor actions against the company, and price wars.

Compliance risk  Level of compliance not matching expectations, such as financial reports that are not as accurate as expected.

Component risk driver  One of the driving factors in the financial impact of a risk scenario, and whose marginal impact is quantified with an attribution calculation, which is used to focus mitigation efforts.

Concentration risk  Definition 1: A misnomer, because this is not a source of risk. Concentration risk refers to a high level of risk exposure from one particular risk source or group of sources. Definition 2: A concentration of power, such as in the form of a critical supplier, a large customer, or a large distributor.

Conduct risk  Unexpected conduct by management, staff, board member, or other person identified with the company. Some examples include unseemly public behavior, criminal conduct, and fraud.

Corporate ERM  See ERM team.

Correlation  See Risk correlation.

COSO  An internal control framework, developed in the early 1990s, intended as a process to help achieve effectiveness and efficiency of operations, reliability of financial reporting, and compliance.

Credible worst-case scenario  A scenario whose likelihood of occurrence is remote, but not out of the realm of possibility, and where the severity of impact would be significant. This is used in qualitative risk assessment scoring and risk scenario development.

Credit risk  Unexpected changes in credit markets (availability), prices (credit spreads), or creditworthiness of issuers, related to (a) general credit market movements (although the source for this is often economic risk) or (b) a specific issuer of a fixed income security on the company’s balance sheet or (c) a counterparty to whom the company has extended credit.

CRO  See Chief risk officer.

Deterministic risk scenarios  Individual risk scenarios, selected using human judgment, and which remain static with each run of the ERM model.

Disaster risk  Unexpected natural or man-made disasters, such as weather-related (for example, hurricane, flood, tornado, earthquake, and drought), health-related (such as pandemic), accidental (such as fire), general acts of destruction (such as war, terrorism, and rioting), and specific acts of destruction against the company (such as product tampering, attack on employees, and sabotage). This also includes unexpected man-made disasters caused by company employees or agents, such as environmental damage.

Downside risk event  The occurrence of a risk scenario where results are below expected, or baseline projections.

Downside risk scenario  A risk scenario where results are below expected, or baseline projections.

Downside volatility  A general reference to the level of downside risk, or the range of likelihoods corresponding to results being below baseline projections.

Economic capital (EC)  A measurement, commonly used in the insurance sector, of the amount of capital needed on hand today to limit the probability of ruin, over a given time horizon, to within a given small predefined likelihood.

Economic risk  Unexpected changes in the economy. This is often the source of risk that triggers multiple simultaneous unexpected changes in other items, such as consumer disposable income (impacting demand for the company’s products or services), employment markets (impacting the company’s fixed expenses), inflation/deflation (impacting the company’s variable costs), items related to market risk, and items related to credit risk.

Emerging risk identification  The third component of the risk identification ERM process step, this is a process to (a) monitor known non-key risks for any changes that might increase their ranking enough to become key risks; and (b) scan the environment for unknown risks.

Enterprise risk exposure  A calculation that reflects the current aggregate enterprise-level risk exposure, in the form of a distribution representing the full range of possible combinations of individual risk scenarios. The graph form depicts the entire distribution. The table form expresses select "pain points" in terms of their likelihood of occurrence and severity of impact.

Enterprise risk management (ERM)  The process by which companies identify, measure, manage, and disclose all key risks to increase value to stakeholders. See Value-based enterprise risk management and Entity risk management.

Entity risk management (ERM)  A generalized version of enterprise risk management used for non-corporate entities (NCEs) such as non-profit organizations, government bodies, and individuals. See Objectives-based entity risk management and Enterprise risk management.

ERM  See Enterprise risk management or Entity risk management.

ERM committee  An executive-level committee, often chaired by either the CEO or the CRO, which has a primary role of defining risk appetite and risk limits and managing enterprise risk exposure to within these tolerance limits.

ERM framework  The functional structure of ERM, describing what activities take place, in what order they take place, and how they interact.

ERM model  A financial model, which, in a value-based ERM approach, is in the form of a spreadsheet-based tool that calculates the baseline values for the key metrics, as well as changes in these baseline values resulting from one or more individual key risk scenarios occurring at a time.

ERM process cycle  The continuous, evolving, and integrated process cycle involving four ERM process steps, including risk identification, risk quantification, risk decision making, and risk messaging.

ERM team  The chief risk officer (CRO), or equivalent head of the ERM program, and supporting team members.

ERO  See Executive risk owner.

Execution risk  Strategy is not implemented as expected.

Executive risk owner (ERO)  An executive formally designated by the CRO to be the point person for coordinating efforts across the enterprise with regard to one particular risk.

External fraud risk  Unexpected change in the amount of fraud by external parties.

External relations risk  Unexpected changes in the company’s relationship with external stakeholders with public voices, such as the media, consumer advocates, equity analysts, rating agencies, regulators, and politicians.

Failure modes and effects analysis (FMEA)  A technique adapted from the manufacturing sector used to develop risk scenarios in the risk quantification ERM process step by interviewing subject matter experts.

Financial risk  A category of risks related to unexpected changes in external markets, prices, rates, and liquidity supply and demand. Examples include market risk, credit risk, and liquidity risk.

Governance, risk, and compliance (GRC)  A repackaging by audit firms of three service offerings: corporate governance; an expanded version of SOX activities (erroneously relabeled as ERM); and compliance.

Governance risk  Governance is not functioning as expected.

GRC  See Governance, risk, and compliance.

Gross risk exposure  The amount of exposure before mitigation is taken into account. This is also called inherent risk or pre-mitigation risk exposure.

Hard limits  Part of the risk appetite and risk limit definition, hard limits are the maximum limits which risk exposures should rarely, if ever, exceed.

Heat map  A type of risk status report, often used for senior management or the board of directors, which involves a simple chart listing key risks and scoring them at a high level, usually with color coding (such as red, yellow, and green).

Hedge  A position that offsets an existing risk exposure. This is a common form of risk mitigation.

Human resources risk  Human resources (i.e., people) are not performing as expected, such as unexpected changes in talent management, performance, productivity, and conduct.

I/T risk  See Technology risk.

Individual risk exposures  The potential financial impacts on key metrics, and the corresponding likelihood, related to individual risk scenarios occurring one at a time.

Industry practices risk  Widespread abusive practices unexpectedly discovered in the company’s industry sector.

Inherent risk exposure  See Gross risk exposure.

Insurance risk  A category of risks involving poor performance of the pricing, underwriting, reserving, or setting of required capital for insurance products.

International risk  Unexpected changes in the business environment of foreign countries in which the company operates, such as unexpected changes in the government’s stability, attitude towards foreign companies, and tariffs.

Key risk committee  A committee formed by the key risk executive risk owner (ERO) and his or her subject matter experts (SMEs) to help them perform their ERM roles and responsibilities, and to share information more effectively within committees, between committees, and upstream to the CRO and the ERM committee.

Key risk indicator (KRI)  A leading indicator which is highly correlated with a risk’s exposure metric, and serves as an advance warning to management about a likely impending change in the level of exposure.

Key risks  The approximately 20 to 30 risks representing the most significant threats to the organization, initially based on the qualitative risk assessment, and later replaced by the quantification of key risk scenarios, in terms of their potential impact on key metrics.

KRI  See Key risk indicator.

Legislative/regulatory risk  Unexpected changes in laws or regulations.

Likelihood of occurrence  The probability, or chances, that a risk event involving one or more individual risk scenarios will occur.

Liquidity risk  Unexpected changes in liquidity supply or demand, related to three different levels of impact on the company: (a) untimely asset sales; (b) inability to meet contractual demands; or (c) default. A change in liquidity supply involves an unexpected change in the ability to sell assets as expected in the market, in terms of price, volume, or timeliness. A change in liquidity demand involves an unexpected change in demand for liquidity by option-holders, such as bondholders exercising early put options or "run-on-the-bank" situations for financial services companies, where account-holders suddenly request the withdrawal of funds from their accounts, en masse.

Litigation risk  Unexpected civil suits or judgments against the company.

Mandatory risk disclosures  Public risk disclosures required by law or regulation.

Market risk  Unexpected changes in external markets (such as stock markets), prices (such as commodity prices), or rates (such as interest rates), related to (a) general market movements (although the source for this is often economic risk) or (b) a specific asset on the company’s balance sheet. Some examples include equity market risk, interest rate risk, and currency risk.

Mitigation  See Risk mitigation.

Mitigation in place  Mitigation already present in the organization, such as the compliance department or insurance coverage.

Net risk exposure  The amount of exposure after mitigation is taken into account. This is also called residual risk or post-mitigation risk exposure.

Objectives-based entity risk management  A generalized version of value-based enterprise risk management used for non-corporate entities (NCEs), such as non-profit organizations, government bodies, and individuals. See Value-based enterprise risk management.

Operational risk  A category of risks related to unexpected changes in elements related to operations, such as human resources, technology, processes, and disasters.

Pain points  Risk tolerance thresholds, for which management wants the likelihood of crossing them to be quite small, used to convert the graph form of enterprise risk exposure into the table form, and to define risk appetite.

Performance risk  Management or staff not performing their function as expected, such as in research and development or in finance department activities (including accuracy of financial reporting).

Post-mitigation risk exposure  See Net risk exposure.

Pre-mitigation risk exposure  See Gross risk exposure.

Probability  The chances, or odds, of something occurring. See Likelihood of occurrence.

Process risk  Company processes not functioning as expected.

Productivity risk  Management, staff, or non-employees upon whom the company depends not performing at the level of productivity expected.

Qualitative risk assessment  The second component of the risk identification ERM process step, the qualitative risk assessment involves prioritizing the list of potential risks and narrowing them down to the list of key risks. This involves soliciting input from internal personnel regarding the organization's key risks, and a high-level qualitative scoring of each potential key risk's likelihood of occurrence and severity of impact.

Qualitative risk assessment consensus meeting  A meeting where qualitative risk assessment survey participants arrive at a consensus regarding the scoring of potential key risks, and finalize the selection of the key risks.

Rating agency capital  See Required capital.

RCD tool  See Risk categorization and definition tool.

Regulatory capital  See Required capital.

Regulatory risk  See Legislative/regulatory risk.

Required capital  For financial services companies, this is the amount of capital that is required to remain on the balance sheet in support of existing business on the books, and cannot be used to support future growth. This can refer to required capital defined by management, by rating agencies, or by regulators.

Reputational risk  A misnomer, since this is not a source of risk. Reputational risk refers to the intermediate impact of reputation damage, which can be caused by multiple sources of risk, and which may, or may not, trigger financial impacts.

Residual risk exposure  See Net risk exposure.

Risk  Uncertainty which can cause a deviation, either upside or downside, from expected results.

Risk appetite  A management-defined quantitative expression of the level of enterprise risk exposure that is acceptable, at the limit. Also sometimes referred to as risk tolerance. See Hard limits and Soft limits.

Risk appetite consensus meeting  Meeting at which the ERM committee comes to a consensus definition of risk appetite and risk limits.

Risk appetite document  A document that contains the definitions of risk appetite and risk limits, a comparison of current and historical risk exposures to risk tolerance thresholds at the enterprise level (risk appetite) as well as below enterprise level (risk limits), and the delegation of authority for increasing risk exposures.

Risk capital  See Required capital.

Risk categorization and definition  The first component of the risk identification ERM process step, which produces the risk categorization and definition (RCD) tool.

Risk categorization and definition (RCD) tool  A tool with several applications in the ERM process, the RCD tool includes a risk categorization hierarchy (such as risk categories, risk subcategories, and risk divisions), the risks themselves, and a definition of the risk.

Risk correlation  The tendency of two risk scenarios to occur together. Some risk scenario pairs are more likely to occur together (positively correlated) than the multiplication of their probabilities would otherwise indicate, some are less likely to occur together (negatively correlated), and some are independent of each other.

Risk culture  The extent to which ERM is integrated into decision making (including strategic planning, strategic decisions, tactical decisions, and transactions), business performance analysis, and incentive compensation.

Risk decision making  The third step in the ERM process cycle, this involves defining risk appetite and risk limits, managing risk exposure levels to within these tolerance limits, and integrating ERM into strategic planning and other business decision making.

Risk disclosures  Communications with external stakeholders, such as shareholders, rating agencies, and regulators, involving ERM information.

Risk event database  A database about risk events that have occurred in the company, capturing information such as the originating source of the risk, how the event emerged and unfolded, management actions, and the ultimate financial impacts. This information can be used to enhance the development of risk scenarios, and enhance the entire ERM program through what is often referred to as risk learnings.

Risk experts  Those who are designated or recognized as risk experts in a particular source of risk and have a routine involvement with the ERM program. These are the executive risk owners (EROs) and the subject matter experts (SMEs).

Risk exploitation  Risk exploitation is no different from any routine business decision that simply involves taking on more risk. However, in an ERM context, risk exploitation refers to the conscious decision to take on additional risk exposure, as part of a risk-priority decision either to increase the overall enterprise risk exposure of the firm (closer to the soft limit of risk appetite, for a better overall risk-return profile) or to increase the individual risk exposure (closer to its risk limit) of a specific risk, where the company has a competitive advantage in taking such exposure and expects a profitable risk-return trade-off.

Risk exposure  An expression of the amount of risk to which the company is currently exposed, in terms of the likelihood of occurrence and severity of impact.

Risk governance  The hierarchical structure of ERM, including the roles and responsibilities, organizational procedures, and policies and procedures that govern the ERM program.

Risk identification  The first step in the ERM process cycle, this involves determining the key risks, which represent the biggest potential threats to the company. Risk identification includes risk categorization and definition; qualitative risk assessment; and emerging risk identification.

Risk interactivity  The level to which two or more risk scenarios occurring simultaneously impact each other.

Risk learnings  Lessons learned from past risk events occurring at the company.

Risk limits  A management-defined quantitative expression of the level of risk exposure that is acceptable, at the limit, for exposure concentrations below enterprise level.

Risk management  See Silo risk management.

Risk messaging  The fourth step in the ERM process cycle, this involves internal risk messaging, which is the integration of ERM into business performance analysis and incentive compensation, and external risk messaging, which is the integration of ERM into communications with shareholders, rating agencies, and regulators.

Risk mitigation  Implicit or explicit actions that reduce the likelihood and/or severity of risk events.

Risk-priority decisions  Decisions whose primary goal is related to managing the level of risk to an appropriate level (up or down), such as managing enterprise risk exposure to within risk appetite.

Risk quantification  The second step in the ERM process cycle, this involves quantifying baseline values for key metrics; key risks on an individual basis (producing individual risk exposures); and key risk scenarios on an integrated basis (producing enterprise risk exposure).

Risk-ranking criteria  A rule or guideline for combining the qualitative likelihood and severity scores into a single number that is used to rank all the risks identified in the qualitative risk assessment.

Risk scenario  A potential future outcome related to a risk source, such as pessimistic (downside), optimistic (upside), or baseline (no risk occurs).

Risk tolerance  See Risk appetite and Risk limits.

Sarbanes-Oxley Act (SOX)  U.S. legislation passed in 2002 in response to a wave of accounting scandals. SOX significantly increased requirements on publicly-traded companies to ensure the accuracy of their financial reports and to have executives attest to this.

Scoring criteria  Guidance provided to qualitative risk assessment survey participants for scoring the likelihood and severity metrics to ensure a consistent form of input from participants.

Seasonal weather risk  Unexpected changes in seasonal weather. This is a strategic risk for companies with products or services for which consumer demand is weather-sensitive. For example, a warm winter or cool summer reduces energy usage, and a cold or rainy summer reduces soda consumption.

Severity of impact  The magnitude, or amount, of the deviation from expected, or baseline projections, caused by the occurrence of a risk event.

Shock scenario  A risk scenario, or scenarios, which result in a deviation from expected or baseline projections.

Silo risk management  The traditional approach to risk management whereby each source of risk is managed by separate "silo" departments, and which involves a large volume of risks, the vast majority of which are not significant threats to the company.

Simulation  A single picture of future events, where one of the individual risk scenarios (including baseline) is projected to occur for each key risk. Simulations are run with the ERM model to generate the enterprise risk exposure, which represents the distribution of possible outcomes involving one or more risk events occurring simultaneously.

SME  See Subject matter expert.

Soft limits  Part of the risk appetite and risk limit definitions, soft limits are set as triggers for escalating levels of attention to carefully monitor the risk exposures and ultimately lower them back to within their soft-limit thresholds.

SOX  See Sarbanes-Oxley Act.

Stochastic risk scenarios  Individual risk scenarios, selected using automation—whose setup involves developing a formula to capture the shape of the risk distribution and a random number generator—and which are randomly changed with each run of the ERM model.

Strategic relationships risk  Unexpected change in strategic relationships, such as a parent company or joint venture partner.

Strategic risk  A category of risks related to unexpected changes in key elements of strategy formulation or execution. These are highly variable by company and must be customized.

Strategy risk  Viability of strategy—such as choice of products, distribution channels, markets, or value proposition—does not match expectations.

Stress test  See Risk scenario.

Subject matter expert (SME)  A recognized internal expert on subject matter related to a particular risk.

Supplier risk  Unexpected changes in supplier environment, such as supplier capacity, supplier failure, or change in the cost of goods or services. This also includes unexpected changes in rating agency ratings or regulatory licenses.

Systemic risk  The risk that failures in one part of the economic system can spread contagiously to others, resulting in a cascading set of failures threatening to crash the entire system.

Tail scenario  Extremely pessimistic scenarios, which are in the "tail" portion of the distribution.

Talent management risk  Unexpected change in the ability to maintain the expected level of talent, involving aspects of human resources such as recruiting and retaining employees, succession planning, maintaining critical knowledge of key employees, and labor or producer relations.

Technology risk  Technology not performing as expected. Some examples include data security, data privacy, data integrity, capacity, and reliability.

Uncertainty  When there is less than a 100 percent chance that something will occur.

Upside risk event  The occurrence of a risk scenario where results are above expected or baseline projections.

Upside risk scenario  A risk scenario where results are above expected or baseline projections.

Upside volatility  A general reference to the level of upside risk or the range of likelihoods corresponding to results being above baseline projections.

Value-at-Risk (VaR)  A measurement of risk exposure, used in the banking sector, often defined as the maximum amount of capital that can be lost in a single day, within a given small predefined likelihood.

Value-based enterprise risk management  Definition 1. A synthesis of ERM and value-based management, providing the missing link between risk and return, transforming ERM into a strategic management approach that enhances strategic planning and other business decision making. Definition 2. A practical yet advanced approach to integrate both risk and return information into strategic planning, business decision making, business performance analysis, incentive compensation, and external communications. See Objectives-based entity risk management.

VaR  See Value-at-Risk.

Volatility  The level to which results are likely to deviate from expected or baseline projections.

Voluntary risk disclosures  ERM communications that management chooses to share publicly.

Reprinted with permission of John Wiley & Sons. 
Corporate Value of Enterprise Risk Management: The Next Step in Business Management.
Author: Sim Segal, President, SimErgy Consulting.
Copyright © 2011.

