Agency risk A misalignment of interests between management and the primary stakeholders.
Basel Accords Guidelines developed by a group of global banking regulators in an attempt to improve risk management practices. Basel II, an international guideline for risk management, influenced the advancement of ERM practices in the financial services sector.
Baseline risk scenario The risk scenario which is neither upside nor downside but where the risk event occurs precisely as expected in the baseline strategic plan financial projection. Technically, this is not a risk, but it is tracked as one for ERM modeling purposes.
Capital requirements Requirements by external stakeholders, such as regulators or rating agencies, to hold a certain amount of capital as a buffer against existing liabilities.
Chief risk officer (CRO) Head of the ERM team, an executive who champions the ERM program development, maintenance, and enhancement.
Competitor risk Unexpected change in competitive landscape, such as new entrants, aggressive competitor actions against the company, and price wars.
Compliance risk Level of compliance not matching expectations, such as financial reports being less accurate than expected.
Component risk driver One of the driving factors in the financial impact of a risk scenario, and whose marginal impact is quantified with an attribution calculation, which is used to focus mitigation efforts.
Concentration risk Definition 1: A misnomer, because this is not a source of risk. Concentration risk refers to a high level of risk exposure from one particular risk source or group of sources. Definition 2: A concentration of power, such as in the form of a critical supplier, a large customer, or a large distributor.
Conduct risk Unexpected conduct by management, staff, a board member, or another person identified with the company. Examples include unseemly public behavior, criminal conduct, and fraud.
Corporate ERM See ERM team.
Correlation See Risk correlation.
COSO The Committee of Sponsoring Organizations of the Treadway Commission; in ERM discussions, shorthand for its Internal Control Integrated Framework, issued in 1992, which defines internal control as a process intended to provide reasonable assurance regarding effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
Credible worst-case scenario A scenario whose likelihood of occurrence is remote, but not out of the realm of possibility, and where the severity of impact would be significant. This is used in qualitative risk assessment scoring and risk scenario development.
Credit risk Unexpected changes in credit markets (availability), prices (credit spreads), or creditworthiness of issuers, related to (a) general credit market movements (although the source for this is often economic risk) or (b) a specific issuer of a fixed income security on the company’s balance sheet or (c) a counterparty to whom the company has extended credit.
CRO See Chief risk officer.
Deterministic risk scenarios Individual risk scenarios, selected using human judgment, and which remain static with each run of the ERM model.
Disaster risk Unexpected natural or man-made disasters, such as weather-related (for example, hurricane, flood, tornado, earthquake, and drought), health-related (such as pandemic), accidental (such as fire), general acts of destruction (such as war, terrorism, and rioting), and specific acts of destruction against the company (such as product tampering, attack on employees, and sabotage). This also includes unexpected man-made disasters caused by company employees or agents, such as environmental damage.
Downside risk event The occurrence of a risk scenario where results are below expected, or baseline projections.
Downside risk scenario A risk scenario where results are below expected or baseline projections.
Economic capital (EC) A measurement, commonly used in the insurance sector, of the amount of capital needed on hand today to limit the probability of ruin, over a given time horizon, to within a given small predefined likelihood.
Economic risk Unexpected changes in the economy. This is often the source of risk that triggers multiple simultaneous unexpected changes in other items, such as consumer disposable income (impacting demand for the company’s products or services), employment markets (impacting the company’s fixed expenses), inflation/deflation (impacting the company’s variable costs), items related to market risk, and items related to credit risk.
Emerging risk identification The third component of the risk identification ERM process step, this is a process to (a) monitor known non-key risks for any changes that might increase their ranking enough to become key risks; and (b) to scan the environment for unknown risks.
Enterprise risk exposure A calculation that reflects the current aggregate enterprise-level risk exposure, in the form of a distribution representing the full range of possible combinations of individual risk scenarios. The graph form depicts the entire distribution. The table form expresses select ‘‘pain points’’ in terms of their likelihood of occurrence and severity of impact.
Enterprise risk management (ERM) The process by which companies identify, measure, manage, and disclose all key risks to increase value to stakeholders. See Value-based enterprise risk management and Entity risk management.
Entity risk management (ERM) A generalized version of enterprise risk management used for non-corporate entities (NCEs) such as non-profit organizations, government bodies, and individuals. See Objectives-based entity risk management and Enterprise risk management.
ERM See Enterprise risk management or Entity risk management.
ERM committee An executive-level committee, often chaired by either the CEO or the CRO, which has a primary role of defining risk appetite and risk limits and managing enterprise risk exposure to within these tolerance limits.
ERM framework The functional structure of ERM, describing what activities take place, in what order they take place, and how they interact.
ERM model A financial model, which, in a value-based ERM approach, is in the form of a spreadsheet-based tool that calculates the baseline values for the key metrics, as well as changes in these baseline values resulting from one or more individual key risk scenarios occurring at a time.
ERM process cycle The continuous, evolving, and integrated process cycle involving four ERM process steps, including risk identification, risk quantification, risk decision making, and risk messaging.
ERM team The chief risk officer (CRO), or equivalent head of the ERM program, and supporting team members.
ERO See Executive risk owner.
Execution risk Strategy is not implemented as expected.
Executive risk owner (ERO) An executive formally designated by the CRO to be the point person for coordinating efforts across the enterprise with regard to one particular risk.
External fraud risk Unexpected change in the amount of fraud by external parties.
External relations risk Unexpected changes in the company’s relationship with external stakeholders with public voices, such as the media, consumer advocates, equity analysts, rating agencies, regulators, and politicians.
Failure modes and effects analysis (FMEA) A technique adapted from the manufacturing sector used to develop risk scenarios in the risk quantification ERM process step by interviewing subject matter experts.
Financial risk A category of risks related to unexpected changes in external markets, prices, rates, and liquidity supply and demand. Examples include market risk, credit risk, and liquidity risk.
Governance, risk, and compliance (GRC) A repackaging by audit firms of three service offerings: corporate governance; an expanded version of SOX activities (erroneously relabeled as ERM); and compliance.
Governance risk Governance is not functioning as expected.
GRC See Governance, risk, and compliance.
Gross risk exposure The amount of exposure before mitigation is taken into account. This is also called inherent risk or pre-mitigation risk exposure.
Hard limits Part of the risk appetite and risk limit definition, hard limits are the maximum limits which risk exposures should rarely, if ever, exceed.
Heat map A type of risk status report, often used for senior management or the board of directors, which involves a simple chart listing key risks and scoring them at a high level, usually with color coding (such as red, yellow, and green).
Hedge A position that offsets an existing risk exposure. This is a common form of risk mitigation.
Human resources risk Human resources (i.e., people) are not performing as expected, such as unexpected changes in talent management, performance, productivity, and conduct.
I/T risk See Technology risk.
Individual risk exposures The potential financial impacts on key metrics, and the corresponding likelihood, related to individual risk scenarios occurring one at a time.
Industry practices risk Widespread abusive practices unexpectedly discovered in the company’s industry sector.
Inherent risk exposure See Gross risk exposure.
Insurance risk A category of risks involving poor performance of the pricing, underwriting, reserving, or setting of required capital for insurance products.
International risk Unexpected changes in the business environment of foreign countries in which the company operates, such as unexpected changes in the government’s stability, attitude towards foreign companies, and tariffs.
Key risk committee A committee formed by the key risk executive risk owner (ERO) and his or her subject matter experts (SMEs) to help them perform their ERM roles and responsibilities, and to share information more effectively within committees, between committees, and upstream to the CRO and the ERM committee.
Key risk indicator (KRI) A leading indicator which is highly correlated with a risk’s exposure metric, and serves as an advance warning to management about a likely impending change in the level of exposure.
Key risks The approximately 20 to 30 risks representing the most significant threats to the organization, initially based on the qualitative risk assessment, and later replaced by the quantification of key risk scenarios, in terms of their potential impact on key metrics.
KRI See Key risk indicator.
Legislative/regulatory risk Unexpected changes in laws or regulations.
Likelihood of occurrence The probability, or chances, that a risk event involving one or more individual risk scenarios will occur.
Liquidity risk Unexpected changes in liquidity supply or demand, related to three different levels of impact on the company: (a) untimely asset sales; (b) inability to meet contractual demands; or (c) default. A change in liquidity supply involves an unexpected change in the ability to sell assets as expected in the market, in terms of price, volume, or timeliness. A change in liquidity demand involves an unexpected change in demand for liquidity by option-holders, such as bondholders exercising early put options or ‘‘run-on-the-bank’’ situations for financial services companies, where account-holders suddenly request the withdrawal of funds from their accounts, en masse.
Litigation risk Unexpected civil suits or judgments against the company.
Mandatory risk disclosures Public risk disclosures required by law or regulation.
Market risk Unexpected changes in external markets (such as stock markets), prices (such as commodity prices), or rates (such as interest rates), related to (a) general market movements (although the source for this is often economic risk) or (b) a specific asset on the company’s balance sheet. Some examples include equity market risk, interest rate risk, and currency risk.
Mitigation See Risk mitigation.
Mitigation in place Mitigation already present in the organization, such as the compliance department or insurance coverage.
Net risk exposure The amount of exposure after mitigation is taken into account. This is also called residual risk or post-mitigation risk exposure.
Objectives-based entity risk management A generalized version of value-based enterprise risk management used for non-corporate entities (NCEs), such as non-profit organizations, government bodies, and individuals. See Value-based enterprise risk management.
Operational risk A category of risks related to unexpected changes in elements related to operations, such as human resources, technology, processes, and disasters.
Pain points Risk tolerance thresholds, for which management wants the likelihood of crossing them to be quite small, used to convert the graph form of enterprise risk exposure into the table form, and to define risk appetite.
Performance risk Management or staff not performing their function as expected, such as related to research and development or the finance department activities (including accuracy of financial reporting).
Post-mitigation risk exposure See Net risk exposure.
Pre-mitigation risk exposure See Gross risk exposure.
Probability The chances, or odds, of something occurring. See Likelihood of occurrence.
Process risk Company processes not functioning as expected.
Productivity risk Management, staff, or non-employees upon whom the company depends, not performing at the level of productivity expected.
Qualitative risk assessment The second component of the risk identification ERM process step, the qualitative risk assessment involves prioritizing the list of potential risks and narrowing them down to the list of key risks. This involves soliciting input from internal personnel regarding the organization's key risks, and a high-level qualitative scoring of each potential key risk's likelihood of occurrence and severity of impact.
Qualitative risk assessment consensus meeting A meeting where qualitative risk assessment survey participants arrive at a consensus regarding the scoring of potential key risks, and finalize the selection of the key risks.
Rating agency capital See Required capital.
RCD tool See Risk categorization and definition tool.
Regulatory capital See Required capital.
Regulatory risk See Legislative/regulatory risk.
Required capital For financial services companies, this is the amount of capital that is required to remain on the balance sheet in support of existing business on the books, and cannot be used to support future growth. This can refer to required capital defined by management, by rating agencies, or by regulators.
Reputational risk A misnomer, since this is not a source of risk, this refers to the intermediate impact of reputation damage, which can be caused by multiple sources of risk, and which may, or may not, trigger financial impacts.
Residual risk exposure See Net risk exposure.
Risk Uncertainty which can cause a deviation, either upside or downside, from expected results.
Risk appetite A management-defined quantitative expression of the level of enterprise risk exposure that is acceptable, at the limit. Also sometimes referred to as risk tolerance. See Hard limits and Soft limits.
Risk appetite consensus meeting Meeting at which the ERM committee comes to a consensus definition of risk appetite and risk limits.
Risk appetite document A document that contains the definitions of risk appetite and risk limits, a comparison of current and historical risk exposures to risk tolerance thresholds at the enterprise level (risk appetite) as well as below enterprise level (risk limits), and the delegation of authority for increasing risk exposures.
Risk capital See Required capital.
Risk categorization and definition The first component of the risk identification ERM process step, which produces the risk categorization and definition (RCD) tool.
Risk categorization and definition (RCD) tool A tool with several applications in the ERM process, the RCD tool includes a risk categorization hierarchy (such as risk categories, risk subcategories, and risk divisions), the risks themselves, and a definition of the risk.
Risk correlation The tendency of two risk scenarios to occur together. Some risk scenario pairs are more likely to occur together (positively correlated) than the multiplication of their probabilities would otherwise indicate, some are less likely to occur together (negatively correlated), and some are independent of each other.
Risk culture The extent to which ERM is integrated into decision making (including strategic planning, strategic decisions, tactical decisions, and transactions), business performance analysis, and incentive compensation.
Risk decision making The third step in the ERM process cycle, this involves defining risk appetite and risk limits, managing risk exposure levels to within these tolerance limits, and integrating ERM into strategic planning and other business decision making.
Risk disclosures Communications with external stakeholders, such as shareholders, rating agencies, and regulators, involving ERM information.
Risk event database A database about risk events that have occurred in the company, capturing information such as the originating source of the risk, how the event emerged and unfolded, management actions, and the ultimate financial impacts. This information can be used to enhance the development of risk scenarios, and enhance the entire ERM program through what is often referred to as risk learnings.
Risk experts Those who are designated or recognized as risk experts in a particular source of risk and have a routine involvement with the ERM program. These are the executive risk owners (EROs) and the subject matter experts (SMEs).
Risk exploitation Risk exploitation is no different from any routine business decision that simply involves taking on more risk. However, in an ERM context, risk exploitation refers to the conscious decision to take on additional risk exposure, as part of a risk-priority decision either to increase the overall enterprise risk exposure of the firm (closer to the soft limit of risk appetite, for a better overall risk-return profile) or to increase the individual risk exposure (closer to its risk limit) of a specific risk, where the company has a competitive advantage in taking such exposure and expects a profitable risk-return trade-off.
Risk exposure An expression of the amount of risk to which the company is currently exposed, in terms of the likelihood of occurrence and severity of impact.
Risk governance The hierarchical structure of ERM, including the roles and responsibilities, organizational procedures, and policies and procedures that govern the ERM program.
Risk identification The first step in the ERM process cycle, this involves determining the key risks, which represent the biggest potential threats to the company. Risk identification includes risk categorization and definition; qualitative risk assessment; and emerging risk identification.
Risk interactivity The level to which two or more risks scenarios occurring simultaneously impact each other.
Risk learnings Lessons learned from past risk events occurring at the company.
Risk limits A management-defined quantitative expression of the level of risk exposure that is acceptable, at the limit, for exposure concentrations below enterprise level.
Risk management See Silo risk management.
Risk messaging The fourth step in the ERM process cycle, this involves internal risk messaging, which is the integration of ERM into business performance analysis and incentive compensation, and external risk messaging, which is the integration of ERM into communications with shareholders, rating agencies, and regulators.
Risk mitigation Implicit or explicit actions that reduce the likelihood and/or severity of risk events.
Risk-priority decisions Decisions whose primary goal is related to managing the level of risk to an appropriate level (up or down), such as managing enterprise risk exposure to within risk appetite.
Risk quantification The second step in the ERM process cycle, this involves quantifying baseline values for key metrics; key risks on an individual basis (producing individual risk exposures); and key risk scenarios on an integrated basis (producing enterprise risk exposure).
Risk-ranking criteria A rule or guideline for combining the qualitative likelihood and severity scores into a single number that is used to rank all the risks identified in the qualitative risk assessment.
Risk scenario A potential future outcome related to a risk source, such as pessimistic (downside), optimistic (upside), or baseline (no risk occurs).
Risk tolerance See Risk appetite and Risk limits.
Sarbanes-Oxley Act (SOX) U.S. legislation passed in 2002 in response to a wave of accounting scandals. SOX significantly increased requirements on publicly-traded companies to ensure the accuracy of their financial reports and to have executives attest to this.
Scoring criteria Guidance provided to qualitative risk assessment survey participants for scoring the likelihood and severity metrics to ensure a consistent form of input from participants.
Seasonal weather risk Unexpected changes in seasonal weather. This is a strategic risk for companies with products or services for which consumer demand is weather-sensitive. For example, a warm winter or cool summer reduces energy usage, and a cold or rainy summer reduces soda consumption.
Severity of impact The magnitude, or amount, of the deviation from expected, or baseline projections, caused by the occurrence of a risk event.
Shock scenario A risk scenario, or scenarios, which result in a deviation from expected or baseline projections.
Silo risk management The traditional approach to risk management whereby each source of risk is managed by separate ‘‘silo’’ departments, and which involves a large volume of risks, the vast majority of which are not significant threats to the company.
Simulation A single picture of future events, where one of the individual risk scenarios (including baseline) is projected to occur for each key risk. Simulations are run with the ERM model to generate the enterprise risk exposure, which represents the distribution of possible outcomes involving one or more risk events occurring simultaneously.
SME See Subject matter expert.
Soft limits Part of the risk appetite and risk limit definitions, soft limits are set as triggers for escalating levels of attention to carefully monitor the risk exposures and ultimately lower them back to within their soft-limit thresholds.
SOX See Sarbanes-Oxley Act.
Stochastic risk scenarios Individual risk scenarios, selected using automation—whose setup involves developing a formula to capture the shape of the risk distribution and a random number generator—and which are randomly changed with each run of the ERM model.
Strategic relationships risk Unexpected change in strategic relationships, such as a parent company or joint venture partner.
Strategic risk A category of risks related to unexpected changes in key elements of strategy formulation or execution. These are highly variable by company and must be customized.
Strategy risk Viability of strategy—such as choice of products, distribution channels, markets, or value proposition—does not match expectations.
Stress test See Risk scenario.
Subject matter expert (SME) A recognized internal expert on subject matter related to a particular risk.
Supplier risk Unexpected changes in supplier environment, such as supplier capacity, supplier failure, or change in the cost of goods or services. This also includes unexpected changes in rating agency ratings or regulatory licenses.
Systemic risk The risk that failures in one part of the economic system can spread contagiously to others, resulting in a cascading set of failures threatening to crash the entire system.
Tail scenario Extremely pessimistic scenarios, which are in the ‘‘tail’’ portion of the distribution.
Talent management risk Unexpected change in the ability to maintain the expected level of talent, involving aspects of human resources such as recruiting and retaining employees, succession planning, maintaining critical knowledge of key employees, and labor or producer relations.
Technology risk Technology not performing as expected, such as failures of data security (for example, a breach), data privacy, data integrity, capacity, or reliability.
Uncertainty When there is less than a 100 percent chance that something will occur.
Upside risk event The occurrence of a risk scenario where results are above expected or baseline projections.
Upside risk scenario A risk scenario where results are above expected or baseline projections.
Upside volatility A general reference to the level of upside risk or the range of likelihoods corresponding to results being above baseline projections.
Value-at-Risk (VaR) A measurement of risk exposure, used in the banking sector, defined as the loss over a given horizon (often a single trading day) that will be exceeded only with a given small predefined likelihood, such as 1 percent. It is a threshold rather than a maximum: it says nothing about how large the loss is in the cases where the threshold is exceeded, which is why tail scenarios are examined separately.
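The Enterprise risk exposure, Pain points, Risk correlation, Simulation, Stochastic risk scenarios and Value-at-Risk entries describe one calculation chain. The following Python is an added worked example, not from this glossary or the book it is reprinted from, that runs that chain end to end on four constructed key risks with hypothetical parameters. Each simulation lets every key risk either stay at baseline or fire its stochastic downside scenario; occurrence is tied to a shared factor through a one-factor Gaussian copula (an assumption made here to produce positive risk correlation) and severity is lognormal. A second run with the shared factor switched off shows that correlation leaves the expected loss unchanged but raises both the share of simulations in which risks fire together and the tail of the resulting enterprise risk exposure.

```python
import math
import random
from dataclasses import dataclass
from statistics import NormalDist


@dataclass(frozen=True)
class KeyRisk:
    """One key risk and the parameters of its stochastic downside scenario (hypothetical)."""
    name: str
    likelihood: float        # annual probability that the downside scenario occurs
    severity_median: float   # median hit to the key metric when it occurs (e.g. $M of value)
    severity_sigma: float    # lognormal dispersion of that hit (the "shape" of the distribution)
    rho: float               # loading on a shared economic factor; 0 = independent of it


# Constructed, illustrative key risks; these are not figures from the glossary or the book.
KEY_RISKS = (
    KeyRisk("Economic risk", 0.10, 80.0, 0.5, 0.9),
    KeyRisk("Technology risk (data security breach)", 0.15, 30.0, 0.8, 0.3),
    KeyRisk("Supplier risk", 0.08, 40.0, 0.6, 0.6),
    KeyRisk("Litigation risk", 0.05, 60.0, 0.7, 0.0),
)


@dataclass
class ExposureResult:
    losses: list             # sorted total loss per simulation (0 = every risk stayed at baseline)
    frequency: dict          # empirical occurrence rate per risk, to check against its likelihood
    multi_event_rate: float  # share of simulations in which two or more risks fired together


def with_independence(risks):
    """Same risks with the shared-factor loading removed (rho = 0), for comparison."""
    return tuple(KeyRisk(r.name, r.likelihood, r.severity_median, r.severity_sigma, 0.0)
                 for r in risks)


def run_simulation(risks, thresholds, rng):
    """A single simulation: each key risk either stays at baseline (no loss) or fires its
    stochastic downside scenario. Occurrence comes from a one-factor Gaussian copula: a
    risk with rho > 0 is more likely to fire when the shared factor is bad, so such risks
    are positively correlated with each other."""
    z_common = rng.gauss(0.0, 1.0)
    total = 0.0
    fired = []
    for r in risks:
        latent = r.rho * z_common + math.sqrt(1.0 - r.rho ** 2) * rng.gauss(0.0, 1.0)
        if latent > thresholds[r.name]:
            total += rng.lognormvariate(math.log(r.severity_median), r.severity_sigma)
            fired.append(r.name)
    return total, fired


def enterprise_risk_exposure(risks, n_sims=20000, seed=1):
    """Run many simulations and collect the distribution of aggregate loss (graph form)."""
    rng = random.Random(seed)
    # The latent variable is standard normal, so firing when it exceeds the
    # (1 - likelihood) quantile reproduces each risk's marginal likelihood exactly.
    thresholds = {r.name: NormalDist().inv_cdf(1.0 - r.likelihood) for r in risks}
    losses, counts, multi = [], {r.name: 0 for r in risks}, 0
    for _ in range(n_sims):
        loss, fired = run_simulation(risks, thresholds, rng)
        losses.append(loss)
        for name in fired:
            counts[name] += 1
        if len(fired) >= 2:
            multi += 1
    losses.sort()
    return ExposureResult(losses, {k: v / n_sims for k, v in counts.items()}, multi / n_sims)


def pain_point_table(result, thresholds):
    """Table form of enterprise risk exposure: likelihood of losing at least each amount."""
    n = len(result.losses)
    return {t: sum(1 for x in result.losses if x >= t) / n for t in thresholds}


def value_at_risk(result, confidence):
    """Loss exceeded with probability (1 - confidence), read off the sorted sample."""
    n = len(result.losses)
    idx = max(0, min(n - 1, math.ceil(confidence * n) - 1))
    return result.losses[idx]


def mean_loss(result):
    return sum(result.losses) / len(result.losses)


def expected_loss(risks):
    """Analytic expected loss (likelihood x mean severity, summed); correlation does not change it."""
    return sum(r.likelihood * r.severity_median * math.exp(r.severity_sigma ** 2 / 2) for r in risks)


if __name__ == "__main__":
    correlated = enterprise_risk_exposure(KEY_RISKS)
    independent = enterprise_risk_exposure(with_independence(KEY_RISKS))
    for label, res in (("correlated", correlated), ("independent", independent)):
        print(f"{label}: mean loss {mean_loss(res):.1f}, two-or-more events "
              f"{res.multi_event_rate:.2%}, VaR95 {value_at_risk(res, 0.95):.0f}, "
              f"VaR99 {value_at_risk(res, 0.99):.0f}")
        print("  pain points:", {t: f"{p:.2%}" for t, p in pain_point_table(res, (50, 100, 200)).items()})
```

The pain-point table and the VaR figure are two readings of the same sorted sample: the table fixes a loss amount and reports its likelihood, VaR fixes a likelihood and reports the loss amount. Neither says how bad the loss is beyond the threshold, so a practitioner inspecting the tail would also look at the largest simulated totals and at which risks fired together in them.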
Value-based enterprise risk management Definition 1. A synthesis of ERM and value-based management, providing the missing link between risk and return, transforming ERM into a strategic management approach that enhances strategic planning and other business decision making. Definition 2. A practical yet advanced approach to integrate both risk and return information into strategic planning, business decision making, business performance analysis, incentive compensation, and external communications. See Objectives-based entity risk management.
VaR See Value-at-Risk.
Volatility The level to which results are likely to deviate from expected or baseline projections.
Voluntary risk disclosures ERM communications that management chooses to share
Reprinted with permission of John Wiley & Sons.