RIMS Glossary

  • Base case

    The set of reasons, arguments and supporting facts offered in justification of a chosen strategy. It refers to the strategic plans an organization expects to carry out, and the future outcomes that would follow if its planning assumptions materialize. The concept may also be referred to as a base case scenario.

  • Benchmarking

    The process of measuring the performance of an organization against external standards of reference that frequently come from similar organizations doing similar things.

  • Business model

    Conceptual structure that supports the viability of a business and explains whom the business serves, what it offers, how it offers it and how it achieves its goals, including those it sets for itself. All business processes and policies that a company adopts and follows are part of the business model; a description of how an organization creates, delivers and captures value for its customers, as well as for itself. (www.feedough.com/what-is-a-business-model)

  • Control framework

    A management structure that unifies isolated risk control approaches into a collectively motivated control environment in which all control functions are focused on achieving the organizational objectives.

  • Core competency

    A particular strength relative to other organizations that provides the fundamental basis for added value and strategic advantage.

  • Corporate governance

    The system of rules, practices and processes by which a company is directed and controlled. (Investopedia http://www.investopedia.com/terms/c/corporategovernance.asp)

  • Deal-killer risks

    Uncertainties that, if left unresolved, could undermine an entire objective or venture.

  • Dynamic risks

    Risks that are known to exist but may change over time.

  • Emerging risk

    A novel manifestation or type of risk that has not been experienced previously.

  • Emerging risk sensing

    The range of activities carried out to identify and understand evolving sources of risk that could have a significant impact on the organization.

  • Enterprise risk management (ERM)

    A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.

  • Environmental scanning

    A process of systematically exploring and interpreting a broad array of macro- and micro-surroundings to identify trend indicators, to better understand the drivers of change and to gauge their potential future impact on the organization.

  • Gap analysis

    Comparison of an existing process or procedure (current state-what is) to a desired future state (what should be) in order to identify deficiencies or excesses in the existing process (what to consider). (ANSI/ASIS/RIMS Risk Assessment Standard RA.1-2015, p. 45-46)

  • Governing Body

    Represented by a board of directors, supervisory board, board of trustees, general partners, or owner. (COSO Executive Summary 2017)

  • Key performance indicator (KPI)

    Measure(s) of deviations from expected outcomes to help a firm see how it is performing. (RIMS, Transitioning to ERM, 2014)

  • Key risk indicator (KRI)

    A measure that indicates the potential presence, level or trend of a risk.

  • Lagging indicators

    Measures that develop in parallel with or subsequent to a development or trend (e.g., the trend in housing prices is a lagging indicator for the economy).

  • Leading indicators

    Measures that develop in advance of or in parallel with a development or trend (e.g., the number of orders for heavy equipment and raw supplies is a leading indicator for the economy).

  • Opportunity

    A favorable or advantageous combination of circumstances and/or a pertinent occasion or time that may improve an organization’s position if acted upon.

  • PESTLE analysis

    PESTLE is an acronym for Political, Economic, Social, Technological, Legal and Environmental, and identifies categories utilized to analyze internal and external environments. Other forms of the acronym include "PEST" and "PESTEL".

  • Resilience

    The capability and capacity of an organization to reorganize under change and deliver its mission continually, despite the impact of externally or internally generated risks.

  • Risk

    An uncertain future outcome that can either improve or worsen an organization’s position; the effect of uncertainty on objectives (ISO 31000:2018).

  • Risk appetite

    The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes. As such, risk appetite is inextricably linked with—and may vary according to—expected returns. Reflective of an organization’s business strategy, risk strategies and stakeholder expectations, risk appetite generally is set and/or endorsed by the board of directors through discussions with management. Risk appetite statements may be expressed qualitatively and/or quantitatively and managed with respect to either an allocated individual initiative and/or in the aggregate.

  • Risk attitude

    An organization’s or individual’s perceived qualitative and quantitative value that may be gained in comparison with the related potential loss or losses. Attitudes toward risk may range along a continuum from risk taking to risk averse.

  • Risk champion

    Any person in an organization who is a leader and influences peers regarding the value that risk management adds to the organization.

  • Risk culture

    The beliefs, values, norms and traditions of behavior of individuals and groups within an organization that determine the way in which they identify, understand, discuss and act on risk(s) that an organization confronts and takes. (RIMS, Exploring Risk Appetite and Risk Tolerance, 2012)

  • Risk driver

    A factor that has a strong influence on the eventual outcome or result, that is, on whether or not key objectives will be achieved.

  • Risk governance

    Encompasses the oversight, practices and respective roles and responsibilities for risk within an organization's unique corporate governance.

  • Risk management

    Coordinated activities to plan, direct, control and make decisions concerning the effects of uncertainty on objectives. (adapted from ISO 31000:2018)

  • Risk owner

    An individual accountable for the identification, assessment, treatment and monitoring of risks in a specific environment. (The Institutes, ARM guide)

  • Risk portfolio

    A broad collection, range and set of interdependencies of uncertainties that can affect an organization's future.

  • Risk profile

    A depiction (e.g., a summary or compilation) of estimated enterprise risks at a point in time, usually used together with the organization’s willingness to take on risk (or aversion to risk) for the purpose of evaluating risks.

  • Risk tolerance

    The amount of uncertainty an organization is willing to accept in the aggregate (or more narrowly within a certain business unit or for a specific risk category). Expressed in quantitative terms that can be monitored (such as volatility or deviation measures), risk tolerance often is communicated in terms of acceptable/unacceptable outcomes or as limits on levels of risk. Risk tolerance statements identify the specific minimum and maximum levels beyond which the organization is unwilling to accept variations from the expected outcome.

  • Risk treatment

    A decision or process to modify risk (ISO 31073).

  • Root cause

    Underlying or initiating risk source or driver that produces certain outcomes or changes the impact of an outcome or outcomes. Commonly used to describe the point in a chain of events or conditions where an intervention could reasonably be implemented to improve performance or prevent an undesirable outcome. (adapted from ANSI/ASIS/RIMS Risk Assessment Standard, RA.1-2015)

  • Root cause analysis

    A systematic approach for identifying and assessing risks whereby a defined risk is analyzed through questions such as “what can make this happen?”

  • Scenario planning

    A structured way for individuals or organizations to think about multiple plausible ways in which the future might unfold. The technique is used to inspire imagination and provoke “thinking the unthinkable,” thereby increasing emerging risk sensing. Alternate definition from The Art of the Long View, Peter Schwartz (1996): a tool for ordering one’s perceptions about alternative future environments in which one’s decisions might be played out.

  • Stakeholder

    Any individual or organization that is directly or indirectly involved with or affected by an organization’s decisions and activities.

  • Strategic risks

    Internal or external uncertainties, whether event or trend driven, that impact an organization’s strategies and/or the implementation of those strategies.

  • Strategic risk assessment

    A systematic and continual process for assessing the strategic risks facing an organization.

  • Strategic risk management (SRM)

    A business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategic execution.

  • Strategy

    A complete plan of action for whatever situations may arise in achieving an organization’s goals within the established time. An organization’s strategic plans determine the actions the organization will take at any stage of the planning period as circumstances change.

  • SWOT analysis

    SWOT is an acronym for Strengths, Weaknesses, Opportunities and Threats and is an analytic approach for environmental scanning that combines internal and external context with obstacles and accelerators to success in achieving objectives.

  • Value

    Created when an organization makes products or delivers services that people outside the organization find to be worthwhile, useful, convenient, effective or otherwise desirable, or of some importance to the processor or user.

  • Value chain

    A high-level model developed by Michael Porter used to describe the process by which businesses receive raw materials, add value to the raw materials through various processes to create a finished product, and then sell that end product to customers. (Investopedia http://www.investopedia.com/terms/v/valuechain.asp)

  • Value chain analysis

    A strategy tool used to analyze internal firm activities. Its goal is to recognize which activities are the most valuable (i.e., are the source of cost or differentiation advantages) to the firm and which ones could be improved to provide competitive advantage. (Strategic Management Insight www.strategicmanagementinsight.com/tools/value-chain-analysis)

  • Values

    An organization’s cultural beliefs and behaviors that form the foundation on which the organization performs its work and the way the people within the organization conduct themselves; sometimes referred to as core values.

  • Volatility

    The level and speed of change over time and against a norm or expected state. Antonym: stability.