the set of reasons, arguments and supporting facts offered in justification of a chosen strategy. It refers to the strategic plans an organization expects to carry out, and what the future outcomes would be if the planning assumptions materialize. The concept may also be referred to as a base case scenario.
The process of measuring the performance of an organization against external standards of reference that frequently come from similar organizations doing similar things.
conceptual structure that supports the viability of a business and explains who the business serves, what it offers, how it offers it and how it achieves its goals, including those it sets for itself. All business processes and policies that a company adopts and follows are part of the business model; a description of how an organization creates, delivers and captures value for its customers, as well as for itself. (www.feedough.com/what-is-a-business-model)
a management structure that unifies isolated risk control approaches into a collectively motivated control environment in which all control functions are focused on achieving the organizational objectives.
A particular strength relative to other organizations that provides the fundamental basis for added value and strategic advantage.
Corporate governance
The system of rules, practices and processes by which a company is directed and controlled. (Investopedia http://www.investopedia.com/terms/c/corporategovernance.asp)
uncertainties that, if left unresolved, could undermine an entire objective or venture.
risks that are known to exist, but may change over time.
Emerging risk
a novel manifestation or type of risk that has not been experienced previously.
Emerging risk sensing
the range of activities carried out to identify and understand evolving sources of risk that could have a significant impact to the organization.
Enterprise risk management (ERM)
a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
a process of systematically exploring and interpreting a broad array of macro- and micro-surroundings to identify trend indicators to better understand the drivers of change and to gauge their potential future impact on the organization.
Comparison of an existing process or procedure (current state: what is) to a desired future state (what should be) in order to identify deficiencies or excesses in the existing process (what to consider). (ANSI/ASIS/RIMS Risk Assessment Standard RA.1-2015, p. 45-46)
Represented by a board of directors, supervisory board, board of trustees, general partners or an owner. (COSO Executive Summary 2017)
Key performance indicator (KPI)
Measure(s) of deviations from expected outcomes to help a firm see how it is performing. (RIMS, Transitioning to ERM, 2014)
Key risk indicator (KRI)
a measure to indicate the potential presence, level or trend of a risk.
measures that develop in parallel with or subsequent to a development or trend (e.g., the development of housing prices is a lagging indicator for the economy).
measures that develop in advance of or in parallel with a development or trend (e.g., the number of orders for heavy equipment and raw supplies is a leading indicator for the economy).
a favorable or advantageous combination of circumstances and/or a pertinent occasion or time that may improve an organization’s position if acted upon.
PESTLE
PESTLE is an acronym for Political, Economic, Social, Technological, Legal and Environmental, and identifies the categories utilized to analyze internal and external environments. Other forms of the acronym include "PEST" and "PESTEL".
the capability and capacity of an organization to reorganize under change and deliver its mission continually, despite the impact of external or internally generated risks.
Risk
an uncertain future outcome that can either improve or worsen an organization’s position; the effect of uncertainty on objectives (ISO 31000:2018).
Risk appetite
the total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes. As such, risk appetite is inextricably linked with, and may vary according to, expected returns. Reflective of an organization’s business strategy, risk strategies and stakeholder expectations, risk appetite generally is set and/or endorsed by the board of directors through discussions with management. Risk appetite statements may be expressed qualitatively and/or quantitatively and managed with respect to either an allocated individual initiative and/or in the aggregate.
the organizational or individual’s perceived qualitative and quantitative value that may be gained in comparison to the related potential loss or losses. Attitudes toward risk may range along a continuum from risk taking to risk averse.
Any person in an organization who is a leader and influences peers regarding the value that risk management adds to the organization.
The beliefs, values, norms and traditions of behavior of individuals and groups within an organization that determine the way in which they identify, understand, discuss and act on risk(s) that an organization confronts and takes. (RIMS, Exploring Risk Appetite and Risk Tolerance, 2012)
a factor that has a strong influence on the eventual outcome or result, that is, on whether or not key objectives will be achieved.
Encompasses the oversight, practices and respective roles and responsibilities for risk within an organization's unique corporate governance.
Risk management
Coordinated activities to plan, direct, control and make decisions concerning the effects of uncertainty on objectives. (adapted from ISO 31000:2018)
An individual accountable for the identification, assessment, treatment and monitoring of risks in a specific environment. (The Institutes, ARM guide)
A broad collection, range and set of interdependencies of uncertainties that can affect an organization's future.
A depiction (e.g., a summary or compilation) of estimated enterprise risks at a point in time, usually used to evaluate those risks against the organization's willingness to take on risk (or its aversion to risk).
Risk tolerance
the amount of uncertainty an organization is willing to accept in the aggregate (or more narrowly within a certain business unit or for a specific risk category). Expressed in quantitative terms that can be monitored (such as volatility or deviation measures, for example), risk tolerance often is communicated in terms of acceptable/unacceptable outcomes or as limits on levels of risk. Risk tolerance statements identify the specific minimum and maximum levels beyond which the organization is unwilling to accept variations from the expected outcome.
a decision or process to modify risk (ISO 31073).
Underlying or initiating risk source or driver that produces certain outcomes or changes the impact of an outcome or outcomes. Commonly used to describe the point in a chain of events or conditions where an intervention could reasonably be implemented to improve performance or prevent an undesirable outcome. (adapted from ANSI/ASIS/RIMS Risk Assessment Standard, RA.1-2015)
Root cause analysis
a systematic approach for identifying and assessing risks whereby a defined risk is analyzed through questions such as “what can make this happen?”.
a structured way for individuals or organizations to think about multiple plausible ways in which the future might unfold. The technique is used to inspire imagination and provoke “thinking the unthinkable,” thereby increasing emerging risk sensing. Alternate definition from Art of the Long View, Peter Schwartz (1996): a tool for ordering one’s perceptions about alternative future environments in which one’s decisions might be played out.
any individual or organization that is directly or indirectly involved with or affected by an organization’s decisions and activities.
internal or external uncertainties, whether event or trend driven, that impact an organization’s strategies and/or the implementation of its strategies.
Strategic risk assessment
a systematic and continual process for assessing the strategic risks facing an organization.
Strategic risk management (SRM)
a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategic execution.
a complete plan of action for whatever situations may arise in achieving an organization’s goals within the established time. An organization’s strategic plans will determine the actions the organization will take at any stage of the planning period as circumstances change.
SWOT
SWOT is an acronym for Strengths, Weaknesses, Opportunities and Threats and is an analytic approach for environmental scanning that combines internal and external context with the obstacles and accelerators to success in achieving objectives.
created when an organization makes products or delivers services that people outside the organization find to be worthwhile, useful, convenient, effective or otherwise desirable or of some importance to the processor or user.
Value chain
A high-level model developed by Michael Porter used to describe the process by which businesses receive raw materials, add value to the raw materials through various processes to create a finished product, and then sell that end product to customers. (Investopedia http://www.investopedia.com/terms/v/valuechain.asp)
Value chain analysis
A strategy tool used to analyze internal firm activities. Its goal is to recognize which activities are the most valuable (i.e., are the source of cost or differentiation advantages) to the firm and which ones could be improved to provide competitive advantage. (Strategic Management Insight www.strategicmanagementinsight.com/tools/value-chain-analysis)
an organization’s cultural beliefs and behaviors that form the foundation on which the organization performs its work and the way the people within the organization conduct themselves; sometimes referred to as core values.
the level and speed of change over time and against a norm or expected state. Antonym: stability.