There is a range of terms used when conducting risk management. Refer to our glossary to learn more:
Cause |
Potential occurrences that would result in the risk event. |
Consequence |
The outcome of an event affecting objectives. |
Consequence description |
An explanation of the main consequences of the risk event. |
Control |
Any action taken by management which either reduces the likelihood of a risk event occurring or reduces the potential for damage arising from that risk event. It can include any process, policy, device, practice, or other action that modifies the risk. |
Control gap |
A situation in which no adequate control is in place to address the given risk of an activity or process. |
Control owner |
A person or entity with accountability for ensuring that the control activity is in place and is operating effectively.
The control owner does not necessarily perform the control activity; however, if not conducting the control, they should have a level of oversight of its performance. |
Forecast risk |
The level of risk remaining after agreed treatment plans have been implemented. |
Framework |
A structure with which a firm identifies and manages the risk, internal control, and compliance requirements to support the assurances provided by the firm to its stakeholders. |
Inherent consequence |
The outcome of an event affecting objectives without consideration of the impact of controls. |
Inherent risk |
The level of risk without giving consideration to the impact of controls. |
Key risk indicator |
A measure to indicate the risk level of an activity. KRIs give early warning to identify potential events that may harm the continuity of an activity. |
Likelihood |
The probability of a risk event occurring in the next 12 months, expressed in terms of a percentage between 0% and 100%. |
Process owner |
Person or role responsible for the operation of a process or activity. This role may be formally designated or, by default, may be the person responsible for the process or activity's main tasks. |
Residual consequence |
The outcome of an event affecting objectives when the current control environment is taken into account. |
Residual risk |
The level of risk after the current control environment is taken into account. |
Risk |
The effect of uncertainty on objectives. |
Risk description |
Details of the risk event. |
Risk owner |
A person or entity with the accountability and authority to manage a risk. Where the 'control owner' and the 'treatment owner' are different, the risk owner has accountability to ensure that the treatment plan is implemented. |
Risk treatment / Treatment plan |
The process of selecting one or more options for mitigating risks and implementing those options. |
Treatment plan owner |
The person accountable for monitoring and reporting implementation progress of the treatment plan. |