RiskGlossary

Annual Internal Risk Audit: A detailed assessment of risk conducted by an internal auditor or risk manager employing audit standards and using a formalized approach to select categories of risk for inclusion in the annual audit plan. Audit Cycle: The duration of time between scheduled risk audits for a business enterprise. For example:

Every year for a high-risk enterprise Every other year for an above-average risk enterprise Every four years for a moderate-risk enterprise Every six years for a low-risk enterprise

Audit History: The scores or ratings of risk over time resulting from a detailed cyclical measurement of risk using auditing standards. Chief Risk Officer (CRO): A senior manager with day-to-day oversight of enterprise risk management. Cost-of-Risk: The financial impact to an organization from undertaking activities with an uncertain outcome, including such factors as the cost of managing those risks, cost of transferring potential liabilities, cost of sustaining uninsured or uninsurable losses, and cost of loss of use. Common determinants of Cost-of-Risk and impacts to Risk Ratings are:

Frequency of occurrence Severity of potential loss Cost to mitigate Degree of uncertainty Financial value at risk Benefit potentially lost

Enterprise Risk Management (ERM): An integrated approach to assessing, analyzing and managing all risks that threaten profitability and survivability of an enterprise. The purpose of ERM is to understand, prioritize, and develop action plans to maximize benefits and mitigate risks of greatest concern. The ERM framework enables management to work collaboratively to identify, assess, and manage existing and future risks that are integrated across the enterprise in various ways, also known as business, holistic, strategic, or integrated risk management. ERM:

Is central to an enterprises strategic planning and management Is focused on identifying and treating risks of all types Adds maximum sustainable value to all activities Increases probability of success and minimizes probability of failure Is continuous; integrated with plan implementation Is integrated with organizational culture and led by senior management Assigns responsibility of risk control throughout the enterprise at each position

IanDunn

9October2013

RiskGlossary
Enterprise Risk Management Framework (ERM Framework): A structured process for managing risk of an enterprise in iterative steps:

Risk Identification Identify risk factors Risk Analysis Analyze risk impact o Assessment Measure the risk levels associated with risk factors o Quantification Turn qualitative risk data into quantitative data o Interpretation Interpret the quantitative data o Report Compile the data and recommend action Risk Response Establish an action plan; Assign those responsible to respond to risk and establish deadlines Risk Control Implement a solution to reduce or transfer risk Risk Monitoring Observe implemented risk controls and report the results

Failure Risk: The probability that an enterprise will experience a business interruption or cease to operate. Impact: Effect or result of an activity or event. Impact can be positive or negative relative to the objectives of the enterprise, and there can be a range of possible impacts associated with any single activity or event. Inherent Risk: The risk to the enterprise in the absence of any actions management might take to otherwise alter the likelihood the risk could result in a negative impact. Internal Environment: Encompasses the culture of an enterprise and sets the basis for how risks are viewed and managed, including risk management philosophy, risk appetite, acceptance of risk controls, and the overall environment in which the enterprise operates. Interpretation: Study of quantitative risk data to associate results with overall impact to an enterprise Likelihood: Probability; possibility of a condition or event occurring. Loss Control: The technique of minimizing the severity of loss once a condition arises or event occurs to cause a negative impact. Maximum Profitability: The highest level of profitability achievable by an enterprise under ideal conditions. Metrics: The means in which to measure the effectiveness and/or success of risk mitigation techniques. Opportunity: The possibility that a condition will arise or event will occur that will have a positive impact on achievement of the enterprises objectives. Probability: Likelihood; possibility of a condition or event occurring. Profitability: The ability of an enterprise to generate revenues in excess of the costs incurred to produce those revenues; often measured by a rate of profit or rate of return on investment.

IanDunn

9October2013

RiskGlossary
Profitability Risk: The likelihood that an enterprise will not achieve its Maximum Profitability. Quantification: Conversion of qualitative risk data into quantitative data Residual Risk: The risk that remains after an enterprise has responded to risk by deploying risk controls. Risk: The possibility of suffering loss or harm Risk Acceptance: Occurs when no action is taken to prevent the likelihood of harm to an enterprise as a result of a known condition or event. Risk Analysis: Describing and assessing individual risks, estimating the impact of each on the enterprise, and developing a corresponding risk profile and recommended mitigation techniques. Risk Appetite: An organizations tolerance for risk. The broad amount of risk an enterprise will accept in pursuit of its objectives. Risk Assessment: Determining the likelihood that an identified risk will prevent an enterprise from attaining its objectives. Risk Assessment Tools: The instruments designed to assess and evaluate risks in order to make more informed decisions. Risk Avoidance: Avoiding the practices giving rise to risk. Risk Center: A division, department or group having clear boundaries and risk exposure. Risk Components:

Financial: Exposure to uncertainty regarding the management and control of the availability and cost of commodities and credit. Hazard: Exposure to loss arising from bodily injury, damage to property or from tortious acts; typically includes the perils covered by insurance. Operational: Exposure to uncertainty related to day-to-day business activities. Strategic: Exposure to uncertainty related to long-term policy directions of the enterprisethe big picture risks.

Risk Control: The technique for implementing risk controls to minimize the frequency or severity of conditions or events that threaten the objectives of the enterprise Risk Controls: Systems, procedures, policies, practices and safeguards designed to minimize the frequency or severity of conditions or events that increase risk. Risk Evaluation: Reviewing the results of a risk analysis, determining the significance of the risk exposures, and deciding whether to accept and manage them, transfer them by means such as insurance, a combination of the two, or eliminate the risks altogether.

IanDunn

9October2013

RiskGlossary
Risk Exposure: An activity, event or condition that has a moderate or high probability of preventing achievement of the financial objectives of an enterprise Risk Factor: An action, condition or event that can cause loss or harm performance and profitability objectives, if encountered. Risk Financing: The mechanisms for funding risk mitigation strategies and/or funding the financial consequences of risk; i.e., insurance or the financial consequences of uninsured or uninsurable risks. Risk Identification: The qualitative determination of significant risks factors that can potentially impact an enterprises achievement of its financial and/or strategic objectives. This is often done through in-depth structured review of the internal practices used in industry specific companies combined with interviews of key industry personnel, consultants and experts. Risk Level: One of three risk levels: high, moderate, or low risk. Indicates the likelihood that an individual activity, condition or event will negatively impact the financial objectives of an enterprise. A rating of high risk reflects the criticality of instituting risk controls to mitigate the potential negative impact. Risk Mapping: The visual representation of risks which have been identified through a risk assessment exercise in a way that easily allows priority ranking of them. This representation often takes the form of a two-dimensional grid with probability on one axis and impact on the other axis. The risks that fall in the high probability/high impact quadrant are given priority risk management attention. Risk Mitigation: Actions which reduce a risk or its consequences (see Risk Strategies). Risk Monitoring: Observing the effectiveness of installed risk controls and reporting the findings. Risk Portfolio: A list of risk exposures at a certain time. (also called Risk Register) Risk Prioritization: The ranking of risks on an appropriate scale which identifies which risks are most important to manage based upon severity. (See Risk Mapping). Risk Profiling: The use of a tool or system to rate and/or prioritize a series of risks. Risk Recommendation: A suggested action that will reduce or transfer risk. Risk Reduction: Action taken to mitigate risk while retaining it in the enterprise Risk Reporting: Distribution of information on risks to internal and/or external stakeholders. Risk Response: Managements development of a set of actions to avoid, accept, reduce, share or transfer risk that align with the enterprises risk appetite and tolerances. Risk Sharing: Reducing the negative impact of risk by transferring some or otherwise sharing a portion of the risk.
IanDunn 4 9October2013

RiskGlossary
Risk Silo: Divisions, departments, or other groups independently exposed to risk and acting in isolation from other risk centers. Risk Strategies: Possible responses to risk situations such as avoidance, acceptance, reduction sharing, or transfer. Risk Tolerance: The acceptable level of risk relative to the achievement of an objective. Risk Transfer: Action taken to mitigate risk by moving responsibility for it to external parties outside the enterprise. Risk Treatment: The process of selecting and implementing measures to modify the risk. Sarbanes-Oxley Act: The Sarbanes-Oxley Act of 2002, commonly referred to as SOX or SarBox, is an amendment to the Federal Securities Exchange Act of 1934. It is intended to prevent auditors from providing specific non-audit services, including actuarial services, to their SEC-regulated audit clients. There are five major components of the amendment that are of specific interest for higher education. They include sections on 1) transparency of financial reports, 2) corporate disclosure, 3) board independence, 4) accountability, and 5) development of ethical operating standards. Although the Act includes requirements that apply to publicly held companies only, some the components are essential good practices for all companies. Traditional Risk Management: Original form of risk management, focusing primarily on insurable hazard risks.

IanDunn

9October2013