Risk Assurance

What constitutes a risk?

According to the BCI, it is the chance of something happening, measured in terms of probability and consequences. The consequence may be either positive or negative. Risk in a general sense can be defined as the threat of an action or inaction that will impair an organisation's ability to achieve its business objectives. The results of a risk occurring are defined by the impact.

What should we do?

That depends on our Risk Appetite:

The willingness of an organisation to accept a defined level of risk in order to conduct its business cost-effectively. Different organisations at different stages of their existence will have different risk appetites.

Types of risk include:

Asset Risk

A category of risk management that looks at maximising investment-related activities and managing such adverse factors as the collapse of an investment market, currency mismatches and poor investment performance. This type of risk is also known as 'Investment Risk'.

Business Risk

The risk that external factors, such as a fall in demand for an organisation's products or services, will result in unexpected loss. Business risk, if managed well, can also result in a competitive advantage being gained.

Corporate Risk

A category of risk management that looks at ensuring an organisation meets its corporate governance responsibilities, takes appropriate actions and identifies and manages emerging risks.

Inherent Risk

The possibility that some human activity or natural event will have an adverse effect on the asset(s) of an organisation and which cannot be managed or transferred away.

Operational Risk

The risk that deficiencies in information systems or internal controls will result in unexpected loss. The risk is associated with human error, system failures and inadequate procedures and controls.

Residual Risk

The level of uncontrolled risk remaining after all cost-effective actions have been taken to lessen the impact and probability of a specific risk or group of risks, subject to the organisation's risk appetite.

Preventative and Contingent Actions include:

Control

Any action which reduces the probability of a risk occurring or reduces its impact if it does occur.

Control Self Assessment (CSA)

A class of techniques used in an audit, or in place of an audit, to assess risk and control strengths and weaknesses against a control framework. The 'self' assessment refers to the involvement of management and staff in the assessment process, often facilitated by internal auditors. CSA techniques can include workshops/seminars, focus groups, structured interviews and survey questionnaires.

Integrated Risk Management

Where current risks are managed in an integrated way across the whole breadth of the organisation.

Organisation Risk Management

Where both current and emerging risks are managed in an integrated way across the whole organisation.

Probability

The chance of a risk occurring and having some impact on normal business operations.

Qualitative Assessment

A form of assessment that analyses the general structures and systems currently in place. It is a descriptive methodology, typically involving risk mapping and risk matrices, and does not involve detailed measurements.

Quantification

The objective measure of the seriousness of risk or impact, often measured in financial or regulatory terms.

Risk Analysis

The systematic process of identifying the nature and causes of risks to which an organisation could be exposed and assessing the likely impact and probability of those risks occurring.

Risk Assessment

The overall process of risk identification, analysis and evaluation.

Risk Avoidance

An informed decision not to become involved in a risk situation.

Risk Based Auditing 

Audits that focus on risk and risk management as the audit objective.

Risk Categories

Risks of similar types are grouped together under key headings, otherwise known as ‘risk categories’. These categories include reputation, strategy, financial, investments, operational infrastructure, business, regulatory compliance, people, technology and knowledge.

Risk Classification

The categorisation of risk, normally focussing on likely impact to the organisation or likelihood of occurrence.

Risk Concentration

The risks associated with having Mission Critical Activities and/or their dependencies, systemic processes and people located either in the same building or in close geographical proximity (zone), and not reproduced elsewhere, i.e. a single point of failure and a lack of organisational resilience.

Risk Context

The environment in which risks exist. This can be broken down into the strategic context such as the relationship between the organisation and the external business environment, and the organisational context such as goals, objectives, capabilities, resources, culture and strategies.

Risk Control

That part of risk management which involves the implementation of policies, standards, procedures and physical changes to eliminate or minimise adverse risks.

Risk Evaluation

The process of comparing actual risk levels with previously established risk criteria. As a result of this comparison, risks can be prioritised for further action.

Risk Event

An event that could potentially lead to an adverse impact on the business or function. The manifestation of a risk into a reality.

Risk Factors

Measurable or observable manifestations or characteristics of a process that either indicate the presence of risk or tend to increase exposure.

Risk Financing

The application of techniques to fund the treatment and consequences of risk e.g. using insurance. A means of accounting for potential loss exposures. Examples include various types of risk retention (e.g. internal contingency funds or reserves funding losses out of operating budgets, etc.) and risk transfer techniques including insurance contracts, self-insurance, captives, sinking funds, etc.

Risk Framework

Measurable or observable manifestations or characteristics of a process that either indicate the presence of risk or tend to increase exposure.

Risk Identification

The process of identifying what can happen, why and how.

Risk Management

The culture, processes and structures that are put in place to effectively manage potential opportunities and adverse effects. As it is not possible or desirable to eliminate all risk, the objective is to implement cost-effective processes that reduce risks to an acceptable level, reject unacceptable risks, and treat the remaining risks either by financial intervention (i.e. transferring them through insurance or other means) or by organisational intervention (i.e. BCM).

Risk Management Process

The systematic and documented process of clarifying the risk context and identifying, analysing, evaluating, treating, monitoring, communicating and consulting on risks.

Risk Mitigation

Measures taken to reduce exposure to risks.

Risk Perception

People view risks differently; this is usually related to their attitude to risk and whether they lean more towards being a risk taker or being risk averse.

Risk Prioritisation

The relative ordering of acceptable levels of risk among alternatives.

Risk Profile

The combined result of consequence and probability.

Risk Profiling

The systematic method by which all the risks and associated controls relating to an entity are identified, assessed and documented using risk management tools.

Risk Ranking

The ordinal or cardinal rank prioritisation of the risks in various alternatives, projects or units.

Risk Reduction or Mitigation

A selective application of appropriate techniques and management principles to reduce or mitigate either likelihood of an occurrence or its consequences, or both.

Risk Retention

Intentionally (or unintentionally) retaining responsibility for loss or risk financing within the organisation.

Risk Scenarios

A method of identifying and classifying risks through the creative application of probabilistic events and their consequences, used to stimulate thinking about "what might happen". This can be achieved through creative techniques, such as brainstorming, or through the application of mathematical and statistical techniques and modelling, e.g. fault tree analysis and event tree analysis.

Risk Standards

Various Risk Standards have been published around the world providing guidance for business on managing risk, for example ISO27000.

Risk Transfer

A series of techniques describing the various means of addressing risk through insurance and similar products. This includes recent developments such as the securitisation of risk and creation of, for example, catastrophe bonds.

Risk Treatment

The selection and implementation of relevant options for managing risk. The key treatments include:

  • Acceptance - risks are retained by the organisation.
  • Avoidance - deciding not to carry on with the proposed activities due to the risk being unacceptable, or finding another alternative that is more acceptable.
  • Reduction - reducing the likelihood and/or consequence of the risk.
  • Transfer - transferring the risk in part or in totality to another. Insurance is an example of risk transfer.

Systemic Risk

The risk that the failure of one participant or part of a process, system, industry or market to meet its obligations will cause other participants to be unable to meet their obligations when due, causing significant liquidity and other problems and thereby threatening the stability of the whole process, system, industry or market.

Source: The BCI