Speaking the same language about risk

The following terms are commonly used by managers of financial market, operational and hazard risk management. One of the first stages in the implementation of integrated risk management is the clarification of common terms that will be used in your organization. The terms listed here come from both public and private sector sources that we believe to be accurate. LESRISK and Debt and Risk Management are not responsible for any errors or omissions resulting from the use of these definitions.


Accountability is the obligation to answer for results and the manner in which responsibilities are discharged. Accountability cannot be delegated.


A method for validating a strategy or a model by inputting historical data and comparing the results with historical reality. e.g. What would have happened had we done this five years ago?


CoCo stands for “criteria of control”. It is a risk management tool developed by the Canadian Institute of Chartered Accountants to assist managers and internal auditors in designing, assessing and reporting on control systems of an organization. See Control.


Consequence is the outcome of an event or situation expressed qualitatively or quantitatively, being a loss, injury, disadvantage or opportunity.


A risk management tool:

(i) Those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that taken together, support people in the achievement of the organization’s objectives.

(ii) An action, structure, or rule that reduces the impact/likelihood of a negative risk or increases the impact and likelihood of a positive risk relative to the organization’s objectives.

Correlation Matrices

Statistical constructs used to determine the degree that various factors are related to one another. A tool that can be used as part of risk assessment.

Cost of Regret

An estimation of the absolute loss or downside relative to a chosen benchmark for a given scenario.

Credit Risk

The risk that a loss will be incurred if a counterparty to a transaction does not fulfil its financial obligations in a timely manner.

Decision Tree

A schematic (pictorial) representation of the relationship between decisions, risks and outcomes. It can be used as a tool to evaluate alternative strategies and make decisions. The decision tree breaks down a series of events and decisions into smaller, simpler, more manageable, independent segments. These segments are represented as branches of a tree. The lattice concept of the tree is also used to analyse events (see event tree) and to assess risk paths that are dependent on one another.



The use of a group of knowledgeable individuals to arrive independently at an estimate of the outcome of an uncertain situation.


A term often applied to financial instruments whose value changes with the value and characteristics of another market variable (“the underlying”). Derivatives are often used to hedge financial market risks.

Ecological Risk

Risks to the environment, including air, water, earth and forests.

External Risks

Risks that are usually determined by sources outside the control of the organization. Examples of external risks would include changes in the economy, demographics and in federal policy.


An incident or situation that occurs in a particular place during a particular interval of time.

Event Tree Analysis

A method of illustrating and analysing the relationships between a sequence of outcomes that may arise over time. (Similar to a decision tree.)


The potential maximum impact of a risk. Sometimes referred to as the “exposure co-efficient”.

Financial Market Risk

Risks relating to changes in prices of tradable macroeconomic variables such as foreign exchange rates, interest rates and commodity prices.

Financial Risks

Risks that relate to losing/gaining financial resources. Financial risks include market risk, liquidity risk and credit risk.


A measured likelihood expressed as the number of occurrences of an event in a given time. See Probability


A risk that is a threat. The term is often used in reference to health and safety risks with the potential of causing damage or harm. See Risk

Health and Safety Risk

Physical hazards to citizens’ property as well as opportunities for improved security and well being. See Hazard

Impact-Likelihood Matrix

A tool for subjectively mapping the assessment or measurement of a risk in terms of its likelihood and impact on objectives. The matrix also suggests risk management strategies appropriate to the level of risk.

Information Risks

Risks that relate to the access to, or the use of inaccurate, irrelevant or untimely information, unreliable systems, and inaccurate or misleading reporting in support of decisions. The ability to accurately forecast future costs based on historical trends would be an example of information risk. Most other risk categories would have an information risk component.

Integrated Risk Management

Integrated risk management is a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It incorporates the risk management process into the planning and decision-making of business processes, aggregates all types of risk from across all departments, and monitors and manages risk on a comprehensive (portfolio) basis.

Legal Risk

The risk associated with the judicial process and contract law.


A measurement of how often an event might occur and how probable it is. It is often used as a synonym for probability and frequency, especially in a qualitative context. See Probability


Any negative consequence, financial or otherwise.


The action of reducing or minimizing the severity of the impact or likelihood of a risk or an event. Risk mitigation usually consists of management strategies such as: insurance, transfer to a more acceptable risk, etc.

Modern Controllership

Modern Controllership is a set of management functions that ensures: ethical behaviour, conscious managing of risks, clear lines of accountability, stewardship of resources, and the reporting and evaluation of results against stated objectives.


To check, supervise, observe critically, or record the progress of an activity, action or system on a regular basis in order to identify the need for change.

Net Present Value

A technique used to assess the current worth of future cashflows by discounting those future cashflows at today’s cost of capital.


Objectives may be defined as measurable goals. Explicit objectives are those stated in the business plan. Implicit objectives are those inherent or assumed in any organization.

Operating Risks

Risks that relate to doing the right things the wrong way. For example, asking employees to apply risk management practices without providing them with training would be considered an operating risk.

Operational Risk

Risk pertaining to the delivery of services. These would include risks involving human resources, controls and processes.


A risk with a positive outcome.  See Risk

Opportunity Cost

The value of an action that could have been taken if the current action had not been chosen.


The desired benefit of a program (event).


An output is what is produced by a program or event.

Political Risk

Risk pertaining to an impact on the Government, i.e. a change in government policy.


The likelihood of a specific outcome measured by the ratio of the specific outcomes to the total number of possible outcomes. Probability is expressed as a decimal number between 0 and 1, with 0 representing an impossible outcome and 1 indicating the certainty of an outcome.

Real Options

A real option is a non-financial option that gives the holder the right but not the obligation to take an action in the future, e.g. cancellation features in contracts.

Residual Risk

The remaining level of risk after a risk management strategy has been implemented.


The chance of something happening that will impact on the achievement of objectives. Risk can represent an opportunity or a threat to the achievement of objectives.  It is observed as a variance from objective.

Risk Acceptability

A term used in Hazard Risk Management. Acceptable risk is a level of risk that senior management is willing to accept or tolerate. The term is commonly used in hazard risk management in reference to risk tolerance levels that are set in legislation or standards outlined in a policy. See Risk Acceptance

Risk Acceptance

A term used in hazard risk management meaning an informed decision to accept the likelihood and the impact of a particular risk.

Risk Adjusted Performance Measures

A measurement of performance optimisation. Risk adjusted performance measures (RAPM) consider the cost of risk management in determining performance.

Risk Analysis

A systematic use of available information to determine:
How often specified opportunities / threats to objectives (risks) may occur;
The impact of specified risks on the organization’s ability to meet its objectives;
The timing of the risk;
The source and relation of the identified risk to other risks.

Risk Assessment

The process used to determine risk management priorities by evaluating and comparing the level of risk against predetermined standards, target risk levels or other criteria.

Risk Control

The process of integrating findings from the risk assessment with technical, financial, policy, and non-technical concerns of stakeholders, to develop and select suitable risk control actions, and implementation of these actions. Risk control actions include implementation of policies, standards, procedures and physical changes.

Risk Evaluation

The process by which risks are examined in terms of costs and benefits, and evaluated in terms of acceptability of risk considering the needs, issues and concerns of stakeholders.

Risk Hedging

A risk management strategy that offsets an existing risk (fully or partially). Often a hedge transfers the risk to another entity such as an insurer or a counterparty.

Risk Management

Risk management is the active process of identifying, assessing, communicating and managing the risks facing an organization to ensure that an organization meets its objectives.

Risk Management Process

A systematic decision and management tool that at a minimum consists of a five-stage cycle: clarify objectives, identify risk, assess (measure) risk, plan and take action to manage risk, and monitor risk.

Risk Receptor

A term used in Hazard Risk Management. An entity or individual that can be impacted as a result of an activity undertaken by that entity or individual, or by others.  Examples include members of the public, businesses and their employees.

Risk Reduction

A selective application of appropriate techniques and management principles to reduce either the likelihood of an occurrence or its impact, or both.

Risk Tolerance

Risk tolerance is the degree of comfort with various levels of risk.

Risk Transformation

A risk management strategy that changes a risk from an unacceptable form (or type of risk) to a more acceptable form of risk.

Sensitivity Analysis

An analysis that examines how the results of a calculation or model vary as individual assumptions are changed.

Stochastic Modelling

A statistically based method of modelling relationships mathematically to simulate what might happen in a given time period.

Strategic Risks

Risks associated with the strategic direction of an organization. Strategic  risks are often a function of uncertainties that may be driven by government  policy, competition, court decisions or a change in stakeholder requirements.


An analytical method that evaluates a risk under a range of scenarios. For example, as a risk management practice, bridge and highway designs are stress-tested mathematically to highlight structural weaknesses.  Similarly, the value of a portfolio of financial instruments is stress-tested to see the change in value under worst case scenarios of specific elements.


A condition where the outcome is not known.

Undesirable Event

An event that brings out the hazard and results in an adverse consequence for the risk receptors.


A measurement of risk. Value at risk (VaR) is the probabilistic bound of losses (usually financial market losses) over a given period of time expressed in terms of a specific degree of certainty (or confidence interval). VaR is widely used by financial institutions around the globe and accepted by regulatory agencies as a methodology for determining reserve requirements.