Enterprise Risk Management (ERM)
A process that involves identifying potential events (risks) that may affect an entity and managing risk within its risk appetite to provide reasonable assurance regarding the achievement of entity objectives. These risks are typically categorized into strategic, operational, financial, compliance and reputational risks.
Heat Map
A visual representation of each risk’s likelihood and severity scores.
Impact
Impact is the numeric rating of the financial, operational or reputational severity that results from a risk event occurring with existing controls.
Inherent Risk
The level of risk that resides with an event or process prior to management taking mitigation action.
Likelihood
The likelihood is a numeric rating of how likely the risk is to occur with existing controls.
Preparedness / Resilience
The effectiveness of the controls (e.g., training, testing, business continuity planning) currently in place to address an identified risk.
Residual Risk
The level of risk that remains after management has taken action to mitigate the risk.
Risk
The potential for an event or circumstance to have an impact on the achievement of an organization’s objectives.
Risk Appetite
The level of risk an organization is willing to accept in pursuit of its objectives.
Risk Assessment
The process of evaluating the likelihood and potential impact of identified risks.
Risk Champion
A risk champion is the executive-level leader who provides oversight and guidance within a specific risk area. The role of the risk champion is to support risk owners in the execution of proposed risk mitigation strategies. The risk champion should be an individual with the authority to intervene when risk management efforts are being hampered.
Risk Driver / Sub-risk
A specific factor, condition or underlying cause that contributes to the likelihood or impact of a broader (enterprise) risk.
Risk Mitigation and Response
The actions taken to address identified risks, including accepting, transferring, mitigating or avoiding them.
Risk Monitoring
The ongoing process of tracking and evaluating identified risks, as well as the effectiveness of risk management strategies.
Risk Owner
A risk owner is the individual who is ultimately accountable for the management and mitigation of an enterprise risk. With the assistance of the Ethics and Compliance Office, risk owners develop and implement strategies to address concerns raised within a specific risk area. Risk owners serve as the point of contact for the Ethics and Compliance Office in measuring and monitoring the effectiveness of a risk mitigation strategy.
Risk Tolerance
The level of risk an organization is willing to accept around specific objectives. Risk tolerance is narrower in scope than risk appetite: appetite applies to the organization as a whole, while tolerance is set per objective.
Subject Matter Expert (SME)
A subject matter expert is an individual with specialized skills and/or knowledge in relation to the risk area. The job duties of the SME need not be specific to the risk area; however, the responsibilities and expertise of this individual should provide vital input regarding the assessment, existing controls and potential mitigation strategies.
Velocity
The speed at which a risk can materialize and impact an organization.