Enterprise Risk Management (ERM) Terminology

Heat Map
A visual representation of each risk’s likelihood and severity scores.

Impact
The numeric rating of the financial, operational or reputational severity that results from a risk event occurring with existing controls.

Likelihood
A numeric rating of how likely the risk is to occur with existing controls.

The effectiveness of controls (e.g., training, testing, business continuity) currently in place to address an identified risk.

Risk
The potential for an event or circumstance to have an impact on the achievement of an organization’s objectives.

Risk Appetite
The level of risk an organization is willing to accept in pursuit of its objectives.

Risk Assessment
The process of evaluating the likelihood and potential impact of identified risks.

Risk Champion
A risk champion is the executive-level leader who provides oversight and guidance within a specific risk area. The role of the risk champion is to support risk owners in the execution of proposed risk mitigation strategies. The risk champion should be an individual with the authority to intervene when risk management efforts are being hampered.

Risk Mitigation and Response
The actions taken to address identified risks, including accepting, transferring, mitigating or avoiding them.

Risk Monitoring
The ongoing process of tracking and evaluating identified risks, as well as the effectiveness of risk management strategies.

Risk Owner
A risk owner is the individual who is ultimately accountable for the management and mitigation of an enterprise risk. With the assistance of the Ethics and Compliance Office, risk owners develop and implement strategies to address concerns raised within a specific risk area. Risk owners serve as the point of contact for the Ethics and Compliance Office in measuring and monitoring the effectiveness of a risk mitigation strategy.

Subject Matter Expert (SME)
A subject matter expert is an individual with specialized skills and/or knowledge in relation to the risk area. The job duties of the SME need not be specific to the risk area; however, the responsibilities and expertise of this individual should provide vital input regarding the assessment, existing controls and potential mitigation strategies.

A specific risk identified within an enterprise risk area.

The speed at which a risk can materialize and impact an organization.