The remaining risk after management has taken action to alter the risk's likelihood or impact.

In common usage, the chance that an event will have a downside.

For RiskOnBoard, we use the term specifically to represent the mathematical product of the likelihood of an event multiplied by the impact of the event. If we bet $1 on the flip of a coin, the mathematical risk is $0.50 - (50% * $1). We use the terms likelihood and impact to refer to the components of risk.

See also Security Risk Methodology

No action is taken to affect risk likelihood or impact.

Organization’s approach to assess and eventually pursue, retain, take or turn away from risk.

Avoiding the activities giving rise to risk.

See 'Establishing the Risk Context'.

Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.

Statement of the overall intentions and direction of an organization related to risk management.

The act of lessening the impact of a risk. Specific risks can be understood in terms of their likelihood or their impact. Mitigation may reduce either of these dimensions.

Mitigation may or may not reduce a risk to zero.

Person or entity with the accountability and authority to manage a risk.

A single filterable, analyzable compilation of all (or all the major) risks facing an enterprise. One of the core processes involved in ERM - Enterprise Risk Management.

Not to be confused with Portfolio Risk.

Description of any set of risks.
NOTE The set of risks can contain those that relate to the whole organization, part of the organization, or as otherwise defined.

Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk.

A subtle and advanced yet critical concept in Enterprise Risk Management.

Risk tolerance explicitly documents an organization's desire to tolerate certain risks. For example, the risk of death in coal mining companies is typically non-zero; the risk of fraud in companies is certainly non-zero. The extent of measures to mitigate these risks will be a function of the enterprises risk tolerance. A mining company with high tolerance for deaths will take few steps, one with low tolerance many precautions.

See also risk mitigation.