Risk Management Glossary of Terms

Consequence

Outcome of event affecting objectives.
Note: an event can lead to a range of consequences. 1

Control

Measure that is modifying risk.
Note 1: Controls include any processes, policy, device, practice or other actions which modify risk.
Note 2: Controls may not always exert the intended or assumed modifying effect. 1

Event

Occurrence or change of a particular set of circumstances.  

Note 1: An event can be one or more occurrences and can have several causes.
Note 2: An event can consist of something not happening.
Note 3: An event can sometimes be referred to as an “incident” or an “accident.” 1

Hazard

Source of potential harm.
Note: "Hazard" can be a "risk source".
Hazard means a situation or thing that has the potential to harm a person. Hazards at work may include: noisy machinery, a moving forklift, chemicals, electricity, working at heights, a repetitive job, bullying and violence at the workplace. 1

Inherent Risk

The current or original risk rating which considers current controls prior to the addition of risk treatments.

Level of Risk

Magnitude of a risk or combination of risks expressed in terms of the combination of consequences and their likelihood. 1

Likelihood

Chance of something happening. 1

Residual Risk

Risk remaining after risk treatment.
Note: Residual risk can be known as “retained risk”. 1

Risk

Effect of uncertainty on objectives. 1

Risk Appetite

Amount and type of risk that an organisation is willing to pursue or retain. 1

Risk Control Effectiveness Rating

This is a measure that defines how effectively the risk management controls are managing the risk.
Additionally, this rating is used to measure how effective further risk treatments have been in addressing the shortcomings of current controls when the current control had been rated as “room for improvement” or “inadequate.”

The measurements used are:

  • Adequate: Nothing more to be done except review and monitor the existing controls. Controls are well designed for the risk, are largely preventative and address the root causes, and Management believes that they are effective and reliable at all times. Reactive controls only support preventative controls.
  • Room for improvement: Most controls are designed correctly and are in place and effective; however, there are some controls that are either not correctly designed or are not very effective. There may be an over-reliance on reactive controls. Some more work to be done to improve operating effectiveness, or Management has doubts about operational effectiveness and reliability.
  • Inadequate: Significant control gaps or no credible control. Either controls do not treat root causes or they do not operate at all effectively. Controls, if they exist, are just reactive. Management has no confidence that any degree of control is being achieved due to poor control design and/or very limited operational effectiveness.

Risk Description

Structured statement of risk usually containing four elements: sources, events, causes and consequences. 1

Risk Identification

Process of finding, recognising and describing risks. 1

Risk Matrix

Tool for ranking and displaying risks by defining ranges for consequence and likelihood. 1

Risk Owner

Person or entity with the accountability and authority to manage risk.
In the ACT Government context this is the officer/manager who has the authority to manage the risk.

Risk Profile

Description of any set of risks.
Note: the set of risks can contain those that relate to the whole organisation, part of the organisation, or as otherwise defined. 1

Risk Register

Documented record of information about identified risks. 1

Risk Source

Element which alone or in combination has the intrinsic potential to give rise to risk. 1

Risk Treatment

Process to modify risk.
Note: Risk treatment can involve:

- Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
- Taking or increasing risk in order to pursue an opportunity;
- Removing the risk source;
- Changing the likelihood;
- Changing the consequence;
- Sharing the risk with another party or parties (including contracts and risk financing); and
- Retaining the risk by informed decision.

In Work Health and Safety, risk treatment is defined as "risk control" and means taking action to eliminate health and safety risks so far as is reasonably practicable, and if that is not possible, minimising the risks so far as is reasonably practicable. Eliminating a hazard will also eliminate any risks associated with that hazard. 2

Risk Treatment Owner

The officer/manager responsible for managing the treatment of risks. This includes ensuring that the treatment strategy outlined is implemented and is doing what it was designed to do – manage the risk.
The risk treatment owner is not always the risk owner, although in some cases they will be.


Bibliography

1 - ISO Guide 73:2009 - Risk management - Vocabulary

2 - Work Health and Safety (How to Manage Work Health and Safety Risks) Code of Practice 2011

