How to Run a Risk Voting Workshop
Risk voting is an easy and powerful way to increase executive engagement in your ERM program and generate more value
A practical, plain-language definition of terms from an enterprise risk management (ERM) perspective
The following is a summary of key terms often used in the field of risk management. Definitions can vary by sector and by use case. The purpose of this glossary is to provide a practical, plain-language definition of terms from an enterprise risk management (ERM) perspective.
Annualized Loss Expectancy (ALE) - A term used in quantitative risk analysis; it is the amount of loss that is expected to occur from a specific risk event within a one-year time period. It is calculated as the expected loss for a single event, multiplied by the number of times per year that the event is expected to occur. For example, if an event will cost $500,000 per event and it is expected to occur 3 times per year, the ALE would be $500,000 x 3 = $1,500,000. If instead, the event is expected to occur every 2 years, the ALE would be $500,000 x ( ½ ) = $250,000.
Appetite - See the definition for Risk Appetite, along with our background article on risk appetite and our 7-step guide for incorporating risk appetite frameworks into enterprise risk management programs.
Assurance - A term used to communicate confidence, or the level of confidence, that an organization has in its risk mitigations. It is sometimes referred to as a measure of control effectiveness.
Audit - In enterprise risk management terms, an audit is the process that an organization tests the effectiveness of its risk controls to provide a measure of assurance and to identify areas for improvement. It is typically performed by a group separate from the group rating and managing risks and can be an internal team (internal audit) or an external service provider (external audit). Audits often consist of reviews of risk mitigation processes and sample testing of controls to ensure they are working as expected.
Black Swan Event - Black swan events are a risk events that are far outside of what is normally expected and have potentially severe consequences. Black swan events are typically characterized by their extreme rarity, their severe impact, and the widespread belief that they are unpredictable and therefore impossible to plan for. In financial markets, it has been shown that standard forecasting tools can both fail to predict and potentially increase vulnerability to black swans by propagating risk and offering false security. From an ERM perspective, it is possible and prudent to plan for black swan events. Scenario planning that includes both pre-and post-event mitigations (e.g. bowtie analysis), as well as KRI-based early warning systems can be particularly helpful.
Bow Tie - A risk bow tie is a diagram that helps to visualize a risk event, along with its root causes, consequences and risk mitigations. It gets its name from the bow tie shape that is created by the diagram. Risk bow ties started in the hazard management sector but have gained strong popularity in recent years in ERM programs. Executives and managers find them helpful because they communicate the information surrounding a risk in a single easy-to-understand picture. Bow tie diagrams easily display multiple scenarios together and help highlight the difference between proactive and reactive risk management steps. Please see our article on risk bow tie diagrams and how to build them (including sample templates).
Capital Asset Pricing Model - The Capital Asset Pricing Model predicts the rate of return for an equity security. The pricing is defacto the sum of a risk free rate plus an equity element multiplied by beta (which is a measure of risk or volatility). The model implies that equity returns are positively correlated with volatility or risk.
Consequence - In enterprise risk management terms, this represents the objective or subjective impact that the organization will incur if a particular risk event materializes. Examples could include financial loss, loss of market share, physical injury or death, loss of consumer confidence, reputational damage, regulatory penalties and more. It is a primary component of risk bow tie diagrams.
COSO - COSO stands for the “Committee of Sponsoring Organizations of the Treadway Commission.” It was initially organized by five major U.S. professional associations and includes included representatives from industry, public accounting, investment firms, and the New York Stock Exchange. COSO provides thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
COSO’s guidance on enterprise risk management has become one of the leading frameworks used to design and manage ERM programs. Along with the ISO 31000 standard, COSO’s “Enterprise Risk Management—Integrating with Strategy and Performance (2017)” , is considered state-of-the-art guidance for modern, effective ERM programs.
Control - In enterprise risk management terms, control refers to the processes put in place by management that seek to reduce the likelihood of risk events occurring and/or their impact should risk events materialize. In ERM terms, risk controls are sometimes also referred to as risk mitigations. While some practitioners will differentiate between the terms, in our experience the differences do not provide practical benefits and the terms controls and mitigations can be used interchangeably.
Control Effectiveness - A rating of how well risk mitigations are expected to reduce the impact and/or likelihood of an associated risk event. For example, a high control effectiveness indicates that the controls should significantly reduce the negative outcomes associated with a risk. Control effectiveness is typically rated on a 1 to 5 scale (from “none” to “fully effective”) and is often the subject of audit and simulation activities to verify that controls are in place and functioning as expected.
Cost of Risk - A measure of the cost of managing risks and incurring losses. Total cost of risk is the sum of all aspects of an organization's operations that relate to risk, including retained (uninsured) losses and related loss adjustment expenses, risk control costs, transfer costs, and administrative costs.
Credit Risk - Relates to the risk that an organization will incur losses due to the default or downgrade of a counterparty (e.g., customer, investee , swap counterparty. As an example if a customer does not pay an account receivable this would represent a crystallized credit risk. In order to limit customer credit risk companies usually go through a variety of processes including, the development of credit risk policies, up front credit checks on new clients and regular review of aged accounts receivable
Enterprise Risk Management (ERM) - Enterprise risk management (ERM) is the process by which the board and management of an organization identify and manage risks to the organization, its strategic objectives and its stakeholders. ERM shares common perspectives with other risk management disciplines. What sets ERM apart, however, is that it focuses on risks that could interfere with an organization’s strategy and or that emerge from the pursuit of the business strategy.
The ERM process typically involves board members, senior executives and business unit leaders. Risks identified and managed through the ERM process will generally apply to the organization overall and will include forward looking risks related to business disruption, market shifts, regulatory changes and more. As such, ERM is considered a component of corporate governance, strategic planning and strategic execution.
ERM is a complementary process to other more specific forms of risk management (e.g. cyber security, incident management, project risk, financial risk, etc.). It is common for these specific risk processes to be rolled up and summarized in one or more risk entries within the overall ERM program.
Essential ERM - A secure, web-based software application developed and hosted by us, that helps clients around the world to automate and improve the enterprise risk management process.
Essential ERM is unique in that it is purpose-built for enterprise risk management and for use by executives. It can function as a standalone ERM tool and does not require other platforms or modules to operate. We have removed many of the unnecessary features that complicate ERM programs. The system is intuitive and easy-to-use for executives. It also includes several visual features that simplify and unlock the value from ERM concepts such as risk appetite, risk-based strategy, bow tie visualization, key risk indicators, risk trending, scenario analysis and more.
ERM Software - Software systems used to automate ERM processes, including data gathering, risk monitoring, analysis and reporting. There are three broad categories of software tools used to facilitate ERM programs: manual tools like spreadsheets and presentation documents, large integrated GRC suites and purpose-built ERM tools like the Essential ERM system. The pros and cons of each approach are described in this article on ERM tools and this article on why ERM programs fail.
Fourth Party Risk - Similar to third party risk, fourth party risk also refers to risk that arises from a firm’s dealings with external parties. Whereas third party risk arises from the firm’s direct interactions with external parties (e.g. suppliers, vendors, agents etc.), fourth party risk arises from the relationships that those third parties have with other organizations. A common example would be a third-party vendor using technology outsourcers or contractors. The primary difference between third party and fourth party risk is that in the case of third-party risk, there is often a contractual relationship between an organization and its third parties, whereas an organization will not typically have a contract with its fourth parties. Organizations will typically rely on their contracts with third parties to include language that covers the third parties’ dealings with external organizations.
GRC - An acronym that stands for governance, risk and compliance. It is sometimes used to denote a business area that oversees these functions. It is also often used to describe software systems that integrate functions of governance, risk management and compliance management into a single platform. Many of these systems have grown out of compliance functions detailed compliance management remains their primary focus. See our article on enterprise risk management tools for more information.
Hazard - The meaning of hazard can be confusing in an ERM context. The word has many meanings and has a wide variety of uses by risk practitioners. Some view hazard as a danger or a risk and will use the term interchangeably with risk. Others view it analogous to a threat or root cause, that can potentially contribute to or trigger a risk event.
Most commonly, however, a hazard is typically thought of a potential source of harm to employees, customers or other persons interacting with an organization. It is closely related to the practices of incident management and hazard management, which seek to oversee processes and materials to reduce harm and to provide appropriate response when needed.
Health and Safety Risk - Risk that relates to the safety and health of employees, customers, suppliers and other individuals who interact with the organization.
Heat Map - In enterprise risk management, a heat map is a visual grid that plots the potential impact of an event against the likelihood of it occurring. The purpose of a heat map is to convey the organization’s overall risk profile at a point in time.
Heat maps are represented in a 5 x 5 matrix that results in a 25-square grid. The heat map gets its name from the colors (variants of green, yellow red) that are used to colour each of the grid squares. Individual risks or summarized categories are plotted on the heat map based on their likelihood and impact scores.
Impact - The objective or subjective effect of a specific risk event occurring. In an ERM context, it is one of the two primary axes of a heat map and one of the two factors used to generate a risk score (along with likelihood). It is typically assessed using a 1 – 5 scale (ranging from “insignificant” to “extreme”). Additional quantitative measures, such as potential loss amounts, may be associated with impact levels e.g. impact level 5 equates to a US$500,000 loss.
Incident - An event that could lead to loss of, or disruption to, an organization's operations, services or functions. It is typically thought of a risk event that has actually occurred. An event may be described as a risk while there is uncertainty of it occurring. Once it has happened, it is termed an incident. The practice of incident management identifies and tracks incidents in order to decrease and respond better to incidents in the future. The number of incidents that occur during a given timeframe may be key risk indicators for other enterprise risks.
Inherent Risk - The rating of risk before the effects of any risk mitigation steps have been considered. It represents the level of risk that would be faced if the organization were to accept the risk without taking any steps to mitigate it. It is usually calculated as the product of inherent likelihood times the inherent impact of an event. Inherent risk is generally rated higher than residual risk, which is the rating of a risk after risk mitigations have been taken into account.
Integrated Risk Management (IRM) - The Treasury Board of Canada Secretariat defines IRM as “a continuous, proactive, systematic approach to identifying, assessing, understanding, acting on, and communicating risk from an organization-wide, aggregate perspective.” IRM is typically viewed as synonymous with enterprise risk management (ERM), although some practitioners prefer the term IRM to emphasize that the discipline is pulling together risk management practices from across an organization into a unified framework. Our view is that it is somewhat of an artificial distinction and you should not get too hung up on the jargon. We use the term ERM in our materials and software systems.
ISO 31000 (ISO 31000:2009) - ISO 31000 refers to a risk management standard that was published in November 2009 by the International Organization for Standardization (ISO). It provides a concise set of principles and high-level guidelines for risk management. Along with the COSO framework, ISO 31000 has become a recognized paradigm to guide enterprise risk management. The ISO 31000 standard provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization. It focuses on co-existing with current risk management practices and integrating them into a common enterprise framework. While the ISO 31000 standard and COSO framework share common principles, ISO 31000 is notable for its additional focus the relationship between risk and opportunities. ISO 31000 defines risk as “the effect of uncertainty on objectives.” By this definition, risks can have both positive and negative effects. See our article on risk appetite frameworks for additional background on the link between risk and opportunity.
Key Risk Indicators (KRIs) - These are empirical metrics that indicate that a risk event may happen in the near future (leading indicator) or that a risk event has already occurred (trailing or lagging indicator). For example, if a company has a large portfolio of variable interest rate debt then it has market risk related to interest rates. A key risk leading indicator in this case may be several domestic central bank interest rate increases, interest rate increases in other countries. In another example, imagine that a firm is concerned that it’s customer service levels and customer satisfaction levels are decreasing due to changes made in its operations. Lagging indicators could include metrics as number of complaints to the office of the President, number of negative social media mentions, increased support ticket rates, customer satisfaction scores and more. Both leading and lagging risk indicators allow risk managers to identify changing risk profiles faster, so that management teams and boards can take corrective action more quickly. This is an area where ERM automation software can be of great assistance, as manual KRI tracking is typically not feasible.
Likelihood - The probability of a specific risk event occurring. In an ERM context, it is one of the two primary axes of a heat map and one of the two factors used to generate a risk score (along with impact). It is typically assessed using a 1 – 5 scale (ranging from “rare” to “almost certain”). Additional quantitative measures, such as percentage of occurrence amounts, may be associated with likelihood levels.
Liquidity Risk - Exposure to adverse impacts stemming from the mismatch of cash inflows and outflows. The risk crystallizes where an organization is at least temporarily unable to meet its payment obligations as they come due.
Market Risk - The risk that a company may experience losses due to external market drivers such as interest rates or foreign currency rates. If a company has a large portfolio of variable interest rate debt then it has market risk related to interest rates. In this case a company may seek to limit its risk by purchasing swaps which would partially or completely offset any market driven losses.
Mitigation - In enterprise risk management terms, mitigation typically refers to the processes put in place by management that seek to reduce the likelihood of risk events occurring and/or their impact should risk events materialize. In ERM terms, risk mitigations are sometimes also referred to as risk controls. While some practitioners will differentiate between the terms, in our experience the differences do not provide practical benefits and the terms mitigations and controls can be used interchangeably.
Modern Portfolio Theory - Modern portfolio theory was first put forward in 1952 by Harry Markowitz in his paper "Portfolio Selection," published in the Journal of Finance. Since then, it has had a tremendous impact on current day thinking around financial portfolio management. One of the core concepts of the theory is that risk is an inherent part of higher reward. According to the theory, it's possible to construct an "efficient frontier" of optimal portfolios offering the maximum possible expected return for a given level of risk. A key takeaway for enterprise risk management is the concept that risk and opportunity are intertwined, as discussed further in our overview of key concepts for risk appetite.
Monte Carlo Simulation - A broad class of computational algorithms that rely on repeated random sampling to obtain numerical results. The core concept is to use randomness to provide many alternative solutions to a problem. The solutions can then be reviewed in detail identify of underlying trends or relationships.
Operationalize - In the context of enterprise risk programs, operationalize means to put the process into everyday use. In practical terms, this means distributing ERM processes into functional business units, such that business unit leaders are managing their own risk portfolios and using ERM concepts within their decision-making processes. It also usually involves the inclusion of ERM metrics and dashboards into regular operational, strategic and board review activities. The primary goals of these activities are to embed ERM best practices into daily operations and to make ERM an continuous value-generating process (versus and annual “check box” activity).
Operational Risk - This is the risk driven by exposure to uncertainty arising from daily tactical business activities. An example of an operational risk is the failure to provide financial statements to the Board for their review. Another operational risk is the risk that the organization incurs a cybersecurity incident.
Post-Event Mitigation - Inevitably, some risks will materialize into actual events for all organizations. Post-event mitigations are activities and measures that an organization uses in response to a risk event, in order to lessen the impact of a risk event and/or recover to a desired state more quickly. Insurance is a traditional form of post-event mitigation. An insurance policy does not stop a risk event from occurring but can help lessen the financial impact after the fact. In an operations example, a cyber-incident response plan is a post-event mitigation for a cyber breach risk event. In a financial example, if a company has a large portfolio of variable interest rate debt then it has market risk related to interest rates. If there is a sudden material increase in interest rates, the company will start to incur losses due to increased interest expense. A potential post-event mitigation would be to either switch from variable to fixed debt or enter into swap agreements to offset the potential volatility for future periods. Post-event mitigations are a primary component of risk bow tie diagrams.
Pre-Event Mitigation - Pre-event mitigations are measures and activities that have been put in place to lessen the negative consequences of a risk event before it occurs. Pre-event mitigations focus on lessening the likelihood that a risk event will occur. For example, an organization concerned about the risk of a service outage at an important data centre caused by a power outage may choose to implement a redundant power source as a proactive preventative measure. Pre-event mitigations are a primary component of risk bow tie diagrams.
Quantitative Risk Assessment - An approach to risk assessment that focuses on factual and numerical data, along with mathematical analysis methods, in order to reduce bias and produce a more accurate measure of risk. Impact rating may be based on the specific losses that would be occurred from a risk event and probability may be derived from past incidents or other measurable key risk indicators. A simple model for quantitative risk assessment is included in our guide of 7 steps to implementing risk appetitive. More sophisticated approaches include calculations for Annualized Loss Expectancy, Modern Portfolio Theory, Value at Risk, Monte Carlo Simulation and more.
Residual Risk - The rating of risk after the beneficial effects of risk mitigations have been considered. It represents the net level of risk facing organization after risk controls. Because risk mitigations can moderate both the impact and likelihood of a risk event, residual risk is usually calculated as the product of residual likelihood times the residual impact of an event. Residual risk differs from inherent risk, which is the gross risk facing the organization before considering the moderating effects of risk mitigations.
Risk - There are many different definitions and interpretations of the word risk. Most dictionaries describe risk as some form of exposure to danger, harm or loss. This concept was carried into early enterprise risk management models, which characterized risk as something bad that should be minimized. In contrast, a modern enterprise risk management programs view risk as “the effect of uncertainty on objectives.” Uncertainty can affect objectives in negative and positive ways and risk in itself not inherently bad. For example, risk and opportunity are closely interrelated, as discussed in our article providing an overview or risk appetite frameworks.
Risk Appetite - A description of the amount and types of risk that an organization wishes to take in order to achieve its desired objectives. It usually starts with a broadly written organizational-wide statement and then provides a series of more refined statements for certain situations (usually done by risk category). It is expressed in terms of residual risk levels (after considering the effects of risk mitigations). It can be qualitative, quantitative, or a mix of both.
Risk Appetite Framework - The overall approach, including policies, processes, controls, and systems through which risk appetite is established, communicated, and monitored within an organization. It includes an overall risk appetite statement that is usually followed by a series of more specific statements for certain situations (usually by risk category). It also includes roles and responsibilities of establishing and monitoring of the risk appetite framework. The risk appetite framework should align closely with the organization’s strategy.
Risk Capacity -- In enterprise risk management terms, risk capacity usually refers to the total amount of risk that organization can bear without imperilling it critical objectives or corporate viability. This is typically an amount higher than the upper risk thresholds that are set within the risk appetite framework. Risk capacity can be both quantitative and qualitative and is often used to describe financial thresholds e.g. the maximum financial loss in dollar terms that can be absorbed or the maximum capital that can be exposed. Risk capacity is sometimes used as a synonym for risk tolerance and note that it can have a different meaning in investment management, where it represents the amount of risk an organization or individual requires to meet their investment goals.
Risk Profile - In enterprise risk management terms, risk profile usually refers to a summary of the top risks facing an organization i.e. the aggregate level of residual risk across the ERM program. It is used as a baseline or barometer of total enterprise risk. Historically, risk profile was communicated in risk-centric views, such as excerpts from a risk register or a classic heat map. In recent years, risk profiles have evolved to be presented in objective-centric views, which identify the organization’s top strategic objectives and their associated levels of risk (and upside benefits).
Risk Register - A summary listing of the organization’s risks, along with their ratings (scores or risk levels) and a summary of the actions being taken in response to the risk. Risk registers used in enterprise risk management are unique in that they tend to focus on a relatively small number of strategic or enterprise-wide risks. These enterprise risks are monitored and reported on to the executive team and board of directors on a regular basis. Enterprise risk registers may incorporate summary information from more granular departmental risk registers. It is common for enterprise risk registers to have 15-20 risks in total, whereas the total of all risks from departmental registers can be in the dozens or even hundreds of risks. Risk registers are a useful starting point, however, they provide more business value when paired with risk appetite thresholds and a mapping of risks to strategic objectives.
Risk Tolerance - We do not use the term risk tolerance in our models or our Essential ERM system because there are several interpretations of the term and no clear consensus on its use. Risk tolerance may be used as a synonym for risk appetite or a synonym for risk capacity. Still others use it in a more granular fashion to track and monitor variances against key risk indicators.
Risk Transfer - In enterprise risk terms, risk transfer is a risk treatment approach that uses legal contracts to shift residual risk from one party to another. One example is the purchase of an insurance policy, by which a specified risk of loss is passed from the policyholder to the insurer.
Risk Treatment - In enterprise risk management terms, risk treatment refers to the strategies and steps taken to reduce, remove, avoid, transfer or otherwise alter the level of a risk. Treatment options can involve deploying additional proactive and reactive risk mitigations, signing legal agreements to transfer a portion of risk to a third party, or deciding to cease activities which could lead to the risk. Risk treatment approaches are taken in order to bring risk levels in line with the desired risk thresholds set by the board of directors and executive team in the organization’s risk appetite. The final approach to risk treatment is risk acceptance, which typically occurs once mitigations have been applied and a management team agreed to accept the remaining level of residual risk.
Risk Velocity - The speed at which a risk is expected to emerge from root causes, crystallize into an actual risk event and then translate into consequences. Risk velocity can also be thought of as Time to Impact. Some ERM practitioners use risk velocity as an additional variable to assess risks, in addition to likelihood and impact. For example, two serious risks may have the same rating of likelihood and impact, but one risk may occur and lead to consequences immediately, whereas the other develops slowly over a period of months or years. The risk with high velocity is likely to be managed with more intense controls, including the monitoring of leading key risk indicators. Common examples of high velocity risks are cyber security breaches, industrial accidents and public relations problems. Sample low velocity risks are changing market preferences and customer behaviours, political shifts, and regulatory changes. It is important to note, however, that what often separates high and low velocity risks is an organization’s ability to detect and react to changing conditions. Risk events that strike suddenly have often been building undetected for long periods of time. Risk analysis using the bow tie model and the use of key risk indicators to monitor root causes and control effectiveness can be helpful in avoiding sudden risk events.
Risk Workshop - A collaborative working session that is used within the enterprise risk management process for a variety of purposes, including:
• Review, prioritization and scoring of key risks (including risk voting sessions)• Review of key risks affecting business strategy• Developing and approving risk appetite statements• Developing a consistent view regarding the effectiveness of organizational controls.
Workshops help participants to gain a deeper understanding of business operations, objectives and challenges and an enhanced ability to make risk-adjusted decisions when they return to their functional units.
Root Cause - In enterprise risk management terms, a root cause is a preceding event or condition that triggers or otherwise leads to the occurrence of a risk event. Root causes are a core component of risk bow tie diagrams and are used in root cause analysis to proactively identify and mitigate risk drivers before they trigger risk events.
Root Cause Analysis -A practice that seeks to identify and mitigate root causes before they trigger or contribute to risk events. Mitigating at a root cause level is a form of proactive risk management. It also can be a more efficient approach to risk management, as many risks may share a common root cause and preventing a risk event is often much less expensive that mitigating its impact once it has occurred. Root cause analysis is made easier through visual approaches, such as bow tie diagrams, and through ERM software tools with built-in root cause analysis, including the Essential ERM system.
SaaS - SaaS is an acronym for software-as-a-service. It is a delivery mechanism for software whereby functionality is provided through a subscription to an online service, rather than being bought and installed on individual computers. SaaS applications are hosted centrally by the vendor and accounts are provisioned for client organizations, with users accessing the software functionality through their browsers. SaaS delivery methods have become popular for many reasons. First, there is nothing for client organizations to install or support in their internal environment. Second, SaaS applications never become obsolete because they are continuously updated centrally by the vendor. Third, SaaS applications often provide an increased level of security. While there are additional risks raised by using an online tool hosted by a third party, many SaaS vendors provide a level of security measures that is higher than what individual (and typically smaller) organizations can maintain. Fourth, SaaS solutions often have more flexible and transparent pricing models, allowing users to minimize their up-front commitment until they have proven the viability of the solution and generated a return on their initial investment. Finally, SaaS solutions allow organizations to treat expenditures as operating expenses instead of capital expenditures, which can be beneficial in many situations. One perceived downside of SaaS solutions is that fees are ongoing (versus an up-front purchase that can be used for many years), however, in most cases, an estimate of the total cost of ownership (including installation, maintenance, hardware, hosting, internal support, upgrades, security etc.) will show SaaS solutions to be more economical in the long run as well. It is far more efficient for a software application to be supported once centrally than in hundreds or thousands of individual client organizations, and those cost savings are eventually passed on to users.
Strategic Risk - Strategic risk Exposure to uncertainty arising from long-term business planning and execution. For example, strategic risk might arise from making poor business decisions (or failing to make decisions), from the substandard execution of decisions, from inadequate resource allocation, or from a failure to respond well to changes in the business environment. Strategic risk is often a primary risk category within enterprise risk management programs, including risks related to reputation, brand, business model, economic trends and competition.
Stress Testing - Stress testing is a simulation technique often used in the banking industry. Stress testing is also used on asset and liability portfolios to determine their reactions to different financial situations. Additionally, stress tests are used to gauge how certain stressors will affect a company, industry or specific portfolio. Stress testing It became a regulatory requirement in the financial services industry due to the 2010 U.S. Dodd-Frank Act in response to the 2008 financial crisis. Stress tests are usually computer-generated simulation models that test hypothetical scenarios.
Third Party Risk - The risk that an organization faces as a result of its interactions with external entities, including suppliers, vendors, contract manufacturers, business partners and affiliates, brokers, distributors, resellers, and agents. Third parties can be both “upstream” (suppliers and vendors) and “downstream”, (distributors and re-sellers), as well as non-contractual parties. Third party risk management has become a regulatory requirement in many sectors and the legal frameworks in Europe, Canada and the United States are starting to incorporate the concept that organizations can have a legal responsibility for the actions of their suppliers (e.g. with regards to data protection and cyber security). Some risk practitioners use the term fourth party risk to refer to the risk that arises from the relationships that third parties have with other organizations (e.g. a third-party vendor using a technology outsourcer or contractor). Many third-party risk management programs are being expanded to include the concept of fourth party risk.
Value at Risk (VaR) - Value at Risk is a quantitative risk measurement technique that is used to estimate the risk of a financial investment. It is a statistical technique that measures the amount of potential loss that could happen in a portfolio of investment over a period of time. Value at Risk gives the probability of losing more than a given amount on a given portfolio over a period of time. Value at risk is commonly used by financial institutions to provide a quantified estimate of potential downside of an investment or portfolio.