University of Illinois System

Enterprise Risk Management Glossary


Associate in Risk Management


A process effected by our Board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to identified risks. Actions or activities that minimize the frequency or severity of conditions or events that threaten the objectives of the enterprise (see also mitigation).

The effect upon the institution when a risk becomes a reality. An organization has no ability to directly manage a consequence, but it can manage the cause-based events that lead to the consequence.

Committee of Sponsoring Organizations of the Treadway Commission

Cost of Risk
The financial impact on an organization of undertaking activities with an uncertain outcome; the cost of managing risks and incurring losses.


Enterprise Risk Management (ERM)
An integrated approach to assessing and addressing all risks that threaten achievement of the organization's strategic objectives. The purpose of ERM is to understand, prioritize, and develop action plans to maximize benefits and mitigate top risks. The ERM framework enables management, working without silos, to collaboratively identify, assess, and manage future risks and opportunities individually and across the organization. Also known as holistic, strategic, or integrated risk management.


  • is central to an organization's strategic management
  • is focused on identifying and treating risks
  • adds maximum sustainable value to all activities
  • increases probability of success and minimizes probability of failure
  • is continuous; integrated with strategic planning and plan implementation
  • is integrated with organizational culture and led by senior management
  • assigns responsibility throughout the organization, in each job description

Enterprise-Wide Risk Assessment
Evaluation of primary risks based upon impact, likelihood, and control effectiveness that uses input from Risk Owners from across the University. 

An incident or occurrence, from sources internal or external to an entity that affects achievement of objectives.


Focused Risk Assessment
The focused risk assessment (FRA) serves as a follow-up to the enterprise-wide risk assessment. The Office of Enterprise Risk Management (ERM) collaborates with University leadership and Risk Assessment Leaders to determine which specific risks require in-depth analysis. FRAs are conducted through interviews, independent research, and formal reports.

A framework is a real or conceptual structure intended to serve as a support or guide for building something that extends the structure into something useful.


Institute of Internal Auditors

Insurance Institute of America

Immediate Response Strategies
Determined by the risk score (impact x likelihood). The scale describes five categories of risk and is used to assist Risk Owners in selecting an immediate response strategy.

Impact and Likelihood
Result or effect of a risk and the possibility that it will occur. There may be a range of possible impacts associated with an event. The impact can be financial and/or reputational. We use a scale of 1 to 5.

Inherent Risk
The risk to an entity in the absence of any actions management might take to alter either the risk's likelihood or impact.

Internal Environment
Encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which the organization operates.


Actions which reduce a risk or its consequences

Measuring the effectiveness and/or success of risk mitigation strategies.

The entirety of risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.


National Association of College and University Business Officers


The possibility that an event will occur and positively affect the achievement of objectives.


Public Risk Management Association

The likelihood that a risk will become a reality.

A set of linked tasks that are controlled by a common set of policies and procedures, and generate a common set of risks.


Residual Risk
The remaining risk after management has taken action to alter the risk's likelihood or impact.

Risk and Insurance Management Society

The chance of loss or gain; the possibility that an event affecting the achievement of an organization's mission or objectives will occur.

Risk Acceptance
The decision to accept the consequences, impact, and likelihood of a risk. No action is taken to affect risk likelihood or impact.

Risk Analysis
Identifying, describing and estimating risks, and developing a risk profile.

Risk Appetite
An organization's tolerance for risk; the amount of risk an organization is willing to accept in pursuit of its mission/vision.

Risk Assessment
The consideration of the extent to which potential events have an impact on achievement of objectives. Assessment is done from two perspectives: impact and likelihood. Includes positive and negative impacts of potential events.

Risk Assessment Tools
Instruments designed to assist employees in assessing and evaluating risks when making decisions.

Risk Avoidance
Avoiding the activities giving rise to risk.

Risk Center
Divisions, departments, or other groups having clear boundaries and risk exposure. Clusters used to separate and organize related risks.

Risk Control
The technique of minimizing the frequency or severity of losses by any number of means such as training, safety and security measures, a regulation, policy, or procedure.

Risk Description
The display of identified risks in a structured format, for example a table.

Risk Financing
The mechanisms for funding risk mitigation strategies and/or funding the financial consequences of risk (e.g., insurance).

Risk Identification
The qualitative determination of risks that are material; i.e., that potentially can impact the achievement of our objectives.

Risk Management Policy
An organization's written statement that sets out its appetite for risk and its approach to risk management.

Risk Mapping
The visual representation of risks (identified through a risk assessment exercise) in a way that easily allows ranking them by priority. This representation often takes the form of a two-dimensional grid with probability on one axis and impact on the other. The risks that fall in the high probability/high impact quadrant are given priority risk management attention.

Risk Mitigation
Actions which reduce a risk or its consequences (see Risk Strategies).

Risk Owner
A risk owner is the individual or unit that takes the lead in developing and executing a mitigation activity plan. The risk owner is also responsible for communicating progress to senior management.

Risk Portfolio
A list of risks identified and evaluated by an organization (also called Risk Register) that represents our portfolio of risks at a point in time.

Risk Prioritization
The ranking of material risks on an appropriate scale, such as frequency and/or severity (see also Risk Mapping).

Risk Profile or Risk Score
The use of a tool or system to rate and/or prioritize a series of risks. Risk Score = Impact x Likelihood.

Risk Reduction
Action is taken to reduce risk likelihood or impact, or both. Measures to reduce the frequency or severity of losses. May include engineering, fire protection, safety inspections, or claims management.

Risk Register
A listing of an organization's risks (also called Risk Portfolio).

Risk Response
Management selects risk responses (avoiding, accepting, reducing, or sharing risk) and develops a set of actions to align risks with the entity's risk tolerances and risk appetite.

Risk Reporting
Publishing information on risks to internal or external stakeholders.

Risk Sharing
Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk.

Risk Strategies (see Risk Mitigation)
Possible responses to risk situations: Avoidance, Acceptance, Sharing, Reduction.

Risk Tolerance
The acceptable variation relative to the achievement of an objective.

Risk Treatment
The process of selecting and implementing measures to modify the risk.


Describes divisions, departments or other groups and individuals in organizations that tend to act in isolation.


Traditional Risk Management
Original form of risk management focusing on insurable losses and/or specific functional areas of an organization.


University Risk Management and Insurance Association

Last Updated: March 6, 2020