Management of Risk Glossary of Terms - A - Z

This is an A-Z glossary of terms from Management of Risk (M_o_R). See also the glossaries for Agile projects, Managing Successful Programmes (MSP), PRINCE2 and ITIL.


Accept

A risk response that means that the organization takes the chance that the risk will occur, with full impact on objectives if it does.

Accounting Officer

A public sector role. Has personal responsibility for the propriety and regularity of the finances for which he or she is answerable; for the keeping of proper accounts; for prudent and economical administration; for avoidance of waste and extravagance; and for the efficient and effective use of resources. This brings with it a responsibility for governance issues, and includes custodianship of risk management and its adoption throughout the organization.

Audit committee

A body of independent directors who are responsible for monitoring the integrity of the company's financial statements, the effectiveness of the company's internal audit function, the external auditor's independence and objectivity, and the effectiveness of the audit process.


Benefit

The measurable improvement resulting from an outcome perceived as an advantage by one or more stakeholders.

Business case

The justification for an organizational activity (strategic, programme, project or operational) which typically contains costs, benefits, risks and timescales and against which continuing viability is tested.

Business change manager

The role responsible for benefits management, from identification through to realisation and ensuring the implementation and embedding of the new capabilities delivered by the projects. Typically allocated to more than one individual. Alternative title: change agent.

Business continuity management (BCM)

A holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience, with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. It covers the management of recovery or continuity in the event of a disaster, and the management of the overall process through training, rehearsals and reviews so that the business continuity plan stays current.

Business continuity plan (BCP)

A plan for the fast and efficient resumption of essential business operations by directing recovery actions of specified recovery teams.

Business risk

Failure to achieve business objectives or benefits.

Communications plan

A plan of the communications activities during the organizational activity (strategic, programme, project or operational) that will be established and maintained. Typically contains when, what, how and with whom information flows.

Contingency plan

A plan to be executed if a particular risk occurs in order to minimise the impact after the event.

Contingency planning

The process of identifying and planning appropriate responses to be taken when a risk actually occurs.

Corporate governance

The ongoing activity of maintaining a sound system of internal control by which the directors and officers of an organization ensure that effective management systems, including financial monitoring and control systems, have been put in place to protect assets, earnings capacity and the reputation of the organization.


CRAMM

A formalised security risk analysis and management methodology originally developed by CCTA (now part of the OGC) in collaboration with a number of private sector organizations.

Disaster recovery planning

A series of processes that focus on recovery processes, principally in response to physical disasters. This activity forms part of business continuity planning, not the totality.


Dis-benefit

Outcomes perceived as negative by one or more stakeholders. Dis-benefits are actual consequences of an activity, whereas, by definition, a risk has some uncertainty about whether it will materialise.


Enhancement

A risk response for an opportunity. Enhancement of an opportunity refers to both the realisation of an opportunity and achieving additional gains over and above the opportunity.

Expected value

Calculated by multiplying the average impact of a risk by the probability (expressed as a percentage) that it will occur.


Exploitation

A risk response for an opportunity. Exploitation refers to changing an activity's scope, suppliers or specification in order to achieve a beneficial outcome.

Gateway reviews

Independent assurance reviews that occur at key decision points within the lifecycle of a programme or project.

Horizon scanning

The systematic examination of potential threats, opportunities and likely future developments which are at the margins of current thinking and planning.


Impact

Impact is the result of a particular threat or opportunity actually occurring.

Inherent risk

The exposure arising from a specific risk before any action has been taken to manage it.


Issue

A relevant event that has happened, was not planned and requires management action. It could be a problem, query, concern, change request or risk that has occurred.

Issue actionee

A role or individual responsible for the management and control of all aspects of individual issues, including the implementation of the measures taken in respect of each issue.

Management of risk framework

Sets the context within which risks are managed, in terms of how they will be identified, assessed and controlled. It must be consistent and comprehensive, with processes that are embedded in management activities throughout the organization.

Maturity level

A well-defined evolutionary plateau towards achieving a mature process (five levels are often cited: initial, repeatable, defined, managed and optimising).

OGC Gateway Reviews™

Independent assurance reviews of major (high-risk) projects in the UK Government. They are mandatory, and occur at key decision points within the lifecycle of a project. See Office of Government Commerce for details.

Operational risk

Failure to achieve business/organizational objectives due to human error, system failures and inadequate procedure and controls.


Opportunity

An uncertain event that could have a favourable impact on objectives or benefits.


Outcome

The result of change, normally affecting real-world behaviour or circumstances. Outcomes are desired when a change is conceived. Outcomes are achieved as a result of the activities undertaken to effect the change.


Output

The tangible or intangible artefact produced, constructed or created as a result of a planned activity.

Overall Project Risk

"Overall project risk" is defined as "the effect of uncertainty on the project as a whole" (PMBOK Guide, p. 310).

This is in contrast to individual project risk, which is an "uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives."



Probability

The evaluated likelihood of a particular threat or opportunity actually happening, including a consideration of the frequency with which this may arise.


Product

An input or output, whether tangible or intangible, that can be described in advance, created and tested. Also known as an output or deliverable.

Programme

A temporary, flexible organization structure created to co-ordinate, direct and oversee the implementation of a set of related projects and activities in order to deliver outcomes and benefits related to the organization's strategic objectives. A programme is likely to have a life that spans several years.

Programme risk

Risk concerned with transforming high-level strategy into new ways of working to deliver benefits to the organization.


Project

A temporary organization that is created for the purpose of delivering one or more business products according to a specified business case.

Project risk

Project risks are those concerned with the successful completion of the project. Typically these risks include personal, technical, cost, schedule, resource, operational support, quality and supplier issues.

Proximity (of risk)

The time factor of risk, i.e. the occurrence of risks will be due at particular times, and the severity of their impact will vary depending on when they occur.

Quality assurance

Assurance that products will be fit for purpose or meet requirements.


Realisation

A risk response for an opportunity. The realisation of opportunities ensures that potential improvements to an organizational activity are delivered.


Reduction

A risk response for a threat. Proactive actions are taken to reduce:
  • The probability of the event occurring, by performing some form of control, or
  • The impact of the threat should it occur.


Removal

A risk response for a threat. Typically involves changing an aspect of the organizational activity, e.g. the scope, procurement route, supplier or sequence of activities.

Residual risk

The risk remaining after the risk response has been applied.


Retention

A risk response for a threat. A conscious and deliberate decision is taken to retain the threat, having discerned that it is more economical to do so than to attempt a risk response action. The threat should continue to be monitored to ensure that it remains tolerable.


Risk

An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives. A risk is measured by a combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives.

Risk actionee

Some actions may not be within the remit of the risk owner to control explicitly; in that situation there should be a nominated owner of the action to address the risk. He or she will need to keep the risk owner apprised of the situation.

Risk appetite

An organization's unique attitude towards risk taking, which in turn dictates the amount of risk that it considers acceptable.

Risk cause

A description of the source of the risk, i.e. the event or situation that gives rise to the risk.

Risk committee

A body of independent directors who are responsible for reviewing the company's internal control and risk management systems.

Risk effect

A description of the impact that the risk would have on the organizational activity should the risk materialise.

Risk estimation

The estimation of probability and impact of an individual risk, taking into account predetermined standards, target risk levels, interdependencies and other relevant factors.

Risk evaluation

The process of understanding the net effect of the identified threats and opportunities on an activity when aggregated together.

Risk event

A description of the area of uncertainty in terms of the threat or the opportunity.

Risk identification

Determination of what could pose a risk; a process to describe and list sources of risk (threats and opportunities).

Risk Log

See Risk Register.
Risk Management

Systematic application of principles, approach and processes to the tasks of identifying and assessing risks, and then planning and implementing risk responses.

Risk Management Strategy

Describes the goals of applying risk management to the activity, a description of the process that will be adopted, the roles and responsibilities, risk thresholds, the timing of risk management interventions, the deliverables, the tools and techniques that will be used and reporting requirements. It may also describe how the process will be coordinated with other management activities.

Risk Management Policy

A high-level statement showing how risk management will be handled throughout the organization.

Risk Management Process Guide

Describes the series of steps (from Identify through to Implement) and their respective associated activities, necessary to implement risk management.

Risk manager

A role or individual responsible for the implementation of risk management for each activity at each of the organizational levels.

Risk owner

A role or individual responsible for the management and control of all aspects of individual risks, including the implementation of the measures taken in respect of each risk.

Risk perception

The way in which a stakeholder views a risk, based on a set of values or concerns.

Risk potential assessment (RPA)

A standard set of high-level criteria against which the intrinsic characteristics and degree of difficulty of a proposed project are assessed. Used in the UK public sector to assess the criticality of projects and so determine the level of OGC Gateway Review required.

Risk profile

Describes the types of risk faced by an organization and its exposure to those risks.

Risk Register

A record of all identified risks relating to an initiative, including their status and history. Also called a Risk Log.

Risk response

Actions that may be taken to bring the situation to a level where the exposure to risk is acceptable to the organization. These responses fall into one of a number of risk response categories – see below.

Risk response category

For threats, the response categories are reduction, removal, transfer, retention and share. For opportunities, they are realisation, enhancement, exploitation and share. A category may be applied to one or more risks.

Risk tolerance

The threshold levels of risk exposure that, with appropriate approval, may be exceeded, but that when exceeded trigger some form of response (e.g. reporting the situation to senior management for action).

Risk tolerance line

A line drawn on the Summary Risk Profile. Risks that appear above this line cannot be accepted (lived with) without referring them to a higher authority. For a project, the Project Manager would refer these risks to the Senior responsible owner.

Senior responsible owner (SRO)

The single individual with overall responsibility for ensuring that a project or programme meets its objectives and delivers the projected benefits.

Severity of risk

The degree to which the risk could affect the situation.


Share

A risk response for a threat. Modern procurement methods commonly entail a form of risk sharing through the application of a pain/gain formula: both parties share the gain (within pre-agreed limits) if the cost is less than the cost plan, and share the pain (again within pre-agreed limits) if the cost plan is exceeded.


Sponsor

The main driving force behind a programme or project.

Sponsoring group

The main driving force behind a programme providing investment decisions and top-level endorsement of the rationale and objectives of the programme.


Stakeholder

Any individual, group or organization that can affect, be affected by, or perceive itself to be affected by, an initiative (programme, project, activity or risk).

Statement of internal control (SIC)

A narrative statement by the board of directors of a company disclosing that there is an ongoing process for the identification and management of significant risks faced by the company.

Strategic risk

Risk concerned with where the organization wants to go, how it plans to get there, and how it can ensure survival.

Summary Risk Profile

A simple mechanism to increase the visibility of risks. It is a graphical representation of information normally found on an existing Risk Register.
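The Expected value, Risk tolerance line, Summary Risk Profile and RAG status entries on this page describe one working mechanism: score each risk for probability and impact, plot it on a grid, and refer anything above the tolerance line to a higher authority. The Python below is an added worked example of that mechanism; it is not part of the AXELOS glossary or of any M_o_R product. The 1-5 scales, the probability and cost values behind each score, the position of the tolerance line and the red/amber/green mapping are all assumptions chosen for illustration, and the register entries are constructed.

```python
from dataclasses import dataclass

# Assumed 1-5 ordinal scoring scales. M_o_R leaves the scale values to the
# organization; these numbers are illustrative only.
PROBABILITY = {1: 0.1, 2: 0.3, 3: 0.5, 4: 0.7, 5: 0.9}          # score -> probability
AVERAGE_IMPACT = {1: 10_000, 2: 50_000, 3: 200_000,              # score -> average cost
                  4: 1_000_000, 5: 5_000_000}

# Assumed risk tolerance line: the highest impact score that may be accepted
# at each probability score without referring the risk upwards (to the SRO).
TOLERANCE_LINE = {1: 5, 2: 4, 3: 3, 4: 2, 5: 1}

SCORES = range(1, 6)


@dataclass(frozen=True)
class Risk:
    ident: str
    event: str         # the risk event (area of uncertainty)
    probability: int   # 1-5 score
    impact: int        # 1-5 score
    response: str      # chosen response category, e.g. "reduction"


def expected_value(risk: Risk) -> float:
    """Expected value: average impact multiplied by the probability of occurrence."""
    return PROBABILITY[risk.probability] * AVERAGE_IMPACT[risk.impact]


def above_tolerance_line(risk: Risk) -> bool:
    """True when the risk plots above the tolerance line and must be referred upwards."""
    return risk.impact > TOLERANCE_LINE[risk.probability]


def rag_status(risk: Risk) -> str:
    """RAG flag under an assumed mapping: red above the line, amber on it, green below."""
    limit = TOLERANCE_LINE[risk.probability]
    if risk.impact > limit:
        return "red"
    return "amber" if risk.impact == limit else "green"


def escalations(register: list[Risk]) -> list[str]:
    """Identifiers of the risks that cannot be accepted at the current level."""
    return sorted(r.ident for r in register if above_tolerance_line(r))


def summary_risk_profile(register: list[Risk]) -> str:
    """Text rendering of the Summary Risk Profile grid.

    Rows are impact scores 5..1 (top to bottom); columns are probability
    scores 1..5. Cells above the tolerance line are prefixed with '!'.
    """
    cells: dict[tuple[int, int], list[str]] = {(p, i): [] for p in SCORES for i in SCORES}
    for r in register:
        cells[(r.probability, r.impact)].append(r.ident)

    rows = ["impact / probability  " + "  ".join(f"{p:<8}" for p in SCORES)]
    for i in reversed(SCORES):
        parts = []
        for p in SCORES:
            mark = "!" if i > TOLERANCE_LINE[p] else " "
            label = ",".join(cells[(p, i)]) or "-"
            parts.append(f"{mark}{label:<7}")
        rows.append(f"{i:<21} " + "  ".join(parts))
    return "\n".join(rows)


# Constructed sample register (illustrative entries, not from the page).
REGISTER = [
    Risk("R1", "Identity provider migration slips past the go-live date", 3, 4, "transfer"),
    Risk("R2", "Backup restore never rehearsed before cut-over", 4, 5, "reduction"),
    Risk("R3", "Cosmetic defect in the management dashboard", 2, 1, "retention"),
    Risk("R4", "Loss of the primary data centre", 1, 5, "reduction"),
]

if __name__ == "__main__":
    for r in REGISTER:
        action = "REFER" if above_tolerance_line(r) else "accept"
        print(f"{r.ident} p={r.probability} i={r.impact} "
              f"EV={expected_value(r):>12,.0f} {rag_status(r):<5} {action}")
    print(summary_risk_profile(REGISTER))
```

Run as a script it prints each risk's expected value, RAG flag and whether it must be referred, followed by the grid. Changing TOLERANCE_LINE is the only edit needed to model a different risk appetite; the register entries themselves stay untouched, which is the point of keeping the line separate from the scores.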


Threat

An uncertain event that could have a negative impact on objectives or benefits.


Transfer

A risk response for a threat, whereby a third party takes on responsibility for an aspect of the threat.


BCM

Business continuity management


BCP

Business continuity plan


Business Continuity Planning Guide produced by UK government property advisers (now part of OGC)


BIA

Business Impact Analysis


BIR

Business Impact Review


BSI

British Standards Institution


CCTA

Central Computer and Telecommunications Agency, one of the organizations that was merged to form OGC


COTS

Commercial Off The Shelf


CPA

Critical path analysis


CPM

Critical path method


CRAMM

A risk analysis and management method developed by the UK government to protect IT systems and services


A risk assessment method standing for 'hazard and operability analysis, Risk Registers and databases'


HSE

Health and Safety Executive


Incident Control


ICAEW

Institute of Chartered Accountants in England and Wales


ILGRA

Interdepartmental Liaison Group for Risk Assessment, secretariat provided by HSE (Health and Safety Executive)


IS

Information System


IT

Information Technology


ITIL

The OGC IT Infrastructure Library, a set of guides on the management and provision of operational IT services


Lifecycle Costings


M_o_R

Management of Risk (the brand name for this guidance)


N/A

Not Applicable


NAO

National Audit Office (UK government body)


PERT

Programme Evaluation and Review Technique


PESTLE

Analysis of political, economic, social, technological, legal and environmental factors


PFI

Private Finance Initiative


PPM

Project Profile Model


PRINCE2

The standard UK government method for project management, which provides a process-based framework for setting up and controlling projects; the acronym stands for 'projects in controlled environments'


PSO

Programme or Project Support Office

RAG status

A flag used to indicate the status of a risk's exposure, denoted by colour: red, amber or green


ROCE

Return On Capital Employed


ROI

Return on investment


RPA

Risk Potential Assessment


SRO

Senior Responsible Owner


SRP

Summary Risk Profile


SWOT

Analysis of strengths, weaknesses, opportunities and threats within the given situation


Copyright © AXELOS Limited 2012. All rights reserved. Material is reproduced with the permission of AXELOS

A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Fifth Edition (Project Management Institute, 2013, p. 310).
