Application of Enterprise Risk Management at Airports
Appendix A: Definitions and Acronyms

Definitions

The following terms are used throughout this guidebook:

Audit: The process by which procedures and/or documentation are measured against pre-agreed standards.

Control: Any management action or intervention that reduces the frequency/probability of a risk occurring and/or reduces its impact if it does occur.

Enterprise risk management: A holistic approach and process to identify, prioritize, mitigate, manage, and monitor current and emerging risks in an integrated way across the breadth of the enterprise.

Enterprise risk management framework: A series of key components that collectively provide the ERM principles, concepts, processes, terminology, and direction for the delivery of effective ERM to enable the achievement of key strategic/operational objectives.

Extreme or catastrophic event: An event of immense proportions that has severe consequences, often damaging a large proportion of the organization's assets. A very rare event, which results in an extreme loss greater than an unexpected loss.

Financial impact: An operating expense that occurs following a risk event, which, as a result of the event, cannot be offset by income and directly affects the financial position of the organization. The realization of an unexpected financial loss. Following an opportunity event, the organization may realize a positive financial benefit.

Governance: The system by which organizations are directed and controlled. Boards of directors are responsible for the governance of their organizations. Governance includes the system and structure for defining policies, providing leadership, and managing and coordinating processes and resources to meet an organization's strategic goals.

Hazard: A source of potential harm or a situation with a potential to cause loss.

Health and safety: The process by which the well-being of all employees, contractors, visitors, and the public is safeguarded.

Inherent risk: The possibility, which cannot be managed or transferred away, that some human activity or natural event will have an adverse effect on the asset(s) of an organization. This is a risk to which an entity is exposed due to the nature of the environment in which it operates.
Key control indicator: An indicator that is used to help measure the effectiveness of mitigation measures. These indicators can be used to determine whether mitigation is effective and/or adequate.

Likelihood: A measurement of how often an event might occur and how probable it is that the event will occur. Likelihood is often used as a synonym for probability and frequency, especially in a qualitative context where a precise analytical calculation cannot be obtained. Likelihood (assessed as high, medium, or low) can be used in risk assessment as a proxy for probability to assist understanding of the more complex probability measure.

Loss: The negative effect of a risk event, which may be financial (such as loss of cash) or non-financial (such as loss of information or goodwill).

Mitigation: The action of reducing (if not eliminating) the frequency and/or impacts of a risk by use of controls, contingency, insurance, etc.

Opportunity: The positive effect of an event, which may be a financial gain or non-financial, such as enhanced goodwill.

Probability: The extent to which an event is likely to occur during a given period of time (it can be measured mathematically by the ratio of potential/actual events to the whole number of cases). Probability can be defined as how likely an event is to occur, expressed as a number between 0 and 1. A probability of 0 means the event will never occur, whereas a probability of 1 means that the event will always occur.

Qualitative assessment: A form of assessment that analyzes the general structures and systems currently in place. A descriptive methodology, which typically involves risk mapping and risk matrices. These assessments do not involve detailed measurements.

Quantitative assessment: A form of assessment that analyzes the actual numbers and values involved. This type of methodology typically applies mathematical and statistical techniques and modeling.
Residual risk: The amount of risk or level of risk impact after the existing control environment has been taken into account. Also referred to as net risk.

Risk: Risks are uncertain future events that may influence an organization's ability to achieve its objectives. The term "risk" can be used in three distinct applications:
• Risk as exposure: The most common definition of the term. Most people refer to potential negative events such as financial loss, fraud, lawsuits, or threats to meeting objectives as "risks." In this context, risk management means reducing the probability of a negative event without incurring excessive costs.
• Risk as uncertainty: The distribution of all possible outcomes, both positive and negative. In this context, risk management seeks to reduce the variance between anticipated outcomes and actual results.
• Risk as opportunity: This is implicit in the concept that a relationship exists between risk and return. The greater the risk, the greater the potential return, and, necessarily, the greater the potential for loss. In this context, managing risk means using techniques to maximize the upside of uncertainty within the constraints of a current operating environment.

Risk appetite: The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. Risk appetite reflects the enterprise's risk management philosophy and, in turn, influences the entity's culture and operating style.
Risk causes: A factor that makes it more probable that a risk event or opportunity may occur and/or can increase the severity of a risk impact.

Risk identification: The process of identifying what events, losses, and opportunities can happen; why they might happen; and how.

Risk impact: The effect(s) of a risk event, for example financial loss, service failure, reputational damage, people/staff dissatisfaction, regulatory/legal non-compliance, and client relationship damage. For opportunities, the effect(s) of the event could include financial gain, service enhancement, and competitive advantage.

Risk perception: An individual's subjective view of risks and opportunities. This view can vary significantly due to differences in assumptions and concepts and the needs, issues, and concerns of stakeholders as they relate to the risks or issues under discussion. People tend to naturally lean toward being risk takers or being risk averse.

Risk prioritization: The ordering of risks and opportunities into priority order.

Risk register: A basic, ongoing working document that captures and describes risks and opportunities as they are identified, together with risk accountabilities, actions where required, and review and completion dates.

Risk reporting: The provision of relevant, accurate, and timely risk/opportunity information to an organization's decision makers to provide a picture of the current state/potential future state of the enterprise.

Risk tolerance: Risk tolerance is a calculation based on the financial strength of the organization that indicates how much money the organization can lose before its key performance indicators are affected. While financial measures are quite common, risk tolerance can also be articulated in non-financial measures such as media exposure, downtime, and compliance levels.

Risk transfer: A series of techniques describing the various means of addressing risk through insurance and similar products. This includes recent developments such as the securitization of risk and the creation of, for example, catastrophe bonds.

Risk treatment: The selection and implementation of relevant options for managing risk. There are five key treatments: accept, exploit, avoid, mitigate, and transfer.

Stakeholder: An individual, group, or organization that can affect, be affected by, or perceive itself to be affected by a risk. Stakeholders can include customers, shareholders, employees, suppliers, bankers, community groups, unions, etc.

Acronyms

AIRMIC: Association of Insurance and Risk Managers in Commerce
ALARM: The Public Risk Management Association
BCM: Business Continuity Management
CEO: Chief Executive Officer
CFO: Chief Financial Officer
COSO: Committee of Sponsoring Organizations of the Treadway Commission
ERM: Enterprise Risk Management
FERMA: Federation of European Risk Management Associations
IEC: International Electrotechnical Commission
IRM: Institute of Risk Management
ISO: International Organization for Standardization
KCI: Key Control Indicator
KPI: Key Performance Indicator
KRI: Key Risk Indicator
PDCA: Plan-Do-Check-Act
RIMS: Risk and Insurance Management Society
RMIS: Risk Management Information System
SMS: Safety Management System
SOX: Sarbanes-Oxley
SRM: Safety Risk Management