“In the context of a risk intelligent infrastructure, establishing ‘common’ risk management processes…means establishing processes for pushing down a unified view of risk—standardized risk definitions, a common risk language, and so on—from the risk governance bodies to all parts of the organization.”

“Creating a Risk Intelligent infrastructure: Getting Risk Intelligence Done,” Deloitte Risk Intelligence Series, Issue No. 19

This page provides definitions of risk-related vocabulary used on the UC Berkeley campus.  The terms are defined below.

Activities

The things the organization does in support of its mission, such as teaching, research, public service, etc.  Risks are inherent in the activities carried out.  Identifying the organization's activities is a good starting point to understanding its risks.

Consequence

The consequence of a risk event is the answer to the questions:  “So what if that risk occurs? What’s the worst credible scenario that could result?”

Control

A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

To be effective, controls must be designed effectively, and they must be operated correctly.  A control can fail because it was not designed correctly, or because it was not performed (operated) correctly.  When control effectiveness is evaluated, both these characteristics should be addressed.

Cosmology of Risk

In western philosophy, "cosmology" refers to "the study of the origin, fundamental structure, nature, and dynamics of the universe." ["Metaphysics," Wikipedia.]  We've borrowed the term to refer to those components, not of the universe, but of risk, or of the risk universe.  If we can understand all the elements that compose risk, if we understand its "fundamental structure," then we will be in a better position to respond effectively to it.  

The principal elements of the risk cosmology are stakeholders, activities, tools, physical setting, and external forces. From the perspective of the cosmology of risk, risk is a function of stakeholders carrying out activities with tools in a physical setting, all of which is influenced by external forces.  See illustration.

COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was established in the United States to provide thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.

COSO has established enterprise risk management and internal control models against which companies and organizations may assess their risk management and control systems. COSO is a joint initiative of five private-sector organizations:  the Institute of Management Accountants, the American Accounting Association, the American Institute of Certified Public Accountants, the Institute of Internal Auditors, and the Financial Executives International.  (Adapted from:  Wikipedia)

Enterprise Risk Management

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.  The definition reflects certain fundamental concepts. Enterprise risk management is:

  • A process, ongoing and flowing through an entity
  • Effected by people at every level of an organization
  • Applied in strategy setting
  • Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
  • Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
  • Able to provide reasonable assurance to an entity’s management and board of directors
  • Geared to achievement of objectives in one or more separate but overlapping categories

Also see What is ERM?

Source:  COSO.  In October 2014 COSO announced a project to update the 2004 ERM framework. From its website:  "The update project is intended to enhance the framework's content and relevance in an increasingly complex business environment so that organizations worldwide can attain better value from their enterprise risk management programs. This initiative will update concepts developed in the original framework and changes that reflect the evolution of risk management thinking and practices, as well as changing stakeholder expectations. The initiative will also develop tools to assist management in reporting risk information and in reviewing and assessing the application of enterprise risk management."

Event, or Risk Event

Events can have negative impact, positive impact, or both. Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities. Opportunities are the possibility that an event will occur and positively affect the achievement of objectives, supporting value creation or preservation. Management channels opportunities back to its strategy or objective-setting processes, formulating plans to seize the opportunities.

Event identification is one of the eight components of the COSO ERM framework, and is described as follows:  Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.  Opportunities are  channeled back to management’s strategy or objective-setting processes.

Source:  COSO

External Forces

The forces acting on, and influencing, the organization's operations, and therefore influencing the organization's decisions, including decisions about strategy.  External forces fall into these categories:  economic, social/demographic, technological, geographic, political/legal/regulatory.

See external risks.

GRC

Governance, risk, and compliance.  A ‘GRC tool’ refers to a software application that captures an organization’s information across these three areas.

Inherent Risk

Inherent risk is the potential for risk events that could occur as a result of undertaking some activity when there are no controls in place.  Once controls are put into place, the residual risk is the remaining risk.  

Luck Factor

The amount of residual risk remaining above the organization's risk appetite after controls are implemented.  When an organization accepts more risk than its risk appetite would allow, the organization is relying on luck that a risk event will not occur.  See illustration.

Monitoring

Activities designed to ensure that internal controls are operating according to their design.  Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Objective Setting

Objective setting is a precondition to event identification, risk assessment, and risk response.  The risks of concern are those that jeopardize the organization's ability to meet its objectives.  There must first be objectives before management can identify and assess risks to their achievement and take necessary actions to manage the risks.

COSO identifies the following categories of objective:

  • Strategic:  High-level goals, aligned with and supporting its mission.
  • Operations:  Effective and efficient use of its resources.
  • Reporting:  Reliability of reporting.
  • Compliance:  Compliance with applicable laws and regulations.

Pure Risk

A pure risk is a chance of loss or no loss, but no chance of gain.

Reputation Risk

A violation of the "social contract" between the organization and a group of its stakeholders, leading the stakeholders to behave in an adversarial way toward the organization.  In this context, "social contract" refers to the unwritten expectations the stakeholder group has about how it expects the organization to behave.  When the organization behaves in a way contrary to the expectations, the stakeholder group behaves in an adversarial way; for example, if a donor becomes upset with an action the organization took, the donor elects to stop or suspend financial donations.

Residual Risk

Residual risk is the level of risk left over from the initial inherent risk after controls have been implemented.  The residual risk is then compared against risk tolerance to determine if more controls are warranted or if the residual risk is acceptable to the organization.

Risk

D&T Risk Intelligence:  Risk is the potential for loss caused by an event (or series of events) that can adversely affect the achievement of an organization’s objectives.

COSO:  All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value.  Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. 

ISO 31000:  Risk is the effect of uncertainty on objectives.  Notes regarding the ISO 31000 definition of risk: 

  1. An effect is a deviation from the expected—positive or negative.
  2. Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organizationwide, project, product and process).
  3. Risk is often characterized by reference to potential events  and consequences, or a combination of these.
  4. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
  5. Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.

Risk Ante Rate

The basic "cost" of being "in the game" (see definition of ante).  The risk price of entry.  The ante rate is a kind of residual risk in that it is a level of risk that exists net of controls.  For more on the risk ante rate, go to this link.

Risk Appetite

The amount of risk, on a broad level, an entity is willing to accept in pursuit of value.

Risk Categories

The five types of risk event that may occur as a result of carrying out an activity in support of achieving the University's mission: 

  • Financial:  An increase in cost or a decrease in revenue.
  • Health–Safety:  Physical or emotional injuries, or fatalities.
  • Operational:  Inability to carry out a process effectively or efficiently.
  • Reputation:  Violation of the "social contract" with stakeholders, leading them to behave adversarially.  (Source:  Dr. Nir Kossovsky)
  • Strategic:  A failure to achieve a strategic objective.

Risk Intelligence

Deloitte, one of the global “Big Four” public accounting firms, coined the phrase Risk Intelligence.  From a Deloitte whitepaper:  “Risk intelligence is ERM done right.  ERM has been around at least a decade; yet a standard definition of ERM remains elusive; and the range of practices falling loosely under the ERM heading is vast and growing.  It is the rare company that intelligently manages the full spectrum of risk.  Since it occurs so infrequently, when ERM is done right it deserves a special designation.  Organizations that do ERM right are Risk Intelligent Enterprises.”

Risk Portfolio

The complete set of risks that an organization is exposed to.  The portfolio of risks is organized into the five risk categories.

Risk Statements

A risk statement is a written description of a potential adverse risk event.  Risk statements are prepared during risk identification and assessment workshops.  Because they describe hypothetical events, risk statements use the words could, might, or may.

Risk statements should be written with enough clarity that a reasonable person who is not a subject-matter expert could understand what is meant.  Following are examples of risk statements:

  • Federal grant expenditures could be disallowed.
  • Data in CARS might be inaccurate.
  • Buildings may become uninhabitable.

Risk Types

There are three broad types of risk; each has different characteristics, value propositions, treatment criteria, and control approaches.  They are:

For each type, the entries below give the risk type, its risk value proposition, the treatment approach, and the risk control characteristics.

1.   Internal, or Operational, Risks

  Risk Type:  These risks are inherent in the internal activities carried out at University locations.  UC controls the likelihood that these risks will occur.  They are avoidable.

  Risk Value Proposition:  Inherently undesirable.  No strategic benefit is gained by taking on these risks.

  Treatment Approach:  Internal risks are preventable.  They should be avoided, eliminated, or minimized.

  Risk Control Characteristics:  Risks can be managed using a rules-based control model.

2.   Strategic Risks

  Risk Type:  These risks are also inherent in the internal activities carried out at University locations.  UC controls the likelihood that these risks will occur.  They are avoidable.

  Risk Value Proposition:  Not inherently undesirable.  These are the risks deliberately taken on in pursuit of its mission and strategic initiatives.

  Treatment Approach:  Accept the “right amount” of these risks.  Understand the level of risk the University is willing to take on in pursuit of its strategy, and manage the risk accordingly.

  Risk Control Characteristics:  Cannot be managed using a rules-based control model.  The approach must reduce the probability of risks occurring and contain any consequences if the risks occur.*

3.   External Risks

  Risk Type:  These risks are related to requirements or forces imposed on the University from outside.  UC cannot control the likelihood they will occur; it can only prepare for and respond to them.  They include these and other forces:  Legal/Regulatory (Compliance), Natural Hazard, Economic, Technological, Social, Demographic.

  Risk Value Proposition:  External risks press on the University and, depending on their nature and impact, force it to respond.  These risks drive internal process design.

  Treatment Approach:  Focus on identifying these external forces and understanding their potential impacts to the University:  Which ones are sources of competitive advantage?  Which ones could result in a loss of reputation?  Identify the appropriate level of response.

  Risk Control Characteristics:  Risk control characteristics for external risks are based on the University’s response to the external force.  As a result, controls will take on the characteristics of the type of controls used for internal and strategic risks as described above.

*Effective management of strategic risks could enable the University to take on higher risk-reward initiatives and obtain competitive advantage over its peer universities having less effective strategic risk management processes (Kaplan and Mikes, ibid.)  

Source:  Partially adapted from Robert S. Kaplan and Anette Mikes, “Managing Risks: A New Framework,” Harvard Business Review, June 2012.

Speculative Risk

Speculative risk involves a chance of loss, no loss, or of gain (see pure risk).

Stakeholders

The people who do the activities of the organization or otherwise come into contact with those activities, such as faculty, staff, students, the public, etc.
