Risk: An activity, situation, or condition that impacts an organization's ability to meet its objectives.
Impact: The cumulative result of consequences from an exposure (Physical, Financial, Reputation, Legal, Strategic/Mission damage).
Controls: Any conscious action or inaction taken to reduce or eliminate likelihood and/or impact (Avoidance, Prevention, Reduction, Separation, Duplication, or Transfer).
Inherent Risk: Degree of uncertainty measured by Likelihood x Impact (baseline measurement before controls).
Residual Risk: Degree of uncertainty measured by Likelihood x Impact (after controls are put in place; it is the risk that is left over).
Risk Appetite: The amount of risk the university is willing to accept in the pursuit of its objectives or in creating value.
Important considerations when defining Risk Appetite:
- Informs decision-making over strategy and objectives
- Guides allocation of key resources
- Requires continued monitoring and discussion
- Informs risk assessment and prioritization
- Statements tend to be broad and are tied to the university’s strategy and goals
Risk Tolerance: The acceptable range of risk an operational unit can take on before it encroaches on the institution’s risk appetite.
Important considerations when defining Risk Tolerance:
- Statements are more specific and are at times unit or department-specific
- Implemented at the operational level of the university
- Considered more tactical and actionable
- Informs the comfortable range of risk that departments/units can take on