Glossary of Terms

Term Definition
Accountable authority

The person or group of persons who has responsibility for, and control over a Commonwealth entity’s operations.

See also: PGPA Glossary

Audit committee An independent committee that provides assurance and are responsible for monitoring and reviewing the appropriateness of an entity’s system of risk oversight and effectiveness of the risk management framework. Some Commonwealth entities may have a combined audit and risk committee.
Risk committee (if applicable) A management committee that is responsible for monitoring and reviewing an entity’s risk profile and advising on the management of key risks.

Australian and International

Standard (AS ISO 31000)

ISO 31000 has been developed as a generic and flexible standard that is not specific to any government or industry sector. The Standard identifies elements or steps in the risk management process that can be applied to a wide range of activities at any stage of implementation.
Commonwealth entity
A Commonwealth entity is a:
a. Department of State; or
b. Parliamentary Department; or
c. listed entity; or
d. body corporate established by a law of the Commonwealth

See also: PGPA Glossary

Consequence Outcome or impact of an event that may be expressed qualitatively or quantitatively. There can be more than one consequence from one event. Consequence can be positive or negative. Consequences are considered in relation to the achievement of objectives.
Control Any process, policy, device, practice or other action that is put in place to regulate or modify the likelihood or consequence of a risk. They can be preventative, detective or corrective in nature.
Control effectiveness
Is the term used to describe how well a control is reducing or managing the risk it has been designed to modify. The more effective the control is, the greater assurance this provides an entity that the risk is being managed appropriately.
Commonwealth entity

A Commonwealth entity that is a body corporate and legally separate from the Commonwealth.

See also: PGPA Glossary

Emerging risk
A newly developing or evolving risk that could affect the achievement of an organisation’s strategic objectives. It may be difficult to assess their likelihood or consequence.
Enterprise risk
Risks that affect an entity’s ability to meet their overall business objectives or where the risk is so material that its realisation would have impact across the whole entity. These encompass all areas of an entity’s exposure to risk (financial, operational, compliance, governance etc.)

Enterprise-wide risk

management (ERM)

Also known as entity-wide or integrated risk management. An integrated approach to assessing and addressing all risks that threaten achievement of the entity’s strategic objectives. The purpose of ERM is to understand, prioritise, and develop action plans to maximise benefits and mitigate key risks.

Entity risk management


A document containing the overall intentions, approach and direction of an entity related to risk management.
Event The occurrence or change of a particular set of circumstances. The event can be certain or uncertain. The event can be a single occurrence or a series of occurrences.
Exposure Extent to which an entity is not protected from the consequence of an event.
External context External environment in which the entity seeks to achieve its objectives. External context can include: cultural, political, legal, regulatory, financial, technological, economic, natural and commercial environment whether international, national, regional or local, as well as the perception of external stakeholders and key drivers and trends having an impact on the objectives of the entity.
Internal audit An internal independent, objective assurance and consulting activity designed to add value and improve an entity’s operations and accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal context

Internal environment in which the entity seeks to achieve its objectives. Internal context can include: capabilities understood in terms of knowledge; information systems, decision making processes; policies; perceptions, values and culture; governance structures.

Internal control Any process, policy, device, practice or other actions within the internal environment of an organisation which modifies the likelihood or consequences of a risk.

Key Risk Indicators


Measures and metrics that relate to a specific risk and demonstrate a change in the likelihood or consequence of the risk occurring.
Commonwealth entity

A Commonwealth entity that is not a body corporate and is legally part of the Commonwealth.

See also: PGPA Glossary

Organisational culture
The values, beliefs and norms which influence the behaviour of people as members of an organisation, enabled and reinforced by the environment. Organisational culture is a key part of an organisation’s risk management because it affects how people identify and manage risk.
Project Risk This is an uncertain event or condition that, if it occurs, has the potential to have a positive or negative effect on one or more project objectives.
Adaptive capacity of an entity to resist being affected by a risk event.
Risk The effect of uncertainty on objectives. An effect is a deviation from the expected positive and/or negative. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances or knowledge) and the associated likelihood of occurrence. Examples of risks include strategic, enterprise, operational, project and emerging.
Risk acceptance The informed decision to take a particular risk. Risk acceptance can occur without risk treatment or during the process of risk treatment. Risks accepted are subject to monitoring and review.
Risk aggregation The consideration of risks in combination.
Risk analysis The process to comprehend the nature of risk and to determine the level of risk. Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
Risk appetite The overarching amount and types of risk an entity is willing to accept or retain in order to achieve its objectives.
Risk assessment The process of risk identification, risk analysis and risk evaluation.
Risk capacity The amount and type of risk an organisation is able to support in pursuit of its objectives.
Risk culture Risk culture is a subset of organisational culture and refers to the system of beliefs, values and behaviours throughout an organisation that shape the collective approach to managing risk and making decisions. It is strongly influenced by organisational culture and involves how an organisation views and engages with risk. The risk culture of an organisation will greatly affect how it approaches risk-taking and innovation.
Risk evaluation The process of comparing the level of risk against risk criteria. Risk evaluation assists in decisions about risk treatment.
Risk event A risk event occurs when the conditions for the existence of the risk come together with a triggering action which leads to the creation of an event (can be either a positive or negative event). Risk events lead to measurable effects which may lead to other effects and eventually lead to an undesirable consequence.
Risk identification

The process of finding, recognising and describing risks.

Risk identification involves the identification of risk sources, risk events, their causes and their potential consequences.

Risk identification can involve historical data, theoretical analysis, informed and expert opinions and stakeholder’s needs.
Risk management
Coordinated activities to direct and control an organisation with regard to risk. These activities include the identification, monitoring, communication and reporting of risks.

Risk management


A set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.
Risk management plan A document within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk. Management components typically include: procedures, practices, assignment of responsibilities and sequence of activities.

Risk management policy

A statement of the overall intentions and direction of an organisation in relation to risk management.

Risk management


The systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluation, treating, monitoring and reviewing risk.
Risk oversight The supervision of the risk management framework and risk management process.
Risk owner A person with the accountability and authority to manage a risk and any associated risk treatments. This can involve evaluating whether the existing controls adequately mitigate the risk or whether additional treatments are required.
Risk profile A description of any set of risks. The set of risks can contain those that relate to the whole organisation, part of the organisation or as otherwise defined.
Risk register A document used as a risk management tool that acts as a record of information about identified risks.
Risk reporting A form of communication intended to address particular internal or external stakeholders to provide information regarding the current state of risk and its management.
Risk sensing A process of examining all of the information and data available, to detect any early indicators of an emerging risk in an operating environment.
Risk tolerance
The levels of risk taking that are acceptable in order to achieve a specific strategic objective.
Risk treatment The additional action undertaken to treat a risk in response to a risk evaluation where it has been agreed that the risk is outside of the entity’s tolerance, the controls in place are ineffective and further mitigation activities are required.
Shared risk A risk with no single owner, where more than one entity is exposed to or can significantly influence the risk.
Strategic risk Risks that relate to the achievement of specific and defined objectives of an entity. They tend to be longer term and are of particular impact or importance as they can affect the strategic intent of an entity. These are different to enterprise-operational risks which are operational in nature, but of sufficient materiality that if they were realised they would have enterprise level consequences.

Did you find this content useful?