Term
|
Definition
The possibility that an event will occur and adversely affect the achievement of objectives.
|
|
|
Term
|
Definition
The possibility that an event will occur and positively affect the achievement of objectives.
|
|
|
Term
|
Definition
Risks that are specifically associated with organizations conducting a form of business: uncertainties regarding threats to the achievement of business objectives.
|
|
|
Term
Enterprise Risk Management |
|
Definition
The process conducted by management to understand and deal with uncertainties (that is, risks and opportunities) that could affect the organization’s ability to achieve its objectives.
|
|
|
Term
|
Definition
What an entity desires to achieve. When referring to what an organization wants to achieve, these are called business objectives, and may be classified as strategic, operations, reporting, and compliance.
|
|
|
Term
Risk Management Philosophy |
|
Definition
Set of shared beliefs and attitudes characterizing how the organization considers risks in everything it does.
|
|
|
Term
|
Definition
The amount of risk, on a broad level, an organization is willing to accept in pursuit of its business objectives.
|
|
|
Term
|
Definition
The acceptable levels of risk size and variation relative to the achievement of objectives, which must align with the organization’s risk appetite.
|
|
|
Term
|
Definition
The combination of internal and external risk factors in their pure, uncontrolled state, or, the gross risk that exists, assuming there are no internal controls in place.
|
|
|
Term
|
Definition
The portion of inherent risk that remains after management executes its risk response (sometimes referred to as net risk).
|
|
|
Term
|
Definition
Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
|
|
|
Term
|
Definition
A process that assesses the presence and functioning of governance, risk management, and control over time. There are three types of monitoring: ongoing, separate evaluation, and combination.
|
|
|
Term
|
Definition
A senior management position established by many companies that acts as the centralized coordinating point to facilitate risk management activities.
|
|
|
Term
Business Process Outsourcing |
|
Definition
The act of transferring some of an organization’s business processes to an outside provider to achieve cost reductions, operating effectiveness, or operating efficiency while improving service quality.
|
|
|
Term
|
Definition
Controls that operate across an entire entity and, as such, are not bound by, or associated with, individual processes.
|
|
|
Term
|
Definition
An activity that, if key controls do not fully operate effectively, may help to reduce the related risk. A compensating control will not, by itself, reduce risk to an acceptable level.
|
|
|
Term
|
Definition
Advisory and related services, the nature and scope of which are agreed to with the customer, and which are intended to improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility.
|
|
|
Term
Impairment to Independence or Objectivity |
|
Definition
The introduction of threats that may result in substantial limitation, or the appearance of a substantial limitation, to the internal auditor’s ability to perform an engagement without bias or interference.
|
|
|
Term
|
Definition
A compilation of the subsidiaries, business units, departments, groups, processes, or other established subdivisions of an organization that exist to manage one or more business risks.
|
|
|