
Root Cause Analysis
A systematic process for identifying the underlying causes of problems or events rather than just addressing symptoms. Root cause analysis techniques include the "5 Whys" approach (asking why repeatedly to drill down to fundamental causes) and Ishikawa diagrams (fishbone diagrams that categorize potential causes). In RBPM, root cause analysis is applied to risk events to understand their origins and implement more effective preventive controls. It helps organizations address systemic issues rather than treating individual symptoms.
Risk Treatment
The process of selecting and implementing measures to modify risk exposure. Risk treatment options include avoiding the risk, taking the risk to pursue an opportunity, removing the risk source, changing the likelihood or consequences, sharing the risk with another party, or retaining the risk by informed decision. In RBPM, risk treatment decisions consider both the organization's risk appetite and the strategic importance of related objectives, ensuring that control investments align with strategic priorities.
Risk Tolerance
The acceptable level of variation in the pursuit of specific objectives. Risk tolerance establishes the operational parameters within which the organization can operate while remaining consistent with its broader risk appetite. In RBPM, tolerance levels are expressed as thresholds around Key Risk Indicators, defining acceptable boundaries for risk metrics. Organizations with higher risk appetite will typically set wider tolerance ranges, allowing greater variation, while those with lower appetite will set narrower ranges requiring tighter control.
Risk-Taking
The deliberate acceptance of uncertainty in pursuit of strategic objectives. Risk-taking is an inherent part of business activity and value creation - without some level of risk-taking, organizations cannot innovate, grow, or generate returns. In RBPM, the focus is on appropriate risk-taking within defined appetite boundaries rather than risk minimization. The Appetite Alignment Matrix highlights where organizations may be taking too much risk (over-exposed) or not enough risk (under-exposed) relative to their strategic ambitions.
Risk Scorecard
A management tool that tracks and reports on an organization's key risks and their status. It includes information on risk owners, appetite alignment status, risk assessment results, key risk indicators, and risk scores. The Risk Scorecard helps senior management answer questions about whether risks are being effectively managed, whether risk exposures are within tolerance levels, whether risk management trends are moving in the right direction, and what risk exceptions require investigation. It complements the Performance and Control Scorecards to provide a comprehensive view of risk-based performance management.
Risk Response
The approach an organization takes to address an identified risk. Common risk responses include:
- Accept (take the risk without additional controls)
- Avoid (eliminate the activity or circumstance creating the risk)
- Transfer (shift risk to a third party through insurance or outsourcing)
- Reduce (implement controls to decrease likelihood or impact)
- Exploit (take actions to increase the probability of beneficial outcomes)
In RBPM, risk responses should align with risk appetite and contribute to strategic objectives rather than simply minimizing all risks.
Risk Register
A documented record of identified risks, their assessment details, planned risk responses, control information, and monitoring requirements. The risk register serves as a central repository of risk information and a management tool for tracking risk status and treatment actions. In RBPM, the risk register links risks directly to strategic objectives, ensuring that risk information directly supports strategy execution decisions. Advanced risk registers may include additional elements like key risk indicators, control effectiveness assessments, and appetite alignment status.
Risk Profile
The aggregate view of an organization's risk exposure across all risk categories and business activities. The risk profile presents a comprehensive picture of the organization's risk position at a point in time, considering both threats and opportunities. In RBPM, the risk profile is regularly assessed against risk appetite to determine whether the organization is operating within acceptable risk boundaries. Changes in the risk profile may trigger adjustments to strategy, controls, or risk appetite as circumstances evolve.
Risk Owner
The person or entity with the accountability and authority to manage a risk. Risk owners are responsible for ensuring that appropriate resources and attention are directed toward risk assessment, control implementation, monitoring, and reporting. In RBPM, risk ownership is formalized through the RACI model, which distinguishes between ultimate accountability and operational responsibility for risk management activities. Clear risk ownership ensures that risks receive appropriate attention and that risk-related decisions are made at the right organizational level.
Risk Maturity
The level of development, sophistication, and effectiveness of an organization's risk management capabilities. Risk maturity models typically define stages ranging from initial/rudimentary to advanced/optimized, with each stage characterized by increasingly comprehensive risk identification, more sophisticated assessment methodologies, more effective controls, better integration with decision-making, and stronger risk cultures. In RBPM, understanding current risk maturity helps organizations develop appropriate implementation roadmaps for enhancing their integrated strategy and risk management capabilities.
Risk Master
A term from Accenture's research describing organizations that excel at creating value through superior risk management. Risk Masters integrate risk considerations into strategic planning and decision-making processes, deploy sophisticated measurement and analytics capabilities, align risk management across business units, establish C-level risk leadership, infuse risk awareness throughout their culture, and invest in continuous improvement of risk capabilities. The RBPM approach incorporates many characteristics identified in Risk Masters, particularly their focus on creating competitive advantage through risk management.
Risk Map
A visual representation that displays risks according to a defined classification scheme, such as risk categories, business units, or strategic perspectives. In RBPM, the Four Perspective Risk Map organizes risks according to the Balanced Scorecard perspectives (financial, customer, internal processes, learning and growth), enabling clearer understanding of risk interdependencies and alignment with strategic objectives. Risk Maps help identify risk concentrations, highlight relationships between risks, and communicate risk positions to stakeholders.
Risk Management Strategy
The organization's approach to assessing and managing risk, articulating how it will identify, analyze, and address the risks to its objectives. A risk management strategy includes risk governance structures, roles and responsibilities, appetite setting, assessment methodologies, treatment approaches, monitoring processes, and continuous improvement mechanisms. In RBPM, the risk management strategy aligns with and supports the overall business strategy, ensuring that risk management enables rather than constrains strategic execution.
Risk Management Function
The organizational unit responsible for designing, implementing, and coordinating risk management activities across the enterprise. The risk management function typically develops risk policies, provides risk assessment methodologies, facilitates risk identification and analysis, monitors risk exposures, reports to governance bodies, and promotes risk awareness. In RBPM, the risk management function serves as a strategic partner to the business rather than just a control function, helping to optimize risk-taking in pursuit of strategic objectives.
Risk Management Framework
The structured approach an organization uses to identify, assess, respond to, and monitor risks. A risk management framework typically includes risk governance, risk appetite definition, risk assessment methodologies, control implementation, reporting processes, and continuous improvement mechanisms. In RBPM, the risk management framework is fully integrated with strategy execution processes rather than operating as a separate system. This integration ensures that risk management directly supports strategic decision-making rather than functioning as a compliance exercise.
Risk Indicators
Metrics that provide insight into risk positions, trends, and emerging issues. Risk indicators include both Key Risk Indicators (KRIs) that track major known risks and emerging risk indicators that monitor potential new threats or opportunities. In RBPM, risk indicators complement performance indicators to provide a balanced view of progress toward strategic objectives and associated risk exposures. Effective risk indicators combine leading measures (predictive) and lagging measures (confirmatory) to enable both proactive and reactive risk management.
Risk Identification
The process of finding, recognizing, and describing risks that could affect an organization's ability to achieve its objectives. Risk identification seeks to develop a comprehensive inventory of risks from both internal and external sources, drawing on historical data, theoretical analysis, informed opinions, stakeholder input, and expert assessments. In RBPM, risk identification focuses particularly on risks related to strategic objectives, ensuring that the most significant strategic threats and opportunities are captured and managed.
Risk Heat Map
A visual representation of risks based on their assessed likelihood and impact. It is typically presented as a two-dimensional matrix with likelihood on one axis and impact on the other, and risks are plotted according to their assessment scores. Color coding (usually red, amber, green) indicates risk severity, with risks in the high-likelihood, high-impact quadrant requiring the greatest attention. In RBPM, Heat Maps help prioritize risk mitigation efforts and communicate risk positions to stakeholders, though they should be complemented by more nuanced analyses.
Risk Exposure
The extent to which an organization is subject to specific risks at a point in time. Risk exposure represents the combination of risk likelihood and impact after considering existing controls (residual risk). In RBPM, exposure is regularly assessed and compared to risk appetite to determine whether the organization is operating within acceptable risk boundaries. The Appetite Alignment Matrix visually displays the relationship between exposure and appetite, highlighting areas of over-exposure or under-exposure that require management attention.
Risk Event
An occurrence or change of a particular set of circumstances that results in a risk materializing. Risk events can lead to positive outcomes (opportunities realized) or negative outcomes (threats materialized). In RBPM, risk events are analyzed to understand their causes, impacts, and control failures, with this information feeding back into the risk management process. Effective risk event management includes timely identification, appropriate escalation, root cause analysis, and implementation of corrective actions. Risk event data provides valuable input for refining risk assessments and improving control effectiveness.