COSO ERM Framework
The Enterprise Risk Management – Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004 and updated in 2017. This framework defines enterprise risk management as a process applied in strategy setting and across the enterprise, designed to identify potential events and manage risk within risk appetite. The COSO ERM Framework is a significant influence on RBPM, particularly in its emphasis on risk appetite and the integration of risk management with strategy setting.
Corporate Governance
The system of rules, practices, processes, and relationships by which a company is directed and controlled. It involves balancing the interests of stakeholders such as shareholders, management, customers, suppliers, financiers, government, and the community. In RBPM, corporate governance establishes the framework for decision-making, risk oversight, and accountability. It ensures that strategic objectives are pursued within appropriate risk appetite boundaries and that risks are effectively identified, assessed, managed, and monitored.
Core Change Alliance
An informal coalition of individuals from various levels within an organization who share a common commitment to implementing risk-based performance management. This alliance includes both formal participants in the implementation and informal supporters who can influence and advocate for the approach. Building a core change alliance is a critical early step in the RBPM implementation process, helping to overcome resistance and sustain momentum through the transformation journey. The alliance provides guidance, shares expertise, and helps navigate organizational politics.
Control Scorecard
A management tool that tracks and reports on the effectiveness of key controls within an organization. It includes information on control owners, key control indicators (KCIs), assessment results, and status indicators. The Control Scorecard helps senior management answer questions about whether the control environment is effective, whether compliance obligations are being met, whether control effectiveness trends are moving in the right direction, and what exceptions require investigation. It complements the Performance and Risk Scorecards to provide a comprehensive view of risk-based performance management.
Control Map
A visualization tool that assesses control performance and control design dimensions on a matrix. Control performance is evaluated based on how consistently the control is applied, while control design is assessed on how effectively the control mitigates the associated risk. The Control Map provides insight into control effectiveness and helps prioritize improvement actions. It can be further enhanced by incorporating exposure or appetite alignment dimensions, enabling organizations to focus control improvement efforts on areas where exposure is high or outside appetite boundaries.
Control Environment
The set of standards, processes, and structures that provide the foundation for carrying out internal control throughout an organization. It encompasses the organization's integrity, ethical values, management philosophy, board oversight, accountability structures, and commitment to competence. In RBPM, the control environment is a critical component of risk management, establishing the tone for risk awareness and the importance of operating within appetite. A strong control environment helps prevent excessive risk-taking while enabling appropriate risk-taking in pursuit of strategic objectives.
Continuous Turbulent Times
A term describing the early-21st-century business environment, characterized by unprecedented speed of change, technological disruption, economic volatility, geopolitical shifts, regulatory evolution, and intensified competition. In this environment, organizations face greater uncertainty and complexity than ever before. The RBPM approach was designed specifically to help organizations thrive in continuous turbulent times by integrating strategy and risk management, enabling more agile responses to emerging opportunities and threats while maintaining appropriate risk appetite boundaries.
Compliance Risk
The risk of legal or regulatory sanctions, material financial loss, or reputational damage that an organization may suffer as a result of failing to comply with laws, regulations, internal policies, or prescribed practices. Within RBPM, compliance risk is typically identified as a specific risk category requiring dedicated controls and monitoring. Effective management of compliance risk involves identifying applicable requirements, assessing potential impacts of non-compliance, implementing appropriate controls, monitoring compliance status, and reporting to governance bodies.
Change Management
The structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state. In RBPM implementation, change management focuses on preparing, supporting, and helping people successfully adopt new ways of working. This includes managing cultural transformations necessary to embed risk awareness into decision-making processes. Effective change management addresses resistance, builds commitment, and ensures sustainability of the new practices. It encompasses communications planning, stakeholder analysis, coaching, training, and reinforcement activities to facilitate the adoption of integrated strategy and risk management approaches.
Capability Maturity Model
A methodology for evaluating and measuring the maturity of an organization's processes, originally developed by the Carnegie Mellon University Software Engineering Institute. It typically defines maturity levels ranging from initial (processes are unpredictable and poorly controlled) to optimized (focus on continuous improvement). In RBPM, maturity models help assess the sophistication of risk management practices and strategy execution capabilities, identifying gaps and improvement opportunities. They provide a roadmap for developing more advanced risk management and performance management capabilities.
Business Model Canvas
A strategic management visual chart developed by Alexander Osterwalder that allows organizations to describe, design, challenge, and pivot their business model. The canvas has nine building blocks: customer segments, value propositions, channels, customer relationships, revenue streams, key resources, key activities, key partnerships, and cost structure. In RBPM, the Business Model Canvas is used to understand the business model and its implications for objectives and risks. It helps organizations identify where risks might emerge and ensures that risk appetite aligns with the chosen business model.
Business Model
A description of how an organization creates, delivers, and captures value. It encompasses the organization's value proposition, target customers, distribution channels, revenue streams, key resources, activities, partnerships, and cost structure. Within RBPM, the business model is a fundamental consideration when determining appropriate risk appetite levels, as different business models have inherent risk profiles. Business model innovation is becoming an increasingly important source of competitive advantage, but such innovation must be pursued within appetite boundaries.
Business Drivers
The fundamental factors that disproportionately influence the success or failure of a business or industry. These critical variables significantly impact an organization's performance and value creation. In RBPM, business drivers serve as the foundation for establishing risk appetite and strategic objectives. Examples might include access to capital, technological innovation capabilities, regulatory environment, or customer demographics. By identifying and understanding key business drivers, organizations can develop strategies that leverage these factors while remaining cognizant of associated risks.
Business Continuity Management
A holistic management process that identifies potential threats to an organization and the impacts those threats might have on business operations. It provides a framework for building organizational resilience and effective response capabilities that safeguard the interests of key stakeholders, reputation, brand, and value-creating activities. Within RBPM, business continuity management connects to operational risk management, ensuring that risk events don't catastrophically impact strategic objectives. It includes developing response plans for various risk scenarios to minimize disruption.
Board Oversight
The supervisory role played by an organization's board of directors in monitoring management's execution of strategy within defined risk appetite boundaries. Effective board oversight involves setting risk appetite, approving risk policies, ensuring appropriate risk management frameworks, challenging management on strategic decisions, and monitoring risk exposure against defined limits. The board should regularly review risk reports, assess the effectiveness of risk management processes, and ensure alignment between risk-taking and strategic objectives. In RBPM, board oversight is a critical governance function.
Blue Ocean Strategy
A strategic approach developed by W. Chan Kim and Renée Mauborgne that challenges organizations to create uncontested market space (blue oceans) rather than competing in existing crowded markets (red oceans). Blue Ocean Strategy involves developing new value innovations that make competition irrelevant by creating and capturing new demand. This approach aligns with the RBPM framework by encouraging organizations to consider both the performance potential and risk implications of pursuing new market opportunities, ensuring that innovation is pursued within appropriate risk appetite parameters.
Balanced Scorecard
A strategic management framework developed by Robert Kaplan and David Norton that translates an organization's vision and strategy into a comprehensive set of performance measures. It provides a balanced view of organizational performance across four perspectives: financial, customer, internal processes, and learning and growth. The Balanced Scorecard enables organizations to track financial results while simultaneously monitoring progress in building capabilities and acquiring intangible assets needed for future growth. It serves as a foundation for the performance management aspects of RBPM.
Appetite Alignment Matrix
A visualization tool developed to provide a simple way of understanding alignment between current risk exposure levels and defined risk appetite. The matrix plots appetite levels along the horizontal axis and current risk exposure on the vertical axis, with diagonal cells showing the intersection between the two. It reveals three zones: the Optimal Zone (where appetite and exposure are aligned), the Over-exposed Zone (where exposure exceeds appetite), and the Under-exposed Zone (where appetite exceeds exposure). This matrix helps organizations identify opportunities for strategic advantage and is particularly powerful in highlighting areas where organizations may not be taking enough risk to achieve objectives.
Appetite Alignment
The process of continuously aligning an organization's current risk exposure to its defined risk appetite. This critical component of operating within appetite helps organizations understand if their current level of risk-taking is aligned to their chosen business strategy. The alignment process involves regular monitoring and management to ensure risk levels remain within acceptable boundaries while pursuing strategic objectives. The Appetite Alignment Matrix is a key visualization tool that demonstrates where organizations may be taking too much risk (over-exposed) or not enough risk (under-exposed) relative to their stated appetite.