Key Risk Indicators (KRIs)
Metrics that provide early warning signals of increasing risk exposure in various areas of an organization. KRIs track changes in risk profile and help predict potential risk events before they materialize. Examples might include staff turnover rates (indicating operational risk), customer complaint trends (indicating reputational risk), or liquidity ratios (indicating financial risk). In RBPM, KRIs work alongside KPIs and KCIs to provide a comprehensive view of strategic progress, risk position, and control effectiveness.
Key Performance Indicators (KPIs)
Quantifiable measurements that gauge an organization's progress toward achieving its strategic objectives. KPIs track performance against targets and signal when interventions may be required to address performance gaps. In RBPM, KPIs are selected based on their relevance to strategic objectives and should include both leading (predictive) and lagging (outcome) measures. Effective KPIs provide actionable information that triggers performance conversations and improvement initiatives when performance deviates from expectations.
Key Business Drivers
The critical variables that disproportionately influence an organization's success or failure. These fundamental drivers of value vary across industries and organizations. Examples might include technological innovation capabilities, access to capital at competitive rates, regulatory frameworks, or demographic trends. In RBPM, key business drivers form the foundation for establishing risk appetite, as they represent the factors most crucial to value creation. Understanding these drivers helps organizations focus their strategy and risk management efforts on the areas of greatest impact.
ISO 31000
An international standard for risk management published by the International Organization for Standardization. It provides principles, a framework, and process guidance for managing risk in any organization regardless of size, activity, or sector. ISO 31000 defines risk as "the effect of uncertainty on objectives" and emphasizes that risk management should be integrated with organizational governance and decision-making processes. While ISO 31000 notably lacks explicit treatment of risk appetite, its process-oriented approach has significantly influenced RBPM development.
Initiative Alignment Matrix
A tool that visually demonstrates the relationship between strategic initiatives and objectives, risks, and/or controls. The matrix indicates the strength of alignment using percentage values (ranging from 0% for very weak alignment to 100% for very strong alignment). This tool helps organizations prioritize initiatives based on their strategic impact and identify potential gaps where important objectives or risks lack supporting initiatives. It promotes cross-functional discussion and ensures that change efforts focus on activities with the greatest strategic relevance.
High-Quality Conversations
Discussions that challenge assumptions, explore multiple perspectives, consider both opportunities and threats, and lead to better-informed decisions. In RBPM, high-quality conversations are a characteristic of a strategy-focused, risk-aware culture. They occur when people have access to relevant information about performance and risk, feel psychologically safe to raise concerns or challenging questions, and are motivated to find optimal solutions that balance risk and reward. Such conversations are essential for aligning risk-taking with strategy and operating within appetite.
Hazard Risk
Risks associated with accidental losses, such as those arising from natural disasters, accidents, fire, property damage, or liability claims. Hazard risks traditionally formed the core focus of insurance-based risk management before the emergence of more comprehensive approaches. Within RBPM, hazard risks are typically managed through a combination of preventive controls, contingency planning, and risk transfer mechanisms like insurance. While less directly connected to strategy than other risk types, major hazard events can significantly disrupt strategic execution if not properly managed.
Governance Structure
The formal arrangement of bodies, roles, and relationships that oversee and direct an organization's activities. This typically includes the board of directors, board committees (such as audit, risk, and remuneration committees), executive management team, and management committees. In RBPM, an effective governance structure provides clear escalation paths for risk issues, ensures appropriate challenge and oversight of risk-taking activities, and maintains the integrity of risk management processes. It establishes the mechanisms through which risk appetite is set, communicated, and monitored.
Governance
The processes and practices that define an organization's strategic, operating, and decision-making boundaries, as well as how decisions are made and implemented. Governance establishes clear lines of authority, accountability, and responsibility. In RBPM, governance is a critical "soft" discipline that ensures strategic objectives are pursued within appropriate risk appetite boundaries. It includes board oversight, management committees, policy frameworks, delegation authorities, and control mechanisms that collectively shape and constrain organizational behavior.
Four Perspective Risk Map
A visualization tool that shows key risks organized according to the four perspectives of the Strategy Map (financial, customer, internal processes, and learning and growth). This tool provides an at-a-glance view of risk exposures across the organization and highlights potential risk clusters or interrelationships. The Four Perspective Risk Map works alongside the Strategy Map and Appetite Alignment Matrix to provide a comprehensive view of strategic progress and risk position. It helps organizations identify where they may face multiple risks that could collectively threaten strategic objectives.
Financial Risk
Uncertainty related to financial aspects of business operations, including market risk, credit risk, liquidity risk, and capital adequacy. Financial risks involve potential losses due to market movements, counterparty defaults, funding constraints, or insufficient capital to support strategic initiatives. In RBPM, financial risks are typically well-quantified, with established measurement techniques and controls. Managing financial risks involves setting clear limits aligned with the organization's overall risk appetite and ensuring that exposure remains within these boundaries.
External Risk
Risks originating from factors outside an organization's control, such as economic conditions, competitor actions, regulatory changes, technological disruptions, or natural disasters. These risks cannot be eliminated but can be anticipated, monitored, and mitigated. Within RBPM, external risk management focuses on developing resilience, agility, and contingency plans rather than risk elimination. Scenario planning and early warning systems are particularly important for managing external risks within the organization's appetite boundaries.
Execution Risk
Uncertainty related to an organization's ability to execute its chosen strategy. This includes risks associated with inadequate resources, insufficient capabilities, poor project management, change resistance, or implementation failures. In RBPM, execution risk is distinguished from strategic risk (which relates to the soundness of strategic choices themselves). Effective management of execution risk requires clear governance structures, robust program management capabilities, regular performance monitoring, and appropriate contingency planning to address implementation challenges.
Execution Premium
A six-step management system developed by Robert Kaplan and David Norton that connects strategy formulation and planning with operational execution. The system includes: 1) Develop the strategy, 2) Plan the strategy, 3) Align the organization, 4) Plan operations, 5) Monitor and learn, and 6) Test and adapt the strategy. This system represents the most evolved version of the Balanced Scorecard methodology and serves as an important foundation for the RBPM approach, particularly in its emphasis on linking strategic objectives to operational activities.
Enterprise Risk Management (ERM)
A comprehensive approach to identifying, assessing, managing, monitoring, and reporting on risks across an entire organization. ERM considers strategic, operational, financial, compliance, and reputational risks within a holistic framework rather than addressing risks in silos. In contrast to earlier risk management approaches that focused narrowly on insurable or financial risks, ERM emerged in the early 2000s to provide a more integrated perspective. RBPM builds on ERM concepts, particularly in its emphasis on linking risk management to strategy execution.
Detective Controls
Controls designed to identify errors, irregularities, or adverse events that have already occurred. Detective controls help organizations identify when risks have materialized so that corrective action can be taken. Examples include exception reports, reconciliations, physical inventories, and compliance reviews. Within RBPM, detective controls are an important complement to preventive controls, providing a second line of defense in the risk management framework. Effective detective controls enable timely detection of risk events and limit their potential impact on strategic objectives.
Decision Rights
The formal allocation of authority to make specific decisions within an organization. Clear decision rights establish who has input to decisions, who makes decisions, and who is accountable for outcomes. In RBPM, decision rights are formalized through the RACI model, clarifying who is Responsible, Accountable, Consulted, and Informed for each strategic objective, key risk, and control. Well-defined decision rights ensure that risk-taking decisions are made at appropriate organizational levels within established appetite boundaries.
Customer Intimacy
A strategic approach focused on delivering precisely what specific customers want through detailed customer knowledge and operational flexibility. Organizations pursuing customer intimacy continually tailor and shape products and services to fit increasingly precise definitions of customer segments. This strategy requires deep customer insights and relationship-building capabilities, and often entails higher costs that are justified by building long-term customer loyalty. In RBPM, organizations pursuing customer intimacy must define appropriate risk appetite levels for customer-related investments and service delivery.
Culture
The shared values, beliefs, assumptions, and behaviors that characterize an organization. In RBPM, culture is a critical "soft" discipline that can either enable or undermine the effectiveness of strategy and risk management. A strategy-focused, risk-aware culture is one where employees at all levels understand strategic objectives, appreciate risk-taking boundaries, feel empowered to identify and report risks, and make decisions aligned with the organization's risk appetite. Cultural factors often determine whether RBPM implementation succeeds or fails.
Credit Crunch
The severe global financial crisis that began in 2007-2008, triggered by failures in the subprime mortgage market and resulting in a liquidity crisis in the banking system. The Credit Crunch revealed significant weaknesses in risk management practices, particularly in financial institutions that failed to understand their risk exposures and operate within appropriate risk appetite boundaries. It highlighted the consequences of divorcing risk management from strategy, demonstrating the need for integrated approaches like RBPM to ensure sustainable strategic execution.