Glossary

Andrew Smart

Risk Indicators

Metrics that provide insight into risk positions, trends, and emerging issues. Risk indicators include both Key Risk Indicators (KRIs) that track major known risks and emerging risk indicators that monitor potential new threats or opportunities. In RBPM, risk indicators complement performance indicators to provide a balanced view of progress toward strategic objectives and associated risk exposures. Effective risk indicators combine leading measures (predictive) and lagging measures (confirmatory) to enable both proactive and reactive risk management.

Risk Identification

The process of finding, recognizing, and describing risks that could affect an organization's ability to achieve its objectives. Risk identification seeks to develop a comprehensive inventory of risks from both internal and external sources, drawing on historical data, theoretical analysis, informed opinions, stakeholder input, and expert assessments. In RBPM, risk identification focuses particularly on risks related to strategic objectives, ensuring that the most significant strategic threats and opportunities are captured and managed.

Risk Heat Map

A visual representation of risks based on their assessed likelihood and impact. Typically presented as a two-dimensional matrix with likelihood on one axis and impact on the other, with risks plotted according to their assessment scores. Color coding (usually red, amber, green) indicates risk severity, with risks in the high-likelihood, high-impact quadrant requiring greatest attention. In RBPM, Heat Maps help prioritize risk mitigation efforts and communicate risk positions to stakeholders, though they should be complemented by more nuanced analyses.

Risk Exposure

The extent to which an organization is subject to specific risks at a point in time. Risk exposure represents the combination of risk likelihood and impact after considering existing controls (residual risk). In RBPM, exposure is regularly assessed and compared to risk appetite to determine whether the organization is operating within acceptable risk boundaries. The Appetite Alignment Matrix visually displays the relationship between exposure and appetite, highlighting areas of over-exposure or under-exposure that require management attention.

Risk Event

An occurrence or change of a particular set of circumstances that results in a risk materializing. Risk events can lead to positive outcomes (opportunities realized) or negative outcomes (threats materialized). In RBPM, risk events are analyzed to understand their causes, impacts, and control failures, with this information feeding back into the risk management process. Effective risk event management includes timely identification, appropriate escalation, root cause analysis, and implementation of corrective actions. Risk event data provides valuable input for refining risk assessments and improving control effectiveness.

Risk Culture

The norms, attitudes, and behaviors related to risk awareness, risk-taking, and risk management within an organization. Risk culture influences how employees identify, understand, discuss, and act upon current and future risks. In RBPM, a positive risk culture is characterized by transparency, accountability, appropriate challenge, continuous learning, and balance between risk control and value creation. Risk culture is shaped by leadership behaviors, incentive structures, governance mechanisms, and communication practices, and serves as a critical enabler of effective risk-based performance management.

Risk Controls

The policies, procedures, practices, or other mechanisms designed to modify risk by reducing likelihood, impact, or both. Controls can be preventive (reducing the chance of a risk materializing) or detective (identifying when a risk has materialized). In RBPM, controls should be proportionate to the risk they address and aligned with the organization's risk appetite. Effective controls enable pursuit of strategic objectives while maintaining risk exposure within acceptable boundaries. Control effectiveness is monitored through Key Control Indicators and regular assessment processes.

Risk Clustering

The phenomenon where multiple risks concentrate in particular areas of the organization or strategy, potentially creating compounding effects that exceed the sum of individual risk impacts. Risk clustering can be visualized using the Four Perspective Risk Map, which shows how risks distribute across strategic perspectives. Identifying risk clusters helps organizations understand potential systemic vulnerabilities and implement more comprehensive mitigation strategies. In RBPM, addressing risk clustering may require enterprise-wide approaches rather than risk-by-risk treatments.

Risk Categories

Classifications used to organize and group similar types of risks for consistent identification, assessment, and management. Common risk categories include strategic, financial, operational, compliance, reputational, and external risks. In RBPM, risk categories help ensure comprehensive risk identification and enable aggregation of risk information across the organization. They provide a structured approach to risk management while recognizing that risks often span multiple categories and require integrated treatment rather than siloed approaches.

Risk Bow-Tie

A visualization tool for risk analysis that illustrates the relationship between risk causes, risk events, and risk consequences. The risk event forms the center of the bow-tie, with causes branching to the left and consequences to the right. Controls can be mapped to both the cause and consequence sides, showing preventive controls (reducing likelihood) and detective/corrective controls (reducing impact). The Bow-Tie helps clarify risk definitions and enables more targeted risk management by addressing specific causes and consequences rather than generic risk categories.

Risk-Based Performance Management (RBPM)

An integrated framework and methodology for managing organizational performance and risk through the lens of risk appetite. RBPM embeds risk management into strategic and operational decision-making to ensure that organizations execute their strategies while "operating within appetite." The approach comprises seven disciplines: set strategy, manage performance, manage risk, align risk to strategy, governance, culture, and communication, with appetite serving as the binding element across all disciplines. RBPM helps organizations navigate "continuous turbulent times" by balancing strategic ambition with prudent risk management.

Risk-Aware Culture

An organizational environment where employees at all levels understand the importance of risk management, feel responsible for identifying and reporting risks, consider risk implications in their decision-making, and operate within established risk appetite boundaries. In RBPM, a risk-aware culture is complemented by strategic focus to create a "strategy-focused, risk-aware culture" that enables sustainable strategy execution. Cultural factors often determine the success or failure of risk management frameworks regardless of their technical sophistication.

Risk Assessment

The process of identifying, analyzing, and evaluating risks to determine their potential impact and likelihood. Risk assessment provides the foundation for risk management decisions by establishing which risks require attention and what level of treatment is appropriate. In RBPM, risk assessment is conducted at both strategic and operational levels, with key risks linked directly to strategic objectives. The assessment process typically employs a consistent methodology across the organization to ensure comparability and aggregation of risk information.

Risk Appetite Statement

A formal expression of an organization's willingness to take specific types and amounts of risk to achieve its strategic objectives. The statement typically includes both qualitative descriptions and quantitative parameters that define acceptable risk levels across various risk categories and business activities. In RBPM, a well-crafted risk appetite statement serves as a powerful management tool, providing clear guidance for decision-making at all levels of the organization. It establishes the framework within which strategy can be executed in a risk-aware manner.

Risk Appetite

The amount and type of risk that an organization is willing to accept, and must take, to achieve its strategic objectives and create value for stakeholders. Risk appetite establishes boundaries for risk-taking activities and serves as a reference point for evaluating whether actual risk exposure is appropriate. In RBPM, risk appetite is the central concept that connects strategy and risk management. It should be clearly articulated by the board, communicated throughout the organization, and regularly reviewed as conditions change.

Residual Risk

The risk that remains after controls have been implemented to mitigate inherent risk. Residual risk represents the actual exposure that an organization faces after accounting for its risk management efforts. In RBPM, residual risk is assessed against risk appetite to determine whether additional controls are needed or whether existing controls can be relaxed. Effective risk management involves optimizing control investments to achieve appropriate residual risk levels rather than minimizing all risks regardless of cost.

Reputational Risk

The potential for damage to an organization's standing, brand, or credibility among stakeholders. Reputational risk can arise from actions by the organization itself, its employees, or associated parties, or from external events beyond the organization's control. The impact of reputational damage can include customer loss, difficulty attracting talent, regulatory scrutiny, and reduced financial performance. In RBPM, reputational risk is typically managed through governance structures, ethical frameworks, stakeholder management programs, and crisis communication capabilities.

Red Ocean Strategy

A term from W. Chan Kim and Renée Mauborgne's strategic framework describing competition in existing market spaces where industry boundaries and competitive rules are well-established. In red oceans, companies try to outperform rivals to capture greater market share in a limited market, often leading to commoditization and reduced profit margins. The term contrasts with Blue Ocean Strategy, which focuses on creating uncontested market spaces. In RBPM, organizations pursuing red ocean strategies must carefully define risk appetite levels related to competitive actions and pricing strategies.

RAGAR

A scoring methodology used in RBPM that employs a five-point scale (Red, Amber, Green, Amber, Red) to communicate indicator status and exceptions. Unlike traditional RAG (Red, Amber, Green) approaches that focus only on underperformance, RAGAR recognizes that performance can also be too good, potentially indicating inappropriate risk-taking. The RAGAR approach acknowledges that indicators should typically operate within tolerance ranges rather than always maximizing or minimizing values. This promotes a culture focused on operating within defined parameters rather than blindly pursuing targets regardless of risk implications.

RACI Model

A framework for clarifying roles and responsibilities using four designations: Responsible (those who do the work), Accountable (the ultimate authority who approves the work), Consulted (those whose input is sought before decisions), and Informed (those who are updated on progress and decisions). In RBPM, the RACI model serves as a governance mechanism that establishes clear accountability for strategic objectives, key risks, and controls. It ensures that decision rights are appropriately assigned and that stakeholders receive the right level of involvement in risk and performance management activities.
