Impact (Severity): Outcome of an event that affects objectives, i.e. the effect of a risk materialising. Consequences can be expressed qualitatively or quantitatively. Also referred to as consequence.
Impact assessment: An analytical process that systematically examines the possible environmental and socio-economic consequences of implementing projects, programmes and policies.
Inherent risk: The level of untreated risk, i.e. the risk before any risk management activity or control measure has been applied to reduce its likelihood or impact.
Internal control: Based on the definition used by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the International Auditing and Assurance Standards Board defines internal control as, “the process designed, implemented, and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.”
Level of risk (or risk level): The magnitude or importance of a risk, resulting from the combination of its impact and its probability.
Likelihood: Chance of something happening. In risk management terminology, "likelihood" refers to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and whether described in general terms or mathematically.
Residual risk: The risk that remains after management has taken measures to reduce the likelihood and the impact of an undesirable event.
Risk: The probability of adverse or beneficial events, following a known probability distribution. The International Organization for Standardization (ISO) defines risk as the effect of uncertainty on objectives. Article 3 of Law 4795/2021 defines risk as: "the possibility or threat of damage, loss or, in general, some negative consequence for the organization's objectives, which can be due to both endogenous and exogenous factors and can be mitigated through preventive actions and control measures".
Risk analysis: The process of understanding the nature of a risk and determining its level.
Risk appetite: Amount and type of risk that an organisation is willing to pursue or retain.
Risk assessment: The overall process of risk identification, risk analysis and risk evaluation, in which the likelihood and impact of the identified risks are estimated.
Risk control: Any action or process undertaken by an entity to manage the risks and increase the likelihood of achieving its goals and objectives. Risk controls can involve avoiding the risk; accepting or retaining the risk; changing the likelihood or consequences; or sharing the risk with another party or parties. Risk controls are sometimes referred to as risk mitigation, risk elimination, risk prevention or risk reduction.
Risk criteria: Indicators used to assess the importance of a risk. Four criteria are recommended: the likelihood of occurrence or the probability of occurrence of a risk, the impact of a risk, the risk level and the efficiency of control measures.
Risk evaluation: Analysis and interpretation of the information gathered during the risk assessment phase. It aims to determine the significance of each identified risk by considering factors such as its potential impact on objectives, its likelihood of occurrence, and the organization's risk tolerance.
Risk identification: The process of finding, recognizing, and describing risks. Risk identification involves the identification of risk sources, events, their causes, and their potential consequences.
Risk management: Risk management refers to an integrated part of an entity’s management system, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to (a) identify, understand, and assess potential risks and opportunities (and their interdependence) that may affect the entity, and (b) manage those risks and opportunities to be within its risk appetite, so as to provide proper disclosure and reasonable assurance regarding the achievement of entity objectives. Risk management also relates to generating ideas and promoting good practice and is most effective when line managers (a) embrace it and use it as part of their management process, and (b) provide their employees with a better understanding of the entity’s risk appetite, to help manage risk across the organization.
According to Article 3 of Law 4795/2021, risk management can also be defined as the process of identifying, evaluating, and controlling potential adverse or favourable events or situations, through which the organization methodically approaches the risks associated with its activities and provides reasonable assurance for the achievement of its objectives.
Risk management framework: Set of guidelines and organisational arrangements relating to the design, implementation, evaluation, and continuous improvement of the entity's risk management, as well as the methodology for conducting the risk management process.
Risk management policy: Statement of the overall intentions and direction of an organization related to risk management. The risk management policy includes how risks are to be managed by purpose and objective, the risk appetite and level of risk tolerance, and the roles and responsibilities of the appropriate levels of management with respect to the design, monitoring and implementation of the risk management framework.
Risk management process: Systematic application of management policies, procedures, and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Risk management body: Person or entity in charge of managing the risks that affect the achievement of its strategic and operational objectives, as well as its efficiency and effectiveness.
Risk tolerance: The willingness of an organisation or an interested party to assume the risk that remains, after measures taken to address it, in order to achieve its objectives.
Risk treatment: The process of selecting and implementing actions to address risks. Once risks have been identified, assessed and evaluated, risk treatment involves deciding on the most appropriate course of action for each of them. This can include mitigating a risk to reduce its likelihood or impact, transferring it to a third party such as an insurer, avoiding it altogether by changing plans or procedures, or accepting it if it falls within the organisation's tolerance level.
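The entries for level of risk, risk criteria, inherent and residual risk, and risk treatment describe one calculation: score likelihood and impact, combine them into a level, apply the efficiency of existing controls to obtain the residual level, and compare that with the organisation's tolerance to pick a treatment option. The following Python is an added worked example of that calculation; it is not part of the glossary or of Law 4795/2021. The five-point scale, the product formula for the level, the rating thresholds, the representation of control efficiency as scale steps removed, the rule for choosing between transfer, avoid and mitigate, and every risk, control and score in the sample register are assumptions constructed for illustration.

```python
"""Worked risk-register calculation.

Assumptions not taken from the glossary: a five-point ordinal scale for
likelihood and impact, risk level = likelihood x impact, and a control's
efficiency expressed as the number of scale steps it removes from the
likelihood and/or the impact of the event. All risks, controls and scores
below are constructed sample data.
"""
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5          # assumed ordinal scale, 1 = lowest


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0    # scale steps removed from likelihood
    impact_reduction: int = 0        # scale steps removed from impact


@dataclass
class Risk:
    name: str
    likelihood: int                  # chance of the event occurring (1-5)
    impact: int                      # consequence if it materialises (1-5)
    controls: list = field(default_factory=list)


def clamp(score: int) -> int:
    """Keep a score on the scale; controls cannot push a score below 1."""
    return max(SCALE_MIN, min(SCALE_MAX, score))


def risk_level(likelihood: int, impact: int) -> int:
    """Level of risk: combination (here the product) of likelihood and impact."""
    if not (SCALE_MIN <= likelihood <= SCALE_MAX and SCALE_MIN <= impact <= SCALE_MAX):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact


def inherent_level(risk: Risk) -> int:
    """Inherent risk: the level before any control is applied."""
    return risk_level(risk.likelihood, risk.impact)


def residual_scores(risk: Risk) -> tuple:
    """Likelihood and impact after the efficiency of existing controls is applied."""
    likelihood = clamp(risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    impact = clamp(risk.impact - sum(c.impact_reduction for c in risk.controls))
    return likelihood, impact


def residual_level(risk: Risk) -> int:
    """Residual risk: the level that remains with current controls in place."""
    return risk_level(*residual_scores(risk))


def rating(level: int) -> str:
    """Qualitative banding of a level (assumed thresholds)."""
    if level >= 15:
        return "high"
    if level >= 8:
        return "medium"
    return "low"


def treatment(risk: Risk, tolerance: int) -> str:
    """Pick a treatment option. `tolerance` is the highest residual level the
    organisation will retain. The rule for choosing between transfer, avoid and
    mitigate is an assumed heuristic, not a rule from the glossary."""
    if residual_level(risk) <= tolerance:
        return "accept"
    likelihood, impact = residual_scores(risk)
    if impact >= 4 and likelihood <= 2:
        return "transfer"        # rare but severe: share with an insurer or partner
    if impact >= 4 and likelihood >= 4:
        return "avoid"           # both high: change the plan or stop the activity
    return "mitigate"            # otherwise add controls to cut likelihood or impact


def build_register(risks: list, tolerance: int) -> list:
    """Risk register rows: inherent level, residual level, rating and treatment."""
    rows = []
    for r in risks:
        rows.append({
            "risk": r.name,
            "inherent": inherent_level(r),
            "residual": residual_level(r),
            "rating": rating(residual_level(r)),
            "treatment": treatment(r, tolerance),
        })
    return rows


# Constructed sample register (hypothetical risks and controls).
SAMPLE_RISKS = [
    Risk("Ransomware on the file server", 4, 5,
         [Control("Offline, tested backups", impact_reduction=2),
          Control("EDR in blocking mode", likelihood_reduction=1)]),
    Risk("Flooding of the data centre", 1, 5),
    Risk("Lost laptop with full-disk encryption", 3, 4,
         [Control("Full-disk encryption", impact_reduction=4)]),
    Risk("Internet-facing host on an end-of-life OS", 5, 4),
]
RISK_TOLERANCE = 4   # assumed: the organisation retains nothing above a level of 4

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, RISK_TOLERANCE):
        print(row)
```

Running the block prints one register row per sample risk. The laptop entry shows the clamping edge case: a control that removes more impact than the score has still leaves the score at the scale minimum rather than at zero, so a residual level is never reported as zero. Whatever scale and combination rule an organisation adopts, the comparison at the end (residual level against tolerance) is what turns the risk criteria into a treatment decision.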
Stakeholder: Natural or legal person who can affect, be affected by, or perceive themselves to be affected by the decisions and/or activities of the entity.