Glossary of Terms

Clarification of key terms used in the NHSCFA's Risk Management Guidance

Published: 28 July 2022

Assurance An evaluated opinion, based on evidence gained from a review and analysis of an organisation’s governance, risk management and internal control framework.
Audit, Risk & Assurance Committee (ARAC) A Committee appointed to support the Board to in monitoring the corporate governance and control systems in the organisation.
Corrective Controls Designed to reduce the harm of or compensate for the realisation of a risk.
Detective Controls Controls put in place to detect whether a risk has been realised. These are designed to limit harm and act as an early warning.
Directive Controls Directions to employees or business units designed specifically to limit risk realisation or harm.
Exposure The consequences, as a combination of impact and likelihood, which may be experienced by the organisation if a specific risk is realised.
Governance Governance comprises the organisational arrangements put in place to ensure that the intended outcomes for stakeholders are defined and achieved.
Inherent Risk The exposure arising from a specific risk before any action has been taken to manage it.
Internal Control Any action originating within the organisation taken to manage risk. These actions may be taken to manage either the impact if the risk is realised, or the frequency of the realisation of the risk.
Issue An issue is defined as an event that has happened or is happening. It is a known as opposed to an unknown quantity. The outcome of the actions or events is no longer subject to uncertainty.
Preventive Controls Controls designed to limit the possibility of an undesirable outcome being realised.
Probability and impact matrix A grid setting out the possible risk assessment scores for each combination of probability and impact.
Residual Risk The exposure arising from a specific risk after action has been taken to manage it and making the assumption that the action is effective.
Risk Risk is defined as the uncertainty on objectives: whether positive opportunity or negative threat. It is the combination of probability and impact.
Risk Appetite The amount of risk that an organisation is prepared to accept or be exposed to at any point in time. Sometimes referred to as “risk tolerance”.
Risk Appetite Statement The amount and type of risk that an organisation is willing to take in order to meet their strategic objectives.
Risk Assessment The evaluation of risk with regard to the probability and impact should a risk be realised taking into account risk proximity.
Risk Management All the processes involved in identifying, and assessing risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring, reviewing and communicating progress.
Risk Policy The overall organisational approach to risk management as defined by the senior management and/or Board. This should be documented and easily available throughout the organisation.
Risk Profile The documented and prioritised overall assessment of the range of specific risks faced by the organisation
Risk Proximity A judgement as to how soon exposure to the risk might occur of the risk

Help us improve

Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.


Thanks for the feedback!