Supply Chain Risk Lexicon
By Andrew Cox, TSA


What is the difference between Risk Assessment and Risk Analysis? What is TTR? The SCRLC has initiated a project to develop a lexicon for Supply Chain Risk Management. This matters because the discipline is relatively young, and a common terminology can serve as a standard as it matures. The SCRM lexicon is the result of considerable work within the SCRLC membership. It is a living document that grows and changes with the passage of time, and it can only develop with the active assistance and support of you, the reader. If you consider that a SCRM term should be included, amended or deleted, please send an email to info@scrlc.com.


Risk Term

Definition

Risk

The potential for loss or harm due to the likelihood of an unwanted event and its adverse consequences.  Risk typically implies that the likelihood of the event can be measured or estimated in some reliable manner. 

Uncertainty

The degree to which likelihood and consequence can be confidently estimated.  Events which are fundamentally random and uncorrelated can typically be estimated and hence have low degrees of uncertainty.  Events in which strategic actors actively influence the likelihood of carrying out an event, or seek to correlate a series of events, carry a high degree of uncertainty and therefore low confidence in the estimate of likelihood.

Security risk

The risk of a successful attack by an intelligent actor.  Security risk is typically represented as a function of threat, vulnerability, and the impact of a successful attack (consequence).

Risk Management

The process of constructing and evaluating strategies for reducing losses from future adverse events.  Risk management strategies include a combination of options, such as providing information (i.e., risk communication), economic incentives (e.g., subsidies, fines), insurance, regulations, standards, and implementation of countermeasures.  These strategies enable organizations to avoid, transfer, mitigate, hedge, or accept their perceived risks.  In many cases, risk management strategies can be evaluated by undertaking cost-effectiveness analyses to determine the trade-off between reduction of risk and the costs of undertaking such measures.  In other cases, benefits are harder to quantify and must rely on logical analysis.

Risk Analysis

A process for studying the nature of risk across a set of systems and/or assets.  Risk analyses can be strategic or tactical, are typically broader in scope than risk assessments, and may involve risks to multiple assets, systems, transportation modes, and/or geographic regions.

System

A system is an assembly of components, subsystems, or elements that are related to each other and together perform one or more functions.  A system maintains its existence and operates as a whole through the interaction of its parts.  Systems generally exhibit the following characteristics:

1) Consist of components that are connected to each other physically, or through relationships, dependencies, information flows, etc., and demonstrate a degree of integration to perform a function.

2) Exhibit causal properties in that a change in a single component causes changes to other components, or to the overall system.

3) Exhibit feedback in that a change to a single component causes a subsequent change to a second component; in turn, the change to the second component causes a new change to the first component, and so forth.

Asset

An asset is any person, facility, material, information, or activity that has a positive value to the system being managed for risk.  Assets may be categorized in many ways, including: people, information, equipment, facilities, conveyances, and operations.

Threat

The likelihood or relative likelihood that an attack or adverse event will occur within a given timeframe.

Likelihood

The probability of an event.  Likelihood can be measured as a ratio of occurrence of an event over some set period of time given similar conditions.  Likelihood of natural events

Vulnerability

The relative likelihood that the attack or adverse event (the threat) will be successful in achieving the worst reasonable-case consequences associated with a defined scenario, given that the attack is attempted.  Typically, vulnerability scores are calculated based on the recognizability, susceptibility, and resilience of a system or asset.  Vulnerabilities include any flaw or weakness in a system or asset design, implementation, or operation that can be exploited by an adversary.

Consequence

The outcome of an event, including immediate, medium- and long-term direct and indirect effects.  Effects or losses are typically measured in terms of deaths and casualties and economic damages, and may also include less tangible and less quantifiable effects such as behavioral consequences (political ramifications, decreased morale, breakdown in the rule of law, etc.).

Supply Chain Risk Management (SCRM)

The practice of managing the risk of any factor or event that can materially disrupt a supply chain whether within a single company or spread across multiple companies.  The ultimate purpose of supply chain risk management is to enable cost avoidance, customer service, and market position. 

Enterprise Risk Management

The practice of managing, as a whole, the set of risks across an enterprise that can materially disrupt the fundamental mission of an organization.  Common risks managed include financial, IT, supply-chain, marketing, acquisition, regulatory, and political.  Typically Enterprise Risk Management (ERM) is addressed through strategic planning, operations management, and internal controls. 

Internal Environment

The internal characteristics of a company, which encompass culture, organization structure, philosophy, ethics, internal politics, and oversight approach.

Strategic Risk Objective

Strategic Risk Objectives are risk-informed statements of risk-reduction priorities that establish specific, measurable, realistic and attainable targets that, when achieved, will improve a system’s risk profile.  They flow from an understanding of high-consequence risks to the system, and enable organizational leaders to focus risk management efforts appropriately and effectively.

Objective Setting

The process of setting risk objectives in relation to business objectives and risk tolerance in order to improve a system’s risk profile.  Objective setting is a precondition for event identification, risk assessment and risk response. 

Risk Tolerance

The threshold at which managers are willing to accept risks for the organization.  Organizations will differ in the amount and type of risk they are willing to accept. 

Event Identification

The process of identifying those incidents, occurring internally or externally, that could affect strategy and achievement of business objectives.  Events that may have a negative impact represent risks, which require a management response; events that have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

Risk Assessment

A structured method and process for identifying risk to a specific system or asset through the evaluation of threats, vulnerabilities (likelihood) and consequences (impact).  Risk assessments provide the basis for rank ordering of risks, usually within a narrow scope (e.g. at the asset level), and help establish priorities for the application of risk-reduction measures for the specific system or asset being assessed.

Risk Response

The processes in which management makes decisions on options to address specific risks with avoidance, reduction, sharing, or acceptance strategies and countermeasures.  Management evaluates options in relation to risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.  The response is evaluated with regard to whether residual risk is within risk tolerance.


Control Activities

Specific processes/procedures designed to ensure that the countermeasures and strategies put in place to avoid risk are being carried out effectively and efficiently. 

Information & Communication

The process of capturing and communicating pertinent information in a form and timeframe that enables people to carry out their risk management responsibilities. (See Risk Communication below.)

Risk Communication

The process used by risk analysts, decision makers, policy makers, and intelligent adversaries to provide data, information, and knowledge to change the risk perceptions of individuals and organizations and enable them to assess the risk differently than they otherwise might.  Risk communication can ensure more accurate public perceptions of risks, which helps minimize over-reactions and under-reactions to risks.

Monitoring

The process whereby risk managers assess the status of risk-reduction measures to determine effectiveness on an ongoing basis.

Physical Disruption Risk

The risk of the destruction of critical infrastructure in the supply chain.  Critical infrastructure includes the physical components or assets necessary for the continuous operation of the transportation system, including equipment and personnel.

Process Disruption Risk

The risk of interrupting or destroying processes that involve day-to-day operations of supply chains.  Processes include the rules, actions, decisions, and information flows that give life to the physical level and are necessary for efficient and effective operation of the supply-chain system.  Processes are what allow material components to work together, physically or virtually, as a system or supply chain.

Institutional Disruption Risk

Events that involve changes in company or supply-network governance and strategy.  Institutional considerations include the policies, guidance, and organizations that empower and constrain the operation of the supply chain to meet large-scale company goals.  Public sector examples of institutional disruptions include federal legislation, national policies, and state regulations.  Private sector examples include company reorganizations, mergers, market shifts, and technology breakthroughs.

Black Swan Risk

Large-impact, hard-to-predict, and rare events or risks beyond the realm of normal expectations.  Predictive information about Black Swan events either 1) does not exist, 2) cannot be obtained, or 3) cannot be understood because the observer of the event does not have a world-view that could “connect the dots” of the predictive information.  Popularized by author Nassim Taleb.  The term black swan comes from the ancient western conception that 'All swans are white'. In that context, a black swan was a metaphor for something that could not exist. The 17th Century discovery of black swans in Australia transformed the term to connote that the perceived impossibility actually came to pass.


Narrative Fallacy

The fallacy associated with individuals’ vulnerability to over-interpretation of a series of events and a predilection for compact stories over raw truths.  The narrative fallacy is particularly acute when dealing with the aftermath of rare events, when explanations are constructed to explain causality.  The common expressions “20-20 hindsight” and “Monday morning quarterbacking” indicate the same concept, in which an individual develops a story to help explain an event or assign responsibility for an event (good or bad) which could not have been foreseen prior to the event.  After the event, a “narrative” may have powerful explanatory attractiveness regardless of its factual veracity.

Time to Recover (TTR)

Number of weeks required to restore 100% operational output following a supply chain disruption.

Revenue Exposure

Weekly Product Revenue * TTR (weeks)

Substitute Product

A product that may be sold to a customer in lieu of one that is not available due

Business Continuity Planning (BCP)

Procedures by supply chain partners that enable them to recover from a catastrophic event.