Enterprise Risk Management
Key Risk Indicator

Asset

Anything of value to a company.


ERM includes managing overall risk for the organization, aligned to the organization’s governance and risk tolerance. Enterprise risk management includes all areas of risk, not merely those concerned with technology. It is the overall management of risk for an organization.


An instance of compromise.

Natural Disasters

Natural disasters are a category of risks to cloud deployments that is based solely on geography and location. Regulatory violations are not always based on location. They can also be based on the type of industry.

Reputational Risk

Reputational risk is the loss of value of a brand or the ability of an organization to persuade.

Residual Risk

The risk that exists after controls have been implemented.

Risk Appetite

Risk appetite is the total risk that the organization can bear in a given risk profile, usually expressed in aggregate. Risk appetite is set by senior management and is the level, amount, or type of risk that the organization finds acceptable.
  • Organizations accept a level of risk that allows operations to continue in a successful manner.
  • It is legal and defensible to accept risks higher than the norm, or greater than your competitors, except risks to health and human safety; these risks must be addressed to the industry standard or to whatever regulatory framework your organization adheres to.
As risk appetite or tolerance increases, so does the willingness to take greater and greater risks.

Risk Owners and Players

These are the individuals in the organization who together determine the organization's overall risk profile. For example, while one department may be willing to take moderately high risks in engaging cloud activities, another may have a lower risk tolerance. It is the aggregate of these individual tolerances that determines the organization's overall risk appetite.

Risk Profiles

The risk profile of the organization is a comprehensive analysis of the possible risks the organization is exposed to. It lists the identified risks and their potential effects.
The risk profile is determined by an organization's willingness to take risks as well as the threats to which it is exposed. The risk profile should identify the level of risk to be accepted, the way risks are taken, and the way risk-based decision making is performed. Additionally, the risk profile should take into account the potential costs and disruptions should one or more risks materialize.

Risk Tolerance

Risk tolerance is the level of risk that an organization can accept per individual risk.

Secondary Risk

When one risk response triggers another risk event. For example, a fire suppression system that displaces oxygen is a means to mitigate the original risk (fire) but adds a new risk (suffocating people).

Threat

Something that could cause loss to all or part of an asset.

Threat Agent

Something or someone that carries out the attack.

Total Risk

The risk that exists before any controls are implemented.