Risk Management Terminology
- Apr 23
Risk management shouldn’t feel like learning a new language – especially when the consequences of getting it wrong are real.
If you’re running a business, leading people, or managing operations, the words used around risk can either build clarity or create chaos.
This article cuts through the noise. It’s a plain-English guide to risk management terminology – the terms that matter in the context of enterprise, operational, health and safety, security, environmental, and fatal risks.
Let’s get clear on what we’re really talking about.
1. Enterprise Risk
Enterprise risks are the big-picture threats to your business’s success, sustainability or reputation.
They include:
Regulatory compliance failures
Economic instability
Strategic decisions that miss the mark
ESG and climate-related liabilities
Catastrophic events (safety, cyber, legal)
These risks live at the board and executive level. Managing them well requires clear governance (how decisions are made) and assurance (how we know those decisions are being followed and are working).
2. Operational Risk
Operational risks show up in the systems, processes, people and assets that keep your business moving day to day. These include:
Equipment or system failure
Key person risk or staff turnover
Process inefficiencies or workarounds
Data entry errors, delays or miscommunications
Often brushed off as ‘just part of the job’, operational risks can quietly snowball into compliance breaches, injuries, or large-scale disruptions if left unmanaged.
3. Risk Assessment
A risk assessment is the process of identifying hazards, analysing what could go wrong, and deciding how to control or eliminate the risk.
Here are the main types used across industry:
Traditional Risk Assessment: Identifies hazards, rates risks (using likelihood and consequence), and recommends controls.
WRAC (What-If Risk Assessment): A structured brainstorming process asking “what if” questions to explore risk scenarios.
JSEA (Job Safety and Environmental Analysis): Task-based assessment used to identify hazards and controls for specific jobs.
SWMS (Safe Work Method Statement): A legislative requirement for high-risk construction work in Australia. It documents how the work will be carried out safely.
HAZOP (Hazard and Operability Study): A highly structured, team-based assessment used in processing industries to examine how systems might deviate from design intent.
HAZID (Hazard Identification Study): A qualitative technique used early in project design to identify hazards that could impact safety or the environment.
Bowtie Analysis: A visual assessment tool that maps hazards, causes, controls, and consequences in one diagram.
SLAM and Take 5: Simple personal risk assessments encouraging workers to stop, think, and check conditions before beginning a task.
Each has its place – the key is choosing the right method for the situation and the level of risk involved. Read more about the different types of risk assessments here.
4. Health and Safety Risk
Health and safety risks are those that can cause injury, illness, or death. They include:
Physical hazards: machinery, heights, noise, electricity
Biological hazards: mould, viruses, contaminated waste
Chemical hazards: solvents, dust, flammable gases
Psychosocial hazards: bullying, fatigue, burnout, poor job design
Managing these risks means going beyond checklists. It requires clear critical controls, well-defined performance standards, and verification activities that confirm the controls are working – not just assumed.
5. Fatal Risk / Critical Risk
These are the most serious risks in your business – those that can lead to death or irreversible harm.
Examples include:
Working at heights
Mobile equipment and pedestrian interactions
Confined spaces
Energised electrical work
Excavation collapse
Fire or explosion
Fatal risks / critical risks demand critical controls. And those controls must be non-negotiable, implemented consistently, and checked regularly.
6. Security Risk
Security risks threaten the safety of people, property, information, or reputation. Common examples include:
Unauthorised access
Theft or sabotage
Workplace violence
Cybersecurity breaches
Insider threats
Security risks can overlap with health and safety risks – particularly in lone work, remote sites, and customer-facing roles.
Understanding risk velocity (how quickly the event can unfold) is crucial here. Security risks often escalate fast – leaving no time for response if controls are weak.
7. Environmental Risk
Environmental risks are the potential for harm to the natural world due to business activities. They include:
Spills or emissions
Land or water contamination
Noise and dust
Waste mismanagement
Climate-related exposure
Environmental risks often have both operational and enterprise consequences – especially with tightening regulation and growing public scrutiny. Strong governance and compliance monitoring are key here.
8. Critical Control
A critical control is a specific, key control that must work to prevent or mitigate a fatal or catastrophic outcome.
Critical controls are not generic or nice-to-haves. They:
Address a specific causal or consequence pathway
Have a performance standard (what good looks like)
Are subject to verification (evidence they are working as intended)
Without them, serious incidents become more than likely – they become inevitable.
9. Risk Matrix (Likelihood, Consequence, Velocity)
The risk matrix is a tool to assess how serious a risk is, using:
Likelihood: How probable is it?
Consequence: How bad could it be?
Velocity: How fast will it escalate if controls fail?
High-velocity risks, like falls or explosions, require critical controls with immediate and guaranteed effectiveness.
10. Risk Tolerance
Risk tolerance defines the level of risk your organisation is willing to accept before action must be taken.
Without clear tolerance levels, risk decisions vary wildly between teams and leaders. Risk tolerance should be defined at the enterprise level and applied consistently.
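As an added illustration of how the matrix (section 9) and the tolerance level (section 10) work together, the following Python example scores a small, constructed risk register. It is example code written for this article, not a tool from SRA Global. The five-point likelihood and consequence scales, the rating bands, and the rule that a high-velocity risk must have an owned, verified critical control are assumptions chosen for the example; the article does not prescribe particular scales or cut-offs.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Ordinal scales for the two matrix axes (assumed five-point scales for this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Rating bands from lowest to highest; the tolerance is the highest band that is accepted.
RATING_ORDER = ["low", "medium", "high", "extreme"]


@dataclass
class CriticalControl:
    name: str
    owner: Optional[str]   # control owner; None means nobody maintains or checks it
    verified: bool         # evidence exists that the control works as intended


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    velocity: str          # "low", "medium" or "high": how fast it escalates if controls fail
    critical_controls: List[CriticalControl] = field(default_factory=list)


def rate(likelihood: str, consequence: str) -> str:
    """Map a likelihood/consequence pair to a rating band (assumed cut-offs on the product)."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def evaluate(risk: Risk, tolerance: str) -> dict:
    """Decide whether a risk can be accepted or must be escalated, and record why."""
    rating = rate(risk.likelihood, risk.consequence)
    findings = []
    # Tolerance gate: any rating above the accepted band requires action.
    if RATING_ORDER.index(rating) > RATING_ORDER.index(tolerance):
        findings.append("rating above tolerance")
    # Velocity gate: a high-velocity risk leaves no time to react, so it needs an
    # owned and verified critical control even when the matrix rating is tolerable.
    if risk.velocity == "high":
        if not risk.critical_controls:
            findings.append("high velocity with no critical control")
        for control in risk.critical_controls:
            if control.owner is None:
                findings.append(f"control '{control.name}' has no owner")
            if not control.verified:
                findings.append(f"control '{control.name}' not verified")
    action = "escalate" if findings else "accept and monitor"
    return {"risk": risk.name, "rating": rating, "action": action, "findings": findings}


def evaluate_register(register: List[Risk], tolerance: str) -> List[dict]:
    return [evaluate(risk, tolerance) for risk in register]


# Constructed sample register; the entries and their scores are illustrative only.
SAMPLE_REGISTER = [
    Risk("Working at heights", "likely", "catastrophic", "high",
         [CriticalControl("fall arrest harness inspection", "Site supervisor", True)]),
    Risk("Data entry errors", "possible", "minor", "low"),
    Risk("Unauthorised access to server room", "unlikely", "major", "high",
         [CriticalControl("access badge system", None, True)]),
    Risk("Workshop fire", "rare", "catastrophic", "high"),
]

if __name__ == "__main__":
    for result in evaluate_register(SAMPLE_REGISTER, "medium"):
        print(f"{result['risk']}: {result['rating']} -> {result['action']} {result['findings']}")
```

Running the block with a tolerance of "medium" shows the two effects the article describes: the server-room risk is escalated partly because its badge system has no control owner, and the workshop fire is escalated despite a tolerable "medium" rating because it is high-velocity with no critical control at all.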
11. Risk Owner
The Risk Owner is responsible for ensuring a specific risk is identified, assessed, treated, and monitored. They often sit at senior or strategic levels and need visibility over budget, resources, and controls.
12. Control Owner
A Control Owner is responsible for the implementation and effectiveness of a specific risk control – especially critical ones.
If no one owns the control, no one maintains or checks it – and that’s when things fail.
13. Investigative Risk Management
This is the process of learning from incidents and near misses – not just what happened, but why it happened.
It focuses on:
Identifying failed or missing controls
Understanding system weaknesses
Strengthening risk controls
Embedding learnings into risk reviews
It's not about blame. It’s about building resilience and protecting people and performance.
14. Governance and Assurance
Governance: The framework that defines who owns what, how decisions are made, and how risk fits into strategy.
Assurance: The process of confirming that controls are in place, effective, and working as intended. Includes audits, reviews, inspections, and independent assessments.
Without assurance, governance is just paperwork. Without governance, assurance has no teeth. You need both.
15. Bowtie Analysis
The bowtie diagram visually maps:
The hazard
The unwanted event
The causes and preventative controls on one side
The consequences and mitigative controls on the other
It’s one of the clearest tools for understanding how risks manifest – and where you must place your critical controls.
Final Thoughts
These aren’t just terms. They’re the foundation of good risk management – and ultimately, they protect people, performance, and your reputation.
If you want to be taken seriously as a risk leader – you need to speak the language.
Before You Assume “Everyone Knows This”…
Ask yourself:
Are we using these terms consistently across the business?
Do our people understand their role in managing risk?
Are our critical controls clearly defined, verified, and owned?
Have we linked our risk assessments to fatal, environmental, and security exposures?
Let’s Build Real Risk Capability
At SRA Global, we don’t just teach theory. We build practical, modern risk leadership – one course, one critical control, one system at a time.
Have you ever felt like you’re ‘doing risk’ – but still vulnerable? Before you keep managing risk the same way, let’s lift your capability.
Explore our full range of courses and workshops or reach out to discuss a tailored program.