CPA Tutoring

Components of Enterprise Risk Management

Before we delve into the components of ERM, let’s clarify some key terms related to risk. These include risk portfolio, risk appetite, inherent risk, residual risk, and different responses to risk such as risk acceptance, risk avoidance, risk sharing, and risk reduction.

First, let’s discuss risk appetite. Risk appetite refers to the type and amount of risk an organization is willing to take. Just as a large appetite indicates a desire to consume more food, a high risk appetite in an organization signifies its willingness to take on substantial risk.

Next is risk portfolio, which encapsulates the amount and types of risks across the entire entity. A company should not consider the risks in its various departments in isolation; instead, it needs to view the entire risk portfolio to understand all risks within the entity and their interconnections.

When discussing risks, it’s essential to differentiate between inherent risks and residual risks. Inherent risk is the level of risk present if an organization did nothing to mitigate it. For example, let’s consider our hypothetical company Hands-Off Cars. Suppose there’s a risk that other car manufacturers will develop superior technologies, potentially forcing Hands-Off Cars out of business. This scenario is the inherent risk—what would happen if we took no measures to prevent it?

On the other hand, residual risk is the remaining risk after risk mitigation measures have been implemented. Let’s say Hands-Off Cars decides to outspend other manufacturers on research and development, becoming the market leader in driverless cars. This strategy reduces the risk, but there’s still residual risk. Another manufacturer could develop superior technology, displacing Hands-Off Cars as the market leader.

In summary, inherent risk represents the level of risk without any mitigation, while residual risk is the remaining risk after risk response.