Risk is defined as ‘the effect of uncertainty on objectives’. This may also be expressed as a deviation from expected outcomes, either positive (opportunity) or negative (threat).
Risk management is defined as ‘co-ordinated activities to direct and control an organisation with regard to risk’.
Risk appetite is defined as ‘the amount of risk that an organisation is willing to pursue or retain’.
A risk management framework is defined as ‘a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation’. A risk management framework would be expected to include a policy, objectives, a mandate and commitment to manage risk, together with the plans, accountabilities, resources, processes and activities for risk management.
These definitions are specified in the international standard ISO Guide 73:2009 and reflected in ISO 31000:2009.