Definitions
Risk: In accordance with the ISO 31000 (2018) definition, the University defines risk as the potential
"effect of uncertainty on objectives". Risk implies future uncertainty about deviation from
expected outcome.
Risk is about the possibility of something happening. This should not be confused with something
that has already happened, which is then called an issue.
E.g. The risk of the roof of a building leaking if strong winds and rain persist (the roof is not
leaking, but it may start to).
The roof is now leaking due to strong winds and rain (this is now an issue as there is water coming
into the building).
Risk Register: A Risk Register is a risk management tool which is used to log risks, assign risk
scores and treatments, allocate mitigating actions, and track any changes to the risks included.
Software most commonly used at the University of Aberdeen to generate a Risk Register includes
MS Excel.
Risk Appetite: This refers to the level of risk the University is willing to tolerate or accept in the
pursuit of its objectives. When considering threats, risk appetite defines the acceptable level of
exposure deemed tolerable or justifiable by the institution; when considering opportunities, risk
appetite defines how much the University is prepared to actively put at risk in order to realise
potential or expected benefits. (Qualitative measure)
Risk Tolerance: Risk Tolerance is directly linked to Risk Appetite; an organisation with a higher
Risk Appetite will tolerate a higher level of risk, meaning its risk tolerance threshold - the point at
which the level of risk exposure becomes intolerable or unacceptable - will also be higher.
(Quantitative measure)
Risk Treatment: A decision made on how to respond to a risk.