The management of enterprise risks
- Frans Minnaar

- May 19
Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome exists (or existed). Potential losses themselves may also be called "risks". Almost any human endeavor carries some risk, but some are much riskier than others.
There are two elements to this definition, namely:
1) Risks are related to objectives, with specific reference to those circumstances that may cause the institution not to achieve those objectives.
2) Risks are therefore prioritized in terms of impact and likelihood.
Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress.
Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows:
Enterprise risk management is a process, effected by an institution’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the institution, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of institution objectives.
Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are:
--Internal Environment –The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an institution’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
--Objective Setting –Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the institution’s mission and are consistent with its risk appetite.
--Event Identification –Internal and external events affecting achievement of an institution’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
--Risk Assessment –Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
--Risk Response –Management selects risk responses –avoiding, accepting, reducing, or sharing risk –developing a set of actions to align risks with the institution’s risk tolerances and risk appetite.
--Control Activities –Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
--Information and Communication –Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the institution.
--Monitoring –The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Risks are the events or conditions that may result in losses to the enterprise, or may prevent it from achieving its objectives. The sources of risk include the following:
1. The conditions and events in the decision environment of an enterprise that may prevent it from achieving its predetermined performance expectations; and/or
2. The conditions and events in an organisation that limit its capacity to achieve its predetermined objectives in a sustainable manner.
The common aim of all risk assessment models is to assess the potential risks that could impact negatively on the capacity of an institution to achieve its primary aims in an effective, efficient and economical manner. It normally entails the following phases:
--Determine context: This phase starts when the municipality researches its decision-making, management and operating environments with a view to identifying risks.
--The next phase is when individual risks are identified.
--Once risks have been identified, they must be analyzed with a view to prioritizing them, in order to determine which must be mitigated, which accepted and which avoided.
--The next step is to evaluate risks to determine how each must be categorized and treated.
--The final phase is when the institution takes the risk values associated with each of the identified risks, compares them with the defined risk threshold (absorption levels) and then decides how to treat each risk.


