GRC Glossary

Absolute Assurance Permalink

A level of assurance that is impossible to achieve.

Usage Notes

Absolute assurance is not attainable because of limitations including the nature of evidence and the characteristics of misconduct, mistakes and miscalculations (especially intentional fraud). Thus, even when assurance activities are conducted with the highest levels of objectivity and competence, it is still impossible to achieve absolute assurance.

ACCEPT (Design Option) Permalink

An intentional design decision to embrace, or concede to the current level of risk, reward, and compliance.

Usage Notes

Sometimes ACCEPT is used when embracing or conceding to a planned level of risk, reward, or compliance.

Accountable Permalink

The characteristic of an individual who takes responsibility and ownership for tasks and their outcomes, transcending a narrow job description.

Usage Notes

The quality of an individual who assumes responsibility and ownership, going beyond the idea of "it's not my job"

This involves maintaining a balance between stepping up without overstepping boundaries, avoiding both the lack of accountability that manifests as blame-shifting and excessive accountability that may encroach on others' roles.

Action & Control Permalink

A specific way, usually used in combination, that an organization addresses risk, reward, and compliance.

Action & Control Type

A method to organize actions & controls, based on whether they are proactive, detective, or responsive to risk, reward, or compliance.

Action & Control Category

A method to organize actions & controls, according to the specific resources they involve.

Action & Control Orientation

A method to organize actions & controls, based on whether they primarily support management, governance, or assurance activities.

Action & Control Category Permalink

A method to organize actions & controls, according to the specific resources they involve.

Policy Action & Controls

Formal statements and rules about organizational intentions and expectations used to address risk, reward, and compliance.

People Actions & Controls

Human factors, including structure, accountability, education, and enablement used to address risk, reward, and compliance.

Process Action & Controls

Decisions about how and when to perform activities, and where and to whom to assign accountability used to address risk, reward, and compliance.

Physical Actions & Controls

Physical safeguards, barriers, or constraints, such as fences, locks, guards, cameras, or other protective mechanisms, used to address risk, reward, and compliance.

Information Actions & Controls

Communications and reports up, down, and across the organization used to address risk, reward, and compliance.

Technology Action & Controls

Hardware and software systems used to address risk, reward, and compliance.

Financial Action & Controls

Insurance, captives, hedging, reserves, or other financial instruments used to address risk, reward, and compliance.

Action & Control Orientation Permalink

A method to organize actions & controls, based on whether they primarily support management, governance, or assurance activities.

Usage Notes

Some actions & controls may serve management, governance, and assurance orientations. In fact, it is desirable for actions & controls to serve all three orientations to avoid duplication and complexity.

Management Actions & Controls

Actions & controls that primarily serve management activities to address opportunities, obstacles, and obligations.

Governance Actions & Controls

Actions & controls that primarily serve governance activities to constrain and conscribe the organization or some aspect of it.

Assurance Actions & Controls

Actions & controls that primarily serve assurance activities.

Action & Control Type Permalink

A method to organize actions & controls, based on whether they are proactive, detective, or responsive to risk, reward, or compliance.

Proactive Actions & Controls

Actions & controls that promote or enable favorable events and prevent or deter unfavorable events.

Detective Actions & Controls

Actions & controls that detect the occurrence of favorable and unfavorable events.

Responsive Actions & Controls

Actions & controls that aim to accelerate or compound the benefit of favorable events, and correct or recover from the harm of unfavorable events.

Agile Permalink

Evidence that the organization can respond quickly and positively to changes and stress.

Usage Notes

Agility is often measured by tracking how long it takes to adapt to a change in circumstances. For example:

When a new regulation is announced, how long does it take to address it?

When a new customer requirement is uncovered, how long does it to deliver value?

When a change in organizational structure happens, how long does it take other areas of the organization to respond?

Ambiguous Permalink

A property that refers to the presence of multiple, unclear, or conflicting interpretations of conditions, events, or behaviors in a system.

Usage Notes

These questions help to understand if a situation is ambiguous:

1. Is there a prevailing lack of clarity on how to interpret the situation?
2. Are multiple, and often contradictory, interpretations possible for the situation?
3. Is the context or frame of reference for the situation unclear or subject to frequent changes?

Analysis Criteria Permalink

The criteria used to analyze, quantify and select ways to address risk, reward, and compliance.

Analytics (method) Permalink

Analyze trends, ratios or other relationships between gathered data in systems.

Usage Notes

Involves (1) observing changes over time to detect significant variations in stakeholder needs, requirements or expectations, (2) comparing numberical values like financial reports and budgets against industry standards, competitor behavior or past performance; and (3) evaluating data across departments or benchmarks.

Antifragile Permalink

A property or description of systems that increase in capability to thrive as a result of stressors, shocks, volatility, noise, mistakes, faults, attacks, or failures.

Usage Notes

The concept was developed by Nassim Nicholas Taleb in his book, Antifragile, and in technical papers.

Many professionals who aim for organizational resilience say that "getting stronger" has always been an objective of resilience and that "antifragile" may be considered a "maximal form of resilience."

Appetite Permalink

A range for the value of an indicator that defines a preferred or expected level of variation around a target.

Usage Notes

Any variation within the appetite would be considered expected and normal. No adjustments to actions & controls are necessary when a system operates within the appetite.

Appreciation Incentives Permalink

Incentives to perform favorable behaviors that provide meaningful gratitude and acknowledgement to the individual that otherwise would not be available.

Assessment Permalink

A systematic evaluation of something.

Assurance Assessment

An objective and competent evaluation of subject matter to provide conclusions and confidence that statements and beliefs about the subject matter are justified and true.

Risk Assessment

An evaluation of the effect of uncertainty on objectives including the likelihood, impact, and velocity of events that, on balance result in negative consequences.

Effectiveness Assessment

An evaluation of the design and/or operating effectiveness of an area of the organization.

Maturity Assessment

An evaluation of an area of the organization as it relates to a maturity model.

Performance Assessment

An evaluation of the performance of an area of the organization that may include its effectiveness, efficiency, responsiveness, or resilience.

Assessment Planning Permalink

An assessment plan outlines the detailed process and activities necessary to conduct a specific assessment, based on a thorough understanding of the area under review.

Usage Notes

An Assessment Plan is an operational document that details the process for each assessment activity performed for specific areas which are included in the Assurance Plan for the organization.

Assessment Procedures Permalink

Assurance Permalink

The act of objectively and competently evaluating subject matter to provide conclusions and confidence that statements and beliefs about the subject matter are justified and true.

Assurance Provider

Someone who conducts assurance activities.

Objectivity (in Assurance)

The degree to which an Assurance Provider can be impartial, disinterested, independent, and free to conduct necessary activities and to form an opinion about the subject matter.

Competence (in Assurance)

The degree to which an Assurance Provider can use sophisticated, professional, and structured techniques to evaluate subject matter.

Evaluate

The act of judging subject matter by comparing evidence against suitable criteria.

Subject Matter

Identifiable statements, conditions, events, or activities for which there is evidence.

Level of Assurance

A measure of the degree of confidence that an assurance provider can deliver to an information consumer about statements an information provider makes about the subject matter.

Assurance Assessment

An objective and competent evaluation of subject matter to provide conclusions and confidence that statements and beliefs about the subject matter are justified and true.

Assurance Actions & Controls Permalink

Actions & controls that primarily serve assurance activities.

Usage Notes

Assurance actions & controls should only be designed and operated if management or governance actions & controls are insufficient for assurance activities.

Assurance Assessment Permalink

An objective and competent evaluation of subject matter to provide conclusions and confidence that statements and beliefs about the subject matter are justified and true.

Usage Notes

Providing conclusions and enhancing the confidence of stakeholders are key objectives of any assurance assessment.

Assurance Planning Permalink

An assurance plan is a strategic document that outlines the scope, objectives, and needed resources for each planned assessment. It also specifies the timeframe, typically in alignment with the organizational framework for each assessment plan.

Usage Notes

Feedback and formal approval from the responsible oversight body, such as a Board of Directors or Risk Management Oversight Board, is required to ensure alignment with organizational priorities and governance requirements.

Assurance Provider Permalink

Someone who conducts assurance activities.

Usage Notes

Assurance activities are typically intended to mediate the information relationship between information producer and information consumer.

Assurance Risk Permalink

The risk that an assurance assessment provides inaccurate conclusions, especially inaccurate positive conclusions, that statements about the subject matter are justified and true.

Usage Notes

A meaningful misunderstanding happens when information producers make inaccurate statements to information consumers about subject matter. Common reasons for inaccurate statements include:

• Misconduct. The information producer intentionally made inaccurate statements.
• Mistakes. The information producer made statements that turned out to be inaccurate because of errors in underlying systems, actions, and controls.
  

Assurance Risk Equation Permalink

A mathematical method for measuring the level of Assurance Risk (the risk that assurance does not achieve its purpose).

The equation:

Assurance Risk (AR) = (Inherent Risk (IR) x Control Risk (CR)) x Non-Detection Risk (NDR)

Usage Notes

Assurance Risk

Inherent Risk

Control Risk

Non-Detection Risk

Audience Permalink

The person or group that is intended to receive a message.

Audit & Assurance Discipline Permalink

A critical discipline that provides methods to enhance confidence that the organization is reliably achieving objectives, addressing uncertainty, and acting with integrity

AVOID (Design Option) Permalink

A design option to cease all activity or terminate sources that give rise to the opportunity, obstacle, or obligation.

Behaviors Permalink

Observable actions of a person or group of people, informed by beliefs and values.

Voluntary Behaviors

Intentional human actions informed by beliefs and values and governed by free will and discipline.

Involuntary Behaviors

Automatic, often instinctual human actions informed by beliefs and values and governed by nature.

Habitual Behaviors

Semi-automatic human actions informed by beliefs and values and governed by free will and discipline.

Beliefs Permalink

Unobservable ideas and assumptions of a person or group, often caused by experience, perception, and personality.

Benefit Permalink

A measure of the positive impact that an event has on the organization.

Best Possible Value Permalink

A value of an indicator that is likely to be achieved under the best possible assumptions and best possible execution.

Board of Directors Permalink

A group of individuals elected by shareholders to represent their interests and to manage the business and affairs of the organization.

Usage Notes

The board of directors often delegates substantial authority to management and provide more oversight of management and major corporate decisions, and hold a fiduciary duty to protect shareholders' interests.

Boundary Permalink

Mandatory Boundary

Obligations that an organization must address because of some legitimate authority (e.g., laws, rules, regulations).

Voluntary Boundary

Obligations an organization chooses to address because of voluntary decisions (e.g., contracts, agreements and values).

Business Model Permalink

A model that describes how a company creates, delivers, and captures value for its stakeholders. It defines the fundamental aspects of a company's operations, such as its target customers, value proposition, revenue streams, cost structure, and key resources and activities.

Business Unit Permalink

An organizational unit that is subordinate to the enterprise and often responsible for specific products, customers, or geography.

Usage Notes

Business unit may be used even when the organization is not a “business” (e.g., government agency, a nonprofit organization)

Capacity Permalink

A range for an indicator that defines the maximum level of variation around a target that the organization is unwilling, unable and incapable to address; and may result in jeopardy or ruin.

Career Opportunities Incentives Permalink

Incentives to perform favorable behaviors that provide access to career path opportunities that otherwise would not be available.

Cause Permalink

The trigger or potential trigger of events that lead to a consequence including agents or forces that are responsible for bringing something into existence or changing it.

Usage Notes

Causes tend to be narrative, descriptive, or qualitative in nature. When quantifying causes, the term likelihood is typically used.

Prospect

A cause that has the potential to eventually result in benefit.

Hazard

A cause that has the potential to eventually result in harm.

Cause, Event, Consequence (CEC) Model Permalink

An integrated model that illustrates the causes and consequences associated with events.

Usage Notes

Cause

The trigger or potential trigger of events that lead to a consequence including agents or forces that are responsible for bringing something into existence or changing it.

Event

Something that happens, including a change in condition or behavior.

Consequence

The outcome or potential outcome of an event or series of events.

Channel Permalink

The medium used to get the message from the communicator to the audience.

Audience

The person or group that is intended to receive a message.

Communicator

The person or group that sends or signals a message.

Climate Permalink

The collective perception about self, surroundings, and others – including perceptions about culture, some aspect of culture, or some topical area.

Code of Conduct Permalink

The Code of Conduct sets out the principles, values, standards, or rules of behavior that guide the organization's decisions, procedures, and systems. The Code of Conduct is, in effect, a set of the most important core policies.

Usage Notes

The Code of Conduct is, perhaps, the most important policy in an organization.

Code of Ethics Permalink

Collaborative Permalink

The quality of an individual to engage in productive relationships and teamwork, understanding their fundamental role in achieving greater outcomes.

Usage Notes

This characteristic necessitates a balance to avoid underuse, which may lead to isolation and antagonism, and overuse, which may create a social atmosphere without clear accountability.

Committed Value Permalink

A value of an indicator that is likely to be achieved given current assumptions and planned execution.

Usage Notes

When used, this can be considered synonymous with Target

Communicator Permalink

The person or group that sends or signals a message.

Message

The content of what is communicated.

Competence Permalink

The ability to do something successfully.

Competence (in Assurance) Permalink

The degree to which an Assurance Provider can use sophisticated, professional, and structured techniques to evaluate subject matter.

Usage Notes

Being “competent” in assurance means to be cognitively and physically capability of using sophisticated, professional, and structured techniques to evaluate subject matter.

Complex Permalink

A property that refers to the interconnected, interdependent, and interrelated nature of the parts of a system that often give rise to nonlinear dynamics, emergent properties and unpredictable outcomes.

Usage Notes

These questions help to understand if a situation is complex:

1. Are there a multitude of interconnected variables that need to be considered?
2. Does the situation involve navigating through numerous layers of complexity?
3. Are the solutions multifaceted, necessitating a thorough consideration of a wide array of elements?

Compliance Permalink

A measure of the degree to which obligations are proven to be addressed.

Compliance & Ethics Discipline Permalink

A critical discipline that provides methods to identify and address mandatory and voluntary obligations and the underlying ethical principles and values.

Compliance Management Permalink

The act of managing processes and resources to achieve the desired level of compliance.

Compound/Accelerate Actions & Controls Permalink

Actions & controls that compound, accelerate, and increase the impact of favorable events to maximize benefit and promote future occurrence.

Condition Permalink

A state of reality.

Confirmation (method) Permalink

Ask a third party about the assessment area for information and explanations to clarify how processes are followed and procedures are performed.

Usage Notes

Share 'evidence' with a third party whose function involves confirming the validity of the evidence. This can show discrepencies when they occur and provide early detection of inconsistencies if they exist.

Consequence Permalink

The outcome or potential outcome of an event or series of events.

Usage Notes

Consequences tend to be narrative, descriptive, or qualitative in nature. When quantifying consequences, the term impact is typically used.

Impact

A measure that estimates the consequence of an event.

Harm

A measure of the negative impact that an event has on the organization.

Benefit

A measure of the positive impact that an event has on the organization.

Continuous Assessments Permalink

Ongoing, real-time monitoring of processes or controls. These assessments provide continuous feedback and insights, allowing for more proactive management of risks and performance issues as they arise. This type of assessment is part of the organization's day-to-day operations, designed to quickly identify both favorable and unfavorable events​​.

Usage Notes

Types of Assessments

Engagement Assessments

Periodic Assessments

CONTROL (Design Option) Permalink

A design option to implement actions that govern and manage the opportunity, obstacle, or obligation according to its nature.

Usage Notes

Using the word "control" by itself is sometimes used to mean "action & control"

Control Risk Permalink

The level of risk in the event of action/control failure.

Usage Notes

Assurance Risk Equation

Assurance Risk

Inherent Risk

Non-Detection Risk

Convergent Thinking Permalink

Focused on high-likelihood possibilities, most favorable/unfavorable conditions and events, current and most relevant circumstances, and most rewarding/riskiest outcomes.

Correct/Recover Actions & Controls Permalink

Actions & controls that slow down or decrease the impact of unfavorable events, and return the organization to its original state, stable state, or superior state after harm has occurred to minimize harm and prevent future occurrences.

Usage Notes

Returning the organization to its original state or stable state is a sign of resilience.

Returning the organization to a superior state is a sign of antifragility.

Recovery Actions & Controls

Actions & controls that return the organization to its original state, stable state, or superior state after harm has occurred.

Corrective Actions & Controls

Actions & controls that safeguard the organization or some asset after an unfavorable event occurs.

Corrective Actions & Controls Permalink

Actions & controls that safeguard the organization or some asset after an unfavorable event occurs.

Usage Notes

Corrective actions & controls and Recovery actions & controls are related but slightly different.

For example, restoring a server to a clean image is a corrective control because it solves the immediate problem of a malware intrusion, while recovering the server data from backup is a recovery control because it returns the server to a known previous good state allowing the business to resume normal operation.

Creditor Permalink

An individual, institution, or entity to whom the organization owes money or services.

Critical Disciplines Permalink

The background disciplines that comprise the interdisciplinary approach to GRC, including: Governance & Oversight, Strategy & Performance, Risk & Decision Support, Compliance & Ethics, Security & Continuity, and Audit & Assurance.

Governance & Oversight Discipline

A critical discipline that provides methods to guide, constrain and conscribe the organization to achieve its purpose, mission, vision, and values.

Strategy & Performance Discipline

A critical discipline that provides methods to guide, arrange and operate resources to achieve objectives and monitor performance.

Risk & Decision Support Discipline

A critical discipline that provides methods to identify and address the effect of uncertainty on objectives, including ways to support decisions under uncertainty.

Compliance & Ethics Discipline

A critical discipline that provides methods to identify and address mandatory and voluntary obligations and the underlying ethical principles and values.

Security & Continuity Discipline

A critical discipline that provides methods to identify and address threats to critical physical and digital assets and infrastructure.

Audit & Assurance Discipline

A critical discipline that provides methods to enhance confidence that the organization is reliably achieving objectives, addressing uncertainty, and acting with integrity

Culture Permalink

An emergent property of a group of people caused by the interaction of individual beliefs, values, mindsets, and behaviors and demonstrated by observable norms and articulated opinions that shape beliefs, values, mindsets, and behaviors in wide-ranging and durable ways.

Usage Notes

Culture has a bi-directional relationship with individuals. It is both an emergent property of a group of individual beliefs, as well as something that shapes individual beliefs.

Values

Fundamental beliefs, principles, and ideals that an organization, group, or individual demonstrates and adheres to when making decisions and acting.

Climate

The collective perception about self, surroundings, and others – including perceptions about culture, some aspect of culture, or some topical area.

Mindsets

Individual perceptions about self, surroundings, and others – including perceptions about culture, some topical area, or how to approach work.

Beliefs

Unobservable ideas and assumptions of a person or group, often caused by experience, perception, and personality.

Norms

Customs, rules, or expectations that a group socially reinforces, usually through informal means.

Current Residual Risk Permalink

The level of residual risk under currently operating actions & controls.

Current Skill Level Permalink

Existing level of skill a person, or “typical” person in a group, possesses.

Customer Permalink

An individual, institution, or entity that purchases products or services.

Usage Notes

• The customer is sometimes considered the "most important stakeholder" because without a customer, an organization cannot provide value.
• For departments or teams, the customer may include a superior, subordinate, or peer organizational unit. For governmental entities, the customer is a constituent or regulated entity.

Damage Permalink

Decision-Making Criteria Permalink

The principles, values, rules, variables, conditions, targets, tolerances, and other thresholds used to select an option or make a decision.

Direction-Setting Criteria

The criteria used to set the direction for the organization and its objectives based on external/internal context, culture, and stakeholder needs.

Objective-Setting Criteria

The criteria used to set objectives and results in accordance with the organization’s direction.

Identification Criteria

The criteria used to identify opportunities, obstacles, and obligations that stand in front of the organization and its objectives.

Analysis Criteria

The criteria used to analyze, quantify and select ways to address risk, reward, and compliance.

Design Criteria

The criteria used to select actions & controls that address risk, reward, and compliance.

Demographic Factors Permalink

External factors that include gender, age, ethnicity, knowledge of languages, disabilities, mobility, home ownership, employment status, religious belief or practice, culture and tradition, living standards, and income level.

Department Permalink

A department is subordinate to the enterprise and often cuts across multiple business units providing shared services such as human resources, information technology (IT), compliance, risk management, and other services.

Descriptive Norms Permalink

Observation of what individuals do, providing information about what is “normal” in a particular culture.

Design Criteria Permalink

The criteria used to select actions & controls that address risk, reward, and compliance.

Design Effectiveness Permalink

Evidence of logically designed actions & controls relative to objectives, opportunities, obstacles, and obligations. This is accomplished by evaluating the design actions & controls against suitable criteria.

Design Options Permalink

Broad design decisions to address an opportunity, obstacle, or obligation.

Usage Notes

Design options address both risk and reward. The term Risk Response is sometimes used when applied only to risks.

ACCEPT (Design Option)

An intentional design decision to embrace, or concede to the current level of risk, reward, and compliance.

SHARE (Design Option)

To outsource, joint ventures, partnerships, buy insurance, or use other financial instruments to address the opportunity, obstacle, or obligation.

AVOID (Design Option)

A design option to cease all activity or terminate sources that give rise to the opportunity, obstacle, or obligation.

TRANSFER (Design Option)

A special case of a sharing design option where an attempt is made to give close to 100% of responsibility and consequence to a third party.

CONTROL (Design Option)

A design option to implement actions that govern and manage the opportunity, obstacle, or obligation according to its nature.

Design Review Procedure Permalink

A procedure that compares the documentation of the design of a system against suitable criteria that defines an acceptable design of that system.

Usage Notes

Suitable criteria is often available by using available standards or best practices.

Suitable criteria for assessing the GRC Capability Model (or some aspect of it) is available in the GRC Assessment Tools.

Detective Actions & Controls Permalink

Actions & controls that detect the occurrence of favorable and unfavorable events.

Usage Notes

Unfavorable events include incidents of non-compliance.

Deterrent Permalink

A type of action and control that reduces the likelihood of an event from occurring.

Usage Notes

Often, a deterrent refers to a specific action, control, or strategy employed to reduce the likelihood of an event by instilling fear, risk, or negative consequences, thereby reducing the probability of its happening.

Direction-Setting Criteria Permalink

The criteria used to set the direction for the organization and its objectives based on external/internal context, culture, and stakeholder needs.

Directives Permalink

Policy, process, and technology that encourage favorable events.

Divergent Thinking Permalink

Considering all possibilities, conditions and events, circumstances, and outcomes.

Duration Permalink

A measure that estimates how long an event or impact might last.

Economic Factors Permalink

External factors that include growth, exchange, inflation, and interest rates.

Economic Incentives Permalink

Incentives to perform favorable behaviors that provide monetary compensation, bonuses, profit-sharing or gain-sharing that otherwise would not be available.

Education Activity Permalink

Effect Permalink

A measure that estimates the likelihood and impact that an event has on objectives.

Risk

A measure of the negative, unfavorable effect of uncertainty on objectives.

Reward

A measure of the positive, favorable effect of uncertainty on objectives.

Effective Permalink

An aspect of Total Performance which demonstrates evidence of logically designed actions & controls that address appropriate objectives, opportunities, obstacles, and obligations; and evidence that these actions & controls are operating as designed.

Effectiveness Assessment Permalink

An evaluation of the design and/or operating effectiveness of an area of the organization.

Design Effectiveness

Evidence of logically designed actions & controls relative to objectives, opportunities, obstacles, and obligations. This is accomplished by evaluating the design actions & controls against suitable criteria.

Operating Effectiveness

Evidence that actions & controls operate as intended. This is accomplished by substantive testing of information generated by actions & controls to judge actual results against expected results.

Efficient Permalink

An aspect of Total Performance which demonstrates evidence that the organization productively uses financial, human, and other capital resources without wasted effort or expense.

Engagement Assessments Permalink

Deliberately initiated formal and structured evaluations of specific projects or assignments that have a defined start and end. These assessments are designed to provide high assurance regarding the performance, risk, and compliance aspects of these projects. Engagements are characterized by their higher level of objectivity and competence, as well as clear and well-defined reporting requirements.

Usage Notes

Types of Assessments

Continuous Assessments

Periodic Assessments

Enterprise Permalink

The most superior unit that encompasses the entirety of the organization.

Usage Notes

Enterprise may be used even when the organization is a government agency, a nonprofit organization, or a small organization.

Environmental Factors Permalink

External factors that include ecological and environmental aspects such as climate and natural resources.

Ethics Permalink

Values that define right and wrong decisions and actions based on the norms of a group.

Usage Notes

Ethics get their authority from external social systems relating to a specific group. Ethics are often codified in a set of rules that apply to a member of the group (e.g., lawyers, doctors, and accountants follow the ethical system adopted by those in the field).

Ethics and morals are sometimes used interchangeably, but these words have nuanced meanings. Much of the confusion between these two words can be traced back to their origins. For example, the word “ethic” comes from Old French (etique), a set of rules for customs and behaviors, whereas Late Latin (ethica) and Greek (ethos) referred to customs or moral philosophies. “Morals” comes from Late Latin’s moralis, which refers to appropriate behavior and manners in society. The two words originally had very similar meanings.

Evaluate Permalink

The act of judging subject matter by comparing evidence against suitable criteria.

Subject Matter

Identifiable statements, conditions, events, or activities for which there is evidence.

Suitable Criteria

Benchmarks used to evaluate subject matter that yield consistent and meaningful results.

Event Permalink

Something that happens, including a change in condition or behavior.

Usage Notes

All events have a cause. Most events have a consequence. However, some causes and consequences may be ambiguous, complex, or uncertain.

Cause

The trigger or potential trigger of events that lead to a consequence including agents or forces that are responsible for bringing something into existence or changing it.

Consequence

The outcome or potential outcome of an event or series of events.

Opportunity

An uncertain future event that may, on balance, have a positive effect on objectives.

Obstacle

An uncertain future event that may, on balance, have a negative effect on objectives.

Evidence Permalink

Information that is validated for use by information consumers who require validation (assurance) on subject matter conclusions.

Usage Notes

Evidence can be used by the assessment area personnel as part of self-evaluation, by assurance providers as part of internal audit to provide a reasonable level assurance, or by assurance providers as part of an external audit to provide a highly justified, objective, and unbiased assurance about assessment area.

Evidence Gathering Procedures Permalink

Methods for acquiring data from various sources using different means to obtain any trackable and monitored data, verifying such data, and ultimately translating it into indicating factors for decision making. Verified data is considered "Evidence". These methods are Inquiry, Confirmation, Inspection of Info, Inspection of Assets, Observation, Recalculation, Reperformance and Analytics.

Usage Notes

Any, some, or all of these methods can be used to provide a relatively reasonable level assurance.

Analytics (method)

Analyze trends, ratios or other relationships between gathered data in systems.

Confirmation (method)

Ask a third party about the assessment area for information and explanations to clarify how processes are followed and procedures are performed.

Inquiry (method)

Ask assessment area personnel for information and explanations to clarify how processes are followed and procedures are performed.

Observation (method)

Watch personnel actually perform the procedures in the assessment area and document/record findings.

Reperformance (method)

Independently perform controls and evaluate results.

Recalculation (method)

Re-compute the work already done by assessment area personnel to compare.

Inspection of Information (method)

Gather information, explanations and clarification by examining records or documents.

Inspection of Assets (method)

Gather information, explanations and clarification by examining tangible assets (e.g. property).

Exception Reports Permalink

Documents or system-generated outputs that identify deviations from established standards, norms, or expected practices within an organization. These reports are typically produced through automated monitoring systems and serve to highlight anomalies in business processes that require attention or investigation.

Usage Notes

The primary purpose of exception reports is to efficiently identify and draw attention to unusual activities or transactions that may require investigation, rather than reviewing all transactions or activities.

Executive Management Permalink

Executive Team Permalink

A group of executives, often a group of the senior-most executives in an organization.

Usage Notes

The Executive Team is often referred to as the "C-Suite" because the individuals on the Executive Team hold titles such as "chief executive officer," "chief financial officer," and "chief legal officer."

Executives Permalink

Senior-most managers with broad responsibilities over the entire organization or some significant part of the organization (e.g., all technology, all sales, and marketing, all administration, all finance).

Usage Notes

Executives often have words such as “chief” in their titles, such as “chief executive officer” or “chief operating officer.”

Extended Enterprise Permalink

External Context Permalink

External Factors Permalink

Categories of sources and forces that originate outside of the organization including: industry factors, market factors, economic, technology, societal, legal, political, environmental, demographic factors.

Industry Factors

External factors that include new entrants, competitors, suppliers, customers, substitutes, and industry norms.

Market Factors

External factors that include customer trends, demographics, and economic conditions.

Economic Factors

External factors that include growth, exchange, inflation, and interest rates.

Technology Factors

External factors include technological aspects like R&D activity, automation, storage, computation, technology incentives, innovations in materials, mechanical efficiency, and the rate of technological change.

Societal Factors

External factors that include cultural aspects, attitudes, customs, and norms.

Legal and Regulatory Factors

External factors that include laws, rules, regulations, litigation, and judicial or administrative opinions.

Political Factors

External factors that relate to how the government intervenes in the economy, including laws, rules, regulations, tax policy, and political stability.

Environmental Factors

External factors that include ecological and environmental aspects such as climate and natural resources.

Demographic Factors

External factors that include gender, age, ethnicity, knowledge of languages, disabilities, mobility, home ownership, employment status, religious belief or practice, culture and tradition, living standards, and income level.

Geopolitical Factors

External factors that include sanctions, export controls, and potential military conflicts.

External Stakeholders Permalink

An individual, institution, or entity outside of the organization that is affected by, or has an interest in, the company's decisions and activities.

Usage Notes

These stakeholders do not directly participate in the company's operations but can influence or be influenced by the company's business outcomes. Examples of external stakeholders include customers, suppliers, creditors, investors, regulators, the government, competitors, the media, and the community or society in which the company operates. The company's decisions and policies often aim to consider and balance the interests of both internal and external stakeholders.

Customer

An individual, institution, or entity that purchases products or services.

Investor

An individual, institution, or entity that provides capital to the organization either by purchasing shares (thus becoming shareholders), bonds, or other financial instruments, with the expectation of receiving a financial return.

Shareholder

An individual, institution, or entity that owns shares or stock (or some functionally comparable instrument) in the organization.

Creditor

An individual, institution, or entity to whom the organization owes money or services.

Lender

An individual, institution, or entity that provides funds to the organization with the expectation that the funds will be paid back in full, usually with interest.

Supplier

An individual, institution, or entity that provides goods or services to the organization.

Regulator

Government or independent authorities that oversee and control specific aspects of the organization's practices. They set standards and rules that the organization must follow and can impose penalties for non-compliance.

Media

Various channels of communication, like newspapers, television, radio, and online platforms, which can shape public perception of the organization.

Society

The local, national, or global population affected by the organization's operations.

Factor Permalink

A category of forces in the internal or external context.

Feedback Permalink

The reaction from the audience to a message.

Fifth Line of Accountability Permalink

The Governing Authority (Board) is ultimately accountable and responsible for the governance, management, and assurance of performance, risk, and compliance. While the governing authority may choose to delegate, this plenary accountability means that the governing authority must use due care to ensure that the right systems are in place to learn about and address important performance, risk, and compliance issues – especially those that present “red flags.”

Financial Action & Controls Permalink

Insurance, captives, hedging, reserves, or other financial instruments used to address risk, reward, and compliance.

Financial Capital Permalink

Liquidity, budgets, and other economic resources.

First Line of Accountability Permalink

Individuals and teams that own and manage performance, risk, and compliance associated with day-to-day operational activities.

Folkways Permalink

Informal norms that govern everyday behaviors and social etiquette that are not strictly enforced, but where violations may lead to mild disapproval or social awkwardness (e.g., table manners, punctuality, and appropriate dressing).

Force Permalink

A cause that is an emergent property of volatility, uncertainty, complexity, or ambiguity in the internal or external context.

Fourth Line of Accountability Permalink

The Executive team is accountable and responsible for the portfolio of organization-wide performance, risk, and compliance. The Fourth Line gains information from the First Line and the Second Line and assurance from the Third Line to make decisions about managing performance, risk, and compliance.

Fractal Permalink

The property of self-similarity or the repetition of patterns at different scales in a system or structure.

Usage Notes

In fractal geometry, a fractal is a mathematical set that exhibits self-similarity and has a structure that is similar at every scale. Fractals are often found in nature, such as in the branching patterns of trees, the veins of leaves, or the shapes of clouds.

In organizations, fractality is used to describe the self-similar patterns and structures of social networks and interactions, as well as in the study of collective behavior and decision-making.

Fractality means that problems and solutions can replicate and scale to multiple levels of the organization.

Frequency Permalink

A measure that estimates how often the same event might occur.

Geopolitical Factors Permalink

External factors that include sanctions, export controls, and potential military conflicts.

Governance Permalink

The act of indirectly guiding, controlling, and evaluating an entity by constraining and conscribing resources.

Usage Notes

Govern. To govern; governing

Governance & Oversight Discipline Permalink

A critical discipline that provides methods to guide, constrain and conscribe the organization to achieve its purpose, mission, vision, and values.

Governance Actions & Controls Permalink

Actions & controls that primarily serve governance activities to constrain and conscribe the organization or some aspect of it.

Usage Notes

Governance actions & controls are added when management actions & controls do not provide enough information or guidance to constrain and conscribe the organization.

Governing Authority Permalink

The most superior level of accountability and authority.

Usage Notes

• The governing authority is often responsible for balancing the competing needs of stakeholders so that it can guide, constrain, and conscribe the organization to reliably achieve objectives, address uncertainty, and act with integrity to meet these needs.
• The governing authority is often a board of directors if the organization in scope is an enterprise.
• The governing authority may be an oversight committee if the organization in scope is a business unit or department.

GRC Permalink

GRC is a collection of integrated capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity.

It is an initialism that stands for Governance, Risk, and Compliance, and is an interdisciplinary approach of integrated capabilities, interconnected relationships, and interlinked shared values, which enable Principled Performance.

Usage Notes

GRC, as an initialism, denotes governance, risk, and compliance — but the full story of GRC is so much more than those three words.

The acronym GRC was created as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management, and assurance of performance, risk, and compliance activities.

This includes work done by departments in governance, strategy, risk, compliance, security, audit, finance, legal, IT, and HR. But it also includes operators in lines of business, the executive suite, and the board itself.

While GRC was created by OCEG in 2003, the first peer-reviewed academic paper on the topic was published in 2007 by OCEG founder Scott Mitchell in the International Journal of Disclosure and Governance.

This groundbreaking paper influenced the related software and services industry and began open-source GRC standards.

• GRC is the pathway to Principled Performance.
• GRC is a collection of integrated capabilities to enable Principled Performance.
• GRC is a collection of integrated capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity.
• GRC is an interdisciplinary approach of integrated capabilities, interconnected relationships, and interlinked shared values, which enable Principled Performance.

Governance

The act of indirectly guiding, controlling, and evaluating an entity by constraining and conscribing resources.

Risk Management

The act of managing processes and resources to address risk while pursuing reward.

Compliance Management

The act of managing processes and resources to achieve the desired level of compliance.

GRC Capability Model™ Permalink

The collection of capabilities that help an organization reliably achieve objectives, address uncertainty, and act with integrity formalized and documented in the GRC Capability Model™ from OCEG.

Usage Notes

The GRC Capability Model is the pathway to Principled Performance and comprises several capabilities from critical disciplines including:

• Governance & Oversight
• Strategy & Performance
• Risk & Decisions
• Compliance & Ethics
• Security & Continuity
• Audit & Assurance

Habitual Behaviors Permalink

Semi-automatic human actions informed by beliefs and values and governed by free will and discipline.

Harm Permalink

A measure of the negative impact that an event has on the organization.

Hazard Permalink

A cause that has the potential to eventually result in harm.

Helpline Permalink

A live or on-demand channel for individuals to ask questions before or while they are engaged in a task.

Hotline Permalink

A live or on-demand channel for individuals to report problems.

Human Capital Permalink

The collective knowledge, skills, abilities, and experiences of an organization's workforce, along with the relationships, attitudes, and values that enable them to work together to achieve the organization's objectives

IACM Permalink

Identification Criteria Permalink

The criteria used to identify opportunities, obstacles, and obligations that stand in front of the organization and its objectives.

Impact Permalink

A measure that estimates the consequence of an event.

Benefit

A measure of the positive impact that an event has on the organization.

Harm

A measure of the negative impact that an event has on the organization.

Incentives Permalink

Incentives include financial and non-financial things that encourage favorable conduct.

Usage Notes

There are two parts to an incentive:

• Promise - Incentives must be announced in advance of the expected conduct.
• Payoff - Incentives must be delivered as promised and meet or exceed the expectations of the individual. Otherwise, news will spread that the incentives aren't what they appear to be.

Economic Incentives

Incentives to perform favorable behaviors that provide monetary compensation, bonuses, profit-sharing or gain-sharing that otherwise would not be available.

Appreciation Incentives

Incentives to perform favorable behaviors that provide meaningful gratitude and acknowledgement to the individual that otherwise would not be available.

Status Incentives

Incentives to perform favorable behaviors that provide access to esteemed roles, promotions or other visible recognition that otherwise would not be available.

Professional Development Incentives

Incentives to perform favorable behaviors that provide access to professional development opportunities such as training or tuition reimbursements that otherwise would not be available.

Career Opportunities Incentives

Incentives to perform favorable behaviors that provide access to career path opportunities that otherwise would not be available.

Independence Permalink

The state of being free from structural or functional conditions that threaten the ability of the assurance provider to perform assurance activities with objectivity and without any undue influence. It includes the independence of the assurance provider from those who own, manage, operate, or support the activity being assured.

Usage Notes

To achieve the degree of independence necessary to deliver the desired Level of Assurance, an Assurance Provider should have direct and unrestricted access to information producers and information consumers.

Indicator Permalink

A measure of progress toward or status of an objective.

Target

An expected or planned value for an indicator.

Appetite

A range for the value of an indicator that defines a preferred or expected level of variation around a target.

Tolerance

A range for an indicator that defines an acceptable, though not preferred, level of variation around a target the organization is willing and able to address.

Capacity

A range for an indicator that defines the maximum level of variation around a target that the organization is unwilling, unable and incapable to address; and may result in jeopardy or ruin.

Indicator Targets & Ranges (ITR) Model Permalink

A model that describes how indicator targets and ranges such as appetite, tolerance and capacity relate to one another and can be used to evaluate total performance.

Usage Notes

The Indicator Targets & Ranges (ITR) Model is a robust model that provides a complete explanation of how to set targets and important ranges of values to evaluate the total performance of an indicator.

Indicator

A measure of progress toward or status of an objective.

Target

An expected or planned value for an indicator.

Appetite

A range for the value of an indicator that defines a preferred or expected level of variation around a target.

Tolerance

A range for an indicator that defines an acceptable, though not preferred, level of variation around a target the organization is willing and able to address.

Capacity

A range for an indicator that defines the maximum level of variation around a target that the organization is unwilling, unable and incapable to address; and may result in jeopardy or ruin.

Industry Factors Permalink

External factors that include new entrants, competitors, suppliers, customers, substitutes, and industry norms.

Information Actions & Controls Permalink

Communications and reports up, down, and across the organization used to address risk, reward, and compliance.

Information Capital Permalink

Data, communications, and intelligence.

Information Consumer Permalink

An individual, group, or any entity that receives information.

Usage Notes

In the context of Assurance, this information is used as evidence to evaluate and compare against given criteria to provide a certain level of assurance.

Information Producer Permalink

An individual, group, or any entity that produces data/information to send to another individual, group, or entity.

Usage Notes

In the context of Assurance, this is typically information about the design, operation or output of a process are.

Information Supplier Permalink

Information User Permalink

Inherent Effect Permalink

The effect of uncertainty in the absence of actions & controls.

Inherent Risk Permalink

The level of risk in the absence of actions & controls.

Injunctive Norm Permalink

Perceived behavior of what most people approve of, providing information on what one “should” do.

Inquiry (method) Permalink

Ask assessment area personnel for information and explanations to clarify how processes are followed and procedures are performed.

Usage Notes

Investigate the area(s) subject to assessment and assurance activities for data and information that have been documented, monitored, and updated continuously to provide a higher assurance level. This method involves 'pulling' information from sources. Element P6 Inquiry in the GRC Capability Model offers more insight on this method.

Inspection of Assets (method) Permalink

Gather information, explanations and clarification by examining tangible assets (e.g. property).

Usage Notes

Examine the identified assets and collected documents, data, and information from all sources to provide justified conclusions about subject matter.

Inspection of Information (method) Permalink

Gather information, explanations and clarification by examining records or documents.

Usage Notes

Examine the collected documents, data, and information from all sources to provide justified conclusions about subject matter.

Instructor Permalink

Individual who teaches.

Intangible Resources Permalink

Resources that refer to non-physical assets, such as knowledge, brand equity, and organizational culture.

Integrated Action & Control Model™ Permalink

A structure that considers the purpose and types of actions & controls used for the governance, management, and assurance of performance, risk, and compliance.

Usage Notes

Proactive Actions & Controls

Actions & controls that promote or enable favorable events and prevent or deter unfavorable events.

Detective Actions & Controls

Actions & controls that detect the occurrence of favorable and unfavorable events.

Responsive Actions & Controls

Actions & controls that aim to accelerate or compound the benefit of favorable events, and correct or recover from the harm of unfavorable events.

Integrated Performance Support Permalink

A function that provides the exact information needed to solve a learner’s question at the moment of need. The goal is to increase performance by empowering individuals with self-help resources in the flow of work rather than interrupting work with periodic and episodic learning.

Integrated Plan Permalink

An integrated plan details processes and resources allocated to reliably achieve objectives, address uncertainty, and act with integrity.

Integrity Permalink

The state of being whole and complete by fulfilling obligations, honoring promises, and cleaning up the mess if a promise was broken.

Usage Notes

One way to evaluate integrity is with the formula Integrity = Promises Kept / Promises Made.

Sometimes factors outside of the control of the organization prevent promises from being honored. For example, an organization makes an implicit promise to every employee that they will be gainfully employed so long as the employee adds value. However, external factors, such as an economic downturn, might prevent the organization from honoring the employment promise, even if the employee is adding value. To maintain integrity, then, an organization must do its best to help the employee find gainful employment.

Intention (Call to Action) Permalink

What the communicator wants the audience to believe, value, or do as a consequence of the message.

Internal Audit Permalink

A function inside of the organization that helps the workforce, especially management, reliably achieve objectives, address uncertainty, and act with integrity by providing assurance that the right objectives, opportunities, obstacles, and obligations are addressed in the right way, to increase the total performance.

Usage Notes

Internal audit objectively and competently evaluates subject matter to provide conclusions and confidence that statements and beliefs about the subject matter are justified and true. This is especially important for key objectives, opportunities, obstacles, and obligations to make sure that the organization is operating within acceptable levels of risk/reward and compliance.

Internal Context Permalink

Internal Factors Permalink

Categories of sources and forces that originate inside of the organization.

Internal Stakeholders Permalink

Stakeholders with an internal influence from within the organization; Personnel (and unions that represent the workforce), Managers, Executives, Board members, and Owners (who are involved in the organization).

Workforce

The collection of individuals the organization employs.

Owners

Individuals or entities that possess legal ownership and control of the organization.

Board of Directors

A group of individuals elected by shareholders to represent their interests and to manage the business and affairs of the organization.

Investor Permalink

An individual, institution, or entity that provides capital to the organization either by purchasing shares (thus becoming shareholders), bonds, or other financial instruments, with the expectation of receiving a financial return.

Involuntary Behaviors Permalink

Automatic, often instinctual human actions informed by beliefs and values and governed by nature.

Key Compliance Indicator (also KCI) Permalink

Indicators that help govern, manage, and provide assurance about compliance related to an objective.

Key Milestone Indicator (also KMI) Permalink

A Boolean value (yes/no) or a percentage value (% complete) that measures the degree to which a milestone is met.

Key Performance Indicator (also KPI) Permalink

Indicators that help govern, manage, and provide assurance about performance related to an objective.

Key Risk Indicator (also KRI) Permalink

Indicators that help govern, manage, and provide assurance about risk related to an objective.

Key Risks Permalink

Highest priority risks that an organization selects, usually based on key objectives.

Usage Notes

An organization is free to voluntarily select its key risks. Key risks should be defined and selected based on their relationship to key objectives.

Lagging Indicators Permalink

Indicators that provide information about past events or conditions.

Leaders Permalink

Individuals at any level of the organization who have the de facto attention and respect of the workforce regardless of their title or position.

Leadership Permalink

Leading Indicators Permalink

Indicators that provide information about future events or conditions.

Lean Permalink

Learner Permalink

Learning Activity Permalink

A directed collection of learning content that achieves learning objectives by enhancing student ability from current skill level to target skill level.

Usage Notes

Learning activities may be synchronous or asynchronous and may be in-person or online.

Student

Individual who learns.

Learning Objective

Statements that define an educational activity's expected goal(s). Learning objectives can be used to structure the content of educational activities.

Learning Outcome

A statement that reflects what the learner will be able to do as a result of participating in the educational activity.

Current Skill Level

Existing level of skill a person, or “typical” person in a group, possesses.

Target Skill Level

The desired level of skill a person, or “typical” person in a group, is expected to possess.

Learning Content

The content in a learning activity includes text, image, audio, and video and takes the form of lecture, discussion, debate, and demonstration.

Learning Content Permalink

The content in a learning activity includes text, image, audio, and video and takes the form of lecture, discussion, debate, and demonstration.

Learning Objective Permalink

Statements that define an educational activity's expected goal(s). Learning objectives can be used to structure the content of educational activities.

Learning Outcome Permalink

A statement that reflects what the learner will be able to do as a result of participating in the educational activity.

Legal and Regulatory Factors Permalink

External factors that include laws, rules, regulations, litigation, and judicial or administrative opinions.

Lender Permalink

An individual, institution, or entity that provides funds to the organization with the expectation that the funds will be paid back in full, usually with interest.

Level of Assurance Permalink

A measure of the degree of confidence that an assurance provider can deliver to an information consumer about statements an information provider makes about the subject matter.

Usage Notes

A greater degree of Assurance Objectivity and a greater degree of Assurance Competence generally result in a higher Level of Assurance.

Objectivity (in Assurance)

The degree to which an Assurance Provider can be impartial, disinterested, independent, and free to conduct necessary activities and to form an opinion about the subject matter.

Competence (in Assurance)

The degree to which an Assurance Provider can use sophisticated, professional, and structured techniques to evaluate subject matter.

Lower Assurance

A more limited level of assurance resulting from activities such as self-assessments and benchmarking performed by the personnel responsible for the subject matter.

Absolute Assurance

A level of assurance that is impossible to achieve.

Reasonable Assurance

A special type and level of assurance, provided by external auditors as part of a financial audit or examination, that subject matter conforms to suitable criteria and is free from material error.

Limited Assurance

A level of assurance resulting from reviews, compilations, and other activities performed by competent personnel who are sufficiently objective about the subject matter.

Likelihood Permalink

A measure that estimates the occurrence of an event.

Limited Assurance Permalink

A level of assurance resulting from reviews, compilations, and other activities performed by competent personnel who are sufficiently objective about the subject matter.

Lines of Accountability™ Model Permalink

A model that helps organizations govern, manage and provide assurance over performance, risk, and compliance by allocating specific responsibilities to different individuals or groups within the organization and creating a layered approach to produce and preserve value.

Usage Notes

The Lines of Accountability Model segregates responsibilities so that each “line” or group has the appropriate objectivity and competence to address the nature of the required work.

This model is "fractal" in nature and may be applied at both the organizational level or some lower level such as a team. Hence, while the Lines of Accountability Model is presented using five lines, the reality is that organizations comprise unique and idiosyncratic arrangements of people, processes, information, and technology.

Importantly, the Lines of Accountability Model recognizes that a single department or function may perform activities associated with multiple lines of accountability.

For example, an accounting department may function as a "first line" when it records financial transactions, and as a "second line" when it analyses the performance of a business unit or reconciles each sale with a receipt of cash.

Further, consider a sole proprietor who may “physically” have just one “line” in their organization – namely, themselves. Despite this arrangement, the Lines of Accountability Model may be applied by thoughtfully segregating activities in time and space by just one person.

For example, the sole proprietor may perform daily bookkeeping with an aim toward efficiency and accuracy (first line). Then, once a month, and though not completely objective, this same person may perform “desk checking” and review of their own work (second line). Quarterly, they may conduct some strategic planning and review (fourth line). A meticulous sole proprietor may even take a weekend at the end of the year to trace transactions to perform assurance activities (third line) before preparing materials for an external auditor. And being a board member (fifth line), this same person may perform some “ultimate accountability” activities by filing the annual report to keep the organization in good standing with the tax authority.

Contrast this with a global enterprise with many business units and dozens of lines of accountability with varying degrees of scope and scale. Each business unit may have multiple lines of accountability, providing varying degrees of service to other departments and business units.

Hence, every organization will have a unique arrangement of the Lines of Accountability based on the size, scope, and preferences of the board and executive management. What is critical is that the arrangement helps the organization be reliable.

First Line of Accountability

Individuals and teams that own and manage performance, risk, and compliance associated with day-to-day operational activities.

Second Line of Accountability

Individuals and teams that establish performance, risk, and compliance programs for the First Line. The Second Line provides oversight through frameworks, standards, policies, tools, and techniques to support performance, risk, and compliance management. The Second Line often manages its own portfolio of objectives and associated performance, risk, and compliance. The Second Line may provide limited assurance over First Line activities.

Third Line of Accountability

Individuals and teams that specialize in and provide a high level of assurance on activities performed by the First Line and Second Line. The Third Line may include internal audit, external audit or outside experts who are sufficiently objective and competent.

Fourth Line of Accountability

The Executive team is accountable and responsible for the portfolio of organization-wide performance, risk, and compliance. The Fourth Line gains information from the First Line and the Second Line and assurance from the Third Line to make decisions about managing performance, risk, and compliance.

Fifth Line of Accountability

The Governing Authority (Board) is ultimately accountable and responsible for the governance, management, and assurance of performance, risk, and compliance. While the governing authority may choose to delegate, this plenary accountability means that the governing authority must use due care to ensure that the right systems are in place to learn about and address important performance, risk, and compliance issues – especially those that present “red flags.”

LOA Permalink

Lower Assurance Permalink

A more limited level of assurance resulting from activities such as self-assessments and benchmarking performed by the personnel responsible for the subject matter.

Management (as a GRC Concept) Permalink

The act of directly guiding, controlling, and evaluating an entity by arranging and operating resources.

Management Actions & Controls Permalink

Actions & controls that primarily serve management activities to address opportunities, obstacles, and obligations.

Usage Notes

Management actions & controls comprise most of the work performed by the organization.

Whenever possible, management actions & controls should be used by both the governing authority and assurance providers to avoid unnecessary complexity and duplication.

Management Team Permalink

A group of managers who are responsible for an area of the business.

Usage Notes

Often, the Management Team comprises the most senior managers for that particular area. For example, if the area of the business is the financial operations, then the management team may comprise the chief financial officer, the lead controller, and the treasurer.

Managers Permalink

Personnel who manage others.

Usage Notes

Qualifiers such as “senior managers” refer to managers with more responsibility in scale or scope, while “junior managers” have less responsibility.

Mandatory Boundary Permalink

Obligations that an organization must address because of some legitimate authority (e.g., laws, rules, regulations).

Market Factors Permalink

External factors that include customer trends, demographics, and economic conditions.

Material Fact Permalink

A fact is material if there is a substantial likelihood that a reasonable information user would consider it important in making a decision, or if it would have been viewed by the reasonable information user as having significantly altered the 'total mix' of information made available and used to make the decision.

Usage Notes

This definition is based on the standard of materiality articulated by the U.S. Supreme Court in TSC Industries v. Northway, 426 U.S. 438, 449 (1976). While the original standard was applied to financial reporting information in the United States, it is often used as a basis for global financial reporting, cybersecurity reporting and sustainability reporting.

A more direct quote of the original standard would be "a fact is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available."

Material Misstatement Permalink

A material misstatement refers to a significant error or omission in financial statements that could potentially influence the decisions of information consumers of those statements. It can be caused by an error, fraud, or the misapplication of accounting principles. Material misstatements can affect the accuracy and reliability of financial information and may cause financial statements to be misleading or incomplete. Materiality is determined based on the size and nature of the misstatement, as well as its potential impact on the financial statements and the decisions of users of those statements.

Material Misstatements Permalink

A special case of Meaningful Misunderstanding where the information producer makes a significant error or omission in financial statements that could potentially influence the decisions of information consumers.

Maturity Permalink

The level of development, progress, or sophistication of a particular process, function, or organization

Maturity Assessment Permalink

An evaluation of an area of the organization as it relates to a maturity model.

Usage Notes

Maturity Assessments are a form of design effectiveness assessment.

Maturity Model Permalink

A structured framework that is used to assess and measure an organization's maturity or level of development in a particular area.

Usage Notes

Maturity Models are not required to use a specific form or labels. However, Maturity Models typically define a series of levels, each representing a higher level of maturity, and identify specific characteristics, practices, or capabilities that organizations should demonstrate to achieve each level.

• Level 1 - Initial. Practices are improvised, ad hoc, and often chaotic.
• Level 2 - Managed. Practices are defined and managed, though sometimes informally.
• Level 3 - Consistent. Practices are formally documented and consistently managed.
• Level 4 - Measured. Practices are measured and managed with data-driven evidence.
• Level 5 - Optimizing. Practices are consistently improved over time.

Meaningful Misunderstanding Permalink

Meaningful misunderstanding occurs when an information producer makes statements that contain material errors or omissions that could affect the decisions of information users of those statements.

Usage Notes

The risk of meaningful misunderstanding determines the purpose and nature of assurance and assessment activities.

Material Misstatements are a special case of Meaningful Misunderstanding where the information producer makes a significant error or omission in financial statements that could potentially influence the decisions of information consumers.

Material Misstatements

A special case of Meaningful Misunderstanding where the information producer makes a significant error or omission in financial statements that could potentially influence the decisions of information consumers.

Means Permalink

Usage Notes

One may talk about the "ways and means" that an organization uses to reliably achieve objectives, address uncertainty, and act with integrity.

Media Permalink

Various channels of communication, like newspapers, television, radio, and online platforms, which can shape public perception of the organization.

Message Permalink

The content of what is communicated.

Message Cadence Permalink

The velocity and frequency of sending a message.

Mindsets Permalink

Individual perceptions about self, surroundings, and others – including perceptions about culture, some topical area, or how to approach work.

Miscalculations Permalink

The information producer made mathematically inaccurate statements about the subject matter where there were undetectable errors in the input of such statements.

Usage Notes

Assessment Risk

Misconduct

Mistakes

Mission Permalink

An objective that states who the organization serves, what it does, and what it hopes to achieve today and in the long term.

Usage Notes

The mission statement is often used to guide decision-making and priority-setting within the organization, and serves as a clear and consistent statement of its overall purpose and direction.

Monitoring Permalink

Ongoing and periodic activities that observe actions & controls, and the information generated by these controls, to gauge effectiveness, efficiency, responsiveness, and resilience.

Morals Permalink

Values that define good and bad (evil) decisions and actions based on a system of beliefs or personal intuitions.

Usage Notes

Morals get their authority from personal intuitions, a "higher power," or other systems of beliefs.

When a society, organization, or group fully embodies a specific system of beliefs, the ethics and morals of that group may be almost synonymous. For example, a religious organization may find its "ethical code" and "moral code" synonymous. For example, a political organization may find its ethics nearly synonymous with the moral code embodied by the political system of belief.

Even though morals may come from an external system of beliefs (e.g., religious or political), morals (unlike ethics) are often internalized and expressed in nuanced ways that are specific to the individual.

Ethics tend to be embodied and expressed in consistent ways across individuals. Morals tend to be embodied and expressed in nuanced, idiosyncratic ways across individuals.

Mores Permalink

More formalized and serious norms that are deeply ingrained in a culture and have moral significance. Violating mores can lead to severe social disapproval, ostracism, or even legal consequences (e.g., honesty, respect for elders, and adherence to religious practices).

Noise Permalink

Anything that causes difficulties during the communication process.

Non Detection Risk Permalink

The level of risk due to failure to identify material misstatements or meaningful misunderstandings during monitoring, review or an audit. It indicates the possibility that some errors go unnoticed.

Usage Notes

Assurance Risk Equation

Assurance Risk

Inherent Risk

Control Risk

Norms Permalink

Customs, rules, or expectations that a group socially reinforces, usually through informal means.

Descriptive Norms

Observation of what individuals do, providing information about what is “normal” in a particular culture.

Proscriptive Norms

Customs, rules, or expectations that discourage behavior the group deems negative (e.g., “do not cheat”).

Prescriptive Norms

Customs, rules, or expectations that encourage behavior the group deems positive (e.g., “be honest”).

Injunctive Norm

Perceived behavior of what most people approve of, providing information on what one “should” do.

Folkways

Informal norms that govern everyday behaviors and social etiquette that are not strictly enforced, but where violations may lead to mild disapproval or social awkwardness (e.g., table manners, punctuality, and appropriate dressing).

Mores

More formalized and serious norms that are deeply ingrained in a culture and have moral significance. Violating mores can lead to severe social disapproval, ostracism, or even legal consequences (e.g., honesty, respect for elders, and adherence to religious practices).

Objective Permalink

A measurable outcome to achieve.

Objective-Setting Criteria Permalink

The criteria used to set objectives and results in accordance with the organization’s direction.

Objectivity (in Assurance) Permalink

The degree to which an Assurance Provider can be impartial, disinterested, independent, and free to conduct necessary activities and to form an opinion about the subject matter.

Obligation Permalink

A requirement that an organization must or should address because of a promise, whether mandatory or voluntary.

Mandatory Boundary

Obligations that an organization must address because of some legitimate authority (e.g., laws, rules, regulations).

Voluntary Boundary

Obligations an organization chooses to address because of voluntary decisions (e.g., contracts, agreements and values).

Observation (method) Permalink

Watch personnel actually perform the procedures in the assessment area and document/record findings.

Usage Notes

Monitor the actual implementation of actions and controls as they are being performed by personnel in the area(s) subject to assessment and/or assurance activities, analyze findings, document results (for tracking and comparison purposes) and draw justified conclusions. These conclusions serve as evidence to provide a higher level of assurance.

Obstacle Permalink

An uncertain future event that may, on balance, have a negative effect on objectives.

Operating Effectiveness Permalink

Evidence that actions & controls operate as intended. This is accomplished by substantive testing of information generated by actions & controls to judge actual results against expected results.

Operating Geographies Permalink

Legal jurisdictions where the organization operates.

Operating Review Procedure Permalink

A procedure that compares the actual events or transactions performed by a system (including people, processes and technologies) against the expected events and transactions given the design of the system.

Operational Effectiveness Permalink

Opportunity Permalink

An uncertain future event that may, on balance, have a positive effect on objectives.

Org Chart Permalink

An organizational chart, or org chart, is a visual representation of an organization's structure. It illustrates the roles, responsibilities, and relationships between individuals within the company, highlighting the hierarchy and reporting lines. It's a way to understand how the company is organized and how different parts connect.

Organization Permalink

Organization in Scope Permalink

The organizational unit in scope for applying the GRC Capability Model.

Usage Notes

The Organization in Scope may be at any level including:

• Enterprise
• Business Unit
• Department
• Team

Some professionals even apply the GRC Capability Model at an individual level, though the guidance provided is intended for organizations with multiple people.

Organizational Level

A hierarchical tier within an organization that is responsible for specific tasks, functions, decisions, actions, and controls.

Organizational Layer

A unit within an organization that is responsible for specific tasks, functions, decisions, actions, and controls and typically referenced in relationship to other layers.

Organizational Unit

A specific subdivision of an organization that is formed for the purpose of achieving particular objectives.

Organizational Chart Permalink

A diagram that shows the structure of an organization and the relationships and relative ranks of its parts and positions/jobs

Organizational Layer Permalink

A unit within an organization that is responsible for specific tasks, functions, decisions, actions, and controls and typically referenced in relationship to other layers.

Usage Notes

When "organizational layer" is used, it typically involves some "layering" of organizational units to achieve an objective. For example:

• Having multiple layers of protection to address a particular risk
• Having multiple layers so that an important strategic priority isn't forgotten

Organizational Level Permalink

A hierarchical tier within an organization that is responsible for specific tasks, functions, decisions, actions, and controls.

Usage Notes

Superior Level

Organizational units to which the organization in scope is accountable.

Peer Level

Organizational units that are lateral to the organization in scope and often report to or are accountable to the same superior unit.

Subordinate Level

Organizational units that are accountable to the organization in scope.

Organizational Unit Permalink

A specific subdivision of an organization that is formed for the purpose of achieving particular objectives.

Enterprise

The most superior unit that encompasses the entirety of the organization.

Business Unit

An organizational unit that is subordinate to the enterprise and often responsible for specific products, customers, or geography.

Department

A department is subordinate to the enterprise and often cuts across multiple business units providing shared services such as human resources, information technology (IT), compliance, risk management, and other services.

Team

The smallest organizational unit. Teams may be part of a department or maybe cross-functional. Teams may be permanent or temporary.

Owners Permalink

Individuals or entities that possess legal ownership and control of the organization.

Usage Notes

Owners, unlike external shareholders or investors, tend to have direct operational involvement in the organization.

Paragons Permalink

Role models that encourage favorable events.

Peer Level Permalink

Organizational units that are lateral to the organization in scope and often report to or are accountable to the same superior unit.

Usage Notes

Recall that the Organization in Scope may be an enterprise, business unit, department or team. Thus the "Peer Level" would be a unit that shares a common Superior Level to which both the Organization in Scope and the Peer Level report.

People Actions & Controls Permalink

Human factors, including structure, accountability, education, and enablement used to address risk, reward, and compliance.

Performance Permalink

Performance Assessment Permalink

An evaluation of the performance of an area of the organization that may include its effectiveness, efficiency, responsiveness, or resilience.

Performance Management Permalink

The act of managing processes and resources to pursue reward while addressing risk.

Periodic Assessments Permalink

Scheduled evaluations that occur at regular intervals. They do not provide the same level of ongoing insight as continuous assessments but serve to review the effectiveness, efficiency, responsiveness and resilience of controls or processes on a cyclical basis. These assessments are essential for monitoring overall Total Performance and ensuring alignment with objectives over time​.

Usage Notes

Types of Assessments

Engagement Assessments

Continuous Assessments

Personnel Permalink

Physical Actions & Controls Permalink

Physical safeguards, barriers, or constraints, such as fences, locks, guards, cameras, or other protective mechanisms, used to address risk, reward, and compliance.

Physical Capital Permalink

The physical assets of an organization, including manufactured goods, buildings, equipment, and infrastructure.

Planned (Simulated) Stress Permalink

Scenarios that use historical, hypothetical, or simulated events to test how forces will be addressed.

Planned Residual Risk Permalink

The level of residual risk under planned (or desired) actions & controls.

Policy Permalink

A broad articulation of what the organization expects on a particular topic, that describes the “why” or intent, considers context, sets the tone, and changes infrequently.

Prescriptive Policy

A policy that states what to do.

Proscriptive Policy

A policy that says what not to do.

Policy Action & Controls Permalink

Formal statements and rules about organizational intentions and expectations used to address risk, reward, and compliance.

Political Factors Permalink

External factors that relate to how the government intervenes in the economy, including laws, rules, regulations, tax policy, and political stability.

Prescriptive Norms Permalink

Customs, rules, or expectations that encourage behavior the group deems positive (e.g., “be honest”).

Prescriptive Policy Permalink

A policy that states what to do.

Prevent/Deter Actions & Controls Permalink

Actions & controls that decrease the likelihood of an unfavorable event by preventing or deterring it from happening.

Principled Performance Permalink

To reliably achieve objectives, address uncertainty, and act with integrity.

Usage Notes

Principled Performance is the goal of GRC. Principled Performance is an approach to business (and life!) that helps organizations reliably achieve objectives, address uncertainty and act with integrity.

Note that “Reliably” pertains to all other parts of the definition. Thus Principled Performance means to:

• reliably achieve objectives;
• reliably address uncertainty; and
• reliably act with integrity.

Reliably

To thoughtfully, consistently, dependably, and transparently do something.

Objective

A measurable outcome to achieve.

Uncertainty

A state of being unsure about something due to incomplete knowledge or underlying randomness making it difficult to understand with complete confidence.

Integrity

The state of being whole and complete by fulfilling obligations, honoring promises, and cleaning up the mess if a promise was broken.

Proactive Permalink

The quality of an individual to anticipate and act on situations, reducing the risk of unforeseen problems.

Usage Notes

This trait requires a balance, preventing both an underuse that can result in inaction or timidity and an overuse that might lead to rash decisions or a state of constant flux without stability.

Proactive Actions & Controls Permalink

Actions & controls that promote or enable favorable events and prevent or deter unfavorable events.

Prevent/Deter Actions & Controls

Actions & controls that decrease the likelihood of an unfavorable event by preventing or deterring it from happening.

Promote/Enable Actions & Controls

Actions & controls that increase the likelihood of a favorable event by promoting, enabling and incentivizing it to happen.

Procedure Permalink

A detailed articulation of what the organization expects on a particular topic, that describes the “how to” or instructions, guides implementation, and is audience-specific.

Process Permalink

A series of actions or steps to achieve an objective.

Process Action & Controls Permalink

Decisions about how and when to perform activities, and where and to whom to assign accountability used to address risk, reward, and compliance.

Professional Development Incentives Permalink

Incentives to perform favorable behaviors that provide access to professional development opportunities such as training or tuition reimbursements that otherwise would not be available.

Promote/Enable Actions & Controls Permalink

Actions & controls that increase the likelihood of a favorable event by promoting, enabling and incentivizing it to happen.

Directives

Policy, process, and technology that encourage favorable events.

Paragons

Role models that encourage favorable events.

Incentives

Incentives include financial and non-financial things that encourage favorable conduct.

Proscriptive Norms Permalink

Customs, rules, or expectations that discourage behavior the group deems negative (e.g., “do not cheat”).

Proscriptive Policy Permalink

A policy that says what not to do.

Prospect Permalink

A cause that has the potential to eventually result in benefit.

Protector Permalink

A GRC Professional who spends substantial time producing and preserving value and serving as a stabilizing force in their organization.

Protector Mindset™

Traits that strengthen the way that a high-performing Protector makes decisions and appraises problems, solutions, people, and reality. These traits include being: Collaborative, Accountable, Stable, Proactive, Visionary, and Versatile.

Protector Skillset™

Interdisciplinary skills that strengthen the way that a high-performing Protector does their job including the critical disciplines.

Protector Mindset™ Permalink

Traits that strengthen the way that a high-performing Protector makes decisions and appraises problems, solutions, people, and reality. These traits include being: Collaborative, Accountable, Stable, Proactive, Visionary, and Versatile.

Stable

The quality of an individual to consistently provide calm, composed and orderly influence within volatile, uncertain, complex and ambiguous environments.

Versatile

The quality of an individual to employ a multi-disciplinary approach and a wide range of skills to address complex issues.

Accountable

The characteristic of an individual who takes responsibility and ownership for tasks and their outcomes, transcending a narrow job description.

Collaborative

The quality of an individual to engage in productive relationships and teamwork, understanding their fundamental role in achieving greater outcomes.

Proactive

The quality of an individual to anticipate and act on situations, reducing the risk of unforeseen problems.

Visionary

The quality of an individual to maintain a long-term, optimistic perspective and remain purpose-driven, even amidst distractions.

Protector Skillset™ Permalink

Interdisciplinary skills that strengthen the way that a high-performing Protector does their job including the critical disciplines.

Purpose Permalink

The purpose states who the organization serves, what it does, what it believes, what is stands for, what it hopes to achieve in the near term and long term, and why all of this matters; usually through its Mission, Vision and Values statements.

Mission

An objective that states who the organization serves, what it does, and what it hopes to achieve today and in the long term.

Vision

An objective that describes what the organization aspires to be and why it matters.

Values

Fundamental beliefs, principles, and ideals that an organization, group, or individual demonstrates and adheres to when making decisions and acting.

RACI Matrix Permalink

A chart that describes the participation of various roles in completing tasks or deliverables for a project or business process.

Usage Notes

RACI is an acronym derived from the four key responsibilities most typically used: responsible, accountable, consulted, and informed.

• R = Responsible (also recommender)
  Those who do the work to complete the task. There is at least one role with this role, although others can be delegated to assist in the work required.
• A = Accountable (also approver or final approving authority)
  Those who are ultimately answerable for the correct and thorough completion of the deliverable or task, ensure the prerequisites of the task are met, and delegate the work to those responsible. In other words, an accountable must sign off (approve) work that the responsible person provides. There must be only one person or entity accountable for each task or deliverable.
• C = Consulted (sometimes consultant or counsel)
  Those whose opinions are sought, typically subject-matter experts, and with whom there is two-way communication.
• I = Informed (also informee)
  Those who are kept up-to-date on progress, often only on completion of the task or deliverable, and with whom there is just one-way communication.

Reasonable Assurance Permalink

A special type and level of assurance, provided by external auditors as part of a financial audit or examination, that subject matter conforms to suitable criteria and is free from material error.

Recalculation (method) Permalink

Re-compute the work already done by assessment area personnel to compare.

Usage Notes

Simulate the process of implementing actions and controls in various methods and compare results against those of the actual implementation. This provides sufficient verification of gathered data and deem it evidence. It can also be used to identify areas for improvement.

Receiver Permalink

Recovery Actions & Controls Permalink

Actions & controls that return the organization to its original state, stable state, or superior state after harm has occurred.

Usage Notes

Corrective actions & controls and Recovery actions & controls are related but slightly different.

For example, restoring a server to a clean image is a corrective control because it solves the immediate problem of a malware intrusion, while recovering the server data from backup is a recovery control because it returns the server to a known previous good state allowing the business to resume normal operation.

Regulator Permalink

Government or independent authorities that oversee and control specific aspects of the organization's practices. They set standards and rules that the organization must follow and can impose penalties for non-compliance.

Reliably Permalink

To thoughtfully, consistently, dependably, and transparently do something.

Reperformance (method) Permalink

Independently perform controls and evaluate results.

Usage Notes

Implement the actions and controls in place separately and independently from the assessment area and its personnel, and re-evaluate the results and compare them with the observation results. Also, the same reperformance process can take place for the recalculated/simulated actions and controls and compare the results with actual implementation by assessment area personnel and by assurance providers alike.

Residual Effect Permalink

The effect of uncertainty in the presence of actions & controls.

Residual Risk Permalink

The level of risk in the presence of actions & controls.

Current Residual Risk

The level of residual risk under currently operating actions & controls.

Planned Residual Risk

The level of residual risk under planned (or desired) actions & controls.

Resilient Permalink

Evidence that the organization can withstand or recover quickly from difficult conditions and even become stronger after stress.

Resources Permalink

A general term referring to Capital Resources that include tangible and intangible assets and capabilities that an organization may use to achieve objectives.

Tangible Resources

Resources that refer to physical assets, such as land, buildings, and equipment.

Intangible Resources

Resources that refer to non-physical assets, such as knowledge, brand equity, and organizational culture.

Financial Capital

Liquidity, budgets, and other economic resources.

Human Capital

The collective knowledge, skills, abilities, and experiences of an organization's workforce, along with the relationships, attitudes, and values that enable them to work together to achieve the organization's objectives

Physical Capital

The physical assets of an organization, including manufactured goods, buildings, equipment, and infrastructure.

Information Capital

Data, communications, and intelligence.

Technology Capital

Hardware, software, and related technological resources that an organization may use to achieve its objectives.

Response Options Permalink

Responsive Permalink

Responsive Actions & Controls Permalink

Actions & controls that aim to accelerate or compound the benefit of favorable events, and correct or recover from the harm of unfavorable events.

Correct/Recover Actions & Controls

Actions & controls that slow down or decrease the impact of unfavorable events, and return the organization to its original state, stable state, or superior state after harm has occurred to minimize harm and prevent future occurrences.

Compound/Accelerate Actions & Controls

Actions & controls that compound, accelerate, and increase the impact of favorable events to maximize benefit and promote future occurrence.

Review Procedures Permalink

Procedures performed by an assurance provider to review or assess subject matter.

Design Review Procedure

A procedure that compares the documentation of the design of a system against suitable criteria that defines an acceptable design of that system.

Operating Review Procedure

A procedure that compares the actual events or transactions performed by a system (including people, processes and technologies) against the expected events and transactions given the design of the system.

Reward Permalink

A measure of the positive, favorable effect of uncertainty on objectives.

Usage Notes

Likelihood

A measure that estimates the occurrence of an event.

Impact

A measure that estimates the consequence of an event.

Prospect

A cause that has the potential to eventually result in benefit.

Benefit

A measure of the positive impact that an event has on the organization.

Opportunity

An uncertain future event that may, on balance, have a positive effect on objectives.

Risk Permalink

A measure of the negative, unfavorable effect of uncertainty on objectives.

Usage Notes

Likelihood

A measure that estimates the occurrence of an event.

Impact

A measure that estimates the consequence of an event.

Velocity

A measure that estimates how quickly an event or impact might occur.

Harm

A measure of the negative impact that an event has on the organization.

Hazard

A cause that has the potential to eventually result in harm.

Obstacle

An uncertain future event that may, on balance, have a negative effect on objectives.

Risk & Decision Support Discipline Permalink

A critical discipline that provides methods to identify and address the effect of uncertainty on objectives, including ways to support decisions under uncertainty.

Risk Appetite Permalink

The level and type of risk the organization is WILLING to address given the level and type of reward it pursues.

Risk Assessment Permalink

An evaluation of the effect of uncertainty on objectives including the likelihood, impact, and velocity of events that, on balance result in negative consequences.

Usage Notes

Risk assessments often entail the identification, analysis, and high level design options to address risks.

Risk Capacity Permalink

The MAXIMUM cumulative level and type of risk that the organization can address. Anything over the risk capacity may affect the organization’s survival.

Risk Event Register Permalink

Document or system the organization uses to record and monitor potential risk events that may impact achieving objectives. It also serves as a central database for identifying, assessing, and addressing risks.

Usage Notes

The Risk Event Register serves as a critical mechanism for monitoring, and involves documenting, assessing, and tracking organizational risks, all in alignment with the followed govenance frameworks while ensuring compliance and keeping trackable records for governing bodies, and future risk assessments.

Risk Management Permalink

The act of managing processes and resources to address risk while pursuing reward.

Risk Target Permalink

The level and type of risk the organization EXPECTS to address given the level and type of reward it pursues.

Risk Tolerance Permalink

The level and type of risk the organization is UNWILLING to exceed given the level and type of reward it pursues.

Risk-Control Matrix Permalink

A comprehensive document that maps the relationship between identified risks and the controls designed to mitigate them. It demonstrates how specific controls address risks that could impact achieving objectives.

Usage Notes

The matrix typically includes:

Identified risks

Related objectives

Controls in place to address each risk

Assessment of control effectiveness

Testing procedures to evaluate controls

Results of control testing

Scope Permalink

The boundaries, limitations, and extent where the GRC Capability Model is applied. The scope is often expressed in terms of organizational unit, geographic area, or functional department.

Second Line of Accountability Permalink

Individuals and teams that establish performance, risk, and compliance programs for the First Line. The Second Line provides oversight through frameworks, standards, policies, tools, and techniques to support performance, risk, and compliance management. The Second Line often manages its own portfolio of objectives and associated performance, risk, and compliance. The Second Line may provide limited assurance over First Line activities.

Security & Continuity Discipline Permalink

A critical discipline that provides methods to identify and address threats to critical physical and digital assets and infrastructure.

Sender Permalink

Senior Management Permalink

SHARE (Design Option) Permalink

To outsource, joint ventures, partnerships, buy insurance, or use other financial instruments to address the opportunity, obstacle, or obligation.

Usage Notes

TRANSFER is a special case of SHARING where an attempt is made to give close to 100% of consequence to another party such as an insurance company.

Shareholder Permalink

An individual, institution, or entity that owns shares or stock (or some functionally comparable instrument) in the organization.

Skill Gap Permalink

The difference between the current skill level and the target skill level.

SMART Criteria Permalink

Criteria used to design/set Objectives to work with Indicators; to be specific, measurable, achievable (yet aspirational), relevant, and time-bound.

Societal Factors Permalink

External factors that include cultural aspects, attitudes, customs, and norms.

Society Permalink

The local, national, or global population affected by the organization's operations.

Sound Permalink

Source Permalink

Stable Permalink

The quality of an individual to consistently provide calm, composed and orderly influence within volatile, uncertain, complex and ambiguous environments.

Usage Notes

This trait includes an avoidance of neurotic or chaotic behavior and an ability to distance oneself from emotional turmoil, while at the same time steering clear from an overuse of stability that may come across as indifferent or uncaring.

Staff Permalink

Junior-level personnel who typically do not manage others.

Stakeholder Permalink

A self-legitimizing person, group, or other entity with a direct or indirect stake in the organization's actions because of actual or perceived impact.

Internal Stakeholders

Stakeholders with an internal influence from within the organization; Personnel (and unions that represent the workforce), Managers, Executives, Board members, and Owners (who are involved in the organization).

External Stakeholders

An individual, institution, or entity outside of the organization that is affected by, or has an interest in, the company's decisions and activities.

Stakeholder Expectation Permalink

(also Stakeholder Want, Stakeholder Need)
A general term that refers to what a stakeholder requests, wants, or expects from the organization.

Stakeholder Need Permalink

Stakeholder Want Permalink

Status Incentives Permalink

Incentives to perform favorable behaviors that provide access to esteemed roles, promotions or other visible recognition that otherwise would not be available.

Strategic Goals Permalink

Long-term objectives typically at higher levels of the organization.

Strategy & Performance Discipline Permalink

A critical discipline that provides methods to guide, arrange and operate resources to achieve objectives and monitor performance.

Stress Permalink

A significant magnitude of force applied to the organization.

Stretch Value Permalink

A value that is unlikely to be achieved, but still possible.

Student Permalink

Individual who learns.

Usage Notes

A student is a specialized term to refer to the target audience for communications and learning activities.

Subject Matter Permalink

Identifiable statements, conditions, events, or activities for which there is evidence.

Subordinate Level Permalink

Organizational units that are accountable to the organization in scope.

Usage Notes

Recall that the Organization in Scope may be an enterprise, business unit, department or team. Thus the "Subordinate Level" would be any unit that reports to the Organization in Scope.

Suitable Criteria Permalink

Benchmarks used to evaluate subject matter that yield consistent and meaningful results.

Superior Level Permalink

Organizational units to which the organization in scope is accountable.

Usage Notes

Recall that the Organization in Scope may be an enterprise, business unit, department or team. Thus the "Superior Level" would be the unit to which the Organization in Scope reports.

Supplier Permalink

An individual, institution, or entity that provides goods or services to the organization.

System Permalink

A collection of interconnected, interdependent, and interrelated parts that interact with each other to form a coherent whole. In the context of organizations, these parts may be people, processes, information, physical assets, digital assets, financial capital, and other resources.

Tangible Resources Permalink

Resources that refer to physical assets, such as land, buildings, and equipment.

Target Permalink