Absolute Assurance
Permalink
A level of assurance that is impossible to achieve.
Usage Notes
Absolute assurance is not attainable because of limitations including the nature of evidence and the characteristics of misconduct, mistakes and miscalculations (especially intentional fraud). Thus, even when assurance activities are conducted with the highest levels of objectivity and competence, it is still impossible to achieve absolute assurance.
ACCEPT (Design Option)
Permalink
An intentional design decision to embrace, or concede to the current level of risk, reward, and compliance.
Usage Notes
Sometimes ACCEPT is used when embracing or conceding to a planned level of risk, reward, or compliance.
Accountable
Permalink
The characteristic of an individual who takes responsibility and ownership for tasks and their outcomes, transcending a narrow job description.
Usage Notes
The quality of an individual who assumes responsibility and ownership, going beyond the idea of "it's not my job"
This involves maintaining a balance between stepping up without overstepping boundaries, avoiding both the lack of accountability that manifests as blame-shifting and excessive accountability that may encroach on others' roles.
Action & Control
Permalink
A specific way, usually used in combination, that an organization addresses risk, reward, and compliance.
- Action & Control Type
A method to organize actions & controls, based on whether they are proactive, detective, or responsive to risk, reward, or compliance.
- Action & Control Category
A method to organize actions & controls, according to the specific resources they involve.
- Action & Control Orientation
A method to organize actions & controls, based on whether they primarily support management, governance, or assurance activities.
Action & Control Category
Permalink
A method to organize actions & controls, according to the specific resources they involve.
- Policy Action & Controls
Formal statements and rules about organizational intentions and expectations used to address risk, reward, and compliance.
- People Actions & Controls
Human factors, including structure, accountability, education, and enablement used to address risk, reward, and compliance.
- Process Action & Controls
Decisions about how and when to perform activities, and where and to whom to assign accountability used to address risk, reward, and compliance.
- Physical Actions & Controls
Physical safeguards, barriers, or constraints, such as fences, locks, guards, cameras, or other protective mechanisms, used to address risk, reward, and compliance.
- Information Actions & Controls
Communications and reports up, down, and across the organization used to address risk, reward, and compliance.
- Technology Action & Controls
Hardware and software systems used to address risk, reward, and compliance.
- Financial Action & Controls
Insurance, captives, hedging, reserves, or other financial instruments used to address risk, reward, and compliance.
Action & Control Orientation
Permalink
A method to organize actions & controls, based on whether they primarily support management, governance, or assurance activities.
Usage Notes
Some actions & controls may serve management, governance, and assurance orientations. In fact, it is desirable for actions & controls to serve all three orientations to avoid duplication and complexity.
- Management Actions & Controls
Actions & controls that primarily serve management activities to address opportunities, obstacles, and obligations.
- Governance Actions & Controls
Actions & controls that primarily serve governance activities to constrain and conscribe the organization or some aspect of it.
- Assurance Actions & Controls
Actions & controls that primarily serve assurance activities.
Action & Control Type
Permalink
A method to organize actions & controls, based on whether they are proactive, detective, or responsive to risk, reward, or compliance.
- Proactive Actions & Controls
Actions & controls that promote or enable favorable events and prevent or deter unfavorable events.
- Detective Actions & Controls
Actions & controls that detect the occurrence of favorable and unfavorable events.
- Responsive Actions & Controls
Actions & controls that aim to accelerate or compound the benefit of favorable events, and correct or recover from the harm of unfavorable events.
Agile
Permalink
Evidence that the organization can respond quickly and positively to changes and stress.
Usage Notes
Agility is often measured by tracking how long it takes to adapt to a change in circumstances. For example:
When a new regulation is announced, how long does it take to address it?
When a new customer requirement is uncovered, how long does it to deliver value?
When a change in organizational structure happens, how long does it take other areas of the organization to respond?
Ambiguous
Permalink
A property that refers to the presence of multiple, unclear, or conflicting interpretations of conditions, events, or behaviors in a system.
Usage Notes
These questions help to understand if a situation is ambiguous:
- Is there a prevailing lack of clarity on how to interpret the situation?
- Are multiple, and often contradictory, interpretations possible for the situation?
- Is the context or frame of reference for the situation unclear or subject to frequent changes?
Analysis Criteria
Permalink
The criteria used to analyze, quantify and select ways to address risk, reward, and compliance.
Antifragile
Permalink
A property or description of systems that increase in capability to thrive as a result of stressors, shocks, volatility, noise, mistakes, faults, attacks, or failures.
Usage Notes
The concept was developed by Nassim Nicholas Taleb in his book, Antifragile, and in technical papers.
Many professionals who aim for organizational resilience say that "getting stronger" has always been an objective of resilience and that "antifragile" may be considered a "maximal form of resilience."
Appetite
Permalink
A range for the value of an indicator that defines a preferred or expected level of variation around a target.
Usage Notes
Any variation within the appetite would be considered expected and normal. No adjustments to actions & controls are necessary when a system operates within the appetite.
Appreciation Incentives
Permalink
Incentives to perform favorable behaviors that provide meaningful gratitude and acknowledgement to the individual that otherwise would not be available.
Assessment
Permalink
A systematic evaluation of something.
- Assurance Assessment
An objective and competent evaluation of subject matter to provide conclusions and confidence that statements and beliefs about the subject matter are justified and true.
- Risk Assessment
An evaluation of the effect of uncertainty on objectives including the likelihood, impact, and velocity of events that, on balance result in negative consequences.
- Effectiveness Assessment
An evaluation of the design and/or operating effectiveness of an area of the organization.
- Maturity Assessment
An evaluation of an area of the organization as it relates to a maturity model.
- Performance Assessment
An evaluation of the performance of an area of the organization that may include its effectiveness, efficiency, responsiveness, or resilience.
Assessment Procedures
Permalink
Assurance
Permalink
The act of objectively and competently evaluating subject matter to provide conclusions and confidence that statements and beliefs about the subject matter are justified and true.
- Assurance Provider
Someone who conducts assurance activities.
- Objectivity (in Assurance)
The degree to which an Assurance Provider can be impartial, disinterested, independent, and free to conduct necessary activities and to form an opinion about the subject matter.
- Competence (in Assurance)
The degree to which an Assurance Provider can use sophisticated, professional, and structured techniques to evaluate subject matter.
- Evaluate
The act of judging subject matter by comparing evidence against suitable criteria.
- Subject Matter
Identifiable statements, conditions, events, or activities for which there is evidence.
- Level of Assurance
A measure of the degree of confidence that an assurance provider can deliver to an information consumer about statements an information provider makes about the subject matter.
- Assurance Assessment
An objective and competent evaluation of subject matter to provide conclusions and confidence that statements and beliefs about the subject matter are justified and true.
Assurance Actions & Controls
Permalink
Actions & controls that primarily serve assurance activities.
Usage Notes
Assurance actions & controls should only be designed and operated if management or governance actions & controls are insufficient for assurance activities.
Assurance Assessment
Permalink
An objective and competent evaluation of subject matter to provide conclusions and confidence that statements and beliefs about the subject matter are justified and true.
Usage Notes
Providing conclusions and enhancing the confidence of stakeholders are key objectives of any assurance assessment.
Assurance Provider
Permalink
Someone who conducts assurance activities.
Usage Notes
Assurance activities are typically intended to mediate the information relationship between information producer and information consumer.
Assurance Risk
Permalink
The risk that an assurance assessment provides inaccurate conclusions, especially inaccurate positive conclusions, that statements about the subject matter are justified and true.
Usage Notes
A meaningful misunderstanding happens when information producers make inaccurate statements to information consumers about subject matter. Common reasons for inaccurate statements include:
- Misconduct. The information producer intentionally made inaccurate statements.
- Mistakes. The information producer made statements that turned out to be inaccurate because of errors in underlying systems, actions, and controls.
Audit & Assurance Discipline
Permalink
A critical discipline that provides methods to enhance confidence that the organization is reliably achieving objectives, addressing uncertainty, and acting with integrity
AVOID (Design Option)
Permalink
A design option to cease all activity or terminate sources that give rise to the opportunity, obstacle, or obligation.
Behaviors
Permalink
Observable actions of a person or group of people, informed by beliefs and values.
- Voluntary Behaviors
Intentional human actions informed by beliefs and values and governed by free will and discipline.
- Involuntary Behaviors
Automatic, often instinctual human actions informed by beliefs and values and governed by nature.
- Habitual Behaviors
Semi-automatic human actions informed by beliefs and values and governed by free will and discipline.
Beliefs
Permalink
Unobservable ideas and assumptions of a person or group, often caused by experience, perception, and personality.
Best Possible Value
Permalink
A value of an indicator that is likely to be achieved under the best possible assumptions and best possible execution.
Board of Directors
Permalink
A group of individuals elected by shareholders to represent their interests and to manage the business and affairs of the organization.
Usage Notes
The board of directors often delegates substantial authority to management and provide more oversight of management and major corporate decisions, and hold a fiduciary duty to protect shareholders' interests.
Boundary
Permalink
- Mandatory Boundary
Obligations that an organization must address because of some legitimate authority (e.g., laws, rules, regulations).
- Voluntary Boundary
Obligations an organization chooses to address because of voluntary decisions (e.g., contracts, agreements and values).
Business Model
Permalink
A model that describes how a company creates, delivers, and captures value for its stakeholders. It defines the fundamental aspects of a company's operations, such as its target customers, value proposition, revenue streams, cost structure, and key resources and activities.
Business Unit
Permalink
An organizational unit that is subordinate to the enterprise and often responsible for specific products, customers, or geography.
Usage Notes
Business unit may be used even when the organization is not a “business” (e.g., government agency, a nonprofit organization)
Capacity
Permalink
A range for an indicator that defines the maximum level of variation around a target that the organization is unwilling, unable and incapable to address; and may result in jeopardy or ruin.
Career Opportunities Incentives
Permalink
Incentives to perform favorable behaviors that provide access to career path opportunities that otherwise would not be available.
Cause
Permalink
The trigger or potential trigger of events that lead to a consequence including agents or forces that are responsible for bringing something into existence or changing it.
Usage Notes
Causes tend to be narrative, descriptive, or qualitative in nature. When quantifying causes, the term likelihood is typically used.
- Prospect
A cause that has the potential to eventually result in benefit.
- Hazard
A cause that has the potential to eventually result in harm.
Cause, Event, Consequence (CEC) Model
Permalink
An integrated model that illustrates the causes and consequences associated with events.
Usage Notes
- Cause
The trigger or potential trigger of events that lead to a consequence including agents or forces that are responsible for bringing something into existence or changing it.
- Event
Something that happens, including a change in condition or behavior.
- Consequence
The outcome or potential outcome of an event or series of events.
Channel
Permalink
The medium used to get the message from the communicator to the audience.
- Audience
The person or group that is intended to receive a message.
- Communicator
The person or group that sends or signals a message.
Climate
Permalink
The collective perception about self, surroundings, and others – including perceptions about culture, some aspect of culture, or some topical area.
Code of Conduct
Permalink
The Code of Conduct sets out the principles, values, standards, or rules of behavior that guide the organization's decisions, procedures, and systems. The Code of Conduct is, in effect, a set of the most important core policies.
Usage Notes
The Code of Conduct is, perhaps, the most important policy in an organization.
Code of Ethics
Permalink
Collaborative
Permalink
The quality of an individual to engage in productive relationships and teamwork, understanding their fundamental role in achieving greater outcomes.
Usage Notes
This characteristic necessitates a balance to avoid underuse, which may lead to isolation and antagonism, and overuse, which may create a social atmosphere without clear accountability.
Committed Value
Permalink
A value of an indicator that is likely to be achieved given current assumptions and planned execution.
Usage Notes
When used, this can be considered synonymous with Target
Competence (in Assurance)
Permalink
The degree to which an Assurance Provider can use sophisticated, professional, and structured techniques to evaluate subject matter.
Usage Notes
Being “competent” in assurance means to be cognitively and physically capability of using sophisticated, professional, and structured techniques to evaluate subject matter.
Complex
Permalink
A property that refers to the interconnected, interdependent, and interrelated nature of the parts of a system that often give rise to nonlinear dynamics, emergent properties and unpredictable outcomes.
Usage Notes
These questions help to understand if a situation is complex:
- Are there a multitude of interconnected variables that need to be considered?
- Does the situation involve navigating through numerous layers of complexity?
- Are the solutions multifaceted, necessitating a thorough consideration of a wide array of elements?
Compliance & Ethics Discipline
Permalink
A critical discipline that provides methods to identify and address mandatory and voluntary obligations and the underlying ethical principles and values.
Compliance Management
Permalink
The act of managing processes and resources to achieve the desired level of compliance.
Compound/Accelerate Actions & Controls
Permalink
Actions & controls that compound, accelerate, and increase the impact of favorable events to maximize benefit and promote future occurrence.
Consequence
Permalink
The outcome or potential outcome of an event or series of events.
Usage Notes
Consequences tend to be narrative, descriptive, or qualitative in nature. When quantifying consequences, the term impact is typically used.
- Impact
A measure that estimates the consequence of an event.
- Harm
A measure of the negative impact that an event has on the organization.
- Benefit
A measure of the positive impact that an event has on the organization.
CONTROL (Design Option)
Permalink
A design option to implement actions that govern and manage the opportunity, obstacle, or obligation according to its nature.
Usage Notes
Using the word "control" by itself is sometimes used to mean "action & control"
Convergent Thinking
Permalink
Focused on high-likelihood possibilities, most favorable/unfavorable conditions and events, current and most relevant circumstances, and most rewarding/riskiest outcomes.
Correct/Recover Actions & Controls
Permalink
Actions & controls that slow down or decrease the impact of unfavorable events, and return the organization to its original state, stable state, or superior state after harm has occurred to minimize harm and prevent future occurrences.
Usage Notes
Returning the organization to its original state or stable state is a sign of resilience.
Returning the organization to a superior state is a sign of antifragility.
- Recovery Actions & Controls
Actions & controls that return the organization to its original state, stable state, or superior state after harm has occurred.
- Corrective Actions & Controls
Actions & controls that safeguard the organization or some asset after an unfavorable event occurs.
Corrective Actions & Controls
Permalink
Actions & controls that safeguard the organization or some asset after an unfavorable event occurs.
Usage Notes
Corrective actions & controls and Recovery actions & controls are related but slightly different.
For example, restoring a server to a clean image is a corrective control because it solves the immediate problem of a malware intrusion, while recovering the server data from backup is a recovery control because it returns the server to a known previous good state allowing the business to resume normal operation.
Creditor
Permalink
An individual, institution, or entity to whom the organization owes money or services.
Critical Disciplines
Permalink
The background disciplines that comprise the interdisciplinary approach to GRC, including: Governance & Oversight, Strategy & Performance, Risk & Decision Support, Compliance & Ethics, Security & Continuity, and Audit & Assurance.
- Governance & Oversight Discipline
A critical discipline that provides methods to guide, constrain and conscribe the organization to achieve its purpose, mission, vision, and values.
- Strategy & Performance Discipline
A critical discipline that provides methods to guide, arrange and operate resources to achieve objectives and monitor performance.
- Risk & Decision Support Discipline
A critical discipline that provides methods to identify and address the effect of uncertainty on objectives, including ways to support decisions under uncertainty.
- Compliance & Ethics Discipline
A critical discipline that provides methods to identify and address mandatory and voluntary obligations and the underlying ethical principles and values.
- Security & Continuity Discipline
A critical discipline that provides methods to identify and address threats to critical physical and digital assets and infrastructure.
- Audit & Assurance Discipline
A critical discipline that provides methods to enhance confidence that the organization is reliably achieving objectives, addressing uncertainty, and acting with integrity
Culture
Permalink
An emergent property of a group of people caused by the interaction of individual beliefs, values, mindsets, and behaviors and demonstrated by observable norms and articulated opinions that shape beliefs, values, mindsets, and behaviors in wide-ranging and durable ways.
Usage Notes
Culture has a bi-directional relationship with individuals. It is both an emergent property of a group of individual beliefs, as well as something that shapes individual beliefs.
- Values
Fundamental beliefs, principles, and ideals that an organization, group, or individual demonstrates and adheres to when making decisions and acting.
- Climate
The collective perception about self, surroundings, and others – including perceptions about culture, some aspect of culture, or some topical area.
- Mindsets
Individual perceptions about self, surroundings, and others – including perceptions about culture, some topical area, or how to approach work.
- Beliefs
Unobservable ideas and assumptions of a person or group, often caused by experience, perception, and personality.
- Norms
Customs, rules, or expectations that a group socially reinforces, usually through informal means.
Current Residual Risk
Permalink
The level of residual risk under currently operating actions & controls.
Current Skill Level
Permalink
Existing level of skill a person, or “typical” person in a group, possesses.
Customer
Permalink
An individual, institution, or entity that purchases products or services.
Usage Notes
- The customer is sometimes considered the "most important stakeholder" because without a customer, an organization cannot provide value.
- For departments or teams, the customer may include a superior, subordinate, or peer organizational unit. For governmental entities, the customer is a constituent or regulated entity.
Damage
Permalink
Decision-Making Criteria
Permalink
The principles, values, rules, variables, conditions, targets, tolerances, and other thresholds used to select an option or make a decision.
- Direction-Setting Criteria
The criteria used to set the direction for the organization and its objectives based on external/internal context, culture, and stakeholder needs.
- Objective-Setting Criteria
The criteria used to set objectives and results in accordance with the organization’s direction.
- Identification Criteria
The criteria used to identify opportunities, obstacles, and obligations that stand in front of the organization and its objectives.
- Analysis Criteria
The criteria used to analyze, quantify and select ways to address risk, reward, and compliance.
- Design Criteria
The criteria used to select actions & controls that address risk, reward, and compliance.
Demographic Factors
Permalink
External factors that include gender, age, ethnicity, knowledge of languages, disabilities, mobility, home ownership, employment status, religious belief or practice, culture and tradition, living standards, and income level.
Department
Permalink
A department is subordinate to the enterprise and often cuts across multiple business units providing shared services such as human resources, information technology (IT), compliance, risk management, and other services.
Descriptive Norms
Permalink
Observation of what individuals do, providing information about what is “normal” in a particular culture.
Design Criteria
Permalink
The criteria used to select actions & controls that address risk, reward, and compliance.
Design Effectiveness
Permalink
Evidence of logically designed actions & controls relative to objectives, opportunities, obstacles, and obligations. This is accomplished by evaluating the design actions & controls against suitable criteria.
Design Options
Permalink
Broad design decisions to address an opportunity, obstacle, or obligation.
Usage Notes
Design options address both risk and reward. The term Risk Response is sometimes used when applied only to risks.
- ACCEPT (Design Option)
An intentional design decision to embrace, or concede to the current level of risk, reward, and compliance.
- SHARE (Design Option)
To outsource, joint ventures, partnerships, buy insurance, or use other financial instruments to address the opportunity, obstacle, or obligation.
- AVOID (Design Option)
A design option to cease all activity or terminate sources that give rise to the opportunity, obstacle, or obligation.
- TRANSFER (Design Option)
A special case of a sharing design option where an attempt is made to give close to 100% of responsibility and consequence to a third party.
- CONTROL (Design Option)
A design option to implement actions that govern and manage the opportunity, obstacle, or obligation according to its nature.
Design Review Procedure
Permalink
A procedure that compares the documentation of the design of a system against suitable criteria that defines an acceptable design of that system.
Usage Notes
Suitable criteria is often available by using available standards or best practices.
Suitable criteria for assessing the GRC Capability Model (or some aspect of it) is available in the GRC Assessment Tools.
Detective Actions & Controls
Permalink
Actions & controls that detect the occurrence of favorable and unfavorable events.
Usage Notes
Unfavorable events include incidents of non-compliance.
Deterrent
Permalink
A type of action and control that reduces the likelihood of an event from occurring.
Usage Notes
Often, a deterrent refers to a specific action, control, or strategy employed to reduce the likelihood of an event by instilling fear, risk, or negative consequences, thereby reducing the probability of its happening.
Direction-Setting Criteria
Permalink
The criteria used to set the direction for the organization and its objectives based on external/internal context, culture, and stakeholder needs.
Divergent Thinking
Permalink
Considering all possibilities, conditions and events, circumstances, and outcomes.
Economic Factors
Permalink
External factors that include growth, exchange, inflation, and interest rates.
Economic Incentives
Permalink
Incentives to perform favorable behaviors that provide monetary compensation, bonuses, profit-sharing or gain-sharing that otherwise would not be available.
Education Activity
Permalink
Effective
Permalink
An aspect of Total Performance which demonstrates evidence of logically designed actions & controls that address appropriate objectives, opportunities, obstacles, and obligations; and evidence that these actions & controls are operating as designed.
Effectiveness Assessment
Permalink
An evaluation of the design and/or operating effectiveness of an area of the organization.
- Design Effectiveness
Evidence of logically designed actions & controls relative to objectives, opportunities, obstacles, and obligations. This is accomplished by evaluating the design actions & controls against suitable criteria.
- Operating Effectiveness
Evidence that actions & controls operate as intended. This is accomplished by substantive testing of information generated by actions & controls to judge actual results against expected results.
Efficient
Permalink
An aspect of Total Performance which demonstrates evidence that the organization productively uses financial, human, and other capital resources without wasted effort or expense.
Enterprise
Permalink
The most superior unit that encompasses the entirety of the organization.
Usage Notes
Enterprise may be used even when the organization is a government agency, a nonprofit organization, or a small organization.
Environmental Factors
Permalink
External factors that include ecological and environmental aspects such as climate and natural resources.
Ethics
Permalink
Values that define right and wrong decisions and actions based on the norms of a group.
Usage Notes
Ethics get their authority from external social systems relating to a specific group. Ethics are often codified in a set of rules that apply to a member of the group (e.g., lawyers, doctors, and accountants follow the ethical system adopted by those in the field).
Ethics and morals are sometimes used interchangeably, but these words have nuanced meanings. Much of the confusion between these two words can be traced back to their origins. For example, the word “ethic” comes from Old French (etique), a set of rules for customs and behaviors, whereas Late Latin (ethica) and Greek (ethos) referred to customs or moral philosophies. “Morals” comes from Late Latin’s moralis, which refers to appropriate behavior and manners in society. The two words originally had very similar meanings.
Evaluate
Permalink
The act of judging subject matter by comparing evidence against suitable criteria.
- Subject Matter
Identifiable statements, conditions, events, or activities for which there is evidence.
- Suitable Criteria
Benchmarks used to evaluate subject matter that yield consistent and meaningful results.
Event
Permalink
Something that happens, including a change in condition or behavior.
Usage Notes
All events have a cause. Most events have a consequence. However, some causes and consequences may be ambiguous, complex, or uncertain.
- Cause
The trigger or potential trigger of events that lead to a consequence including agents or forces that are responsible for bringing something into existence or changing it.
- Consequence
The outcome or potential outcome of an event or series of events.
Executive Management
Permalink
Executive Team
Permalink
A group of executives, often a group of the senior-most executives in an organization.
Usage Notes
The Executive Team is often referred to as the "C-Suite" because the individuals on the Executive Team hold titles such as "chief executive officer," "chief financial officer," and "chief legal officer."
Executives
Permalink
Senior-most managers with broad responsibilities over the entire organization or some significant part of the organization (e.g., all technology, all sales, and marketing, all administration, all finance).
Usage Notes
Executives often have words such as “chief” in their titles, such as “chief executive officer” or “chief operating officer.”
Extended Enterprise
Permalink
External Context
Permalink
External Factors
Permalink
Categories of sources and forces that originate outside of the organization including: industry factors, market factors, economic, technology, societal, legal, political, environmental, demographic factors.
- Industry Factors
External factors that include new entrants, competitors, suppliers, customers, substitutes, and industry norms.
- Market Factors
External factors that include customer trends, demographics, and economic conditions.
- Economic Factors
External factors that include growth, exchange, inflation, and interest rates.
- Technology Factors
External factors include technological aspects like R&D activity, automation, storage, computation, technology incentives, innovations in materials, mechanical efficiency, and the rate of technological change.
- Societal Factors
External factors that include cultural aspects, attitudes, customs, and norms.
- Legal and Regulatory Factors
External factors that include laws, rules, regulations, litigation, and judicial or administrative opinions.
- Political Factors
External factors that relate to how the government intervenes in the economy, including laws, rules, regulations, tax policy, and political stability.
- Environmental Factors
External factors that include ecological and environmental aspects such as climate and natural resources.
- Demographic Factors
External factors that include gender, age, ethnicity, knowledge of languages, disabilities, mobility, home ownership, employment status, religious belief or practice, culture and tradition, living standards, and income level.
- Geopolitical Factors
External factors that include sanctions, export controls, and potential military conflicts.
External Stakeholders
Permalink
An individual, institution, or entity outside of the organization that is affected by, or has an interest in, the company's decisions and activities.
Usage Notes
These stakeholders do not directly participate in the company's operations but can influence or be influenced by the company's business outcomes. Examples of external stakeholders include customers, suppliers, creditors, investors, regulators, the government, competitors, the media, and the community or society in which the company operates. The company's decisions and policies often aim to consider and balance the interests of both internal and external stakeholders.
- Customer
An individual, institution, or entity that purchases products or services.
- Investor
An individual, institution, or entity that provides capital to the organization either by purchasing shares (thus becoming shareholders), bonds, or other financial instruments, with the expectation of receiving a financial return.
- Shareholder
An individual, institution, or entity that owns shares or stock (or some functionally comparable instrument) in the organization.
- Creditor
An individual, institution, or entity to whom the organization owes money or services.
- Lender
An individual, institution, or entity that provides funds to the organization with the expectation that the funds will be paid back in full, usually with interest.
- Supplier
An individual, institution, or entity that provides goods or services to the organization.
- Regulator
Government or independent authorities that oversee and control specific aspects of the organization's practices. They set standards and rules that the organization must follow and can impose penalties for non-compliance.
- Media
Various channels of communication, like newspapers, television, radio, and online platforms, which can shape public perception of the organization.
- Society
The local, national, or global population affected by the organization's operations.
Fifth Line of Accountability
Permalink
The Governing Authority (Board) is ultimately accountable and responsible for the governance, management, and assurance of performance, risk, and compliance. While the governing authority may choose to delegate, this plenary accountability means that the governing authority must use due care to ensure that the right systems are in place to learn about and address important performance, risk, and compliance issues – especially those that present “red flags.”
Financial Action & Controls
Permalink
Insurance, captives, hedging, reserves, or other financial instruments used to address risk, reward, and compliance.
First Line of Accountability
Permalink
Individuals and teams that own and manage performance, risk, and compliance associated with day-to-day operational activities.
Folkways
Permalink
Informal norms that govern everyday behaviors and social etiquette that are not strictly enforced, but where violations may lead to mild disapproval or social awkwardness (e.g., table manners, punctuality, and appropriate dressing).
Force
Permalink
A cause that is an emergent property of volatility, uncertainty, complexity, or ambiguity in the internal or external context.
Fourth Line of Accountability
Permalink
The Executive team is accountable and responsible for the portfolio of organization-wide performance, risk, and compliance. The Fourth Line gains information from the First Line and the Second Line and assurance from the Third Line to make decisions about managing performance, risk, and compliance.
Fractal
Permalink
The property of self-similarity or the repetition of patterns at different scales in a system or structure.
Usage Notes
In fractal geometry, a fractal is a mathematical set that exhibits self-similarity and has a structure that is similar at every scale. Fractals are often found in nature, such as in the branching patterns of trees, the veins of leaves, or the shapes of clouds.
In organizations, fractality is used to describe the self-similar patterns and structures of social networks and interactions, as well as in the study of collective behavior and decision-making.
Fractality means that problems and solutions can replicate and scale to multiple levels of the organization.
Geopolitical Factors
Permalink
External factors that include sanctions, export controls, and potential military conflicts.
Governance
Permalink
The act of indirectly guiding, controlling, and evaluating an entity by constraining and conscribing resources.
Usage Notes
Govern. To govern; governing
Governance & Oversight Discipline
Permalink
A critical discipline that provides methods to guide, constrain and conscribe the organization to achieve its purpose, mission, vision, and values.
Governance Actions & Controls
Permalink
Actions & controls that primarily serve governance activities to constrain and conscribe the organization or some aspect of it.
Usage Notes
Governance actions & controls are added when management actions & controls do not provide enough information or guidance to constrain and conscribe the organization.
Governing Authority
Permalink
The most superior level of accountability and authority.
Usage Notes
- The governing authority is often responsible for balancing the competing needs of stakeholders so that it can guide, constrain, and conscribe the organization to reliably achieve objectives, address uncertainty, and act with integrity to meet these needs.
- The governing authority is often a board of directors if the organization in scope is an enterprise.
- The governing authority may be an oversight committee if the organization in scope is a business unit or department.
GRC
Permalink
An initialism that stands for Governance, Risk, and Compliance, and is an interdisciplinary approach of integrated capabilities, interconnected relationships, and interlinked shared values, which enable Principled Performance.
Usage Notes
GRC, as an initialism, denotes governance, risk, and compliance — but the full story of GRC is so much more than those three words.
The acronym GRC was created as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management, and assurance of performance, risk, and compliance activities.
This includes work done by departments in governance, strategy, risk, compliance, security, audit, finance, legal, IT, and HR. But it also includes operators in lines of business, the executive suite, and the board itself.
While GRC was created by OCEG in 2003, the first peer-reviewed academic paper on the topic was published in 2007 by OCEG founder Scott Mitchell in the International Journal of Disclosure and Governance.
This groundbreaking paper influenced the related software and services industry and began open-source GRC standards.
- GRC is the pathway to Principled Performance.
- GRC is a collection of integrated capabilities to enable Principled Performance.
- GRC is a collection of integrated capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity.
- GRC is an interdisciplinary approach of integrated capabilities, interconnected relationships, and interlinked shared values, which enable Principled Performance.
- Governance
The act of indirectly guiding, controlling, and evaluating an entity by constraining and conscribing resources.
- Risk Management
The act of managing processes and resources to address risk while pursuing reward.
- Compliance Management
The act of managing processes and resources to achieve the desired level of compliance.
GRC Capability Model™
Permalink
The collection of capabilities that help an organization reliably achieve objectives, address uncertainty, and act with integrity formalized and documented in the GRC Capability Model™ from OCEG.
Usage Notes
The GRC Capability Model is the pathway to Principled Performance and comprises several capabilities from critical disciplines including:
- Governance & Oversight
- Strategy & Performance
- Risk & Decisions
- Compliance & Ethics
- Security & Continuity
- Audit & Assurance
Habitual Behaviors
Permalink
Semi-automatic human actions informed by beliefs and values and governed by free will and discipline.
Helpline
Permalink
A live or on-demand channel for individuals to ask questions before or while they are engaged in a task.
Human Capital
Permalink
The collective knowledge, skills, abilities, and experiences of an organization's workforce, along with the relationships, attitudes, and values that enable them to work together to achieve the organization's objectives
IACM
Permalink
Identification Criteria
Permalink
The criteria used to identify opportunities, obstacles, and obligations that stand in front of the organization and its objectives.
Incentives
Permalink
Incentives include financial and non-financial things that encourage favorable conduct.
Usage Notes
There are two parts to an incentive:
- Promise - Incentives must be announced in advance of the expected conduct.
- Payoff - Incentives must be delivered as promised and meet or exceed the expectations of the individual. Otherwise, news will spread that the incentives aren't what they appear to be.
- Economic Incentives
Incentives to perform favorable behaviors that provide monetary compensation, bonuses, profit-sharing or gain-sharing that otherwise would not be available.
- Appreciation Incentives
Incentives to perform favorable behaviors that provide meaningful gratitude and acknowledgement to the individual that otherwise would not be available.
- Status Incentives
Incentives to perform favorable behaviors that provide access to esteemed roles, promotions or other visible recognition that otherwise would not be available.
- Professional Development Incentives
Incentives to perform favorable behaviors that provide access to professional development opportunities such as training or tuition reimbursements that otherwise would not be available.
- Career Opportunities Incentives
Incentives to perform favorable behaviors that provide access to career path opportunities that otherwise would not be available.
Independence
Permalink
The state of being free from structural or functional conditions that threaten the ability of the assurance provider to perform assurance activities with objectivity and without any undue influence. It includes the independence of the assurance provider from those who own, manage, operate, or support the activity being assured.
Usage Notes
To achieve the degree of independence necessary to deliver the desired Level of Assurance, an Assurance Provider should have direct and unrestricted access to information producers and information consumers.
Indicator
Permalink
A measure of progress toward or status of an objective.
- Target
An expected or planned value for an indicator.
- Appetite
A range for the value of an indicator that defines a preferred or expected level of variation around a target.
- Tolerance
A range for an indicator that defines an acceptable, though not preferred, level of variation around a target the organization is willing and able to address.
- Capacity
A range for an indicator that defines the maximum level of variation around a target that the organization is unwilling, unable and incapable to address; and may result in jeopardy or ruin.
Indicator Targets & Ranges (ITR) Model
Permalink
A model that describes how indicator targets and ranges such as appetite, tolerance and capacity relate to one another and can be used to evaluate total performance.
Usage Notes
The Indicator Targets & Ranges (ITR) Model is a robust model that provides a complete explanation of how to set targets and important ranges of values to evaluate the total performance of an indicator.
- Indicator
A measure of progress toward or status of an objective.
- Target
An expected or planned value for an indicator.
- Appetite
A range for the value of an indicator that defines a preferred or expected level of variation around a target.
- Tolerance
A range for an indicator that defines an acceptable, though not preferred, level of variation around a target the organization is willing and able to address.
- Capacity
A range for an indicator that defines the maximum level of variation around a target that the organization is unwilling, unable and incapable to address; and may result in jeopardy or ruin.
Industry Factors
Permalink
External factors that include new entrants, competitors, suppliers, customers, substitutes, and industry norms.
Information Actions & Controls
Permalink
Communications and reports up, down, and across the organization used to address risk, reward, and compliance.
Information Supplier
Permalink
Information User
Permalink
Injunctive Norm
Permalink
Perceived behavior of what most people approve of, providing information on what one “should” do.
Intangible Resources
Permalink
Resources that refer to non-physical assets, such as knowledge, brand equity, and organizational culture.
Integrated Action & Control Model™
Permalink
A structure that considers the purpose and types of actions & controls used for the governance, management, and assurance of performance, risk, and compliance.
Usage Notes
- Proactive Actions & Controls
Actions & controls that promote or enable favorable events and prevent or deter unfavorable events.
- Detective Actions & Controls
Actions & controls that detect the occurrence of favorable and unfavorable events.
- Responsive Actions & Controls
Actions & controls that aim to accelerate or compound the benefit of favorable events, and correct or recover from the harm of unfavorable events.
Integrated Performance Support
Permalink
A function that provides the exact information needed to solve a learner’s question at the moment of need. The goal is to increase performance by empowering individuals with self-help resources in the flow of work rather than interrupting work with periodic and episodic learning.
Integrated Plan
Permalink
An integrated plan details processes and resources allocated to reliably achieve objectives, address uncertainty, and act with integrity.
Integrity
Permalink
The state of being whole and complete by fulfilling obligations, honoring promises, and cleaning up the mess if a promise was broken.
Usage Notes
One way to evaluate integrity is with the formula Integrity = Promises Kept / Promises Made.
Sometimes factors outside of the control of the organization prevent promises from being honored. For example, an organization makes an implicit promise to every employee that they will be gainfully employed so long as the employee adds value. However, external factors, such as an economic downturn, might prevent the organization from honoring the employment promise, even if the employee is adding value. To maintain integrity, then, an organization must do its best to help the employee find gainful employment.
Intention (Call to Action)
Permalink
What the communicator wants the audience to believe, value, or do as a consequence of the message.
Internal Audit
Permalink
A function inside of the organization that helps the workforce, especially management, reliably achieve objectives, address uncertainty, and act with integrity by providing assurance that the right objectives, opportunities, obstacles, and obligations are addressed in the right way, to increase the total performance.
Usage Notes
Internal audit objectively and competently evaluates subject matter to provide conclusions and confidence that statements and beliefs about the subject matter are justified and true. This is especially important for key objectives, opportunities, obstacles, and obligations to make sure that the organization is operating within acceptable levels of risk/reward and compliance.
Internal Context
Permalink
Internal Factors
Permalink
Categories of sources and forces that originate inside of the organization.
Internal Stakeholders
Permalink
Stakeholders with an internal influence from within the organization; Personnel (and unions that represent the workforce), Managers, Executives, Board members, and Owners (who are involved in the organization).
- Workforce
The collection of individuals the organization employs.
- Owners
Individuals or entities that possess legal ownership and control of the organization.
- Board of Directors
A group of individuals elected by shareholders to represent their interests and to manage the business and affairs of the organization.
Investor
Permalink
An individual, institution, or entity that provides capital to the organization either by purchasing shares (thus becoming shareholders), bonds, or other financial instruments, with the expectation of receiving a financial return.
Involuntary Behaviors
Permalink
Automatic, often instinctual human actions informed by beliefs and values and governed by nature.
Key Compliance Indicator (also KCI)
Permalink
Indicators that help govern, manage, and provide assurance about compliance related to an objective.
Key Milestone Indicator (also KMI)
Permalink
A Boolean value (yes/no) or a percentage value (% complete) that measures the degree to which a milestone is met.
Key Performance Indicator (also KPI)
Permalink
Indicators that help govern, manage, and provide assurance about performance related to an objective.
Key Risk Indicator (also KRI)
Permalink
Indicators that help govern, manage, and provide assurance about risk related to an objective.
Key Risks
Permalink
Highest priority risks that an organization selects, usually based on key objectives.
Usage Notes
An organization is free to voluntarily select its key risks. Key risks should be defined and selected based on their relationship to key objectives.
Leaders
Permalink
Individuals at any level of the organization who have the de facto attention and respect of the workforce regardless of their title or position.
Leadership
Permalink
Lean
Permalink
Learner
Permalink
Learning Activity
Permalink
A directed collection of learning content that achieves learning objectives by enhancing student ability from current skill level to target skill level.
Usage Notes
Learning activities may be synchronous or asynchronous and may be in-person or online.
- Student
Individual who learns.
- Learning Objective
Statements that define an educational activity's expected goal(s). Learning objectives can be used to structure the content of educational activities.
- Learning Outcome
A statement that reflects what the learner will be able to do as a result of participating in the educational activity.
- Current Skill Level
Existing level of skill a person, or “typical” person in a group, possesses.
- Target Skill Level
The desired level of skill a person, or “typical” person in a group, is expected to possess.
- Learning Content
The content in a learning activity includes text, image, audio, and video and takes the form of lecture, discussion, debate, and demonstration.
Learning Content
Permalink
The content in a learning activity includes text, image, audio, and video and takes the form of lecture, discussion, debate, and demonstration.
Learning Objective
Permalink
Statements that define an educational activity's expected goal(s). Learning objectives can be used to structure the content of educational activities.
Learning Outcome
Permalink
A statement that reflects what the learner will be able to do as a result of participating in the educational activity.
Legal and Regulatory Factors
Permalink
External factors that include laws, rules, regulations, litigation, and judicial or administrative opinions.
Lender
Permalink
An individual, institution, or entity that provides funds to the organization with the expectation that the funds will be paid back in full, usually with interest.
Level of Assurance
Permalink
A measure of the degree of confidence that an assurance provider can deliver to an information consumer about statements an information provider makes about the subject matter.
Usage Notes
A greater degree of Assurance Objectivity and a greater degree of Assurance Competence generally result in a higher Level of Assurance.
- Objectivity (in Assurance)
The degree to which an Assurance Provider can be impartial, disinterested, independent, and free to conduct necessary activities and to form an opinion about the subject matter.
- Competence (in Assurance)
The degree to which an Assurance Provider can use sophisticated, professional, and structured techniques to evaluate subject matter.
- Lower Assurance
A more limited level of assurance resulting from activities such as self-assessments and benchmarking performed by the personnel responsible for the subject matter.
- Absolute Assurance
A level of assurance that is impossible to achieve.
- Reasonable Assurance
A special type and level of assurance, provided by external auditors as part of a financial audit or examination, that subject matter conforms to suitable criteria and is free from material error.
- Limited Assurance
A level of assurance resulting from reviews, compilations, and other activities performed by competent personnel who are sufficiently objective about the subject matter.
Limited Assurance
Permalink
A level of assurance resulting from reviews, compilations, and other activities performed by competent personnel who are sufficiently objective about the subject matter.
Lines of Accountability™ Model (also LoA)
Permalink
A model that helps organizations govern, manage and provide assurance over performance, risk, and compliance by allocating specific responsibilities to different individuals or groups within the organization and creating a layered approach to produce and preserve value.
Usage Notes
The Lines of Accountability Model segregates responsibilities so that each “line” or group has the appropriate objectivity and competence to address the nature of the required work.
This model is "fractal" in nature and may be applied at both the organizational level or some lower level such as a team. Hence, while the Lines of Accountability Model is presented using five lines, the reality is that organizations comprise unique and idiosyncratic arrangements of people, processes, information, and technology.
Importantly, the Lines of Accountability Model recognizes that a single department or function may perform activities associated with multiple lines of accountability.
For example, an accounting department may function as a "first line" when it records financial transactions, and as a "second line" when it analyses the performance of a business unit or reconciles each sale with a receipt of cash.
Further, consider a sole proprietor who may “physically” have just one “line” in their organization – namely, themselves. Despite this arrangement, the Lines of Accountability Model may be applied by thoughtfully segregating activities in time and space by just one person.
For example, the sole proprietor may perform daily bookkeeping with an aim toward efficiency and accuracy (first line). Then, once a month, and though not completely objective, this same person may perform “desk checking” and review of their own work (second line). Quarterly, they may conduct some strategic planning and review (fourth line). A meticulous sole proprietor may even take a weekend at the end of the year to trace transactions to perform assurance activities (third line) before preparing materials for an external auditor. And being a board member (fifth line), this same person may perform some “ultimate accountability” activities by filing the annual report to keep the organization in good standing with the tax authority.
Contrast this with a global enterprise with many business units and dozens of lines of accountability with varying degrees of scope and scale. Each business unit may have multiple lines of accountability, providing varying degrees of service to other departments and business units.
Hence, every organization will have a unique arrangement of the Lines of Accountability based on the size, scope, and preferences of the board and executive management. What is critical is that the arrangement helps the organization be reliable.
- First Line of Accountability
Individuals and teams that own and manage performance, risk, and compliance associated with day-to-day operational activities.
- Second Line of Accountability
Individuals and teams that establish performance, risk, and compliance programs for the First Line. The Second Line provides oversight through frameworks, standards, policies, tools, and techniques to support performance, risk, and compliance management. The Second Line often manages its own portfolio of objectives and associated performance, risk, and compliance. The Second Line may provide limited assurance over First Line activities.
- Third Line of Accountability
Individuals and teams that specialize in and provide a high level of assurance on activities performed by the First Line and Second Line. The Third Line may include internal audit, external audit or outside experts who are sufficiently objective and competent.
- Fourth Line of Accountability
The Executive team is accountable and responsible for the portfolio of organization-wide performance, risk, and compliance. The Fourth Line gains information from the First Line and the Second Line and assurance from the Third Line to make decisions about managing performance, risk, and compliance.
- Fifth Line of Accountability
The Governing Authority (Board) is ultimately accountable and responsible for the governance, management, and assurance of performance, risk, and compliance. While the governing authority may choose to delegate, this plenary accountability means that the governing authority must use due care to ensure that the right systems are in place to learn about and address important performance, risk, and compliance issues – especially those that present “red flags.”
Lower Assurance
Permalink
A more limited level of assurance resulting from activities such as self-assessments and benchmarking performed by the personnel responsible for the subject matter.
Management (as a GRC Concept)
Permalink
The act of directly guiding, controlling, and evaluating an entity by arranging and operating resources.
Management Actions & Controls
Permalink
Actions & controls that primarily serve management activities to address opportunities, obstacles, and obligations.
Usage Notes
Management actions & controls comprise most of the work performed by the organization.
Whenever possible, management actions & controls should be used by both the governing authority and assurance providers to avoid unnecessary complexity and duplication.
Management Team
Permalink
A group of managers who are responsible for an area of the business.
Usage Notes
Often, the Management Team comprises the most senior managers for that particular area. For example, if the area of the business is the financial operations, then the management team may comprise the chief financial officer, the lead controller, and the treasurer.
Managers
Permalink
Personnel who manage others.
Usage Notes
Qualifiers such as “senior managers” refer to managers with more responsibility in scale or scope, while “junior managers” have less responsibility.
Mandatory Boundary
Permalink
Obligations that an organization must address because of some legitimate authority (e.g., laws, rules, regulations).
Market Factors
Permalink
External factors that include customer trends, demographics, and economic conditions.
Material Fact
Permalink
A fact is material if there is a substantial likelihood that a reasonable information user would consider it important in making a decision, or if it would have been viewed by the reasonable information user as having significantly altered the 'total mix' of information made available and used to make the decision.
Usage Notes
This definition is based on the standard of materiality articulated by the U.S. Supreme Court in TSC Industries v. Northway, 426 U.S. 438, 449 (1976). While the original standard was applied to financial reporting information in the United States, it is often used as a basis for global financial reporting, cybersecurity reporting and sustainability reporting.
A more direct quote of the original standard would be "a fact is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available."
Material Misstatement
Permalink
A material misstatement refers to a significant error or omission in financial statements that could potentially influence the decisions of information consumers of those statements. It can be caused by an error, fraud, or the misapplication of accounting principles. Material misstatements can affect the accuracy and reliability of financial information and may cause financial statements to be misleading or incomplete. Materiality is determined based on the size and nature of the misstatement, as well as its potential impact on the financial statements and the decisions of users of those statements.
Material Misstatements
Permalink
A special case of Meaningful Misunderstanding where the information producer makes a significant error or omission in financial statements that could potentially influence the decisions of information consumers.
Maturity
Permalink
The level of development, progress, or sophistication of a particular process, function, or organization
Maturity Assessment
Permalink
An evaluation of an area of the organization as it relates to a maturity model.
Usage Notes
Maturity Assessments are a form of design effectiveness assessment.
Maturity Model
Permalink
A structured framework that is used to assess and measure an organization's maturity or level of development in a particular area.
Usage Notes
Maturity Models are not required to use a specific form or labels. However, Maturity Models typically define a series of levels, each representing a higher level of maturity, and identify specific characteristics, practices, or capabilities that organizations should demonstrate to achieve each level.
- Level 1 - Initial. Practices are improvised, ad hoc, and often chaotic.
- Level 2 - Managed. Practices are defined and managed, though sometimes informally.
- Level 3 - Consistent. Practices are formally documented and consistently managed.
- Level 4 - Measured. Practices are measured and managed with data-driven evidence.
- Level 5 - Optimizing. Practices are consistently improved over time.
Meaningful Misunderstanding
Permalink
Meaningful misunderstanding occurs when an information producer makes statements that contain material errors or omissions that could affect the decisions of information users of those statements.
Usage Notes
The risk of meaningful misunderstanding determines the purpose and nature of assurance and assessment activities.
Material Misstatements are a special case of Meaningful Misunderstanding where the information producer makes a significant error or omission in financial statements that could potentially influence the decisions of information consumers.
- Material Misstatements
A special case of Meaningful Misunderstanding where the information producer makes a significant error or omission in financial statements that could potentially influence the decisions of information consumers.
Means
Permalink
Usage Notes
One may talk about the "ways and means" that an organization uses to reliably achieve objectives, address uncertainty, and act with integrity.
Media
Permalink
Various channels of communication, like newspapers, television, radio, and online platforms, which can shape public perception of the organization.
Mindsets
Permalink
Individual perceptions about self, surroundings, and others – including perceptions about culture, some topical area, or how to approach work.
Mission
Permalink
An objective that states who the organization serves, what it does, and what it hopes to achieve today and in the long term.
Usage Notes
The mission statement is often used to guide decision-making and priority-setting within the organization, and serves as a clear and consistent statement of its overall purpose and direction.
Monitoring
Permalink
Ongoing and periodic activities that observe actions & controls, and the information generated by these controls, to gauge effectiveness, efficiency, responsiveness, and resilience.
Morals
Permalink
Values that define good and bad (evil) decisions and actions based on a system of beliefs or personal intuitions.
Usage Notes
Morals get their authority from personal intuitions, a "higher power," or other systems of beliefs.
When a society, organization, or group fully embodies a specific system of beliefs, the ethics and morals of that group may be almost synonymous. For example, a religious organization may find its "ethical code" and "moral code" synonymous. For example, a political organization may find its ethics nearly synonymous with the moral code embodied by the political system of belief.
Even though morals may come from an external system of beliefs (e.g., religious or political), morals (unlike ethics) are often internalized and expressed in nuanced ways that are specific to the individual.
Ethics tend to be embodied and expressed in consistent ways across individuals. Morals tend to be embodied and expressed in nuanced, idiosyncratic ways across individuals.
Mores
Permalink
More formalized and serious norms that are deeply ingrained in a culture and have moral significance. Violating mores can lead to severe social disapproval, ostracism, or even legal consequences (e.g., honesty, respect for elders, and adherence to religious practices).
Norms
Permalink
Customs, rules, or expectations that a group socially reinforces, usually through informal means.
- Descriptive Norms
Observation of what individuals do, providing information about what is “normal” in a particular culture.
- Proscriptive Norms
Customs, rules, or expectations that discourage behavior the group deems negative (e.g., “do not cheat”).
- Prescriptive Norms
Customs, rules, or expectations that encourage behavior the group deems positive (e.g., “be honest”).
- Injunctive Norm
Perceived behavior of what most people approve of, providing information on what one “should” do.
- Folkways
Informal norms that govern everyday behaviors and social etiquette that are not strictly enforced, but where violations may lead to mild disapproval or social awkwardness (e.g., table manners, punctuality, and appropriate dressing).
- Mores
More formalized and serious norms that are deeply ingrained in a culture and have moral significance. Violating mores can lead to severe social disapproval, ostracism, or even legal consequences (e.g., honesty, respect for elders, and adherence to religious practices).
Objective-Setting Criteria
Permalink
The criteria used to set objectives and results in accordance with the organization’s direction.
Objectivity (in Assurance)
Permalink
The degree to which an Assurance Provider can be impartial, disinterested, independent, and free to conduct necessary activities and to form an opinion about the subject matter.
Obligation
Permalink
A requirement that an organization must or should address because of a promise, whether mandatory or voluntary.
- Mandatory Boundary
Obligations that an organization must address because of some legitimate authority (e.g., laws, rules, regulations).
- Voluntary Boundary
Obligations an organization chooses to address because of voluntary decisions (e.g., contracts, agreements and values).
Obstacle
Permalink
An uncertain future event that may, on balance, have a negative effect on objectives.
Operating Effectiveness
Permalink
Evidence that actions & controls operate as intended. This is accomplished by substantive testing of information generated by actions & controls to judge actual results against expected results.
Operating Review Procedure
Permalink
A procedure that compares the actual events or transactions performed by a system (including people, processes and technologies) against the expected events and transactions given the design of the system.
Operational Effectiveness
Permalink
Opportunity
Permalink
An uncertain future event that may, on balance, have a positive effect on objectives.
Org Chart
Permalink
Organization
Permalink
Organization in Scope
Permalink
The organizational unit in scope for applying the GRC Capability Model.
Usage Notes
The Organization in Scope may be at any level including:
- Enterprise
- Business Unit
- Department
- Team
Some professionals even apply the GRC Capability Model at an individual level, though the guidance provided is intended for organizations with multiple people.
- Organizational Level
A hierarchical tier within an organization that is responsible for specific tasks, functions, decisions, actions, and controls.
- Organizational Layer
A unit within an organization that is responsible for specific tasks, functions, decisions, actions, and controls and typically referenced in relationship to other layers.
- Organizational Unit
A specific subdivision of an organization that is formed for the purpose of achieving particular objectives.
Organizational Chart
Permalink
A diagram that shows the structure of an organization and the relationships and relative ranks of its parts and positions/jobs
Organizational Layer
Permalink
A unit within an organization that is responsible for specific tasks, functions, decisions, actions, and controls and typically referenced in relationship to other layers.
Usage Notes
When "organizational layer" is used, it typically involves some "layering" of organizational units to achieve an objective. For example:
- Having multiple layers of protection to address a particular risk
- Having multiple layers so that an important strategic priority isn't forgotten
Organizational Level
Permalink
A hierarchical tier within an organization that is responsible for specific tasks, functions, decisions, actions, and controls.
Usage Notes
- Superior Level
Organizational units to which the organization in scope is accountable.
- Peer Level
Organizational units that are lateral to the organization in scope and often report to or are accountable to the same superior unit.
- Subordinate Level
Organizational units that are accountable to the organization in scope.
Organizational Unit
Permalink
A specific subdivision of an organization that is formed for the purpose of achieving particular objectives.
- Enterprise
The most superior unit that encompasses the entirety of the organization.
- Business Unit
An organizational unit that is subordinate to the enterprise and often responsible for specific products, customers, or geography.
- Department
A department is subordinate to the enterprise and often cuts across multiple business units providing shared services such as human resources, information technology (IT), compliance, risk management, and other services.
- Team
The smallest organizational unit. Teams may be part of a department or maybe cross-functional. Teams may be permanent or temporary.
Owners
Permalink
Individuals or entities that possess legal ownership and control of the organization.
Usage Notes
Owners, unlike external shareholders or investors, tend to have direct operational involvement in the organization.
Peer Level
Permalink
Organizational units that are lateral to the organization in scope and often report to or are accountable to the same superior unit.
Usage Notes
Recall that the Organization in Scope may be an enterprise, business unit, department or team. Thus the "Peer Level" would be a unit that shares a common Superior Level to which both the Organization in Scope and the Peer Level report.
People Actions & Controls
Permalink
Human factors, including structure, accountability, education, and enablement used to address risk, reward, and compliance.
Performance
Permalink
Performance Assessment
Permalink
An evaluation of the performance of an area of the organization that may include its effectiveness, efficiency, responsiveness, or resilience.
Performance Management
Permalink
The act of managing processes and resources to pursue reward while addressing risk.
Personnel
Permalink
Physical Actions & Controls
Permalink
Physical safeguards, barriers, or constraints, such as fences, locks, guards, cameras, or other protective mechanisms, used to address risk, reward, and compliance.
Physical Capital
Permalink
The physical assets of an organization, including manufactured goods, buildings, equipment, and infrastructure.
Planned (Simulated) Stress
Permalink
Scenarios that use historical, hypothetical, or simulated events to test how forces will be addressed.
Planned Residual Risk
Permalink
The level of residual risk under planned (or desired) actions & controls.
Policy
Permalink
A broad articulation of what the organization expects on a particular topic, that describes the “why” or intent, considers context, sets the tone, and changes infrequently.
- Prescriptive Policy
A policy that states what to do.
- Proscriptive Policy
A policy that says what not to do.
Policy Action & Controls
Permalink
Formal statements and rules about organizational intentions and expectations used to address risk, reward, and compliance.
Political Factors
Permalink
External factors that relate to how the government intervenes in the economy, including laws, rules, regulations, tax policy, and political stability.
Prescriptive Norms
Permalink
Customs, rules, or expectations that encourage behavior the group deems positive (e.g., “be honest”).
Prevent/Deter Actions & Controls
Permalink
Actions & controls that decrease the likelihood of an unfavorable event by preventing or deterring it from happening.
Principled Performance
Permalink
To reliably achieve objectives, address uncertainty, and act with integrity.
Usage Notes
Principled Performance is the goal of GRC. Principled Performance is an approach to business (and life!) that helps organizations reliably achieve objectives, address uncertainty and act with integrity.
Note that “Reliably” pertains to all other parts of the definition. Thus Principled Performance means to:
- reliably achieve objectives;
- reliably address uncertainty; and
- reliably act with integrity.
- Reliably
To thoughtfully, consistently, dependably, and transparently do something.
- Objective
A measurable outcome to achieve.
- Uncertainty
A state of being unsure about something due to incomplete knowledge or underlying randomness making it difficult to understand with complete confidence.
- Integrity
The state of being whole and complete by fulfilling obligations, honoring promises, and cleaning up the mess if a promise was broken.
Proactive
Permalink
The quality of an individual to anticipate and act on situations, reducing the risk of unforeseen problems.
Usage Notes
This trait requires a balance, preventing both an underuse that can result in inaction or timidity and an overuse that might lead to rash decisions or a state of constant flux without stability.
Proactive Actions & Controls
Permalink
Actions & controls that promote or enable favorable events and prevent or deter unfavorable events.
- Prevent/Deter Actions & Controls
Actions & controls that decrease the likelihood of an unfavorable event by preventing or deterring it from happening.
- Promote/Enable Actions & Controls
Actions & controls that increase the likelihood of a favorable event by promoting, enabling and incentivizing it to happen.
Procedure
Permalink
A detailed articulation of what the organization expects on a particular topic, that describes the “how to” or instructions, guides implementation, and is audience-specific.
Process Action & Controls
Permalink
Decisions about how and when to perform activities, and where and to whom to assign accountability used to address risk, reward, and compliance.
Professional Development Incentives
Permalink
Incentives to perform favorable behaviors that provide access to professional development opportunities such as training or tuition reimbursements that otherwise would not be available.
Promote/Enable Actions & Controls
Permalink
Actions & controls that increase the likelihood of a favorable event by promoting, enabling and incentivizing it to happen.
- Directives
Policy, process, and technology that encourage favorable events.
- Paragons
Role models that encourage favorable events.
- Incentives
Incentives include financial and non-financial things that encourage favorable conduct.
Proscriptive Norms
Permalink
Customs, rules, or expectations that discourage behavior the group deems negative (e.g., “do not cheat”).
Protector
Permalink
A GRC Professional who spends substantial time producing and preserving value and serving as a stabilizing force in their organization.
- Protector Mindset™
Traits that strengthen the way that a high-performing Protector makes decisions and appraises problems, solutions, people, and reality. These traits include being: Collaborative, Accountable, Stable, Proactive, Visionary, and Versatile.
- Protector Skillset™
Interdisciplinary skills that strengthen the way that a high-performing Protector does their job including the critical disciplines.
Protector Mindset™
Permalink
Traits that strengthen the way that a high-performing Protector makes decisions and appraises problems, solutions, people, and reality. These traits include being: Collaborative, Accountable, Stable, Proactive, Visionary, and Versatile.
- Stable
The quality of an individual to consistently provide calm, composed and orderly influence within volatile, uncertain, complex and ambiguous environments.
- Versatile
The quality of an individual to employ a multi-disciplinary approach and a wide range of skills to address complex issues.
- Accountable
The characteristic of an individual who takes responsibility and ownership for tasks and their outcomes, transcending a narrow job description.
- Collaborative
The quality of an individual to engage in productive relationships and teamwork, understanding their fundamental role in achieving greater outcomes.
- Proactive
The quality of an individual to anticipate and act on situations, reducing the risk of unforeseen problems.
- Visionary
The quality of an individual to maintain a long-term, optimistic perspective and remain purpose-driven, even amidst distractions.
Protector Skillset™
Permalink
Interdisciplinary skills that strengthen the way that a high-performing Protector does their job including the critical disciplines.
Purpose
Permalink
The purpose states who the organization serves, what it does, what it believes, what is stands for, what it hopes to achieve in the near term and long term, and why all of this matters; usually through its Mission, Vision and Values statements.
- Mission
An objective that states who the organization serves, what it does, and what it hopes to achieve today and in the long term.
- Vision
An objective that describes what the organization aspires to be and why it matters.
- Values
Fundamental beliefs, principles, and ideals that an organization, group, or individual demonstrates and adheres to when making decisions and acting.
RACI Matrix
Permalink
A chart that describes the participation of various roles in completing tasks or deliverables for a project or business process.
Usage Notes
RACI is an acronym derived from the four key responsibilities most typically used: responsible, accountable, consulted, and informed.
- R = Responsible (also recommender)
Those who do the work to complete the task. There is at least one role with this role, although others can be delegated to assist in the work required. - A = Accountable (also approver or final approving authority)
Those who are ultimately answerable for the correct and thorough completion of the deliverable or task, ensure the prerequisites of the task are met, and delegate the work to those responsible. In other words, an accountable must sign off (approve) work that the responsible person provides. There must be only one person or entity accountable for each task or deliverable. - C = Consulted (sometimes consultant or counsel)
Those whose opinions are sought, typically subject-matter experts, and with whom there is two-way communication. - I = Informed (also informee)
Those who are kept up-to-date on progress, often only on completion of the task or deliverable, and with whom there is just one-way communication.
Reasonable Assurance
Permalink
A special type and level of assurance, provided by external auditors as part of a financial audit or examination, that subject matter conforms to suitable criteria and is free from material error.
Receiver
Permalink
Recovery Actions & Controls
Permalink
Actions & controls that return the organization to its original state, stable state, or superior state after harm has occurred.
Usage Notes
Corrective actions & controls and Recovery actions & controls are related but slightly different.
For example, restoring a server to a clean image is a corrective control because it solves the immediate problem of a malware intrusion, while recovering the server data from backup is a recovery control because it returns the server to a known previous good state allowing the business to resume normal operation.
Regulator
Permalink
Government or independent authorities that oversee and control specific aspects of the organization's practices. They set standards and rules that the organization must follow and can impose penalties for non-compliance.
Residual Risk
Permalink
The level of risk in the presence of actions & controls.
- Current Residual Risk
The level of residual risk under currently operating actions & controls.
- Planned Residual Risk
The level of residual risk under planned (or desired) actions & controls.
Resilient
Permalink
Evidence that the organization can withstand or recover quickly from difficult conditions and even become stronger after stress.
Resources
Permalink
A general term referring to Capital Resources that include tangible and intangible assets and capabilities that an organization may use to achieve objectives.
- Tangible Resources
Resources that refer to physical assets, such as land, buildings, and equipment.
- Intangible Resources
Resources that refer to non-physical assets, such as knowledge, brand equity, and organizational culture.
- Financial Capital
Liquidity, budgets, and other economic resources.
- Human Capital
The collective knowledge, skills, abilities, and experiences of an organization's workforce, along with the relationships, attitudes, and values that enable them to work together to achieve the organization's objectives
- Physical Capital
The physical assets of an organization, including manufactured goods, buildings, equipment, and infrastructure.
- Information Capital
Data, communications, and intelligence.
- Technology Capital
Hardware, software, and related technological resources that an organization may use to achieve its objectives.
Response Options
Permalink
Responsive
Permalink
Responsive Actions & Controls
Permalink
Actions & controls that aim to accelerate or compound the benefit of favorable events, and correct or recover from the harm of unfavorable events.
- Correct/Recover Actions & Controls
Actions & controls that slow down or decrease the impact of unfavorable events, and return the organization to its original state, stable state, or superior state after harm has occurred to minimize harm and prevent future occurrences.
- Compound/Accelerate Actions & Controls
Actions & controls that compound, accelerate, and increase the impact of favorable events to maximize benefit and promote future occurrence.
Review Procedures
Permalink
Procedures performed by an assurance provider to review or assess subject matter.
- Design Review Procedure
A procedure that compares the documentation of the design of a system against suitable criteria that defines an acceptable design of that system.
- Operating Review Procedure
A procedure that compares the actual events or transactions performed by a system (including people, processes and technologies) against the expected events and transactions given the design of the system.
Reward
Permalink
A measure of the positive, favorable effect of uncertainty on objectives.
Usage Notes
- Likelihood
A measure that estimates the occurrence of an event.
- Impact
A measure that estimates the consequence of an event.
- Prospect
A cause that has the potential to eventually result in benefit.
- Benefit
A measure of the positive impact that an event has on the organization.
- Opportunity
An uncertain future event that may, on balance, have a positive effect on objectives.
Risk
Permalink
A measure of the negative, unfavorable effect of uncertainty on objectives.
Usage Notes
- Likelihood
A measure that estimates the occurrence of an event.
- Impact
A measure that estimates the consequence of an event.
- Velocity
A measure that estimates how quickly an event or impact might occur.
- Harm
A measure of the negative impact that an event has on the organization.
- Hazard
A cause that has the potential to eventually result in harm.
- Obstacle
An uncertain future event that may, on balance, have a negative effect on objectives.
Risk & Decision Support Discipline
Permalink
A critical discipline that provides methods to identify and address the effect of uncertainty on objectives, including ways to support decisions under uncertainty.
Risk Appetite
Permalink
The level and type of risk the organization is WILLING to address given the level and type of reward it pursues.
Risk Assessment
Permalink
An evaluation of the effect of uncertainty on objectives including the likelihood, impact, and velocity of events that, on balance result in negative consequences.
Usage Notes
Risk assessments often entail the identification, analysis, and high level design options to address risks.
Risk Capacity
Permalink
The MAXIMUM cumulative level and type of risk that the organization can address. Anything over the risk capacity may affect the organization’s survival.
Risk Management
Permalink
The act of managing processes and resources to address risk while pursuing reward.
Risk Target
Permalink
The level and type of risk the organization EXPECTS to address given the level and type of reward it pursues.
Risk Tolerance
Permalink
The level and type of risk the organization is UNWILLING to exceed given the level and type of reward it pursues.
Scope
Permalink
The boundaries, limitations, and extent where the GRC Capability Model is applied. The scope is often expressed in terms of organizational unit, geographic area, or functional department.
Second Line of Accountability
Permalink
Individuals and teams that establish performance, risk, and compliance programs for the First Line. The Second Line provides oversight through frameworks, standards, policies, tools, and techniques to support performance, risk, and compliance management. The Second Line often manages its own portfolio of objectives and associated performance, risk, and compliance. The Second Line may provide limited assurance over First Line activities.
Security & Continuity Discipline
Permalink
A critical discipline that provides methods to identify and address threats to critical physical and digital assets and infrastructure.
Sender
Permalink
Senior Management
Permalink
SHARE (Design Option)
Permalink
To outsource, joint ventures, partnerships, buy insurance, or use other financial instruments to address the opportunity, obstacle, or obligation.
Usage Notes
TRANSFER is a special case of SHARING where an attempt is made to give close to 100% of consequence to another party such as an insurance company.
Shareholder
Permalink
An individual, institution, or entity that owns shares or stock (or some functionally comparable instrument) in the organization.
SMART Criteria
Permalink
Criteria used to design/set Objectives to work with Indicators; to be specific, measurable, achievable (yet aspirational), relevant, and time-bound.
Societal Factors
Permalink
External factors that include cultural aspects, attitudes, customs, and norms.
Society
Permalink
The local, national, or global population affected by the organization's operations.
Sound
Permalink
Source
Permalink
Stable
Permalink
The quality of an individual to consistently provide calm, composed and orderly influence within volatile, uncertain, complex and ambiguous environments.
Usage Notes
This trait includes an avoidance of neurotic or chaotic behavior and an ability to distance oneself from emotional turmoil, while at the same time steering clear from an overuse of stability that may come across as indifferent or uncaring.
Stakeholder
Permalink
A self-legitimizing person, group, or other entity with a direct or indirect stake in the organization's actions because of actual or perceived impact.
- Internal Stakeholders
Stakeholders with an internal influence from within the organization; Personnel (and unions that represent the workforce), Managers, Executives, Board members, and Owners (who are involved in the organization).
- External Stakeholders
An individual, institution, or entity outside of the organization that is affected by, or has an interest in, the company's decisions and activities.
Stakeholder Expectation
Permalink
(also Stakeholder Want, Stakeholder Need)
A general term that refers to what a stakeholder requests, wants, or expects from the organization.
Stakeholder Need
Permalink
Stakeholder Want
Permalink
Status Incentives
Permalink
Incentives to perform favorable behaviors that provide access to esteemed roles, promotions or other visible recognition that otherwise would not be available.
Strategy & Performance Discipline
Permalink
A critical discipline that provides methods to guide, arrange and operate resources to achieve objectives and monitor performance.
Student
Permalink
Individual who learns.
Usage Notes
A student is a specialized term to refer to the target audience for communications and learning activities.
Subject Matter
Permalink
Identifiable statements, conditions, events, or activities for which there is evidence.
Subordinate Level
Permalink
Organizational units that are accountable to the organization in scope.
Usage Notes
Recall that the Organization in Scope may be an enterprise, business unit, department or team. Thus the "Subordinate Level" would be any unit that reports to the Organization in Scope.
Suitable Criteria
Permalink
Benchmarks used to evaluate subject matter that yield consistent and meaningful results.
Superior Level
Permalink
Organizational units to which the organization in scope is accountable.
Usage Notes
Recall that the Organization in Scope may be an enterprise, business unit, department or team. Thus the "Superior Level" would be the unit to which the Organization in Scope reports.
Supplier
Permalink
An individual, institution, or entity that provides goods or services to the organization.
System
Permalink
A collection of interconnected, interdependent, and interrelated parts that interact with each other to form a coherent whole. In the context of organizations, these parts may be people, processes, information, physical assets, digital assets, financial capital, and other resources.
Tangible Resources
Permalink
Resources that refer to physical assets, such as land, buildings, and equipment.