
Risk Management Glossary

Master the language of risk management with clear definitions that support effective decision-making and mitigation strategies.

Risk Management Key Terms

Familiarize yourself with terms such as Risk Appetite, Mitigation Strategies, and Enterprise Risk Management (ERM) to strengthen decision-making.


Center of Excellence — CoE

A center of excellence is a centralized unit of dedicated people with a mission to streamline access to scarce, high-demand capabilities for rapid execution across the business. This group hones expertise in a specific subject area, standardizes best practices for wide-scale adoption, and provides thought leadership and direction in their area of expertise.

Continuity, Insurance and Risk — CIR

CIR is a media company based in the United Kingdom that provides news, analysis, and awards for the insurance, risk management, and business continuity industries.

Control

A control is an activity that prevents or detects errors to mitigate risks.

Control Attestation

Control attestation is the act of confirming the internal control environment meets prescribed standards.

Control Testing

Control testing is the process by which an individual or set of individuals periodically assesses the design and effectiveness of established controls to provide assurance as to how robust or functional those controls are.


Disaster Recovery Journal — DRJ

The Disaster Recovery Journal is the industry’s largest resource for business continuity, disaster recovery, crisis communication, and risk management.


Enterprise Risk Management — ERM

Enterprise Risk Management is the framework of systematic management information, data, methods, and practices to assess and monitor risk; it enables management to align key strategic objectives to key risk management techniques.


Governance, Risk, and Compliance — GRC

GRC is the capability that helps an organization achieve its vision and strategic objectives while reducing risk and improving control effectiveness.


Information and Communication Technology — ICT

Information and communication technology refers to a broad range of technological tools and resources used to transmit, store, create, share, or exchange information.

Information Technology Risk Management — ITRM

Information technology risk management is the set of policies, procedures, and technology an organization adopts to reduce the threats, vulnerabilities, and consequences that could arise if data is not protected.

Inherent Risk

Inherent risk is the risk that exists before any mitigating factors or controls have been put in place.

Integrated Risk Management — IRM

Integrated risk management is a strategy that identifies risks and protects companies against them; it is often described as the “next evolution of GRC,” but it stresses the flexibility, customization, and dexterity needed in a modern enterprise.

International Organization for Standardization — ISO

The International Organization for Standardization is an independent, non-governmental organization that creates international standards.


Key Performance Indicator — KPI

A key performance indicator evaluates the success of an organization or of a particular activity in which it engages.

Key Risk Indicator — KRI

A key risk indicator provides an early signal of increasing risk exposure in various areas of the enterprise.


Mitigation Plan

A mitigation plan is a strategy that reduces the likelihood or impact of potential disruptions.


Operational Risk Management — ORM

Operational risk management is a continual cyclic process that includes risk assessments, risk decision-making, and the implementation of risk-based controls, which results in acceptance, mitigation, or avoidance of risk. ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems, human factors, or external events.


Process Risk Control — PRC

Process Risk Control is a systematic approach within an organization to identify, assess, and mitigate potential risks associated with specific business processes.


Residual Risk

Residual risk is the portion of risk that remains after mitigating factors or controls have been put in place.


Risk

Risk is the uncertainty of an outcome, which can relate to either a threat (downside) or an opportunity (upside).

Risk Actions Issues Decisions — RAID

RAID is a tool that is used to identify and track potential risks, actions needed to address them, current issues that arise, and dependencies between different tasks within a project.

Risk and Control Self-Assessment — RCSA

A risk and control self-assessment is a process used to identify risks, control ratings, impact, likelihood, gaps, and other factors that may negatively affect the desired results of business units; management also uses it to monitor progress toward closing any identified gaps.

Risk Appetite

Risk appetite is the amount and type of risk an organization is willing to accept in pursuit of its business objectives.

Risk Assessment

A risk assessment is the process of identifying and evaluating potential threats to business continuity.

Risk Lines of Defense

Risk lines of defense is a model that organizes and defines how both risk and control cascade across an organization and where responsibility and expectations are assigned.

  • 1st Line of Defense refers to functions that own and manage risk.
  • 2nd Line of Defense refers to functions that facilitate, oversee, monitor, and assist risk owners throughout the organization.
  • 3rd Line of Defense refers to the function that provides independent assurance of risk and control activities across an organization (a.k.a. internal audit).

Risk Management Society — RIMS

The Risk Management Society is the world’s largest community dedicated to the advancement of risk management.

Risk Tolerance

Risk tolerance is the amount of uncertainty an organization is willing and prepared to accept.


Statement of Applicability — SOA

A statement of applicability is the main link between your information security risk assessment and treatment work.
