“Our organizational strategic objective for 2022 is to shift our focus from GRC as adapted from SOX compliance to that of ESG compliant by reviewing our ERM as defined by our IMS”
In English please:
“Our organizational strategic objective for 2022 is to shift our focus from being Governance, Risk Management, and Compliance (GRC) as adapted from Sarbanes-Oxley Act (SOX) to that of Environmental Social Governance (ESG) compliant by reviewing our Enterprise Risk Management (ERM) as defined by our Integrated Management System”
As the global pressure mounts for companies to become compliant to globally accepted practices and standards, seemingly, so too does the list of specialised jargon, references and acronyms, thus to make better sense of it all, I thought it useful to share some of the most common used terminology, references and acronyms referred to in the compliance environment.
The level of confidence an organization has in how well a risk is being managed by MITIGATION activities. More effective mitigation activities have lower assurance scores, while less effective mitigation activities have higher assurance scores (see RESIDUAL RISK).
The acknowledgement of understanding and abidance to policies, procedures or training
A process where an organization tests controls and workflows of the company to ensure the success or downfalls of each process
The best practices, procedures, and regulations that an organization operates by.
Business continuity planning/disaster recovery program. This is a business plan designed to maintain the integrity of business functions and resource reliability in the event of a challenge or disaster.
Analysing your data year over year by comparing one's own business processes and performance against the industry standard to reveal compliance program effectiveness and determine needed improvements.
Business Impact Analysis. A systematic process to identify and evaluate the possible vulnerabilities or risks within the company that may occur. A BIA helps begin the process of planning and strategizing how to mitigate those risks from occurring.
A blockchain is a digitized, decentralized, public ledger of all cryptocurrency transactions. Growing as completed blocks, the most recent transactions are recorded and added to the chain in chronological order allowing market participants to track digital currency transactions without central recordkeeping. Each node (a computer connected to the network) gets a copy of the blockchain that is downloaded automatically. Originally developed as the accounting method for the virtual currency Bitcoin, blockchains use what is now known as distributed ledger technology (DLT). This technology creates indelible records that cannot be changed, as the authenticity can be verified by the entire community using the blockchain instead of a single centralized authority.
An incentive given or offered to a person or organization to encourage that person/organization to take an action that benefits the giver
Chief Privacy Officer
A chief privacy officer (CPO) is a corporate executive charged with developing and implementing policies designed to protect employee and customer data from unauthorized access
Chief Risk Officer
The chief risk officer (CRO) is the corporate executive tasked with assessing and mitigating significant competitive, regulatory and technological threats to an enterprise's capital and earnings. The position is sometimes called chief risk management officer or simply risk management officer
Code of Conduct or Code of Ethics
An organization’s Code of Conduct is its policy of all policies. It’s a central guide and reference for users in support of day-to-day decision making. It is meant to clarify an organization's mission, values and principles, linking them with standards of professional conduct. As a reference, it can be used to locate relevant documents, services and other resources related to ethics within the organization.
Compliance is either a state of being in accordance with established guidelines or specifications, or the process of becoming so
Compliance burden, also called regulatory burden, is the administrative cost of a regulation in terms of money, time and complexity
A compliance framework is a structured set of guidelines that details an organization's processes for maintaining accordance with established regulations, specifications or legislation
Risks organizations face when they are unable to follow internal policies, government laws and regulations, and is subjected to legal penalties and financial fines.
Corporate governance is a term that refers broadly to the rules, processes or laws by which businesses are operated, regulated and controlled. The term can refer to internal factors defined by the officers, stockholders or constitution of a corporation, as well as to external forces such as consumer groups, clients and government regulations
Cyber security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
Enterprise Risk Management. A risk management process that uncovers risk on an enterprise-wide level with a risk-based approach. ERM approaches differ from traditional GRC approaches in that they track progress over time, use heat maps and other reports to provide insight and transparency, and standardize the RISK ASSESSMENT process so the entire organization is using one scale.
The decisions, choices and actions (behaviours) we make that reflect and enact our values
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a legal framework that sets new guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR lays out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation applies to all organizations that deal with EU citizen data, making it a critical regulation for corporate compliance officers at banks, insurers, and other financial organizations. (Effective May 25, 2018 GDPR across the EU).
The act, process or power of exercising authority or control in an organizational setting
Governance, Risk and Compliance (GRC)
Governance, Risk and Compliance (GRC) is a combined area of focus within an organization that developed because of interdependencies between the three components. GRC software products, available from a number of vendors, typically facilitate compliance with legal requirements, such as those specified in the Sarbanes-Oxley Act (SOX) or occupational health and safety regulations.
Governance, Risk Management, and Compliance. GRC is a high-level term that addresses an enterprise’s method of execution for each of its three elements. GRC activities are designed to increase efficiency and communication, but by separating each of its three components, GRC is inherently more “isolated” than ENTERPRISE RISK MANAGEMENT solutions.
A visual grid typically structured with x-axis as likelihood, and y-axis as impact, and the colour of the data point represents the third dimension of assurance. Heat maps provide a graphical representation of the data in order to help you best visualize and prioritize your remediation efforts.
A process to record and document any events/incidents that occur within the organization. By tracking these events/incidents the organization can spot trends that may point to deficiencies in activities or to areas where more formal procedures need to be put in place.
Also called the inherent index, inherent risk is the threat a certain risk poses to the organization before mitigation activities are taken into account.
Making choices that are consistent with each other and with the stated and operative values one espouses. Striving for ethical congruence in one's decisions
An internal control is a business practice, policy or procedure that is established within an organization to create value or minimize risk
International Organization for Standardization. ISO is an organization that assembles documents that outline specification, requirements, guidelines, that can aid in the alignment and consistency of different products, processes, and services ensuring their success within the company.
Key performance indicators. The value that measures and monitors how effective a company is at achieving key business objectives by finding where the gaps lie between actual and targeted performance.
Key risk indicators. The value that measures the likelihood that a specific event will occur, and if the consequence will exceed the organization’s risk appetite.
A type of MONITORING activity. Metrics allow users to define goals, set tolerances, and record real-time quantitative results.
A process implemented to reduce the likelihood and/or impact of one or more risks. Mitigation activities can include nearly anything, from improved training programs to annual employee assessments. Mitigation is conducted through mitigation activities, such as CONTROLS.
MONITORING – The process of tracking real performance and comparing it to organizational goals and deadlines. While mitigation activities minimize the impact/likelihoods of risks, monitoring activities analyse the effectiveness and relevance of those mitigation activities in order to ensure resources are being allocated appropriately.
Ransomware is a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.
Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business. Violations of compliance regulations often result in legal punishment, including mandatory fines
Also called the residual index, residual risk is the threat a certain risk poses to the organization after the appropriate mitigation activities are taken into account. For this reason, the residual index is always ≤ the inherent index. In a worst-case scenario, the residual index is the same as the inherent index, meaning there are no effective mitigations in place. This is why, as mentioned in our definition of ASSURANCE, a more effective mitigation activity receives a lower assurance score. To get the residual index, we multiply the inherent index by Assurance. The lower that number, the lower the residual index.
Compare to RISK TOLERANCE. A risk appetite is a broad, high-level statement summarizing what risk level management decides the organization can afford to shoulder. A (very brief) example of a risk appetite statement is: “[The Company] will not shoulder any risks that have the potential to result in a significant loss of its revenue base..
Risk assessment is the process of identifying variables that have the potential to negatively impact an organization’s ability to conduct business
Risk Assessment Framework (RAF)
A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure
Risk Based Approach
The risk-based approach looks at every potential issue, whether it’s related to compliance, incident management, governance, security, etc. through the lens of risk. All these issues share something in common (risk), the breakdown of interdepartmental barriers and manage risk, governance, and compliance in one central place.
Established criteria that is both qualitative and quantitative in nature to enable risk owners to determine most appropriate risk level based on expertise. This helps to make risk assessment more objective in nature.
Risk exposure is a quantified loss potential of business. Risk exposure is usually calculated by multiplying the probability of an incident occurring by its potential losses
Compare to RISK APPETITE. A risk tolerance is narrower in scope than is a risk appetite, and sets acceptable levels of variation around business objectives. It is more actionable than risk appetite because it is not as high-level. Consider this sample tolerance statement that relates to our prior example of risk appetite: “[The Company] doesn’t accept risks that have the potential to decrease revenue from its top ten customers by more than 1% in one year.”
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures. The U.S. Securities and Exchange Commission (SEC) administers the act, which sets deadlines for compliance and publishes rules on requirements
A contract between the end user and service provider that defines what level of service is expected. SLA’s main purpose is to define which services the customer will receive.
Third Party Risk Management
Managing risks associated with third party vendors, customers, or regulators. This involves collecting critical third party information, tracking what they have access to, understanding what internal policies apply to them, and more.