Industry Glossary: Enterprise Risk Management, Governance, and Compliance2018-02-15T14:43:05+00:00

Industry Glossary

Enterprise Risk Management, Governance, and Compliance

Industry Terms

ASSURANCE – The level of confidence an organization has in how well a risk is being managed by MITIGATION activities. More effective mitigation activities have lower assurance scores, while less effective mitigation activities have higher assurance scores (see RESIDUAL RISK).

BCP/DR – Business continuity planning/disaster recovery program. This is a business plan designed to maintain the integrity of business functions and resource reliability in the event of challenge or disaster. Read our blog post to learn about implementing a BCP/DR plan, or check out our BCP software.

BIA – Business impact analysis.

CONTROL – Synonymous with MITIGATION activity. A control/mitigation activity is a business process designed to neutralize one or more risks.

COSO – An internal control framework designed by the Committee of Sponsoring Organizations of the Treadway Commission. COSO was created to help organizations implement internal controls and addresses RISK ASSESSMENTS, organizational communication, MONITORING, and more.

ERM – Enterprise Risk Management. A risk management process that uncovers risk on an enterprise-wide level. ERM approaches differ from traditional GRC approaches in that they track progress over time, use heat maps and other reports to provide insight and transparency, and standardize the RISK ASSESSMENT process so the entire organization is using one scale.

FFIEC – Federal Financial Institutions Examination Council. The FFIEC’s mission is to foster a uniform way of supervising financial institutions. It provides an extensive list of cybersecurity guidelines, which we cover in our eBook, FFIEC Cybersecurity.

GRC – Governance, Risk Management, and Compliance. GRC is a high-level term that addresses an enterprise’s method of execution for each of its three elements. GRC activities are designed to increase efficiency and communication, but by separating each of its three components, GRC is inherently more “siloed” than ENTERPRISE RISK MANAGEMENT solutions.

IMPACT – The specific effects, both quantitative and qualitative, that a risk will have if it ends up occurring. LogicManager typically sees customers score impact on a 1-10 scale.

INHERENT RISK – Also called the inherent index, inherent risk is the threat a certain risk poses to the organization before mitigation activities are taken into account. LogicManager calculates the inherent index by multiplying impact and LIKELIHOOD scores. Because it’s often difficult to isolate what effects a risk might have without the controls that are already in place, the evaluation of inherent index is often an educated guess.

ISO – International Organization for Standardization. ISO 19600 is a set of compliance guidelines that call for the integration of risk assessments and the risk management process. Read our blog post, “ISO 19600: Risk-Based Compliance Management,” for more information.

KPIs – Key performance indicators.

KRIs – Key risk indicators.

LIKELIHOOD – The chance that a particular risk will manifest itself. Together with IMPACT, likelihood makes up the INHERENT RISK. Usually measured on a 1-10 scale.

METRICS – A type of MONITORING activity. Metrics allow users to define goals, set tolerances, and record real-time numerical results. Visit our “Risk Metrics & Monitoring” page to learn more.

MITIGATION – A process implemented to reduce the likelihood and/or impact of one or more risks. Mitigation activities can include nearly anything, from improved training programs to annual employee assessments.

MONITORING – The process of tracking real performance and comparing it to organizational goals and deadlines. While mitigation activities minimize the impact/likelihoods of risks, monitoring activities analyze the effectiveness and relevance of those mitigation activities in order to ensure resources are being allocated appropriately.

ORSA – Own Risk and Solvency Assessment. This is one component of an initiative driven by the National Association of Insurance Commissioners (NAIC). Now-required ORSA reports are intended to stimulate effective ERM practices for all insurers. For more information about ORSA, read our free eBook, ORSA Compliance – 5 Steps You Need to Take in 2015.

RESIDUAL RISK – Also called the residual index, residual risk is the threat a certain risk poses to the organization after the appropriate mitigation activities are taken into account. For this reason, the residual index is always ≤ the inherent index; In a worst-case scenario, the residual index is the same as the inherent index, meaning there are no mitigations in place. This is why, as mentioned in our definition of ASSURANCE, a more effective mitigation activity receives a lower assurance score. To get the residual index, we multiply the inherent index by (Assurance / 10). The lower that number, the lower the residual index.

RIMS – The Risk Management Society. RIMS is a not-for-profit organization whose purpose is to disseminate and improve the effectiveness of risk management practices. LogicManager has been a proud supporter of RIMS for more than ten years. You can view the RIMS website here.

RISK APPETITE – Compare to RISK TOLERANCE. A risk appetite is a broad, high-level statement summarizing what risk level management decides the organization can afford to shoulder. A (very brief) example of a risk appetite statement is: “[The Company] will not shoulder any risks that have the potential to result in a significant loss of its revenue base.”

RISK ASSESSMENT – The process of analyzing the specifics of different risks faced by the organization. This comes after RISK IDENTIFICATION.

RISK IDENTIFICATION – The process of determining which risks are relevant to the organization. LogicManager customers have access to a pre-built, fully customizable risk library that facilitates this process.

RISK TOLERANCE – Compare to RISK APPETITE. A risk tolerance is narrower in scope than is a risk appetite, and sets acceptable levels of variation around business objectives. It is more actionable than risk appetite, because it is not as high-level. Consider this sample tolerance statement that relates to our prior example of risk appetite: “[The Company] doesn’t accept risks that have the potential to decrease revenue from its top ten customers by more than 1% in one year.” To read more about risk appetites and tolerances, read our eBook, 5 Steps Towards an Actionable Risk Appetite.

RISK-BASED APPROACH – The core of LogicManager’s method, the risk-based approach looks at every potential issue, whether it’s related to compliance, incident management, governance, security, etc., through the lens of risk. All these issues share something in common (risk), and LogicManager uses that fact to break down interdepartmental barriers and manage risk, governance, and compliance in one central place.

ROOT CAUSE – Simply put, root cause is the reason an event occurs. We identify the root causes of risks, not the symptoms, so that we can target mitigation activities in a way that neutralizes risks and prevents them from reemerging in the future. For more information about root cause, read our best-practice article, “Risk Identification: Root Cause.”

SAAS – Software-as-a-Service. SaaS solutions don’t require on-site installations, they never become obsolete (because they’re constantly being updated), are less expensive than traditional solutions, and have a transparent fee structure.

SLA – Service-level agreement.

SMART – Specific, Manageable, Actionable, Relevant, Trending. These are the five attributes of effective risk monitoring. SMART Monitoring is linked to specific risks within business processes, rolls up from the process to the enterprise level, prioritizes and aligns resources, connects strategic imperatives, and measures over time goals vs. reality.

TESTING – The simplest type of MONITORING activity, testing, allows a system user to determine whether mitigation activities succeeded or not. Usually, testing takes the form of Pass/Fail or Effective/Non-Effective evaluations.

VELOCITY – A fourth risk parameter (the other three being IMPACTLIKELIHOOD, and ASSURANCE). Velocity measures both how quickly the effects of a risk will be felt after it occurs and the expected duration of those effects. Typically, we don’t see customers assessing risks based on velocity, but the system does support that functionality.

LogicManager Terms

CATEGORY – The highest-level grouping of risk defined by LogicManager. A risk’s category reveals where it originates: employees within the company, external conditions like a fluctuating market or encroaching competitors, faulty systems, etc.

DRILL-DOWN – LogicManager’s ability to “step inside” a PLAN or risk that has been input into the system. When a user drills down into a risk category (e.g. “External”), the action produces a list of all risk factors categorized under the External category. The user can then drill down into each individual risk.

FACTOR – The “second level” of risk categorization, narrower than risk category but broader than risk INDICATOR. At LogicManager, we think of the factor as the topic of risk. For example, one factor is “Fraud, Theft, & Crime,” which is a subset of the “External” category. “Fraud, Theft, & Crime” encompasses a variety of risk indicators, including “Forgery” and “IT Data Threats.”

INDICATOR – The most specific categorization of risk in the LogicManager system, under Factor and Category. See FACTOR for some examples of indicators that fall under “Fraud, Theft, & Crime.”

PLAN – A type of folder within the LogicManager platform that houses in one location an end user’s identified/assessed risks, mitigation activities, and monitoring activities. Each plan can be customized according to particular focus areas and cross-functional needs.

RISK LIBRARY – LogicManager’s compilation of two different types of risk: industry-neutral risks that virtually all organizations share (about 70% of the library), and industry-specific risks unique to certain fields (about 30% of the library). The library is divided into various categories, and new risks can easily be added and irrelevant risks excised by the user.

TAXONOMY – LogicManager’s patent-pending, risk-based system used for defining relationships between risks, requirements, regulations, resources, and processes. Visit one of our web pages to learn about the features of our risk-based Taxonomy.

Why a Glossary?

One of the challenges in risk management is overcoming the “acronym soup” that pervades the industry. It starts with basic terms like “GRC” and “ERM,” two of the most widely used abbreviations. At LogicManager, our goal is to make risk management as accessible and intuitive as possible.

With that in mind, please don’t hesitate to let us know if:

  1. You’d like more information about a term on this page.
  2. There is a pertinent term/phrase that you think we should add.

Feel free to email us at, and one of our analysts will get in touch with you.