Enterprise Risk Management, Governance, and Compliance
One of the challenges in risk management is overcoming the “acronym soup” that pervades the industry. It starts with basic terms like “GRC” and “ERM,” two of the most widely used abbreviations. At LogicManager, our goal is to make risk management as accessible and intuitive as possible. The below covers both typical industry terms that users might encounter, as well as common LogicManager terms that will improve their use of the system.
ASSURANCE – The level of confidence an organization has in how well a risk is being managed by MITIGATION activities. More effective mitigation activities have lower assurance scores, while less effective mitigation activities have higher assurance scores (see RESIDUAL RISK).
AUDIT – A process where an organization tests controls and workflows of the company to ensure the success or downfalls of each process. Check out the functionalities of our audit software.
AUTHORITY DOCUMENTS – The best practices, procedures, and regulations that an organization operates by.
BCP/DR – Business continuity planning/disaster recovery program. This is a business plan designed to maintain the integrity of business functions and resource reliability in the event of a challenge or disaster. Check out our BCP software.
BIA – Business Impact Analysis. A systematic process to identify and evaluate the possible vulnerabilities or risks within the company that may occur. A BIA helps begin the process of planning and strategizing how to mitigate those risks from occuring.
CITATIONS – Evidence within an authorized document that have defined requirements.
COMPLIANCE RISK – Risks organizations face when they are unable to follow internal policies, government laws and regulations, and is subjected to legal penalties and financial fines. See how LogicManager helps companies plan for compliance risks.
COSO – Committee of Sponsoring Organizations of the Treadway Commission. This organization works with five other private sector organizations to provide frameworks and guidance for ERM, internal controls and fraud deterrence with the goal of improving organizational achievements and governance and diminishing the extent of fraud in an organization.
ERM – Enterprise Risk Management. A risk management process that uncovers risk on an enterprise-wide level with a risk-based approach. ERM approaches differ from traditional GRC approaches in that they track progress over time, use heat maps and other reports to provide insight and transparency, and standardize the RISK ASSESSMENT process so the entire organization is using one scale.
FFIEC – Federal Financial Institutions Examination Council. The FFIEC’s mission is to foster a uniform way of supervising financial institutions. It provides an extensive list of cybersecurity guidelines, which we cover in our eBook, FFIEC Cybersecurity.
GRC – Governance, Risk Management, and Compliance. GRC is a high-level term that addresses an enterprise’s method of execution for each of its three elements. GRC activities are designed to increase efficiency and communication, but by separating each of its three components, GRC is inherently more “siloed” than ENTERPRISE RISK MANAGEMENT solutions.
HEATMAP – A visual grid typically structured with x-axis as likelihood, and y-axis as impact, and the color of the data point represents the third dimension of assurance. Heatmaps provide a graphical representation of the data in order to help you best visualize and prioritize your remediation efforts.
INCIDENTS – A process to record and document any events/incidents that occur within the organization. By tracking these events/incidents the organization can spot trends that may point to deficiencies in activities or to areas where more formal procedures need to be put in place. Check out how LogicManager helped Winona Health use the software to integrate its enterprise risk management and incident management programs in 45 days here.
IMPACT – The specific effects, both quantitative and qualitative, that a risk will have if it occurs. LogicManager typically sees customers score impact on a 1-5 or 1-10 scale. See how LogicManager assists companies assess their risks.
INHERENT RISK – Also called the inherent index, inherent risk is the threat a certain risk poses to the organization before mitigation activities are taken into account. LogicManager calculates the inherent risk by multiplying IMPACT and LIKELIHOOD scores. Because it’s often difficult to isolate what effects a risk might have without the controls that are already in place, the evaluation of inherent index is often an educated guess.
ISO – International Organization for Standardization. ISO is an organization that assembles documents that outline specification, requirements, guidelines, that can aid in the alignment and consistency of different products, processes, and services ensuring their success within the company.
ISSUES (Also referred to as a FINDING) – A way to document a gap/action item and assign ownership out, detailing what specifically is needed to close the gap. Often, the completion of an issue should result in a current mitigation being updated or a new mitigation activity being created.
KPIs – Key performance indicators. The value that measures and monitors how effective a company is at achieving key business objectives by finding where the gaps lie between actual and targeted performance.
KRIs – Key risk indicators. The value that measures the likelihood that a specific event will occur, and if the consequence will exceed the organization’s risk appetite. Read more about LogicManager’s KPI and KRI libraries.
METRICS – A type of MONITORING activity. Metrics allow users to define goals, set tolerances, and record real-time quantitative results. Visit our risk metrics and monitoring page on our website to learn more.
MITIGATION – A process implemented to reduce the likelihood and/or impact of one or more risks. Mitigation activities can include nearly anything, from improved training programs to annual employee assessments. Mitigation is conducted through mitigation activities, such as CONTROLS. See how LogicManager helps companies document, manage, and prioritize control strategies with our Risk Mitigation Tools.
MONITORING – The process of tracking real performance and comparing it to organizational goals and deadlines. While mitigation activities minimize the impact/likelihoods of risks, monitoring activities analyze the effectiveness and relevance of those mitigation activities in order to ensure resources are being allocated appropriately.
NIST – National Institute of Standards and Technology. NIST is part of the U.S. Department of Commerce and works as an agency to develop and provide new tools, technology, measurements, and standards to help the advancement of various companies throughout the country. For more information on one of NIST’s most popular plugins, check out LogicManager’s NIST cybersecurity framework plugin
ORSA – Own Risk and Solvency Assessment. This is one component of an initiative driven by the National Association of Insurance Commissioners (NAIC). Now-required ORSA reports are intended to stimulate effective ERM practices for all insurers. For more information about ORSA, read our free eBook, ORSA Compliance: 5 Steps You Need to Take.
RESIDUAL RISK – Also called the residual index, residual risk is the threat a certain risk poses to the organization after the appropriate mitigation activities are taken into account. For this reason, the residual index is always ≤ the inherent index. In a worst-case scenario, the residual index is the same as the inherent index, meaning there are no effective mitigations in place. This is why, as mentioned in our definition of ASSURANCE, a more effective mitigation activity receives a lower assurance score. To get the residual index, we multiply the inherent index by Assurance.The lower that number, the lower the residual index.
RIMS – The Risk Management and Insurance Society. RIMS is a not-for-profit organization whose purpose is to disseminate and improve the effectiveness of risk management practices. LogicManager has been a proud supporter of RIMS since 2006 when CEO Steven Minsky authored and donated the RIMS Risk Maturity Model to the organization. You can view the RIMS website here.
RISK APPETITE – Compare to RISK TOLERANCE. A risk appetite is a broad, high-level statement summarizing what risk level management decides the organization can afford to shoulder. A (very brief) example of a risk appetite statement is: “[The Company] will not shoulder any risks that have the potential to result in a significant loss of its revenue base.” Read our article on risk appetites and risk tolerances for more information.
RISK-BASED APPROACH – The core of LogicManager’s method, the risk-based approach looks at every potential issue, whether it’s related to compliance, incident management, governance, security, etc. through the lens of risk. All these issues share something in common (risk), and LogicManager uses that fact to break down interdepartmental barriers and manage risk, governance, and compliance in one central place.
RISK CRITERIA – Established criteria that is both qualitative and quantitative in nature to enable risk owners to determine most appropriate risk level based on expertise. This helps to make risk assessment more objective in nature, and LogicManager offers the ability to customize criteria to align with customers’ own risk criteria.
RISK IDENTIFICATION – The process of determining which risks are relevant to the organization. LogicManager customers have access to a pre-built, fully customizable risk library that facilitates this process.
RISK TOLERANCE – Compare to RISK APPETITE. A risk tolerance is narrower in scope than is a risk appetite, and sets acceptable levels of variation around business objectives. It is more actionable than risk appetite because it is not as high-level. Consider this sample tolerance statement that relates to our prior example of risk appetite: “[The Company] doesn’t accept risks that have the potential to decrease revenue from its top ten customers by more than 1% in one year.” To learn more about risk appetites and tolerances, read our eBook, 5 Steps Towards an Actionable Risk Appetite.
ROOT CAUSE – Simply put, root cause is the reason an event occurs. Our Risk Library is structured to identify the root causes of risks, not the symptoms, so that we can target mitigation activities in a way that neutralizes risks and prevents them from re-emerging in the future. For more information about root cause, read our best-practice article, “Risk Identification: Root Cause.”
SAAS – Software-as-a-Service. SaaS solutions don’t require on-site installations, they never become obsolete (because they’re constantly being updated), are less expensive than traditional solutions, and have a transparent fee structure.
SLA – Service-level agreement. A contract between the end user and service provider that defines what level of service is expected. SLA’s main purpose is to define which services the customer will receive.
TESTING – A MONITORING activity that allows a user to determine whether mitigation activities succeeded or not. Usually, testing takes the form of Pass/Fail or Effective/Non-Effective evaluations.
THIRD-PARTY RISK MANAGEMENT- Managing risks associated with third party vendors, customers, or regulators. This involves collecting critical third party information, tracking what they have access to, understanding what internal policies apply to them, and more. Check out LogicManager’s Vendor Management Solution.
VELOCITY – A fourth dimension of risk that can be assessed (the other three being IMPACT, LIKELIHOOD, and ASSURANCE). Velocity measures both how quickly the effects of a risk will be felt after it occurs and the expected duration of those effects.