GRC Glossary of Risk, Audit, and Compliance Terms

Understand essential governance, risk, audit, and compliance terminology, all in one place. From risk appetite and audit trails to internal controls and ISO 27001, this glossary helps you build clarity, confidence, and consistency across your GRC practices.

A

Action Plan

A defined sequence of steps or activities intended to achieve a specific goal, often used in response to identified risks or audit findings.

Aggregation of Risk

The process of combining individual risks to assess the total exposure or impact at a portfolio or enterprise level.

Assessment

The process of analysing the likelihood, impact, and controls associated with a risk or compliance requirement.

Assurance

Independent validation or verification of processes, controls, or reports, providing confidence to stakeholders that systems are working as intended. Assurance can be provided at different levels — for example, limited assurance offers moderate confidence based on limited procedures, while reasonable assurance provides a higher level of confidence through comprehensive evaluation.

Audit

A systematic, independent, and documented process for obtaining objective evidence and evaluating it to determine the extent to which criteria are fulfilled.

Audit Committee

A subcommittee of the board responsible for overseeing financial reporting, internal audit, risk management, and compliance activities.

Audit Findings

Identified gaps, weaknesses, or opportunities for improvement observed during an audit process.

Audit Management Software

A digital solution designed to streamline and automate the planning, execution, tracking, and reporting of internal or external audits. It helps organisations schedule audits, assign responsibilities, manage documentation, track findings, and monitor remediation actions. Audit management software supports compliance, improves transparency, and ensures consistency across audit processes, often integrating with risk, compliance, and policy management systems for a unified governance framework.

Audit Trail

A complete, chronological record of activities, events, decisions, and transactions that provides documented evidence of compliance, internal controls, and operational performance. In line with ISO and COSO standards, an audit trail supports traceability, verification, and accountability by linking actions to specific users, systems, or processes.

Audit Universe

A comprehensive list of all auditable entities, functions, processes, or systems within an organisation.

B

Benchmarking

The process of comparing your organisation’s processes, risk posture, or performance against industry best practices, peers, or regulatory standards to identify areas for improvement.

Board of Directors

A group of individuals elected to represent shareholders and oversee the governance, risk, and strategic direction of an organisation.

Bottom-Up Risk Assessment

A method that involves gathering input from front-line staff and process owners to identify and assess risks at the operational level. Often used alongside top-down assessments to get a holistic view.

Business Continuity

The ability of an organisation to maintain essential functions during and after a disruption. It involves planning for resilience and recovery from incidents like cyberattacks, power failures, or natural disasters.

Business Continuity and Resilience Planning (BCP)

A proactive approach that ensures an organisation can maintain critical functions and quickly recover in the face of disruption. It combines traditional business continuity planning with organisational resilience principles, preparing teams to withstand, adapt to, and grow through operational shocks such as cyber incidents, supply chain failures, or natural disasters. It typically includes impact assessments, recovery strategies, communication plans, and ongoing testing.

Business Impact Analysis (BIA)

A systematic process that evaluates the potential effects of an interruption to critical business operations. It helps identify time-sensitive functions and the resources required to support them.

Business Model

A conceptual framework that defines how an organisation creates, delivers, and captures value for its customers and itself. It explains who the business serves, what it offers, how it offers it, and how it achieves its strategic and operational goals. The business model encompasses all key processes, policies, and practices adopted by the organisation to ensure long-term viability and success.

Business Objective

A specific, measurable step an organisation takes to achieve its overall strategy. Risk and compliance activities are often aligned with key business objectives.

Business Unit

A segment or division within an organisation that operates semi-independently to deliver specific services or manage a function (e.g. IT, HR, Operations).

C

Compliance

The ability of an organisation to conform to relevant laws, regulations, internal policies, and contractual obligations. Compliance ensures business activities meet legal and ethical standards, helping avoid penalties and maintain trust.

Compliance Risk

The potential for financial loss, penalties, or legal repercussions stemming from failure to comply with laws, regulations, or prescribed practices from governments and regulatory bodies.

Control

Any policy, procedure, or activity implemented to manage risk and increase the likelihood of achieving objectives. Controls can be preventive, detective, or corrective, and are essential to effective governance.

Control Testing

The process of assessing the design and operating effectiveness of internal controls to determine whether they are functioning as intended and mitigating risk appropriately.

Corporate Governance

The system of rules, practices, and processes by which a company is directed and controlled. It balances the interests of stakeholders and ensures accountability, fairness, and transparency in decision-making.

Corporate Risk

Risks that could potentially affect the overall enterprise. This could include strategic, financial, reputational, and operational risks.

Cybersecurity

The practice of protecting systems, networks, and data from digital attacks, unauthorised access, and breaches. Cybersecurity is a critical component of operational resilience and risk management.

D

Data

Raw facts, figures, or information that can be collected, processed, and analysed to support decisions, reporting, and risk or compliance assessments.

Data Breach

An incident where sensitive, confidential, or protected information is accessed, disclosed, or stolen by an unauthorised party.

Data Governance

A framework that ensures high data quality, integrity, security, and availability across an organisation. It defines roles, policies, standards, and metrics for managing data throughout its lifecycle.

Decision-Making Under Uncertainty

The process of making strategic or operational decisions when outcomes are unpredictable due to lack of information or external volatility.

Disaster Recovery Plan (DRP)

A documented, structured approach with instructions for responding to unplanned incidents, such as cyberattacks, system failures, or natural disasters, to restore critical business functions and IT systems quickly.

Due Diligence

A comprehensive appraisal or investigation conducted to assess risk and compliance before entering into agreements, partnerships, or transactions.

Dynamic Risk Assessment

A continuous, real-time evaluation of risks in rapidly changing situations. Often used in operational settings where static assessments are insufficient.

E

Effectiveness

The degree to which objectives are achieved and the extent to which targeted problems are solved. In risk and control, it refers to how well a control or process performs its intended function.

Efficiency

The ability to accomplish a task with the minimum expenditure of time and resources. In a compliance or audit context, this refers to performing duties in a way that maximises output and minimises waste or cost.

Emerging Risk

A newly developing or changing risk that may have a significant impact on the organisation but is not yet fully understood or managed. Often characterised by high uncertainty.

Enterprise Risk Management (ERM)

As defined by the COSO ERM Framework, ERM is the culture, capabilities, and practices, integrated with strategy-setting and performance, that organisations rely on to manage risk in creating, preserving, and realising value.

Entity

Any organisation or organisational unit, including for-profit businesses, not-for-profit entities, or governmental bodies.

Environmental Risk

Risks related to environmental factors such as pollution, climate change, and resource depletion that can affect business operations and reputation.

Ethics

Principles and standards that guide behaviour in the conduct of business, particularly with respect to honesty, fairness, and responsibility.

Exception Reporting

The process of identifying and documenting instances where actual performance deviates from expected or approved parameters, triggering further review or corrective actions.

External Audit

An independent examination of an organisation’s financial statements, compliance, or processes by a third-party auditor to provide stakeholders with an unbiased assessment.

External Environment

Factors outside the entity—such as economic, political, legal, and social conditions—that can affect its ability to achieve objectives.

External Stakeholders

Individuals or groups outside of the organisation (e.g. regulators, customers, partners, public) who can affect or be affected by the entity’s operations or decisions.

F

Failure Mode and Effects Analysis (FMEA)

A structured approach to identifying potential failures in a system, process, or product and assessing their causes and consequences to prioritise mitigation efforts.

Financial Risk

The possibility of losing money on an investment or business operation, including credit risk, market risk, and liquidity risk.

First Line of Defence

The functions that own and manage risks directly — typically business units and operational management responsible for implementing controls.

Forensic Audit

A specialised examination conducted to detect fraud, financial misconduct, or other irregularities, often leading to legal proceedings.

Framework

A structured approach that outlines processes, principles, and tools to guide risk, audit, or compliance activities. Examples include the COSO ERM Framework and ISO 31000.

Fraud

Any intentional act of deceit used to gain an unfair advantage, such as falsifying financial information, embezzlement, or insider trading. Fraud may result in legal penalties and damage to reputation.

Fraud Risk Assessment

A process to identify, assess, and prioritise the risk of fraud across an organisation, often used to guide anti-fraud controls and response strategies.

Functional Risk

Risks that arise from the specific functions or departments of a business (e.g. HR, IT, Finance) that could impact operational efficiency or compliance.

G

GDPR (General Data Protection Regulation)

The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. Though it was drafted and passed by the EU, the law imposes obligations onto organisations anywhere, so long as they target or collect data related to people in the EU (GDPR.eu).

Gap Analysis / Gap Assessment

A Gap Analysis or Assessment is a method of assessing an organisation’s performance or compliance against a selected set of controls, policies, or specified set of questions. Gap Assessments can be conducted to better understand whether requirements are being met and where an organisation’s gaps are in complying with the standards it has identified as essential.

General Controls

Broad-based IT controls that support the functioning of application controls and help ensure the continued proper operation of systems. These include access controls, change management, and data backup.

Governance

The combination of processes, structures, and policies used by the board and management to ensure accountability, fairness, and transparency in an organisation’s relationship with stakeholders.

Governance Framework

The system by which an organisation is directed and controlled, including the mechanisms through which objectives are set, performance is monitored, and compliance is assured.

GRC (Governance, Risk, and Compliance)

An integrated approach that aligns governance, risk management, and compliance functions to improve performance, reduce silos, and ensure strategic alignment with objectives.

H

Heat Map

A visual representation of risks where the severity (impact) and likelihood are plotted on a matrix, typically using colours to highlight areas of high concern.

High-Risk Area

A function, process, or part of the organisation identified as having a greater likelihood or impact of risk and therefore requiring more stringent controls or oversight.

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically (HHS.gov).

Horizon Scanning

A strategic approach to identify potential threats, risks, and emerging issues that could affect the future growth and business outcomes of the organisation.

I

Impact

The effect or consequence of a risk event if it occurs. Impact can be financial, reputational, operational, legal, or safety-related and may be positive or negative.

Incident

An unplanned event or situation that has the potential to cause harm or disrupt operations. Incidents are often logged and reviewed to improve controls.

Incident Management

The process of identifying, recording, analysing, and resolving incidents to minimise their impact and prevent recurrence.

Incident Response Framework

A structured approach to detecting, responding to, and recovering from cybersecurity incidents. It outlines key stages such as preparation, detection, containment, eradication, recovery, and lessons learned, ensuring coordinated, timely, and effective response to minimise damage and restore normal operations.

Independent Assurance

A third-party evaluation of systems, controls, or reports to ensure objectivity and increase stakeholder confidence in the reliability of outcomes.

Information Security

The practice of protecting information from unauthorised access, disclosure, alteration, or destruction, ensuring confidentiality, integrity, and availability.

Inherent Risk

The level of risk present before any controls or mitigation measures are applied.

Internal Audit

An independent, objective assurance function that evaluates and improves an organisation’s governance, risk management, and control processes. Often referred to as the “third line of defence.”

Internal Control

A process effected by an entity’s board, management, and personnel to provide reasonable assurance regarding the achievement of objectives in operations, reporting, and compliance.

Internal Stakeholders

Individuals or groups within the organisation, such as employees, management, and board members, who are directly involved in or affected by organisational activities.

ISO 27001

An international standard for Information Security Management Systems (ISMS), offering a framework for managing sensitive information securely. It includes risk assessments, access controls, incident response, and continuous improvement practices.

ISO 31000

A global standard for risk management that provides principles, a framework, and a process for managing risk. It helps organisations improve decision-making, planning, and prioritisation by embedding risk-aware practices into all areas.

K

Key Performance Indicator (KPI)

Key performance indicators are a common and effective method of measuring the success of a security program, particularly over time. These KPIs can be determined prior to the commencement of the program and are then analysed and tracked as activities take place. By analysing KPIs alongside other security metrics—such as risk indicators and compliance—an organisation can gain visibility into how the security program and team are progressing in achieving defined goals.

Key Risk Indicator (KRI)

A measure used to indicate the potential presence, level, or trend of a risk. KRIs help organisations detect emerging risks early, enabling timely mitigation before they escalate.

M

Mitigation Plan

A defined strategy outlining actions to reduce the likelihood or impact of potential risks. Mitigation plans are part of the broader risk treatment process and often include assigned responsibilities, timelines, and follow-up monitoring.

Monitoring

An ongoing process of tracking the effectiveness of controls, risk indicators, and compliance measures. It ensures early detection of issues and supports informed decision-making across governance, risk, and compliance functions.

O

Objective

A clear, measurable goal that an organisation sets to achieve its mission. Objectives guide strategy, operations, and risk management decisions.

Operational Risk

The risk of loss resulting from inadequate or failed internal processes, people, systems, or external events. It includes risks such as fraud, system failures, or process breakdowns.

Opportunity

A circumstance or set of conditions that, if managed effectively, could help an organisation achieve its objectives or create additional value.

Organisational Resilience

The ability of an organisation to anticipate, prepare for, respond to, and adapt to incremental change and sudden disruptions in order to survive and prosper.

P

Policy

A formal statement of principles and rules that guides decisions and achieves rational outcomes. Policies ensure consistency and compliance with laws, regulations, and internal standards.

Procedure

A defined sequence of actions or steps designed to implement a policy or process in a consistent and repeatable way.

Proactive Risk Management

An anticipatory approach to identifying and managing risks before they materialise, with the aim of minimising potential disruption and maximising opportunity.

R

Raw Risk

A risk before any controls or mitigation measures have been applied.

Relative Risk

A measure of risk, comparing the risk in one group to the risk in another.

Residual Risk

The exposure or risk that remains after controls and other treatment measures intended to identify and eliminate it have been applied.

Risk

In the context of Governance, Risk Management, and Compliance (GRC), a risk is any event or condition, positive or negative, that could impact your organisation’s ability to achieve its objectives. Risks are not limited to worst-case scenarios; they can also be tied to opportunities that carry uncertainty.

Risk Appetite

The level of risk an organisation is willing to accept in pursuit of its objectives, guiding its strategic decisions and risk management practices.

Risk Analysis

The process of identifying and analysing potential issues that could negatively impact key business initiatives or projects.

Risk Assessment

The overall methodology or process used to identify risk elements and evaluate them.

Risk Avoidance

The decision to avoid involvement in activities deemed too risky or that do not align with the organisation’s risk appetite.

Risk Concentration

The exposure to a single risk or group of similar risks that might aggregate to produce a loss.

Risk Criteria

The standards, benchmarks, or parameters used within an organisation to assess and make decisions about risk.

Risk Identification

The process of finding, recognising, and describing risks.

Risk Level

The magnitude of a risk or the number of risks in a particular category or group.

Risk Management

Risk management is the process of identifying, assessing, and responding to the risks that could impact your organisation’s ability to achieve its goals. It is not just about avoiding threats: effective risk management also helps you spot opportunities, optimise decision-making, and strengthen resilience.

Risk Mitigation

Corrective actions taken to reduce the likelihood or impact of risks.

Risk Owner

The individual or entity responsible for managing risk and ensuring that appropriate treatment measures are implemented.

Risk Retention

The acceptance of the burden of loss, or benefit of gain, from a particular risk when the potential cost of managing it in other ways exceeds the benefits.

Risk Scenario

A hypothetical situation that describes a specific sequence of events that leads to a risk event occurring.

Risk Strategy

An organisation’s approach to addressing and assessing risks. Can include risk management policies, objectives, and plans.

Risk Tolerance

The predefined level of risk that an organisation is prepared to accept in pursuit of its objectives before action is deemed necessary to reduce the risk.

Risk Treatment

The process of selecting and implementing measures to modify risk, including mitigation, transfer, avoidance, or acceptance.

Root Cause

Underlying or initiating risk source or driver that produces certain outcomes or changes the impact of an outcome or outcomes. Commonly used to describe the point in a chain of events or conditions where an intervention could reasonably be implemented to improve performance or prevent an undesirable outcome. (Adapted from ANSI/ASIS/RIMS Risk Assessment Standard, RA.1-2015)

Root Cause Analysis

A systematic approach for identifying and assessing risks whereby a defined risk is analysed through questions such as “what can make this happen?”.

S

Scenario Analysis

A technique used to assess the impact of different risk events by evaluating possible future states and their potential effects on the organisation.

Second Line of Defence

Functions that support and oversee risk — such as compliance, legal, and data protection — helping ensure controls are properly designed and operating effectively.

Security Controls

Safeguards or countermeasures put in place to protect the confidentiality, integrity, and availability of information systems.

Strategic Risk

Risks that could significantly impact an organisation’s ability to achieve its strategic objectives — often related to market shifts, innovation, competition, or regulatory changes.

T

Testing Controls

A process in which compliance or audit teams assess whether internal controls are working effectively to prevent or detect errors, fraud, or non-compliance.

Third Line of Defence

The internal audit function that provides independent assurance on the effectiveness of governance, risk management, and internal controls. It operates independently from management to ensure objectivity and credibility.

Third-Party Risk Management (TPRM)

The process of identifying, assessing, and mitigating risks that arise from third-party vendors or partners who have access to your systems, data, or services.

Threat

A potential cause of an unwanted incident that could result in harm to a system or organisation.

Three Lines Model

A governance framework that divides organisational roles into three lines: (1) operational management, which owns and manages risk; (2) risk and compliance functions, which oversee risk; and (3) internal audit, which provides independent assurance.

Tolerance (Risk Tolerance)

The acceptable level of deviation from an organisation’s risk appetite for achieving its objectives. It reflects how much risk can be tolerated before management needs to act.

Transparency

The open and honest disclosure of relevant information to stakeholders, fostering trust and accountability in governance, risk, and compliance practices.

Treatment Plan

A documented strategy that outlines specific steps to address a risk, including actions, timelines, responsibilities, and resources required to implement mitigation measures.

V

Validation

The process of ensuring that a system, process, or control operates according to its intended design and meets required standards or objectives.

Value at Risk (VaR)

A quantitative technique used to estimate the potential loss in value of an asset or portfolio over a defined period for a given confidence interval.

Value Creation

The process through which an organisation delivers products or services that contribute to stakeholder goals while achieving sustainable business outcomes.

Vendor Risk Management

The process of identifying, assessing, and mitigating risks associated with third-party suppliers and service providers, particularly those with access to critical systems or sensitive data.

Vulnerability

A weakness or gap in an organisation’s defences that could be exploited by threats to cause harm, loss, or disruption. Vulnerabilities may be technical, procedural, or organisational.
