Absolute Assurance

A level of assurance that is impossible to achieve.

Usage Notes

Absolute assurance is not attainable because of limitations including the nature of evidence and the characteristics of misconduct, mistakes and miscalculations (especially intentional fraud). Thus, even when assurance activities are conducted with the highest levels of objectivity and competence, it is still impossible to achieve absolute assurance.

Part of: Level of Assurance

Also related to: Assurance, Level of Assurance

ACCEPT (Design Option)

An intentional design decision to embrace, or concede to the current level of risk, reward, and compliance.

Usage Notes

Sometimes ACCEPT is used when embracing or conceding to a planned level of risk, reward, or compliance.

Accountable

The characteristic of an individual who takes responsibility and ownership for tasks and their outcomes, transcending a narrow job description.

Usage Notes

The quality of an individual who assumes responsibility and ownership, going beyond the idea of "it's not my job."

This involves maintaining a balance between stepping up without overstepping boundaries, avoiding both the lack of accountability that manifests as blame-shifting and excessive accountability that may encroach on others' roles.

Action & Control

A specific way, usually used in combination, that an organization addresses risk, reward, and compliance.

Action & Control Type

A method to organize actions & controls, based on whether they are proactive, detective, or responsive to risk, reward, or compliance.

Action & Control Category

A method to organize actions & controls, according to the specific resources they involve.

Action & Control Orientation

A method to organize actions & controls, based on whether they primarily support management, governance, or assurance activities.

Action & Control Category

A method to organize actions & controls, according to the specific resources they involve.

Policy Action & Controls

Formal statements and rules about organizational intentions and expectations used to address risk, reward, and compliance.

People Actions & Controls

Human factors, including structure, accountability, education, and enablement used to address risk, reward, and compliance.

Process Action & Controls

Decisions about how and when to perform activities, and where and to whom to assign accountability used to address risk, reward, and compliance.

Physical Actions & Controls

Physical safeguards, barriers, or constraints, such as fences, locks, guards, cameras, or other protective mechanisms, used to address risk, reward, and compliance.

Information Actions & Controls

Communications and reports up, down, and across the organization used to address risk, reward, and compliance.

Technology Action & Controls

Hardware and software systems used to address risk, reward, and compliance.

Financial Action & Controls

Insurance, captives, hedging, reserves, or other financial instruments used to address risk, reward, and compliance.

Action & Control Orientation

A method to organize actions & controls, based on whether they primarily support management, governance, or assurance activities.

Usage Notes

Some actions & controls may serve management, governance, and assurance orientations. In fact, it is desirable for actions & controls to serve all three orientations to avoid duplication and complexity.

Management Actions & Controls

Actions & controls that primarily serve management activities to address opportunities, obstacles, and obligations.

Governance Actions & Controls

Actions & controls that primarily serve governance activities to constrain and conscribe the organization or some aspect of it.

Assurance Actions & Controls

Actions & controls that primarily serve assurance activities.

Action & Control Type

A method to organize actions & controls, based on whether they are proactive, detective, or responsive to risk, reward, or compliance.

Proactive Actions & Controls

Actions & controls that promote or enable favorable events and prevent or deter unfavorable events.

Detective Actions & Controls

Actions & controls that detect the occurrence of favorable and unfavorable events.

Responsive Actions & Controls

Actions & controls that aim to accelerate or compound the benefit of favorable events, and correct or recover from the harm of unfavorable events.

Agile

Evidence that the organization can respond quickly and positively to changes and stress.

Usage Notes

Agility is often measured by tracking how long it takes to adapt to a change in circumstances. For example:

When a new regulation is announced, how long does it take to address it?

When a new customer requirement is uncovered, how long does it take to deliver value?

When a change in organizational structure happens, how long does it take other areas of the organization to respond?

Part of: Total Performance™

Synonyms: Responsive

Ambiguous

A property that refers to the presence of multiple, unclear, or conflicting interpretations of conditions, events, or behaviors in a system.

Usage Notes

These questions help to understand if a situation is ambiguous:

  1. Is there a prevailing lack of clarity on how to interpret the situation?
  2. Are multiple, and often contradictory, interpretations possible for the situation?
  3. Is the context or frame of reference for the situation unclear or subject to frequent changes?

Part of: VUCA

Analysis Criteria

The criteria used to analyze, quantify and select ways to address risk, reward, and compliance.

Antifragile

A property or description of systems that increase in capability to thrive as a result of stressors, shocks, volatility, noise, mistakes, faults, attacks, or failures.

Usage Notes

The concept was developed by Nassim Nicholas Taleb in his book, Antifragile, and in technical papers.

Many professionals who aim for organizational resilience say that "getting stronger" has always been an objective of resilience and that "antifragile" may be considered a "maximal form of resilience."

See canonical synonym: Resilient

Appetite

A range for the value of an indicator that defines a preferred or expected level of variation around a target.

Usage Notes

Any variation within the appetite would be considered expected and normal. No adjustments to actions & controls are necessary when a system operates within the appetite.

Appreciation Incentives

Incentives to perform favorable behaviors that provide meaningful gratitude and acknowledgement to the individual that otherwise would not be available.

Part of: Incentives

Assessment Procedures

See canonical synonym: Review Procedures

Assurance

The act of objectively and competently evaluating subject matter to provide conclusions and confidence that statements and beliefs about the subject matter are justified and true.

Assurance Provider

Someone who conducts assurance activities.

Objectivity (in Assurance)

The degree to which an Assurance Provider can be impartial, disinterested, independent, and free to conduct necessary activities and to form an opinion about the subject matter.

Competence (in Assurance)

The degree to which an Assurance Provider can use sophisticated, professional, and structured techniques to evaluate subject matter.

Evaluate

The act of judging subject matter by comparing evidence against suitable criteria.

Subject Matter

Identifiable statements, conditions, events, or activities for which there is evidence.

Level of Assurance

A measure of the degree of confidence that an assurance provider can deliver to an information consumer about statements an information provider makes about the subject matter.

Assurance Assessment

An objective and competent evaluation of subject matter to provide conclusions and confidence that statements and beliefs about the subject matter are justified and true.

Assurance Actions & Controls

Actions & controls that primarily serve assurance activities.

Usage Notes

Assurance actions & controls should only be designed and operated if management or governance actions & controls are insufficient for assurance activities.

Assurance Assessment

An objective and competent evaluation of subject matter to provide conclusions and confidence that statements and beliefs about the subject matter are justified and true.

Usage Notes

Providing conclusions and enhancing the confidence of stakeholders are key objectives of any assurance assessment.

Part of: Assurance

Assurance Provider

Someone who conducts assurance activities.

Assurance Risk

The risk that an assurance assessment provides inaccurate conclusions, especially inaccurate positive conclusions, that statements about the subject matter are justified and true.

Usage Notes

A meaningful misunderstanding happens when information producers make inaccurate statements to information consumers about subject matter. Common reasons for inaccurate statements include:

  • Misconduct. The information producer intentionally made inaccurate statements.
  • Mistakes. The information producer made statements that turned out to be inaccurate because of errors in underlying systems, actions, and controls.

Audience

The person or group that is intended to receive a message.

Part of: Channel

Synonyms: Receiver

Also related to: Student, Communicator

Audit & Assurance Discipline

A critical discipline that provides methods to enhance confidence that the organization is reliably achieving objectives, addressing uncertainty, and acting with integrity.

AVOID (Design Option)

A design option to cease all activity or terminate sources that give rise to the opportunity, obstacle, or obligation.

Part of: Design Options

Also related to: ACCEPT (Design Option)

Behaviors

Observable actions of a person or group of people, informed by beliefs and values.

Also related to: Values, Beliefs

Beliefs

Unobservable ideas and assumptions of a person or group, often caused by experience, perception, and personality.

Part of: Culture

Also related to: Values, Behaviors

Benefit

A measure of the positive impact that an event has on the organization.

Part of: Impact, Reward, Consequence

Also related to: Harm

Best Possible Value

A value of an indicator that is likely to be achieved under the best possible assumptions and best possible execution.

Also related to: Indicator, Committed Value, Stretch Value

See canonical synonym: Target

Board of Directors

A group of individuals elected by shareholders to represent their interests and to manage the business and affairs of the organization.

Usage Notes

The board of directors often delegates substantial authority to management, provides oversight of management and major corporate decisions, and holds a fiduciary duty to protect shareholders' interests.

Part of: Internal Stakeholders

See canonical synonym: Governing Authority

Boundary

Mandatory Boundary

Obligations that an organization must address because of some legitimate authority (e.g., laws, rules, regulations).

Voluntary Boundary

Obligations an organization chooses to address because of voluntary decisions (e.g., contracts, agreements and values).

See canonical synonym: Obligation

Business Model

A model that describes how a company creates, delivers, and captures value for its stakeholders. It defines the fundamental aspects of a company's operations, such as its target customers, value proposition, revenue streams, cost structure, and key resources and activities.

Business Unit

An organizational unit that is subordinate to the enterprise and often responsible for specific products, customers, or geography.

Usage Notes

Business unit may be used even when the organization is not a “business” (e.g., a government agency or a nonprofit organization).

Capacity

A range for an indicator that defines the maximum level of variation around a target that the organization is unwilling, unable, or incapable of addressing, and that may result in jeopardy or ruin.

Career Opportunities Incentives

Incentives to perform favorable behaviors that provide access to career path opportunities that otherwise would not be available.

Part of: Incentives

Cause

The trigger or potential trigger of events that lead to a consequence, including agents or forces that are responsible for bringing something into existence or changing it.

Usage Notes

Causes tend to be narrative, descriptive, or qualitative in nature. When quantifying causes, the term likelihood is typically used.

Prospect

A cause that has the potential to eventually result in benefit.

Hazard

A cause that has the potential to eventually result in harm.

Part of: Event, Cause, Event, Consequence (CEC) Model

Synonyms: Source

Also related to: Consequence

Cause, Event, Consequence (CEC) Model

An integrated model that illustrates the causes and consequences associated with events.

Usage Notes

Cause

The trigger or potential trigger of events that lead to a consequence, including agents or forces that are responsible for bringing something into existence or changing it.

Event

Something that happens, including a change in condition or behavior.

Consequence

The outcome or potential outcome of an event or series of events.

Channel

The medium used to get the message from the communicator to the audience.

Audience

The person or group that is intended to receive a message.

Communicator

The person or group that sends or signals a message.

Also related to: Message

Climate

The collective perception about self, surroundings, and others – including perceptions about culture, some aspect of culture, or some topical area.

Part of: Culture

Also related to: Mindsets

Code of Conduct

The Code of Conduct sets out the principles, values, standards, or rules of behavior that guide the organization's decisions, procedures, and systems. The Code of Conduct is, in effect, a set of the most important core policies.

Usage Notes

The Code of Conduct is, perhaps, the most important policy in an organization.

Synonyms: Code of Ethics

Also related to: Policy

Code of Ethics

See canonical synonym: Code of Conduct

Collaborative

The quality of an individual to engage in productive relationships and teamwork, understanding their fundamental role in achieving greater outcomes.

Usage Notes

This characteristic necessitates a balance to avoid underuse, which may lead to isolation and antagonism, and overuse, which may create a social atmosphere without clear accountability.

Part of: Protector Mindset™

Also related to: Accountable

Committed Value

A value of an indicator that is likely to be achieved given current assumptions and planned execution.

Usage Notes

When used, this can be considered synonymous with Target.

Communicator

The person or group that sends or signals a message.

Message

The content of what is communicated.

Part of: Channel

Synonyms: Sender

Also related to: Audience

Competence

The ability to do something successfully.

Competence (in Assurance)

The degree to which an Assurance Provider can use sophisticated, professional, and structured techniques to evaluate subject matter.

Usage Notes

Being “competent” in assurance means being cognitively and physically capable of using sophisticated, professional, and structured techniques to evaluate subject matter.

Part of: Assurance, Level of Assurance

Also related to: Assurance Provider

Complex

A property that refers to the interconnected, interdependent, and interrelated nature of the parts of a system that often give rise to nonlinear dynamics, emergent properties and unpredictable outcomes.

Usage Notes

These questions help to understand if a situation is complex:

  1. Are there a multitude of interconnected variables that need to be considered?
  2. Does the situation involve navigating through numerous layers of complexity?
  3. Are the solutions multifaceted, necessitating a thorough consideration of a wide array of elements?

Part of: VUCA

Compliance

A measure of the degree to which obligations are proven to be addressed.

Compliance & Ethics Discipline

A critical discipline that provides methods to identify and address mandatory and voluntary obligations and the underlying ethical principles and values.

Compliance Management

The act of managing processes and resources to achieve the desired level of compliance.

Part of: GRC

Also related to: Compliance, Key Compliance Indicator (also KCI)

Compound/Accelerate Actions & Controls

Actions & controls that compound, accelerate, and increase the impact of favorable events to maximize benefit and promote future occurrence.

Condition

A state of reality.

Also related to: Event

Consequence

The outcome or potential outcome of an event or series of events.

Usage Notes

Consequences tend to be narrative, descriptive, or qualitative in nature. When quantifying consequences, the term impact is typically used.

Impact

A measure that estimates the consequence of an event.

Harm

A measure of the negative impact that an event has on the organization.

Benefit

A measure of the positive impact that an event has on the organization.

CONTROL (Design Option)

A design option to implement actions that govern and manage the opportunity, obstacle, or obligation according to its nature.

Usage Notes

Using the word "control" by itself is sometimes used to mean "action & control"

Convergent Thinking

Focused on high-likelihood possibilities, most favorable/unfavorable conditions and events, current and most relevant circumstances, and most rewarding/riskiest outcomes.

Also related to: Divergent Thinking

Correct/Recover Actions & Controls

Actions & controls that slow down or decrease the impact of unfavorable events, and return the organization to its original state, stable state, or superior state after harm has occurred to minimize harm and prevent future occurrences.

Usage Notes

Returning the organization to its original state or stable state is a sign of resilience.

Returning the organization to a superior state is a sign of antifragility.

Recovery Actions & Controls

Actions & controls that return the organization to its original state, stable state, or superior state after harm has occurred.

Corrective Actions & Controls

Actions & controls that safeguard the organization or some asset after an unfavorable event occurs.

Corrective Actions & Controls

Actions & controls that safeguard the organization or some asset after an unfavorable event occurs.

Usage Notes

Corrective actions & controls and Recovery actions & controls are related but slightly different.

For example, restoring a server to a clean image is a corrective control because it solves the immediate problem of a malware intrusion, while recovering the server data from backup is a recovery control because it returns the server to a known previous good state allowing the business to resume normal operation.

Creditor

An individual, institution, or entity to whom the organization owes money or services.

Critical Disciplines

The background disciplines that comprise the interdisciplinary approach to GRC, including: Governance & Oversight, Strategy & Performance, Risk & Decision Support, Compliance & Ethics, Security & Continuity, and Audit & Assurance.

Governance & Oversight Discipline

A critical discipline that provides methods to guide, constrain and conscribe the organization to achieve its purpose, mission, vision, and values.

Strategy & Performance Discipline

A critical discipline that provides methods to guide, arrange and operate resources to achieve objectives and monitor performance.

Risk & Decision Support Discipline

A critical discipline that provides methods to identify and address the effect of uncertainty on objectives, including ways to support decisions under uncertainty.

Compliance & Ethics Discipline

A critical discipline that provides methods to identify and address mandatory and voluntary obligations and the underlying ethical principles and values.

Security & Continuity Discipline

A critical discipline that provides methods to identify and address threats to critical physical and digital assets and infrastructure.

Audit & Assurance Discipline

A critical discipline that provides methods to enhance confidence that the organization is reliably achieving objectives, addressing uncertainty, and acting with integrity.

Also related to: Protector Skillset™

Culture

An emergent property of a group of people caused by the interaction of individual beliefs, values, mindsets, and behaviors and demonstrated by observable norms and articulated opinions that shape beliefs, values, mindsets, and behaviors in wide-ranging and durable ways.

Usage Notes

Culture has a bi-directional relationship with individuals. It is both an emergent property of a group of individual beliefs, as well as something that shapes individual beliefs.

Values

Fundamental beliefs, principles, and ideals that an organization, group, or individual demonstrates and adheres to when making decisions and acting.

Climate

The collective perception about self, surroundings, and others – including perceptions about culture, some aspect of culture, or some topical area.

Mindsets

Individual perceptions about self, surroundings, and others – including perceptions about culture, some topical area, or how to approach work.

Beliefs

Unobservable ideas and assumptions of a person or group, often caused by experience, perception, and personality.

Norms

Customs, rules, or expectations that a group socially reinforces, usually through informal means.

Current Residual Risk

The level of residual risk under currently operating actions & controls.

Part of: Residual Risk

Current Skill Level

Existing level of skill a person, or “typical” person in a group, possesses.

Customer

An individual, institution, or entity that purchases products or services.

Usage Notes

  • The customer is sometimes considered the "most important stakeholder" because without a customer, an organization cannot provide value.
  • For departments or teams, the customer may include a superior, subordinate, or peer organizational unit. For governmental entities, the customer is a constituent or regulated entity.

Damage

See canonical synonym: Harm

Decision-Making Criteria

The principles, values, rules, variables, conditions, targets, tolerances, and other thresholds used to select an option or make a decision.

Direction-Setting Criteria

The criteria used to set the direction for the organization and its objectives based on external/internal context, culture, and stakeholder needs.

Objective-Setting Criteria

The criteria used to set objectives and results in accordance with the organization’s direction.

Identification Criteria

The criteria used to identify opportunities, obstacles, and obligations that stand in front of the organization and its objectives.

Analysis Criteria

The criteria used to analyze, quantify and select ways to address risk, reward, and compliance.

Design Criteria

The criteria used to select actions & controls that address risk, reward, and compliance.

Demographic Factors

External factors that include gender, age, ethnicity, knowledge of languages, disabilities, mobility, home ownership, employment status, religious belief or practice, culture and tradition, living standards, and income level.

Part of: External Factors

Department

A department is subordinate to the enterprise and often cuts across multiple business units, providing shared services such as human resources, information technology (IT), compliance, risk management, and other services.

Descriptive Norms

Observation of what individuals do, providing information about what is “normal” in a particular culture.

Part of: Norms

Design Criteria

The criteria used to select actions & controls that address risk, reward, and compliance.

Design Effectiveness

Evidence of logically designed actions & controls relative to objectives, opportunities, obstacles, and obligations. This is accomplished by evaluating the design of actions & controls against suitable criteria.

Design Options

Broad design decisions to address an opportunity, obstacle, or obligation.

Usage Notes

Design options address both risk and reward. The term Risk Response is sometimes used when applied only to risks.

ACCEPT (Design Option)

An intentional design decision to embrace, or concede to the current level of risk, reward, and compliance.

SHARE (Design Option)

To outsource, enter into joint ventures or partnerships, buy insurance, or use other financial instruments to address the opportunity, obstacle, or obligation.

AVOID (Design Option)

A design option to cease all activity or terminate sources that give rise to the opportunity, obstacle, or obligation.

TRANSFER (Design Option)

A special case of a sharing design option where an attempt is made to give close to 100% of responsibility and consequence to a third party.

CONTROL (Design Option)

A design option to implement actions that govern and manage the opportunity, obstacle, or obligation according to its nature.

Synonyms: Response Options

Design Review Procedure

A procedure that compares the documentation of the design of a system against suitable criteria that defines an acceptable design of that system.

Usage Notes

Suitable criteria are often available from existing standards or best practices.

Suitable criteria for assessing the GRC Capability Model (or some aspect of it) are available in the GRC Assessment Tools.

Detective Actions & Controls

Actions & controls that detect the occurrence of favorable and unfavorable events.

Usage Notes

Unfavorable events include incidents of non-compliance.

Deterrent

A type of action & control that reduces the likelihood of an event occurring.

Usage Notes

Often, a deterrent refers to a specific action, control, or strategy employed to reduce the likelihood of an event by instilling fear, risk, or negative consequences in those who might cause it.

Direction-Setting Criteria

The criteria used to set the direction for the organization and its objectives based on external/internal context, culture, and stakeholder needs.

Directives

Policy, process, and technology that encourage favorable events.

Divergent Thinking

Considering all possibilities, conditions and events, circumstances, and outcomes.

Also related to: Convergent Thinking

Duration

A measure that estimates how long an event or impact might last.

Economic Factors

External factors that include growth, exchange, inflation, and interest rates.

Part of: External Factors

Economic Incentives

Incentives to perform favorable behaviors that provide monetary compensation, bonuses, profit-sharing or gain-sharing that otherwise would not be available.

Part of: Incentives

Education Activity

See canonical synonym: Learning Activity

Effect

A measure that estimates the likelihood and impact that an event has on objectives.

Risk

A measure of the negative, unfavorable effect of uncertainty on objectives.

Reward

A measure of the positive, favorable effect of uncertainty on objectives.

Also related to: Event, Objective

Effective

An aspect of Total Performance which demonstrates evidence of logically designed actions & controls that address appropriate objectives, opportunities, obstacles, and obligations; and evidence that these actions & controls are operating as designed.

Part of: Total Performance™

Synonyms: Sound

Efficient

An aspect of Total Performance which demonstrates evidence that the organization productively uses financial, human, and other capital resources without wasted effort or expense.

Part of: Total Performance™

Synonyms: Lean

Enterprise

The most superior unit that encompasses the entirety of the organization.

Usage Notes

Enterprise may be used even when the organization is a government agency, a nonprofit organization, or a small organization.

Environmental Factors

External factors that include ecological and environmental aspects such as climate and natural resources.

Part of: External Factors

Ethics

Values that define right and wrong decisions and actions based on the norms of a group.

Usage Notes

Ethics get their authority from external social systems relating to a specific group. Ethics are often codified in a set of rules that apply to a member of the group (e.g., lawyers, doctors, and accountants follow the ethical system adopted by those in the field).

Ethics and morals are sometimes used interchangeably, but these words have nuanced meanings. Much of the confusion between these two words can be traced back to their origins. For example, the word “ethic” comes from Old French (etique), a set of rules for customs and behaviors, whereas Late Latin (ethica) and Greek (ethos) referred to customs or moral philosophies. “Morals” comes from Late Latin’s moralis, which refers to appropriate behavior and manners in society. The two words originally had very similar meanings.

Also related to: Morals, Values

Evaluate

The act of judging subject matter by comparing evidence against suitable criteria.

Subject Matter

Identifiable statements, conditions, events, or activities for which there is evidence.

Suitable Criteria

Benchmarks used to evaluate subject matter that yield consistent and meaningful results.

Part of: Assurance

Event

Something that happens, including a change in condition or behavior.

Usage Notes

All events have a cause. Most events have a consequence. However, some causes and consequences may be ambiguous, complex, or uncertain.

Cause

The trigger or potential trigger of events that lead to a consequence, including agents or forces that are responsible for bringing something into existence or changing it.

Consequence

The outcome or potential outcome of an event or series of events.

Executive Management

See canonical synonym: Executive Team

Executive Team

A group of executives, often a group of the senior-most executives in an organization.

Usage Notes

The Executive Team is often referred to as the "C-Suite" because the individuals on the Executive Team hold titles such as "chief executive officer," "chief financial officer," and "chief legal officer."

Executives

Senior-most managers with broad responsibilities over the entire organization or some significant part of the organization (e.g., all technology, all sales and marketing, all administration, all finance).

Usage Notes

Executives often have words such as “chief” in their titles, such as “chief executive officer” or “chief operating officer.”

Part of: Workforce

Also related to: Executive Team

Extended Enterprise

See canonical synonym: Third Party

External Context

See canonical synonym: External Factors

External Factors

Categories of sources and forces that originate outside of the organization, including industry, market, economic, technology, societal, legal, political, environmental, and demographic factors.

Industry Factors

External factors that include new entrants, competitors, suppliers, customers, substitutes, and industry norms.

Market Factors

External factors that include customer trends, demographics, and economic conditions.

Economic Factors

External factors that include growth, exchange, inflation, and interest rates.

Technology Factors

External factors that include technological aspects such as R&D activity, automation, storage, computation, technology incentives, innovations in materials, mechanical efficiency, and the rate of technological change.

Societal Factors

External factors that include cultural aspects, attitudes, customs, and norms.

Legal and Regulatory Factors

External factors that include laws, rules, regulations, litigation, and judicial or administrative opinions.

Political Factors

External factors that relate to how the government intervenes in the economy, including laws, rules, regulations, tax policy, and political stability.

Environmental Factors

External factors that include ecological and environmental aspects such as climate and natural resources.

Demographic Factors

External factors that include gender, age, ethnicity, knowledge of languages, disabilities, mobility, home ownership, employment status, religious belief or practice, culture and tradition, living standards, and income level.

Geopolitical Factors

External factors that include sanctions, export controls, and potential military conflicts.

Synonyms: External Context

External Stakeholders Permalink

An individual, institution, or entity outside of the organization that is affected by, or has an interest in, the company's decisions and activities.

Usage Notes

These stakeholders do not directly participate in the company's operations but can influence or be influenced by the company's business outcomes. Examples of external stakeholders include customers, suppliers, creditors, investors, regulators, the government, competitors, the media, and the community or society in which the company operates. The company's decisions and policies often aim to consider and balance the interests of both internal and external stakeholders.

Customer

An individual, institution, or entity that purchases products or services.

Investor

An individual, institution, or entity that provides capital to the organization either by purchasing shares (thus becoming shareholders), bonds, or other financial instruments, with the expectation of receiving a financial return.

Shareholder

An individual, institution, or entity that owns shares or stock (or some functionally comparable instrument) in the organization.

Creditor

An individual, institution, or entity to whom the organization owes money or services.

Lender

An individual, institution, or entity that provides funds to the organization with the expectation that the funds will be paid back in full, usually with interest.

Supplier

An individual, institution, or entity that provides goods or services to the organization.

Regulator

Government or independent authorities that oversee and control specific aspects of the organization's practices. They set standards and rules that the organization must follow and can impose penalties for non-compliance.

Media

Various channels of communication, like newspapers, television, radio, and online platforms, which can shape public perception of the organization.

Society

The local, national, or global population affected by the organization's operations.

Part of: Stakeholder

Factor Permalink

A category of forces in the internal or external context.

Feedback Permalink

The reaction from the audience to a message.

Fifth Line of Accountability Permalink

The Governing Authority (Board) is ultimately accountable and responsible for the governance, management, and assurance of performance, risk, and compliance. While the governing authority may choose to delegate, this plenary accountability means that the governing authority must use due care to ensure that the right systems are in place to learn about and address important performance, risk, and compliance issues – especially those that present “red flags.”

Financial Action & Controls Permalink

Insurance, captives, hedging, reserves, or other financial instruments used to address risk, reward, and compliance.

Financial Capital Permalink

Liquidity, budgets, and other economic resources.

Part of: Resources

First Line of Accountability Permalink

Individuals and teams that own and manage performance, risk, and compliance associated with day-to-day operational activities.

Folkways Permalink

Informal norms that govern everyday behaviors and social etiquette that are not strictly enforced, but where violations may lead to mild disapproval or social awkwardness (e.g., table manners, punctuality, and appropriate dressing).

Part of: Norms

Force Permalink

A cause that is an emergent property of volatility, uncertainty, complexity, or ambiguity in the internal or external context.

Fourth Line of Accountability Permalink

The Executive team is accountable and responsible for the portfolio of organization-wide performance, risk, and compliance. The Fourth Line gains information from the First Line and the Second Line and assurance from the Third Line to make decisions about managing performance, risk, and compliance.

Fractal Permalink

The property of self-similarity or the repetition of patterns at different scales in a system or structure.

Usage Notes

In fractal geometry, a fractal is a mathematical set that exhibits self-similarity and has a structure that is similar at every scale. Fractals are often found in nature, such as in the branching patterns of trees, the veins of leaves, or the shapes of clouds.

In organizations, fractality is used to describe the self-similar patterns and structures of social networks and interactions, as well as in the study of collective behavior and decision-making.

Fractality means that problems and solutions can replicate and scale to multiple levels of the organization.

Frequency Permalink

A measure that estimates how often the same event might occur.

Geopolitical Factors Permalink

External factors that include sanctions, export controls, and potential military conflicts.

Part of: External Factors

Governance Permalink

The act of indirectly guiding, controlling, and evaluating an entity by constraining and conscribing resources.

Usage Notes

Related forms: govern; to govern; governing.

Part of: GRC

Governance & Oversight Discipline Permalink

A critical discipline that provides methods to guide, constrain and conscribe the organization to achieve its purpose, mission, vision, and values.

Governance Actions & Controls Permalink

Actions & controls that primarily serve governance activities to constrain and conscribe the organization or some aspect of it.

Usage Notes

Governance actions & controls are added when management actions & controls do not provide enough information or guidance to constrain and conscribe the organization.

Governing Authority Permalink

The most superior level of accountability and authority.

Usage Notes

  • The governing authority is often responsible for balancing the competing needs of stakeholders so that it can guide, constrain, and conscribe the organization to reliably achieve objectives, address uncertainty, and act with integrity to meet these needs.
  • The governing authority is often a board of directors if the organization in scope is an enterprise.
  • The governing authority may be an oversight committee if the organization in scope is a business unit or department.

Synonyms: Board of Directors

GRC Permalink

An initialism that stands for Governance, Risk, and Compliance, and is an interdisciplinary approach of integrated capabilities, interconnected relationships, and interlinked shared values, which enable Principled Performance.

Usage Notes

GRC, as an initialism, denotes governance, risk, and compliance — but the full story of GRC is so much more than those three words.

The acronym GRC was created as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management, and assurance of performance, risk, and compliance activities.

This includes work done by departments in governance, strategy, risk, compliance, security, audit, finance, legal, IT, and HR. But it also includes operators in lines of business, the executive suite, and the board itself.

While GRC was created by OCEG in 2003, the first peer-reviewed academic paper on the topic was published in 2007 by OCEG founder Scott Mitchell in the International Journal of Disclosure and Governance.

This groundbreaking paper influenced the related software and services industry and launched open-source GRC standards.

  • GRC is the pathway to Principled Performance.
  • GRC is a collection of integrated capabilities to enable Principled Performance.
  • GRC is a collection of integrated capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity.
  • GRC is an interdisciplinary approach of integrated capabilities, interconnected relationships, and interlinked shared values, which enable Principled Performance.

Governance

The act of indirectly guiding, controlling, and evaluating an entity by constraining and conscribing resources.

Risk Management

The act of managing processes and resources to address risk while pursuing reward.

Compliance Management

The act of managing processes and resources to achieve the desired level of compliance.

Also related to: Principled Performance

GRC Capability Model™ Permalink

The collection of capabilities that help an organization reliably achieve objectives, address uncertainty, and act with integrity formalized and documented in the GRC Capability Model™ from OCEG.

Usage Notes

The GRC Capability Model is the pathway to Principled Performance and comprises several capabilities from critical disciplines including:

  • Governance & Oversight
  • Strategy & Performance
  • Risk & Decisions
  • Compliance & Ethics
  • Security & Continuity
  • Audit & Assurance

Habitual Behaviors Permalink

Semi-automatic human actions informed by beliefs and values and governed by free will and discipline.

Harm Permalink

A measure of the negative impact that an event has on the organization.

Part of: Impact, Risk, Consequence

Synonyms: Damage

Also related to: Benefit

Hazard Permalink

A cause that has the potential to eventually result in harm.

Part of: Risk, Cause

Synonyms: Threat

Also related to: Obstacle

Helpline Permalink

A live or on-demand channel for individuals to ask questions before or while they are engaged in a task.

Hotline Permalink

A live or on-demand channel for individuals to report problems.

Also related to: Helpline

Human Capital Permalink

The collective knowledge, skills, abilities, and experiences of an organization's workforce, along with the relationships, attitudes, and values that enable them to work together to achieve the organization's objectives.

Part of: Resources

Identification Criteria Permalink

The criteria used to identify opportunities, obstacles, and obligations that stand in front of the organization and its objectives.

Impact Permalink

A measure that estimates the consequence of an event.

Benefit

A measure of the positive impact that an event has on the organization.

Harm

A measure of the negative impact that an event has on the organization.

Part of: Risk, Reward, Consequence

Incentives Permalink

Incentives include financial and non-financial things that encourage favorable conduct.

Usage Notes

There are two parts to an incentive:

  • Promise - Incentives must be announced in advance of the expected conduct.
  • Payoff - Incentives must be delivered as promised and meet or exceed the expectations of the individual. Otherwise, news will spread that the incentives aren't what they appear to be.

Economic Incentives

Incentives to perform favorable behaviors that provide monetary compensation, bonuses, profit-sharing or gain-sharing that otherwise would not be available.

Appreciation Incentives

Incentives to perform favorable behaviors that provide meaningful gratitude and acknowledgement to the individual that otherwise would not be available.

Status Incentives

Incentives to perform favorable behaviors that provide access to esteemed roles, promotions or other visible recognition that otherwise would not be available.

Professional Development Incentives

Incentives to perform favorable behaviors that provide access to professional development opportunities such as training or tuition reimbursements that otherwise would not be available.

Career Opportunities Incentives

Incentives to perform favorable behaviors that provide access to career path opportunities that otherwise would not be available.

Independence Permalink

The state of being free from structural or functional conditions that threaten the ability of the assurance provider to perform assurance activities with objectivity and without any undue influence. It includes the independence of the assurance provider from those who own, manage, operate, or support the activity being assured.

Usage Notes

To achieve the degree of independence necessary to deliver the desired Level of Assurance, an Assurance Provider should have direct and unrestricted access to information producers and information consumers.

Indicator Permalink

A measure of progress toward or status of an objective.

Target

An expected or planned value for an indicator.

Appetite

A range for the value of an indicator that defines a preferred or expected level of variation around a target.

Tolerance

A range for an indicator that defines an acceptable, though not preferred, level of variation around a target the organization is willing and able to address.

Capacity

A range for an indicator that defines the maximum level of variation around a target that the organization is unwilling, unable, or incapable of addressing, and that may result in jeopardy or ruin.

Indicator Targets & Ranges (ITR) Model Permalink

A model that describes how indicator targets and ranges such as appetite, tolerance and capacity relate to one another and can be used to evaluate total performance.

Usage Notes

The Indicator Targets & Ranges (ITR) Model is a robust model that provides a complete explanation of how to set targets and important ranges of values to evaluate the total performance of an indicator.

Indicator

A measure of progress toward or status of an objective.

Target

An expected or planned value for an indicator.

Appetite

A range for the value of an indicator that defines a preferred or expected level of variation around a target.

Tolerance

A range for an indicator that defines an acceptable, though not preferred, level of variation around a target the organization is willing and able to address.

Capacity

A range for an indicator that defines the maximum level of variation around a target that the organization is unwilling, unable, or incapable of addressing, and that may result in jeopardy or ruin.

Industry Factors Permalink

External factors that include new entrants, competitors, suppliers, customers, substitutes, and industry norms.

Part of: External Factors

Information Actions & Controls Permalink

Communications and reports up, down, and across the organization used to address risk, reward, and compliance.

Information Capital Permalink

Data, communications, and intelligence.

Part of: Resources

Information Consumer Permalink

An individual, group, or any entity that receives information sent from any source within the organization. Information is used as evidence to evaluate and compare against given criteria to provide a certain level of assurance.

Synonyms: Information User

Also related to: Assurance, Assurance Provider

Information Producer Permalink

An individual, group, or any entity that produces data/information to send to another individual, group, or entity that requests such information for the purpose of providing assurance.

Also related to: Assurance, Assurance Provider

Information User Permalink

See canonical synonym: Information Consumer

Inherent Effect Permalink

The effect of uncertainty in the absence of actions & controls.

Inherent Risk Permalink

The level of risk in the absence of actions & controls.

Also related to: Residual Risk

Injunctive Norm Permalink

Perceived behavior of what most people approve of, providing information on what one “should” do.

Part of: Norms

Instructor Permalink

Individual who teaches.

Intangible Resources Permalink

Resources that refer to non-physical assets, such as knowledge, brand equity, and organizational culture.

Part of: Resources

Integrated Action & Control Model™ Permalink

A structure that considers the purpose and types of actions & controls used for the governance, management, and assurance of performance, risk, and compliance.

Usage Notes

Figure: Integrated Action & Control Model

Proactive Actions & Controls

Actions & controls that promote or enable favorable events and prevent or deter unfavorable events.

Detective Actions & Controls

Actions & controls that detect the occurrence of favorable and unfavorable events.

Responsive Actions & Controls

Actions & controls that aim to accelerate or compound the benefit of favorable events, and correct or recover from the harm of unfavorable events.

Integrated Performance Support Permalink

A function that provides the exact information needed to solve a learner’s question at the moment of need. The goal is to increase performance by empowering individuals with self-help resources in the flow of work rather than interrupting work with periodic and episodic learning.

Also related to: Helpline

Integrated Plan Permalink

An integrated plan details processes and resources allocated to reliably achieve objectives, address uncertainty, and act with integrity.

Integrity Permalink

The state of being whole and complete by fulfilling obligations, honoring promises, and cleaning up the mess if a promise was broken.

Usage Notes

One way to evaluate integrity is with the formula Integrity = Promises Kept / Promises Made.

Sometimes factors outside of the control of the organization prevent promises from being honored. For example, an organization makes an implicit promise to every employee that they will be gainfully employed so long as the employee adds value. However, external factors, such as an economic downturn, might prevent the organization from honoring the employment promise, even if the employee is adding value. To maintain integrity, then, an organization must do its best to help the employee find gainful employment.

Intention (Call to Action) Permalink

What the communicator wants the audience to believe, value, or do as a consequence of the message.

Internal Audit Permalink

A function inside of the organization that helps the workforce, especially management, reliably achieve objectives, address uncertainty, and act with integrity by providing assurance that the right objectives, opportunities, obstacles, and obligations are addressed in the right way, to increase the total performance.

Usage Notes

Internal audit objectively and competently evaluates subject matter to provide conclusions and confidence that statements and beliefs about the subject matter are justified and true. This is especially important for key objectives, opportunities, obstacles, and obligations to make sure that the organization is operating within acceptable levels of risk/reward and compliance.

Internal Context Permalink

See canonical synonym: Internal Factors

Internal Factors Permalink

Categories of sources and forces that originate inside of the organization.

Synonyms: Internal Context

Internal Stakeholders Permalink

Stakeholders with an internal influence from within the organization: Personnel (and unions that represent the workforce), Managers, Executives, Board members, and Owners (who are involved in the organization).

Workforce

The collection of individuals the organization employs.

Owners

Individuals or entities that possess legal ownership and control of the organization.

Board of Directors

A group of individuals elected by shareholders to represent their interests and to manage the business and affairs of the organization.

Part of: Stakeholder

Investor Permalink

An individual, institution, or entity that provides capital to the organization either by purchasing shares (thus becoming shareholders), bonds, or other financial instruments, with the expectation of receiving a financial return.

Involuntary Behaviors Permalink

Automatic, often instinctual human actions informed by beliefs and values and governed by nature.

Key Compliance Indicator (also KCI) Permalink

Indicators that help govern, manage, and provide assurance about compliance related to an objective.

Also related to: Compliance, Compliance Management

Key Milestone Indicator (also KMI) Permalink

A Boolean value (yes/no) or a percentage value (% complete) that measures the degree to which a milestone is met.

Key Performance Indicator (also KPI) Permalink

Indicators that help govern, manage, and provide assurance about performance related to an objective.

Key Risk Indicator (also KRI) Permalink

Indicators that help govern, manage, and provide assurance about risk related to an objective.

Key Risks Permalink

Highest priority risks that an organization selects, usually based on key objectives.

Usage Notes

An organization is free to voluntarily select its key risks. Key risks should be defined and selected based on their relationship to key objectives.

Lagging Indicators Permalink

Indicators that provide information about past events or conditions.

Leaders Permalink

Individuals at any level of the organization who have the de facto attention and respect of the workforce regardless of their title or position.

Part of: Workforce

Synonyms: Leadership

Leadership Permalink

See canonical synonym: Leaders

Leading Indicators Permalink

Indicators that provide information about future events or conditions.

Lean Permalink

See canonical synonym: Efficient

Learner Permalink

See canonical synonym: Student

Learning Activity Permalink

A directed collection of learning content that achieves learning objectives by enhancing student ability from current skill level to target skill level.

Usage Notes

Learning activities may be synchronous or asynchronous and may be in-person or online.

Student

Individual who learns.

Learning Objective

Statements that define an educational activity's expected goal(s). Learning objectives can be used to structure the content of educational activities.

Learning Outcome

A statement that reflects what the learner will be able to do as a result of participating in the educational activity.

Current Skill Level

Existing level of skill a person, or “typical” person in a group, possesses.

Target Skill Level

The desired level of skill a person, or “typical” person in a group, is expected to possess.

Learning Content

The content in a learning activity includes text, image, audio, and video and takes the form of lecture, discussion, debate, and demonstration.

Synonyms: Education Activity

Learning Content Permalink

The content in a learning activity includes text, image, audio, and video and takes the form of lecture, discussion, debate, and demonstration.

Learning Objective Permalink

Statements that define an educational activity's expected goal(s). Learning objectives can be used to structure the content of educational activities.

Learning Outcome Permalink

A statement that reflects what the learner will be able to do as a result of participating in the educational activity.

Legal and Regulatory Factors Permalink

External factors that include laws, rules, regulations, litigation, and judicial or administrative opinions.

Part of: External Factors

Lender Permalink

An individual, institution, or entity that provides funds to the organization with the expectation that the funds will be paid back in full, usually with interest.

Level of Assurance Permalink

A measure of the degree of confidence that an assurance provider can deliver to an information consumer about statements an information producer makes about the subject matter.

Usage Notes

A greater degree of Assurance Objectivity and a greater degree of Assurance Competence generally result in a higher Level of Assurance.

Figure: Level of Assurance as a function of Competence and Objectivity

Objectivity (in Assurance)

The degree to which an Assurance Provider can be impartial, disinterested, independent, and free to conduct necessary activities and to form an opinion about the subject matter.

Competence (in Assurance)

The degree to which an Assurance Provider can use sophisticated, professional, and structured techniques to evaluate subject matter.

Lower Assurance

A more limited level of assurance resulting from activities such as self-assessments and benchmarking performed by the personnel responsible for the subject matter.

Absolute Assurance

A level of assurance that is impossible to achieve.

Reasonable Assurance

A special type and level of assurance, provided by external auditors as part of a financial audit or examination, that subject matter conforms to suitable criteria and is free from material error.

Limited Assurance

A level of assurance resulting from reviews, compilations, and other activities performed by competent personnel who are sufficiently objective about the subject matter.

Likelihood Permalink

A measure that estimates the occurrence of an event.

Part of: Risk, Reward

Limited Assurance Permalink

A level of assurance resulting from reviews, compilations, and other activities performed by competent personnel who are sufficiently objective about the subject matter.

Lines of Accountability™ Model (also LoA) Permalink

A model that helps organizations govern, manage and provide assurance over performance, risk, and compliance by allocating specific responsibilities to different individuals or groups within the organization and creating a layered approach to produce and preserve value.

Usage Notes

The Lines of Accountability Model segregates responsibilities so that each “line” or group has the appropriate objectivity and competence to address the nature of the required work.

This model is "fractal" in nature and may be applied at either the organizational level or some lower level such as a team. Hence, while the Lines of Accountability Model is presented using five lines, the reality is that organizations comprise unique and idiosyncratic arrangements of people, processes, information, and technology.

Figure: Lines of Accountability Model

Importantly, the Lines of Accountability Model recognizes that a single department or function may perform activities associated with multiple lines of accountability.

For example, an accounting department may function as a "first line" when it records financial transactions, and as a "second line" when it analyses the performance of a business unit or reconciles each sale with a receipt of cash.

Further, consider a sole proprietor who may “physically” have just one “line” in their organization – namely, themselves. Despite this arrangement, the Lines of Accountability Model may be applied by thoughtfully segregating activities in time and space by just one person.

For example, the sole proprietor may perform daily bookkeeping with an aim toward efficiency and accuracy (first line). Then, once a month, and though not completely objective, this same person may perform “desk checking” and review of their own work (second line). Quarterly, they may conduct some strategic planning and review (fourth line). A meticulous sole proprietor may even take a weekend at the end of the year to trace transactions to perform assurance activities (third line) before preparing materials for an external auditor. And being a board member (fifth line), this same person may perform some “ultimate accountability” activities by filing the annual report to keep the organization in good standing with the tax authority.

Contrast this with a global enterprise with many business units and dozens of lines of accountability with varying degrees of scope and scale. Each business unit may have multiple lines of accountability, providing varying degrees of service to other departments and business units.

Hence, every organization will have a unique arrangement of the Lines of Accountability based on the size, scope, and preferences of the board and executive management. What is critical is that the arrangement helps the organization be reliable.

First Line of Accountability

Individuals and teams that own and manage performance, risk, and compliance associated with day-to-day operational activities.

Second Line of Accountability

Individuals and teams that establish performance, risk, and compliance programs for the First Line. The Second Line provides oversight through frameworks, standards, policies, tools, and techniques to support performance, risk, and compliance management. The Second Line often manages its own portfolio of objectives and associated performance, risk, and compliance. The Second Line may provide limited assurance over First Line activities.

Third Line of Accountability

Individuals and teams that specialize in and provide a high level of assurance on activities performed by the First Line and Second Line. The Third Line may include internal audit, external audit or outside experts who are sufficiently objective and competent.

Fourth Line of Accountability

The Executive team is accountable and responsible for the portfolio of organization-wide performance, risk, and compliance. The Fourth Line gains information from the First Line and the Second Line and assurance from the Third Line to make decisions about managing performance, risk, and compliance.

Fifth Line of Accountability

The Governing Authority (Board) is ultimately accountable and responsible for the governance, management, and assurance of performance, risk, and compliance. While the governing authority may choose to delegate, this plenary accountability means that the governing authority must use due care to ensure that the right systems are in place to learn about and address important performance, risk, and compliance issues – especially those that present “red flags.”

Lower Assurance Permalink

A more limited level of assurance resulting from activities such as self-assessments and benchmarking performed by the personnel responsible for the subject matter.

Management (as a GRC Concept) Permalink

The act of directly guiding, controlling, and evaluating an entity by arranging and operating resources.

Management Actions & Controls Permalink

Actions & controls that primarily serve management activities to address opportunities, obstacles, and obligations.

Usage Notes

Management actions & controls comprise most of the work performed by the organization.

Whenever possible, management actions & controls should be used by both the governing authority and assurance providers to avoid unnecessary complexity and duplication.

Management Team Permalink

A group of managers who are responsible for an area of the business.

Usage Notes

Often, the Management Team comprises the most senior managers for that particular area. For example, if the area of the business is the financial operations, then the management team may comprise the chief financial officer, the lead controller, and the treasurer.

See canonical synonym: Managers

Managers Permalink

Personnel who manage others.

Usage Notes

Qualifiers such as “senior managers” refer to managers with more responsibility in scale or scope, while “junior managers” have less responsibility.

Part of: Workforce

Synonyms: Management Team

Mandatory Boundary Permalink

Obligations that an organization must address because of some legitimate authority (e.g., laws, rules, regulations).

Part of: Obligation, Boundary

Market Factors Permalink

External factors that include customer trends, demographics, and economic conditions.

Part of: External Factors

Material Fact Permalink

A fact is material if there is a substantial likelihood that a reasonable information user would consider it important in making a decision, or if it would have been viewed by the reasonable information user as having significantly altered the 'total mix' of information made available and used to make the decision.

Usage Notes

This definition is based on the standard of materiality articulated by the U.S. Supreme Court in TSC Industries v. Northway, 426 U.S. 438, 449 (1976). While the original standard was applied to financial reporting information in the United States, it is often used as a basis for global financial reporting, cybersecurity reporting and sustainability reporting.

A more direct quote of the original standard would be "a fact is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available."

Material Misstatement Permalink

A material misstatement refers to a significant error or omission in financial statements that could potentially influence the decisions of information consumers of those statements. It can be caused by an error, fraud, or the misapplication of accounting principles. Material misstatements can affect the accuracy and reliability of financial information and may cause financial statements to be misleading or incomplete. Materiality is determined based on the size and nature of the misstatement, as well as its potential impact on the financial statements and the decisions of users of those statements.

Material Misstatements Permalink

A special case of Meaningful Misunderstanding where the information producer makes a significant error or omission in financial statements that could potentially influence the decisions of information consumers.

Maturity Permalink

The level of development, progress, or sophistication of a particular process, function, or organization.

Maturity Model Permalink

A structured framework that is used to assess and measure an organization's maturity or level of development in a particular area. Maturity models typically define a series of levels, each representing a higher level of maturity, and identify specific characteristics, practices, or capabilities that organizations should demonstrate to achieve each level.

Meaningful Misunderstanding Permalink

Meaningful misunderstanding occurs when an information producer makes statements that contain material errors or omissions that could affect the decisions of information users of those statements.

Usage Notes

The risk of meaningful misunderstanding determines the purpose and nature of assurance and assessment activities.

Material Misstatements

A special case of Meaningful Misunderstanding where the information producer makes a significant error or omission in financial statements that could potentially influence the decisions of information consumers.

Means Permalink

Usage Notes

One may talk about the "ways and means" that an organization uses to reliably achieve objectives, address uncertainty, and act with integrity.

Also related to: Ways

See canonical synonym: Resources

Media Permalink

Various channels of communication, like newspapers, television, radio, and online platforms, which can shape public perception of the organization.

Message Permalink

The content of what is communicated.

Part of: Communicator

Also related to: Channel

Message Cadence Permalink

The velocity and frequency of sending a message.

Mindsets Permalink

Individual perceptions about self, surroundings, and others – including perceptions about culture, some topical area, or how to approach work.

Part of: Culture

Also related to: Climate

Mission Permalink

An objective that states who the organization serves, what it does, and what it hopes to achieve today and in the long term.

Usage Notes

The mission statement is often used to guide decision-making and priority-setting within the organization, and serves as a clear and consistent statement of its overall purpose and direction.

Part of: Purpose

Monitoring Permalink

Ongoing and periodic activities that observe actions & controls, and the information generated by these controls, to gauge effectiveness, efficiency, responsiveness, and resilience.

Morals Permalink

Values that define good and bad (evil) decisions and actions based on a system of beliefs or personal intuitions.

Usage Notes

Morals get their authority from personal intuitions, a "higher power," or other systems of beliefs.

When a society, organization, or group fully embodies a specific system of beliefs, the ethics and morals of that group may be almost synonymous. For example, a religious organization may find its "ethical code" and "moral code" synonymous. Similarly, a political organization may find its ethics nearly synonymous with the moral code embodied by the political system of belief.

Even though morals may come from an external system of beliefs (e.g., religious or political), morals (unlike ethics) are often internalized and expressed in nuanced ways that are specific to the individual.

Ethics tend to be embodied and expressed in consistent ways across individuals. Morals tend to be embodied and expressed in nuanced, idiosyncratic ways across individuals.

Also related to: Ethics , Values

Mores Permalink

More formalized and serious norms that are deeply ingrained in a culture and have moral significance. Violating mores can lead to severe social disapproval, ostracism, or even legal consequences (e.g., honesty, respect for elders, and adherence to religious practices).

Part of: Norms

Noise Permalink

Anything that causes difficulties during the communication process.

Norms Permalink

Customs, rules, or expectations that a group socially reinforces, usually through informal means.

Descriptive Norms

Observation of what individuals do, providing information about what is “normal” in a particular culture.

Proscriptive Norms

Customs, rules, or expectations that discourage behavior the group deems negative (e.g., “do not cheat”).

Prescriptive Norms

Customs, rules, or expectations that encourage behavior the group deems positive (e.g., “be honest”).

Injunctive Norm

Perceived behavior of what most people approve of, providing information on what one “should” do.

Folkways

Informal norms that govern everyday behaviors and social etiquette that are not strictly enforced, but where violations may lead to mild disapproval or social awkwardness (e.g., table manners, punctuality, and appropriate dressing).

Mores

More formalized and serious norms that are deeply ingrained in a culture and have moral significance. Violating mores can lead to severe social disapproval, ostracism, or even legal consequences (e.g., honesty, respect for elders, and adherence to religious practices).

Part of: Culture

Objective Permalink

A measurable outcome to achieve.

Part of: Principled Performance

Also related to: Strategic Goals , Indicator , Effect

Objective-Setting Criteria Permalink

The criteria used to set objectives and results in accordance with the organization’s direction.

Objectivity (in Assurance) Permalink

The degree to which an Assurance Provider can be impartial, disinterested, independent, and free to conduct necessary activities and to form an opinion about the subject matter.

Part of: Assurance, Level of Assurance

Also related to: Assurance Provider

Obligation Permalink

A requirement that an organization must or should address because of a promise, whether mandatory or voluntary.

Mandatory Boundary

Obligations that an organization must address because of some legitimate authority (e.g., laws, rules, regulations).

Voluntary Boundary

Obligations an organization chooses to address because of voluntary decisions (e.g., contracts, agreements and values).

Synonyms: Boundary

Also related to: Obstacle , Compliance

Obstacle Permalink

An uncertain future event that may, on balance, have a negative effect on objectives.

Part of: Risk

Synonyms: Threat

Also related to: Hazard , Opportunity , Obligation

Operating Effectiveness Permalink

Evidence that actions & controls operate as intended. This is accomplished by substantive testing of information generated by actions & controls to judge actual results against expected results.

Operating Geographies Permalink

Legal jurisdictions where the organization operates.

Operating Review Procedure Permalink

A procedure that compares the actual events or transactions performed by a system (including people, processes and technologies) against the expected events and transactions given the design of the system.

Opportunity Permalink

An uncertain future event that may, on balance, have a positive effect on objectives.

Part of: Reward

Also related to: Obstacle

Org Chart Permalink

See canonical synonym: Organizational Chart

Organization Permalink

See canonical synonym: Organization in Scope

Organization in Scope Permalink

The organizational unit in scope for applying the GRC Capability Model.

Usage Notes

The Organization in Scope may be at any level including:

  • Enterprise
  • Business Unit
  • Department
  • Team

Some professionals even apply the GRC Capability Model at an individual level, though the guidance provided is intended for organizations with multiple people.

Organizational Level

A hierarchical tier within an organization that is responsible for specific tasks, functions, decisions, actions, and controls.

Organizational Layer

A unit within an organization that is responsible for specific tasks, functions, decisions, actions, and controls and typically referenced in relationship to other layers.

Organizational Unit

A specific subdivision of an organization that is formed for the purpose of achieving particular objectives.

Synonyms: Organization

Also related to: Organizational Level

Organizational Chart Permalink

A diagram that shows the structure of an organization and the relationships and relative ranks of its parts and positions/jobs.

Synonyms: Org Chart

Organizational Layer Permalink

A unit within an organization that is responsible for specific tasks, functions, decisions, actions, and controls and typically referenced in relationship to other layers.

Usage Notes

When "organizational layer" is used, it typically involves some "layering" of organizational units to achieve an objective. For example:

  • Having multiple layers of protection to address a particular risk
  • Having multiple layers so that an important strategic priority isn't forgotten

Organizational Level Permalink

A hierarchical tier within an organization that is responsible for specific tasks, functions, decisions, actions, and controls.

Usage Notes

Organizational Layers and Units

Superior Level

Organizational units to which the organization in scope is accountable.

Peer Level

Organizational units that are lateral to the organization in scope and often report to or are accountable to the same superior unit.

Subordinate Level

Organizational units that are accountable to the organization in scope.

Organizational Unit Permalink

A specific subdivision of an organization that is formed for the purpose of achieving particular objectives.

Enterprise

The most superior unit that encompasses the entirety of the organization.

Business Unit

An organizational unit that is subordinate to the enterprise and often responsible for specific products, customers, or geography.

Department

A department is subordinate to the enterprise and often cuts across multiple business units providing shared services such as human resources, information technology (IT), compliance, risk management, and other services.

Team

The smallest organizational unit. Teams may be part of a department or may be cross-functional. Teams may be permanent or temporary.

Owners Permalink

Individuals or entities that possess legal ownership and control of the organization.

Usage Notes

Owners, unlike external shareholders or investors, tend to have direct operational involvement in the organization.

Paragons Permalink

Role models that encourage favorable events.

Peer Level Permalink

Organizational units that are lateral to the organization in scope and often report to or are accountable to the same superior unit.

Usage Notes

Recall that the Organization in Scope may be an enterprise, business unit, department or team. Thus the "Peer Level" would be a unit that shares a common Superior Level to which both the Organization in Scope and the Peer Level report.

People Actions & Controls Permalink

Human factors, including structure, accountability, education, and enablement used to address risk, reward, and compliance.

Performance Permalink

See canonical synonym: Reward

Performance Management Permalink

The act of managing processes and resources to pursue reward while addressing risk.

Personnel Permalink

See canonical synonym: Workforce

Physical Actions & Controls Permalink

Physical safeguards, barriers, or constraints, such as fences, locks, guards, cameras, or other protective mechanisms, used to address risk, reward, and compliance.

Physical Capital Permalink

The physical assets of an organization, including manufactured goods, buildings, equipment, and infrastructure.

Part of: Resources

Planned (Simulated) Stress Permalink

Scenarios that use historical, hypothetical, or simulated events to test how forces will be addressed.

Planned Residual Risk Permalink

The level of residual risk under planned (or desired) actions & controls.

Part of: Residual Risk

Policy Permalink

A broad articulation of what the organization expects on a particular topic, that describes the “why” or intent, considers context, sets the tone, and changes infrequently.

Prescriptive Policy

A policy that states what to do.

Proscriptive Policy

A policy that says what not to do.

Policy Action & Controls Permalink

Formal statements and rules about organizational intentions and expectations used to address risk, reward, and compliance.

Part of: Action & Control Category

Also related to: Policy

Political Factors Permalink

External factors that relate to how the government intervenes in the economy, including laws, rules, regulations, tax policy, and political stability.

Part of: External Factors

Prescriptive Norms Permalink

Customs, rules, or expectations that encourage behavior the group deems positive (e.g., “be honest”).

Part of: Norms

Prescriptive Policy Permalink

A policy that states what to do.

Part of: Policy

Prevent/Deter Actions & Controls Permalink

Actions & controls that decrease the likelihood of an unfavorable event by preventing or deterring it from happening.

Part of: Proactive Actions & Controls

Also related to: Deterrent

Principled Performance Permalink

To reliably achieve objectives, address uncertainty, and act with integrity.

Usage Notes

Principled Performance is the goal of GRC. Principled Performance is an approach to business (and life!) that helps organizations reliably achieve objectives, address uncertainty and act with integrity.

Note that “Reliably” pertains to all other parts of the definition. Thus Principled Performance means to:

  • reliably achieve objectives;
  • reliably address uncertainty; and
  • reliably act with integrity.

Reliably

To thoughtfully, consistently, dependably, and transparently do something.

Objective

A measurable outcome to achieve.

Uncertainty

A state of being unsure about something due to incomplete knowledge or underlying randomness, making it difficult to understand with complete confidence.

Integrity

The state of being whole and complete by fulfilling obligations, honoring promises, and cleaning up the mess if a promise was broken.

Also related to: GRC

Proactive Permalink

The quality of an individual to anticipate and act on situations, reducing the risk of unforeseen problems.

Usage Notes

This trait requires a balance, preventing both an underuse that can result in inaction or timidity and an overuse that might lead to rash decisions or a state of constant flux without stability.

Part of: Protector Mindset™

Also related to: Accountable

Proactive Actions & Controls Permalink

Actions & controls that promote or enable favorable events and prevent or deter unfavorable events.

Prevent/Deter Actions & Controls

Actions & controls that decrease the likelihood of an unfavorable event by preventing or deterring it from happening.

Promote/Enable Actions & Controls

Actions & controls that increase the likelihood of a favorable event by promoting, enabling and incentivizing it to happen.

Procedure Permalink

A detailed articulation of what the organization expects on a particular topic, that describes the “how to” or instructions, guides implementation, and is audience-specific.

Process Permalink

A series of actions or steps to achieve an objective.

Synonyms: Ways

Process Action & Controls Permalink

Decisions about how and when to perform activities, and where and to whom to assign accountability used to address risk, reward, and compliance.

Professional Development Incentives Permalink

Incentives to perform favorable behaviors that provide access to professional development opportunities such as training or tuition reimbursements that otherwise would not be available.

Part of: Incentives

Promote/Enable Actions & Controls Permalink

Actions & controls that increase the likelihood of a favorable event by promoting, enabling and incentivizing it to happen.

Directives

Policy, process, and technology that encourage favorable events.

Paragons

Role models that encourage favorable events.

Incentives

Incentives include financial and non-financial things that encourage favorable conduct.

Proscriptive Norms Permalink

Customs, rules, or expectations that discourage behavior the group deems negative (e.g., “do not cheat”).

Part of: Norms

Proscriptive Policy Permalink

A policy that says what not to do.

Part of: Policy

Prospect Permalink

A cause that has the potential to eventually result in benefit.

Part of: Reward, Cause

Protector Permalink

A GRC Professional who spends substantial time producing and preserving value and serving as a stabilizing force in their organization.

Protector Mindset™

Traits that strengthen the way that a high-performing Protector makes decisions and appraises problems, solutions, people, and reality. These traits include being: Collaborative, Accountable, Stable, Proactive, Visionary, and Versatile.

Protector Skillset™

Interdisciplinary skills that strengthen the way that a high-performing Protector does their job including the critical disciplines.

Protector Mindset™ Permalink

Traits that strengthen the way that a high-performing Protector makes decisions and appraises problems, solutions, people, and reality. These traits include being: Collaborative, Accountable, Stable, Proactive, Visionary, and Versatile.

Stable

The quality of an individual to consistently provide calm, composed and orderly influence within volatile, uncertain, complex and ambiguous environments.

Versatile

The quality of an individual to employ a multi-disciplinary approach and a wide range of skills to address complex issues.

Accountable

The characteristic of an individual who takes responsibility and ownership for tasks and their outcomes, transcending a narrow job description.

Collaborative

The quality of an individual to engage in productive relationships and teamwork, understanding their fundamental role in achieving greater outcomes.

Proactive

The quality of an individual to anticipate and act on situations, reducing the risk of unforeseen problems.

Visionary

The quality of an individual to maintain a long-term, optimistic perspective and remain purpose-driven, even amidst distractions.

Part of: Protector

Also related to: Accountable

Protector Skillset™ Permalink

Interdisciplinary skills that strengthen the way that a high-performing Protector does their job including the critical disciplines.

Part of: Protector

Also related to: Critical Disciplines

Purpose Permalink

The purpose states who the organization serves, what it does, what it believes, what it stands for, what it hopes to achieve in the near term and long term, and why all of this matters; usually through its Mission, Vision and Values statements.

Mission

An objective that states who the organization serves, what it does, and what it hopes to achieve today and in the long term.

Vision

An objective that describes what the organization aspires to be and why it matters.

Values

Fundamental beliefs, principles, and ideals that an organization, group, or individual demonstrates and adheres to when making decisions and acting.

RACI Matrix Permalink

A chart that describes the participation of various roles in completing tasks or deliverables for a project or business process.

Usage Notes

RACI is an acronym derived from the four key responsibilities most typically used: responsible, accountable, consulted, and informed.

  • R = Responsible (also recommender)
    Those who do the work to complete the task. There is at least one role of this type, although others can be delegated to assist in the work required.
  • A = Accountable (also approver or final approving authority)
    Those who are ultimately answerable for the correct and thorough completion of the deliverable or task, ensure the prerequisites of the task are met, and delegate the work to those responsible. In other words, the accountable role must sign off (approve) work that the responsible person provides. There must be only one person or entity accountable for each task or deliverable.
  • C = Consulted (sometimes consultant or counsel)
    Those whose opinions are sought, typically subject-matter experts, and with whom there is two-way communication.
  • I = Informed (also informee)
    Those who are kept up-to-date on progress, often only on completion of the task or deliverable, and with whom there is just one-way communication.

Reasonable Assurance Permalink

A special type and level of assurance, provided by external auditors as part of a financial audit or examination, that subject matter conforms to suitable criteria and is free from material error.

Receiver Permalink

See canonical synonym: Audience

Recovery Actions & Controls Permalink

Actions & controls that return the organization to its original state, stable state, or superior state after harm has occurred.

Usage Notes

Corrective actions & controls and Recovery actions & controls are related but slightly different.

For example, restoring a server to a clean image is a corrective control because it solves the immediate problem of a malware intrusion, while recovering the server data from backup is a recovery control because it returns the server to a known previous good state allowing the business to resume normal operation.

Regulator Permalink

Government or independent authorities that oversee and control specific aspects of the organization's practices. They set standards and rules that the organization must follow and can impose penalties for non-compliance.

Reliably Permalink

To thoughtfully, consistently, dependably, and transparently do something.

Residual Effect Permalink

The effect of uncertainty in the presence of actions & controls.

Residual Risk Permalink

The level of risk in the presence of actions & controls.

Current Residual Risk

The level of residual risk under currently operating actions & controls.

Planned Residual Risk

The level of residual risk under planned (or desired) actions & controls.

Also related to: Inherent Risk

Resilient Permalink

Evidence that the organization can withstand or recover quickly from difficult conditions and even become stronger after stress.

Part of: Total Performance™

Synonyms: Antifragile

Resources Permalink

A general term referring to Capital Resources that include tangible and intangible assets and capabilities that an organization may use to achieve objectives.

Tangible Resources

Resources that refer to physical assets, such as land, buildings, and equipment.

Intangible Resources

Resources that refer to non-physical assets, such as knowledge, brand equity, and organizational culture.

Financial Capital

Liquidity, budgets, and other economic resources.

Human Capital

The collective knowledge, skills, abilities, and experiences of an organization's workforce, along with the relationships, attitudes, and values that enable them to work together to achieve the organization's objectives.

Physical Capital

The physical assets of an organization, including manufactured goods, buildings, equipment, and infrastructure.

Information Capital

Data, communications, and intelligence.

Technology Capital

Hardware, software, and related technological resources that an organization may use to achieve its objectives.

Synonyms: Means

Response Options Permalink

See canonical synonym: Design Options

Responsive Permalink

See canonical synonym: Agile

Responsive Actions & Controls Permalink

Actions & controls that aim to accelerate or compound the benefit of favorable events, and correct or recover from the harm of unfavorable events.

Correct/Recover Actions & Controls

Actions & controls that slow down or decrease the impact of unfavorable events, and return the organization to its original state, stable state, or superior state after harm has occurred to minimize harm and prevent future occurrences.

Compound/Accelerate Actions & Controls

Actions & controls that compound, accelerate, and increase the impact of favorable events to maximize benefit and promote future occurrence.

Review Procedures Permalink

Procedures performed by an assurance provider to review or assess subject matter.

Design Review Procedure

A procedure that compares the documentation of the design of a system against suitable criteria that defines an acceptable design of that system.

Operating Review Procedure

A procedure that compares the actual events or transactions performed by a system (including people, processes and technologies) against the expected events and transactions given the design of the system.

Reward Permalink

A measure of the positive, favorable effect of uncertainty on objectives.

Usage Notes

IACM Focused on Reward

Likelihood

A measure that estimates the occurrence of an event.

Impact

A measure that estimates the consequence of an event.

Prospect

A cause that has the potential to eventually result in benefit.

Benefit

A measure of the positive impact that an event has on the organization.

Opportunity

An uncertain future event that may, on balance, have a positive effect on objectives.

Part of: Effect

Synonyms: Performance

Also related to: Event , Risk

Risk Permalink

A measure of the negative, unfavorable effect of uncertainty on objectives.

Usage Notes

IACM Focused on Risk

Likelihood

A measure that estimates the occurrence of an event.

Impact

A measure that estimates the consequence of an event.

Harm

A measure of the negative impact that an event has on the organization.

Hazard

A cause that has the potential to eventually result in harm.

Obstacle

An uncertain future event that may, on balance, have a negative effect on objectives.

Part of: Effect

Also related to: Event , Reward

Risk & Decision Support Discipline Permalink

A critical discipline that provides methods to identify and address the effect of uncertainty on objectives, including ways to support decisions under uncertainty.

Risk Appetite Permalink

The level and type of risk the organization is WILLING to address given the level and type of reward it pursues.

Also related to: Appetite

Risk Capacity Permalink

The MAXIMUM cumulative level and type of risk that the organization can address. Anything over the risk capacity may affect the organization’s survival.

Also related to: Capacity

Risk Management Permalink

The act of managing processes and resources to address risk while pursuing reward.

Part of: GRC

Risk Target Permalink

The level and type of risk the organization EXPECTS to address given the level and type of reward it pursues.

Risk Tolerance Permalink

The level and type of risk the organization is UNWILLING to exceed given the level and type of reward it pursues.

Also related to: Tolerance

Scope Permalink

The boundaries, limitations, and extent where the GRC Capability Model is applied. The scope is often expressed in terms of organizational unit, geographic area, or functional department.

Second Line of Accountability Permalink

Individuals and teams that establish performance, risk, and compliance programs for the First Line. The Second Line provides oversight through frameworks, standards, policies, tools, and techniques to support performance, risk, and compliance management. The Second Line often manages its own portfolio of objectives and associated performance, risk, and compliance. The Second Line may provide limited assurance over First Line activities.

Security & Continuity Discipline Permalink

A critical discipline that provides methods to identify and address threats to critical physical and digital assets and infrastructure.

Sender Permalink

See canonical synonym: Communicator

Senior Management Permalink

See canonical synonym: Executive Team

SHARE (Design Option) Permalink

To outsource, enter into joint ventures or partnerships, buy insurance, or use other financial instruments to address the opportunity, obstacle, or obligation.

Usage Notes

TRANSFER is a special case of SHARING where an attempt is made to give close to 100% of consequence to another party such as an insurance company.

Shareholder Permalink

An individual, institution, or entity that owns shares or stock (or some functionally comparable instrument) in the organization.

Skill Gap Permalink

The difference between the current skill level and the target skill level.

SMART Criteria Permalink

Criteria used to design/set Objectives to work with Indicators; to be specific, measurable, achievable (yet aspirational), relevant, and time-bound.

Societal Factors Permalink

External factors that include cultural aspects, attitudes, customs, and norms.

Part of: External Factors

Society Permalink

The local, national, or global population affected by the organization's operations.

Sound Permalink

See canonical synonym: Effective

Source Permalink

See canonical synonym: Cause

Stable Permalink

The quality of an individual to consistently provide calm, composed and orderly influence within volatile, uncertain, complex and ambiguous environments.

Usage Notes

This trait includes an avoidance of neurotic or chaotic behavior and an ability to distance oneself from emotional turmoil, while at the same time steering clear of an overuse of stability that may come across as indifferent or uncaring.

Part of: Protector Mindset™

Also related to: Accountable

Staff Permalink

Junior-level personnel who typically do not manage others.

Part of: Workforce

Synonyms: Team Members

Stakeholder Permalink

A self-legitimizing person, group, or other entity with a direct or indirect stake in the organization's actions because of actual or perceived impact.

Internal Stakeholders

Stakeholders with an internal influence from within the organization: Personnel (and unions that represent the workforce), Managers, Executives, Board members, and Owners (who are involved in the organization).

External Stakeholders

An individual, institution, or entity outside of the organization that is affected by, or has an interest in, the organization's decisions and activities.

Stakeholder Expectation Permalink

(also Stakeholder Want, Stakeholder Need)
A general term that refers to what a stakeholder requests, wants, or expects from the organization.

Stakeholder Need Permalink

See canonical synonym: Stakeholder Expectation

Stakeholder Want Permalink

See canonical synonym: Stakeholder Expectation

Status Incentives Permalink

Incentives to perform favorable behaviors that provide access to esteemed roles, promotions or other visible recognition that otherwise would not be available.

Part of: Incentives

Strategic Goals Permalink

Long-term objectives typically at higher levels of the organization.

Also related to: Objective

Strategy & Performance Discipline Permalink

A critical discipline that provides methods to guide, arrange and operate resources to achieve objectives and monitor performance.

Stress Permalink

A significant magnitude of force applied to the organization.

Stretch Value Permalink

A value that is unlikely to be achieved, but still possible.

Student Permalink

Individual who learns.

Usage Notes

Student is a specialized term for the target audience of communications and learning activities.

Part of: Learning Activity

Synonyms: Learner

Also related to: Audience

Subject Matter Permalink

Identifiable statements, conditions, events, or activities for which there is evidence.

Part of: Assurance, Evaluate

Also related to: Suitable Criteria

Subordinate Level Permalink

Organizational units that are accountable to the organization in scope.

Usage Notes

Recall that the Organization in Scope may be an enterprise, business unit, department or team. Thus the "Subordinate Level" would be any unit that reports to the Organization in Scope.

Suitable Criteria Permalink

Benchmarks used to evaluate subject matter that yield consistent and meaningful results.

Part of: Evaluate

Also related to: Subject Matter

Superior Level Permalink

Organizational units to which the organization in scope is accountable.

Usage Notes

Recall that the Organization in Scope may be an enterprise, business unit, department or team. Thus the "Superior Level" would be the unit to which the Organization in Scope reports.

Supplier Permalink

An individual, institution, or entity that provides goods or services to the organization.

System Permalink

A collection of interconnected, interdependent, and interrelated parts that interact with each other to form a coherent whole. In the context of organizations, these parts may be people, processes, information, physical assets, digital assets, financial capital, and other resources.

Tangible Resources Permalink

Resources that refer to physical assets, such as land, buildings, and equipment.

Part of: Resources

Target Permalink

An expected or planned value for an indicator.

Target Skill Level Permalink

The desired level of skill a person, or “typical” person in a group, is expected to possess.

Team Permalink

The smallest organizational unit. Teams may be part of a department or may be cross-functional. Teams may be permanent or temporary.

Part of: Organizational Unit

Also related to: Organizational Level

Team Members Permalink

See canonical synonym: Staff

Technology Action & Controls Permalink

Hardware and software systems used to address risk, reward, and compliance.

Technology Capital Permalink

Hardware, software, and related technological resources that an organization may use to achieve its objectives.

Part of: Resources

Technology Factors Permalink

External factors that include technological aspects such as R&D activity, automation, storage, computation, technology incentives, innovations in materials, mechanical efficiency, and the rate of technological change.

Part of: External Factors

Third Line of Accountability Permalink

Individuals and teams that specialize in and provide a high level of assurance on activities performed by the First Line and Second Line. The Third Line may include internal audit, external audit or outside experts who are sufficiently objective and competent.

Third Party Permalink

A partner that conducts substantial actions & controls on behalf of the organization.

Usage Notes

Organizations often “outsource” actions & controls to third parties to benefit from their competence while focusing the organization's efforts on its core competencies. Even when an organization outsources actions & controls, it is crucial to recognize that the organization often retains legal or reputational responsibility for any problems in the extended enterprise.

Threat Permalink

See canonical synonym: Obstacle, Hazard

Timescale Permalink

The expected or planned time frame to achieve an objective or meet a target.

Timing Permalink

A measure that estimates when an event or impact might occur.

Tolerance Permalink

A range for an indicator that defines an acceptable, though not preferred, level of variation around a target the organization is willing and able to address.

Total Performance™ Permalink

A model of balanced performance that includes effectiveness (soundness), efficiency (leanness), agility (responsiveness), and resiliency (antifragility).

Effective

An aspect of Total Performance which demonstrates evidence of logically designed actions & controls that address appropriate objectives, opportunities, obstacles, and obligations; and evidence that these actions & controls are operating as designed.

Efficient

An aspect of Total Performance which demonstrates evidence that the organization productively uses financial, human, and other capital resources without wasted effort or expense.

Agile

Evidence that the organization can respond quickly and positively to changes and stress.

Resilient

Evidence that the organization can withstand or recover quickly from difficult conditions and even become stronger after stress.

TRANSFER (Design Option) Permalink

A special case of a sharing design option where an attempt is made to give close to 100% of responsibility and consequence to a third party.

Usage Notes

Examples for transfer include:

  • Purchasing insurance for particular eventualities
  • Transferring responsibility for processes to a third party / vendor
  • Outsourcing sales and marketing activities

Even though a process is transferred to a third party, ultimate accountability is often retained with the organization.

TREAT (as a Design Option) Permalink

See canonical synonym: CONTROL (Design Option)

Uncertain Permalink

A property that refers to the lack of predictability or clarity regarding the future behavior or outcomes of a system due to limited information, intricate interactions between system parts, the influence of internal and external factors, or the physical nature of the system.

Usage Notes

These questions help determine whether a situation is uncertain:

  1. Is predicting future outcomes based on past trends proving difficult?
  2. Is there a pervasive lack of clarity about what the future holds in this situation?
  3. Is it difficult to determine how external factors may affect the outcome due to a high degree of unpredictability?

Part of: VUCA

Uncertainty Permalink

A state of being unsure about something due to incomplete knowledge or underlying randomness, making it difficult to understand with complete confidence.

Unit Permalink

See canonical synonym: Organizational Unit

Values Permalink

Fundamental beliefs, principles, and ideals that an organization, group, or individual demonstrates and adheres to when making decisions and acting.

Usage Notes

Values are often expressed and codified as a list of attributes with associated definitions or descriptions of what they mean.

Values often highlight those ethics and morals that are most important to an organization, group, or individual.

Part of: Culture, Purpose

Also related to: Ethics , Morals , Beliefs , Behaviors

Velocity Permalink

A measure that estimates how quickly an event or impact might occur.

Versatile Permalink

The quality of an individual to employ a multi-disciplinary approach and a wide range of skills to address complex issues.

Usage Notes

This attribute involves a balance, avoiding the underutilization that can lead to a narrow problem-solving approach and the overuse which may result in overly complicated and impractical solutions.

Part of: Protector Mindset™

Also related to: Accountable

Vision Permalink

An objective that describes what the organization aspires to be and why it matters.

Usage Notes

The vision is often used to inspire and motivate employees, stakeholders, and customers and serves as a guidepost for long-term strategic planning.

Part of: Purpose

Visionary Permalink

The quality of an individual to maintain a long-term, optimistic perspective and remain purpose-driven, even amidst distractions.

Usage Notes

This attribute involves a delicate balance, warding off the underuse that can lead to a narrow and pessimistic outlook and the overuse that can result in overly abstract and unrealistic goals.

Part of: Protector Mindset™

Also related to: Accountable

Volatile Permalink

A property that refers to the susceptibility of a system and its parts to experience rapid, significant and often unpredictable changes.

Usage Notes

These questions help determine whether a situation is volatile:

  1. How rapidly are conditions changing in the situation?
  2. Are there recurrent and drastic fluctuations in the activities or circumstances?
  3. Are sudden and significant changes the norm in this context?

Part of: VUCA

Voluntary Behaviors Permalink

Intentional human actions informed by beliefs and values and governed by free will and discipline.

Voluntary Boundary Permalink

Obligations an organization chooses to address because of voluntary decisions (e.g., contracts, agreements and values).

Part of: Obligation, Boundary

VUCA Permalink

A reality that an organization must face that is volatile, uncertain, complex, and ambiguous.

Volatile

A property that refers to the susceptibility of a system and its parts to experience rapid, significant and often unpredictable changes.

Uncertain

A property that refers to the lack of predictability or clarity regarding the future behavior or outcomes of a system due to limited information, intricate interactions between system parts, the influence of internal and external factors, or the physical nature of the system.

Complex

A property that refers to the interconnected, interdependent, and interrelated nature of the parts of a system that often give rise to nonlinear dynamics, emergent properties and unpredictable outcomes.

Ambiguous

A property that refers to the presence of multiple, unclear, or conflicting interpretations of conditions, events, or behaviors in a system.

Ways Permalink

See canonical synonym: Process

Usage Notes

One may talk about the "ways and means" that an organization uses to reliably achieve objectives, address uncertainty, and act with integrity.

Also related to: Means

Workforce Permalink

The collection of individuals the organization employs.

Executives

Senior-most managers with broad responsibilities over the entire organization or some significant part of the organization (e.g., all technology, all sales and marketing, all administration, all finance).

Managers

Personnel who manage others.

Staff

Junior-level personnel who typically do not manage others.

Leaders

Individuals at any level of the organization who have the de facto attention and respect of the workforce regardless of their title or position.

Part of: Internal Stakeholders

Synonyms: Personnel

Also related to: Executive Team