Chapter 12 - Contents
Chapter Introduction
TL;DR – Key Takeaways from Chapter
i. Shared language is essential for joined-up GRC
Consistent terminology prevents confusion and misalignment across teams.
ii. Definitions reflect real-world use
Terms are defined as they are applied in practice, not abstract theory.
iii. The glossary supports cross-team communication
It helps practitioners explain GRC concepts clearly to non-specialists.
iv. It underpins consistency across the guide
Shared definitions make every chapter easier to apply and connect.
Core GRC and Risk
GRC: Governance, Risk, and Compliance; how an organization is directed, how uncertainty is managed, and how obligations are met.
Risk: The effect of uncertainty on objectives; what could happen and how it would affect services, customers, and strategy.
Risk appetite: The amount and type of risk leadership is willing to take in pursuing objectives, usually expressed in high-level statements.
Risk thresholds/tolerances: Specific limits that show when a risk has gone too far and needs action.
Risk scenario: A concrete description of a risk using cause → event → impact.
Scenario-based risk: An approach that describes risks as specific events and impacts rather than broad categories.
Risk register: A structured list of risk scenarios, ratings, treatments, and links to services and owners.
Risk treatment: The decision taken for a risk: accept, reduce, transfer/share, or avoid.
Accept (risk treatment): Choose to live with the risk within appetite, with no major changes.
Reduce (risk treatment): Strengthen or add controls, or change processes and designs, to lower risk.
Transfer/share (risk treatment): Use contracts, insurance, or partnerships so some impact is borne by others.
Avoid (risk treatment): Stop, delay, or redesign the activity so the risk no longer exists in its current form.
Inherent risk: The level of risk before controls are considered.
Residual risk: The level of risk after existing controls and treatments are taken into account.
Control (internal control): A behavior, process, configuration, or rule designed to keep risk within appetite or support compliance.
Control owner: The role responsible for making sure a control is defined, implemented, and kept up to date.
Manual control: A control performed by people rather than technology alone.
Automated control: A control performed by systems or tools without manual steps.
Hybrid control: A control that combines manual and automated elements.
Issues and actions register: The shared list of issues and follow-up actions across audits, incidents, assessments, and regulatory work.
Program loop: The higher-level cycle where you set direction, design controls, implement, and improve based on feedback.
First line: Business and operations teams that own services, processes, vendors, and most risks and controls in practice.
Second line: Risk, compliance, security, privacy, and TPRM teams that set standards and methods, and provide challenge and support to the first line.
Third line: Internal audit, providing independent assurance that governance, risk management, and controls work as intended.
GRC platform: A technology platform that supports GRC processes and objects in one model.
Enterprise and Operational Risk
Enterprise risk management: Organization-wide risk management focused on the few risks that could materially change direction or strategy.
Top risks: A small set of higher-impact risks that leadership agrees to track, discuss, and use to steer decisions.
Risk themes: Clusters of scenarios that point to the same underlying exposure.
Near miss: An event that could have been a significant incident but was caught or limited before major impact.
Incident: An event that disrupts normal operations or causes a meaningful deviation from expected performance or security.
Material change: A change significant enough that it should trigger re-assessment, decision, and updates to controls, contracts, or records.
Enterprise risk review: A periodic leadership forum that refreshes top risks, discusses trends, and confirms alignment with reality.
Enterprise risk operating rhythm: The overall cadence of enterprise reviews, domain reviews, planning cycles, and ongoing intake of incidents and regulatory changes.
Cyber Risk and Resilience
Cyber risk: Risk of loss, disruption, or harm arising from attacks, misuse, or failures involving information systems and data.
Operational resilience: The ability to keep important services running and recover quickly when disruptions occur.
Cyber resilience: The aspect of resilience focused on cyber incidents, attacks, and technical failures.
Ransomware: Malware that encrypts data or systems and demands payment or other concessions to restore access.
Attack path: The route an attacker could take through systems, identities, and integrations to achieve an impact.
Vulnerability scanning: Automated checking of systems for known weaknesses that attackers could exploit.
Penetration testing: Authorized attempts to exploit vulnerabilities to understand what an attacker could realistically achieve.
Red teaming: Simulated attacker exercises focused on testing detection and response under realistic, adversarial conditions.
Purple teaming: Collaborative exercises where defenders and simulated attackers work together to test and strengthen detection and response.
Threat hunting: Proactive search through data and systems for signs of compromise or suspicious behavior.
Attack surface: The systems, services, and interfaces that are exposed to potential attackers.
Cyber incident: An incident whose primary cause is a security failure, such as a compromise, data exfiltration, ransomware, or a misconfiguration.
Tabletop exercise: A discussion-based simulation of a scenario that walks through how an incident would unfold and how teams would respond.
Playbook: A predefined set of steps and roles for responding to a specific incident type or scenario.
Compliance, Regulations, and Frameworks
Obligation: A specific requirement from laws, regulations, standards, contracts, or internal policies.
Standards and frameworks: Structured sets of requirements or controls such as ISO/IEC 27001, the NIST Cybersecurity Framework, SOC 2, PCI DSS, and others.
Supervisory guidance: Regulator statements, expectations, and industry codes that shape what “good enough” looks like.
Internal policy: A high-level rule that sets expected behavior or direction inside the organization.
Internal control framework: A single, rationalized list of internal controls that map to risks and obligations and are reused across domains.
Regulatory change management: The process for spotting, assessing, deciding on, and implementing regulatory and contractual changes over time.
Regulatory change pipeline: The defined steps (scan, triage, assess, decide, implement, review) that each change passes through.
SCF (Secure Controls Framework): A large, industry control library often used as input when designing a condensed internal control framework.
UCF (Unified Compliance Framework): A commercial framework that harmonizes many external requirements into a unified control view.
PCI DSS: Payment Card Industry Data Security Standard; sets requirements for handling cardholder data and related environments.
SOX: Sarbanes-Oxley Act; drives requirements around financial reporting controls, access, and auditability.
SOC 2: An attestation framework that reports on controls related to security, availability, processing integrity, confidentiality, and privacy.
Regulatory inspection: A review or examination by a regulator or authority to check how well obligations are being met.
AI governance requirement: An obligation or expectation related to how AI is designed, used, monitored, and controlled.
Privacy and Data Protection
Privacy and data protection: The discipline focused on how personal data is collected, used, shared, stored, and protected.
Personal data: Information that relates to an identified or identifiable individual.
Data subject: The individual to whom personal data relates.
Data subject rights: Rights individuals have over their data, including access, correction, deletion, and objection.
Record of Processing Activities (RoPA): A structured inventory of processing activities, linked to services, purposes, data subjects, systems, vendors, and legal bases.
Processing activity: A distinct use of personal data for defined purposes within specific services, systems, and vendors.
Legal basis/legal bases: The legal reason for processing personal data such as contract, legitimate interest, or consent.
Data minimization: Collecting and retaining only the data needed for defined purposes and no more.
DPIA (Data Protection Impact Assessment): A structured assessment of privacy risks and mitigations for high-risk processing.
TIA (Transfer Impact Assessment): An assessment of privacy and legal risks when transferring personal data across borders, especially from stricter to less strict regimes.
Privacy incident: An incident where personal data is exposed, misused, or processed contrary to obligations or expectations.
Cross-border transfer: Movement of personal data between jurisdictions or regions with different legal regimes.
Consent mechanism: The way individuals are asked for consent to specific processing activities, and how that consent is recorded, managed, and withdrawn.
Sector-specific privacy obligations: Privacy rules that intersect with sector controls, such as PCI DSS or SOX, influencing access, logging, retention, and segregation.
Third-Party Risk and Vendor Management
Third-party risk: Risk created when external providers deliver services, handle data, or have access to systems on your behalf.
Third-Party Risk Management (TPRM): The lifecycle for identifying, assessing, monitoring, and treating risk in vendor and supply-chain relationships.
Vendor: The legal entity or group you buy services or products from.
Engagement: The specific service or set of services you consume from a vendor, with defined data, access, and criticality.
Vendor vs engagement: The distinction between the overall legal entity and each particular service relationship, which can have different risks.
Tiering (TPRM): Classifying engagements based on criticality, data sensitivity, access level, and resilience impact.
Due diligence: Pre-engagement checks such as questionnaires, document reviews, certifications, and independent reports.
Contract and onboarding: The stage where risk and control expectations are written into contracts and internal teams align on how the engagement will work.
Change event (TPRM): A change in data, access, region, integration, or service scope that should trigger an update to the engagement record and risk assessment.
Vendor-related incident: An incident where a vendor’s failure, outage, breach, or misconfiguration materially affects your services or data.
Horizontal platform: A widely used, cross-industry platform such as a cloud provider, identity platform, or communication tool.
Vertical/sector-specific provider: A provider focused on a particular industry, domain, or niche service.
Supply chain dependence: Reliance on layers of external technology and services such that a single provider issue can cascade across services and regions.
Business Continuity, Resilience, and Crisis
Continuity plan: A documented approach for how a service continues or recovers under disruption.
Resilience themes: Cross-cutting exposure patterns that shape resilience work, such as platform dependence or vendor outages.
Major incident: A high-impact incident affecting critical services, customers, or regulatory obligations.
Internal Audit and Assurance
Internal audit: An independent function that provides assurance to the board and leadership on governance, risk management, and controls.
Assurance: Evidence-based confidence that controls and processes are designed and operating effectively.
Second-line assurance: Testing and review activities performed by second-line teams separate from internal audit.
Audit finding: An observation from an audit or assurance review that shows a control gap, weakness, or deviation.
Assurance plan: A forward-looking plan of what controls, services, and themes will be tested over a period.
Audit scoping: The process of deciding which services, entities, vendors, and controls an audit will cover.
Shared issues and actions register: The central place where audit findings, incidents, regulatory outcomes, and self-identified issues are tracked.
Continuous assurance: An operating model where testing and signals about control health occur regularly, not just once a year.
Audit readiness: The state of having clear control definitions, mappings, and evidence so audits can be run and answered efficiently.
Data, Systems, and Architecture
Entities and regions: Legal entities, jurisdictions, and business units in which the organization operates.
Cloud provider: An external provider of infrastructure, platforms, or software services hosted in the cloud.
Identity platform: A platform that manages authentication, authorization, and user access for systems and services.
SaaS (Software as a Service): Software delivered over the internet and managed by a third-party provider.
Integration: A technical connection between systems that allows data exchange or process automation.
Production environment: Live systems and data that underpin real customer and business operations.
Attack surface (technical): The externally and internally exposed systems, interfaces, and configurations that attackers could target.
Metrics, Reporting, Committees, and Maturity
Risk report: A structured update on risk scenarios, treatments, incidents, and trends for a given audience.
Enterprise risk report: A risk summary tailored for senior leadership and the board, focusing on top risks, appetite, and trends.
GRC committee: A governance group that coordinates GRC priorities, reviews risks and metrics, and aligns domains.
GRC maturity model: A staged view of how GRC capabilities evolve from manual and disjointed to intelligence-led; used as a reference to plan practical next steps.
© SureCloud 2026. All rights reserved.