Risk Dictionary

Governance, Risk and Compliance (GRC): GRC is an integrated, company-wide approach to achieving high standards in each of the three areas. Gartner defines GRC as technology solutions that "support the simplification, automation, and integration of enterprise, operational, and IT risk management processes and data."

Operational Risk: Risk or impacts resulting from inadequate or failed processes, people and systems, including risks or impacts resulting from external events. Operational risk can be caused by people (employee errors), processes (failed oversight), technology (system failures) and events (fraud or natural disasters).

IT Risk: Risk or impacts associated with the use, ownership, operation, involvement, influence and adoption of technology within an organization. Risks can be caused by security, performance, availability and compliance issues. IT risk can result in loss of data confidentiality, integrity and availability, which may cause business expectations not to be met.

Technology Risk: The risks or impacts associated with systems, equipment and operating systems with regard to aspects such as availability/uptime, acceptable service levels and reliability. Technology risk covers both internal resources and third-party technology vendors.

Enterprise Risk Management (ERM): The processes used by an organization to manage risks and harness opportunities related to the achievement of its strategic objectives. ERM programs provide a unified picture of risk across the organization and improve the ability to manage risks effectively.

Risk Intelligence: The practice of bringing together trusted, aggregated and transparent risk data to enable confident, informed and effective business decisions.

Business Continuity Management (BCM) and Business Continuity Planning (BCP): The process of planning and developing procedures that enable an organization to continue critical business functions during events or disruptions.

Business Impact Analysis (BIA): A process that identifies and evaluates the potential effects of a disruption of business operations and gathers information to develop recovery strategies. Used in conjunction with Privacy Impact Assessments and Threat Risk Assessments as key components in evaluating risk.

Current Mode of Operations (CMO) and Future Mode of Operations (FMO): These terms are common in the compliance world. A CMO describes a company's current process and approach to compliance, identifying any shortcomings and risks. An FMO is the desired end state, based on correcting the issues uncovered in the CMO.

Disaster Recovery (DR): The ability of an organization to provide critical technology services after it is disrupted by an incident, emergency or disaster.

Joint Application Design (JAD): A collaborative process between end users and IT developers to identify requirements and create alignment throughout development. Part of Iceberg's Centre of Excellence approach to integration and implementation services.

Key Performance Indicator (KPI) and Key Risk Indicator (KRI): A KPI is a quantifiable metric that reflects the critical success factors of an organization. A KRI differs in that it specifically measures the possibility of future adverse impact. Think of a KRI as an "early warning system" against potential events that could harm a company.

Privacy Impact Assessment (PIA): A process that identifies potential risks from the collection, use, sharing and administration of personal information by an organization. Used in conjunction with Business Impact Analyses and Threat Risk Assessments as key components in evaluating risk.

Security Information and Event Management (SIEM): Refers to software products and services that combine Security Information Management (SIM) and Security Event Management (SEM).

Security Assessment and Authorization (SA&A): An independent verification of a security control to ensure that it is implemented and functioning properly.

Threat Risk Assessment (TRA): A process to determine the possible risks to IT assets and to provide recommendations to lower those risks to acceptable levels. Used in conjunction with Business Impact Analyses and Privacy Impact Assessments as key components in evaluating risk.

Definitions adapted from various sources including Basel, ISACA, ISO/IEC and Gartner.