GRC Glossary

A

Attestation: The act of evidencing or proofing something. In Hornbill GRC this may relate to a manual task in a Control lifecycle, where a user is required to provide confirmation and evidence that the controls are in fact in place.

Audit: Internal or External assessment of one or multiple Controls and their. An audit allows for each control to be assessed from the perspective of being fit for purpose and being operationally enforced to evidence compliance.

Audit Outcomes: A history of all audits conducted against a control.

Audit Register: A collection of Controls

Audit Schedule: A calendar view of scheduled audits

Authority Document: An external set of authoritative rules against which we must comply, they are authoritative rules that are not of our own creation. These authoritative rules can come in the form of regulations, principles, standards, guidelines, best practices, policies, and procedures. Each Authority Document contains one or multiple rules in the form of sections and citations.

Authorising Users: Users can be linked to each entities such as Policies, Policies, and Controls, and can be automatically invoked by lifecycle processes to perform approval activities in phases of the entity lifecycle.

B

Before Treatment Level: This is the assessment made against a risk before any response or treatment of the risk is made. The criteria for the risk assessment will be governed by the defined risk criteria in the operational risk register the risk is linked too.

C

Citation: A specific requirement in an Authority Document, a requirement which you are required to be compliant with.

Control: An entity which is used to evidence compliance

Compliant: An indicator to represent a control's status

Compliance: Means conforming with stated requirements. In GRC this refers to the auditing of controls to evidence compliance against policy statement requirements, which may in term be linked to one or more citations in external Authority Documents.

D

E

Evidence: Used to provide proof that a control is fit for purpose and being operationally followed

Exempt: Indicates if a control is not required to be audited

F

G

Governance: Describes the overall management approach through which senior executives direct and control the entire organization. Policies can be used to record the governance and their objectives. Policies statements can be used to break down the policy into more manageable pieces. Controls can be configured to manage the objectives of the Policy statements. Governance can both be internally led, and or externally enforced through regulations, laws, guidance which may apply to a business both based on territory and industry. Authority Documents and Citations are used to record the requirements of the external governance.

H

I

J

K

L

Lifecycle: The entity process which is used to used to manage each phase of a GRC entities life. For example a lifecycle to manage a Policy from draft, approval, monitoring and retirement

M

N

O

Operational Risk Register: Organize risks into logical groupings, and define relevant risk assessment criteria which will be applied to any risks contained in the register.

P

Procedure: Define areas such as responsibilities, reporting, applicable time frames,

Q

R

Risk: Something which may result in an impact / loss to the organization

Risk Assessment: Each risk can be assessed when identified (before treatment and after treatment), the risk assessment for each risk will look at the impact and likelihood, and automate values based on the risk matrix defined against the Risk Register the risk is linked too.

Risk Event: The recording and management of an event which is tied to an identified risk.

Risk Management: is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, tolerating or transferring them to a third party, whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.).

S

T

U

V

W

X

Y

Z