Risk Management Terminology Explained


Each industry has its fair share of acronyms and terminology that can be difficult to learn. To someone outside the industry, these phrases may seem like a foreign language. In healthcare, HMO (health maintenance organization) is widely used; in marketing we say SEO for search engine optimization; and in retail you may hear POP for point of purchase. These are just a few examples so widely used that you may already be familiar with them. Within risk management, however, the amount of terminology arguably increases drastically, since the field overlaps with many other areas.

Because of the complexity and breadth of risk management, it can be difficult even for professionals in the field to understand some of the data in their assessments or audits. Below, we cover some of the terminology you are most likely to encounter and provide some extra resources. Use this list to brush up before performing or reviewing an assessment or audit, when onboarding a new team member, or when helping someone outside the industry understand the field better.

Definitions and acronyms are posted below in separate sections in alphabetical order and will be updated periodically.

Acronyms

AEO

Authorized Economic Operator. World Customs Organization’s standard to secure global trade.

CCPA

California Consumer Privacy Act. Privacy rights and consumer protection for residents of California.

CFATS

Chemical Facility Anti-Terrorism Standards. Cybersecurity and Infrastructure Security Agency’s program focused specifically on security at high-risk chemical facilities.

CFPB

Consumer Financial Protection Bureau. An organization responsible for creating, supervising, and enforcing the Federal consumer financial protection laws.

COBIT 5

Control Objectives for Information and Related Technologies. A framework created by ISACA for the governance and management of enterprise IT and its control processes. COBIT 5 has since been superseded by COBIT 2019.

C-TPAT

The Customs-Trade Partnership Against Terrorism. This is a voluntary supply chain security program led by U.S. Customs and Border Protection (CBP) focused on improving the security of private companies’ supply chains with respect to terrorism.

DEA

Drug Enforcement Administration. Combats drug trafficking and distribution; its regulations also set physical security requirements for the storage of controlled substances.

FEMA

Federal Emergency Management Agency. Supports the effort to build, sustain, and improve the capability to respond to, recover from, and mitigate hazards.

FFIEC

Federal Financial Institutions Examination Council. An interagency body that prescribes uniform principles, standards, and report forms for the federal examination of financial institutions.

GDPR

The General Data Protection Regulation. A European Union regulation that strengthens and unifies data protection for individuals within the EU (and the wider European Economic Area).

GLBA

Gramm-Leach-Bliley Act. Federal law in the US to control the ways that financial institutions deal with the private information of individuals.

HIPAA

Health Insurance Portability and Accountability Act. Protects health insurance coverage for workers who change or lose their jobs and, through its Privacy and Security Rules, protects the privacy and security of health information.

HITECH

The Health Information Technology for Economic and Clinical Health Act. Brings additional compliance standards to healthcare organizations regarding breach notification for unauthorized disclosure of unsecured PHI.

IAHSS

International Association for Healthcare Security and Safety. Promotes and develops educational research into the maintenance and improvement of healthcare security and safety management.

ISACA

Information Systems Audit and Control Association. An international professional association focused on IT governance.

ISO

International Organization for Standardization. Develops standards to ensure the quality, safety, and efficiency of products, services, and systems.

NCUA

National Credit Union Administration. An independent federal agency created by the United States Congress to regulate, charter, and supervise federal credit unions.

NFPA

National Fire Protection Association. Publishes NFPA 1600, the standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs.

NIST

National Institute of Standards and Technology. Publishes, among other guidance, Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and the Risk Management Framework (SP 800-37).

OSHA

Occupational Safety and Health Administration. Publishes, among other guidance, Guidelines for Preventing Workplace Violence for Healthcare and Social Service Workers.

PCI DSS

Payment Card Industry Data Security Standard. Information security standard for organizations that store, process, or transmit branded payment card data from the major card schemes.

PHI

Protected Health Information. Any information regarding health status, provision of health care, or payment for health care that can be linked to a specific person.

SOX

Sarbanes-Oxley Act. Requires all publicly held companies to establish internal controls and procedures for financial reporting to reduce the possibility of corporate fraud.

Definitions

Business Continuity Planning

Business continuity planning is the process of creating the plans, processes, and policies used to prevent, and recover from, a threat to your business. The goal is to enable your organization to keep running during and after the negative event. For example, if your organization is located in Florida, it would be wise to have a business continuity plan that states how job functions will change and how operations can continue remotely in the event of a hurricane.

Compliance

Compliance is simply following or adhering to a law, policy, standard, or any other document. Within risk management, it’s important to measure compliance to determine your level of risk. Utilizing a document or content library that specifies best practices or regulations will help you identify areas of risk within your own organization when you are not compliant.

Consequence

Consequence is related to impact and is the result of an event that affects business objectives. These results can be both positive and negative, and multiple consequences can stem from a single event. Potential losses include monetary loss, reputational loss, or regulatory sanctions.

Controls

Controls are policies, procedures, or technical safeguards that an organization implements to prevent, detect, or correct a particular issue. An essential component of risk management, controls are necessary to avoid or minimize negative impact. Examples include video surveillance, software patches, and employee training.

Criticality

Criticality is a measure of how important something is to the organization, or how urgent an action is. Generally, the higher the consequence of losing an asset, the higher its criticality. Evaluate the facility, system, machine, etc. in relation to the organization as a whole.

Event

An event can refer to a single occurrence, multiple occurrences, or a nonoccurrence, as well as a change in circumstances. For example, a cybersecurity event can refer to a series of breaches within a month-long period.

Gap Score

A gap score measures the distance between where your organization's controls are and where they should be. The more required controls that are missing, the larger the gap, the higher the score, and the greater the vulnerability.

Framework

A framework is a set of criteria describing how best to protect an organization. It provides a detailed, structured process for completing numerous risk management activities. An example is the NIST Risk Management Framework (SP 800-37) for securing information systems.

Likelihood

Likelihood is the probability of an event occurring. This is a factor in calculating a risk score.

Mitigation

Mitigation is the act of reducing the likelihood, impact, or severity of a risk. Within risk management it typically refers to a task for lessening a risk after it has been identified.

Monitoring

Monitoring means to consistently review and observe. In risk management, this is key to knowing whether current controls are effective or need to be reevaluated.

Risk

Colloquially, risk is the possibility of a negative event occurring. ISO 31000 defines it more broadly as the "effect of uncertainty on objectives," a deviation from the expected that can be positive or negative. Risk management centers on making the unknown known, and either eliminating the risk or preparing for its occurrence as well as possible.

Risk Score

A risk score is calculated from several factors, such as threat level, criticality, gap score, and consequence. Its purpose is to inform your organization of the severity of a risk and to guide how resources are allocated.


Stakeholder

A stakeholder is a person or group with an interest in an organization who can affect, or be affected by, the business. It typically refers to investors, but can also refer to employees, customers, suppliers, vendors, etc.

Tolerance

Tolerance is the ability or willingness to allow something. In risk management, tolerance defines how much of the negative effect associated with a particular risk an organization is able or willing to withstand. It is often expressed as a threshold: a score above which a risk must be mitigated rather than accepted.
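As an added illustration, the following Python example ties together likelihood, consequence, criticality, gap score, risk score, and tolerance on a small constructed risk register. It is not part of the original page and is not RiskWatch's scoring method; the formula is an assumption chosen for the demonstration: a 1-5 likelihood times a 1-5 consequence gives an inherent score, the gap score (fraction of required controls that are missing) and a criticality weight scale it to a residual score, and any residual score above the tolerance threshold is flagged for mitigation. The register entries, control names, and threshold are constructed sample data.

```python
from dataclasses import dataclass

# Assumed scoring model (not the page's or RiskWatch's): 1-5 ordinal scales for
# likelihood and consequence, a gap score derived from missing controls, and a
# criticality weight for the asset at risk.
SCALE_MIN, SCALE_MAX = 1, 5
RESIDUAL_FLOOR = 0.1   # assumption: full control coverage reduces, but never zeroes, a risk


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int              # 1 = rare ... 5 = almost certain
    consequence: int             # 1 = negligible ... 5 = severe
    criticality: float           # asset weight; 1.0 = average importance
    required_controls: frozenset
    implemented_controls: frozenset

    def __post_init__(self):
        # Reject scores outside the ordinal scale instead of silently skewing the ranking.
        for label, value in (("likelihood", self.likelihood), ("consequence", self.consequence)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{label} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")

    def gap_score(self) -> float:
        """Fraction of required controls that are missing: 0.0 = no gap, 1.0 = nothing in place."""
        if not self.required_controls:
            return 0.0
        missing = self.required_controls - self.implemented_controls
        return len(missing) / len(self.required_controls)

    def inherent_score(self) -> int:
        """Likelihood x consequence, before any controls are considered."""
        return self.likelihood * self.consequence

    def residual_score(self) -> float:
        """Inherent score scaled by asset criticality and by the control gap."""
        return self.inherent_score() * self.criticality * max(self.gap_score(), RESIDUAL_FLOOR)


def rank_risks(register, tolerance):
    """Return (name, residual score, exceeds_tolerance) rows, highest score first."""
    rows = []
    for risk in register:
        score = round(risk.residual_score(), 2)
        rows.append((risk.name, score, score > tolerance))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register; control names are for illustration only.
REGISTER = [
    Risk("Ransomware on file server", 4, 5, 1.5,
         frozenset({"offline backups", "EDR", "patching", "MFA"}),
         frozenset({"patching"})),
    Risk("Hurricane closes Florida office", 3, 4, 1.0,
         frozenset({"remote work plan", "generator"}),
         frozenset({"remote work plan", "generator"})),
    Risk("Vendor breach exposes PHI", 2, 5, 1.2,
         frozenset({"vendor assessment", "BAA", "data minimization", "encryption at rest"}),
         frozenset({"BAA"})),
]
TOLERANCE = 10.0   # assumed threshold: residual scores above this must be mitigated


if __name__ == "__main__":
    for name, score, exceeds in rank_risks(REGISTER, TOLERANCE):
        print(f"{score:5.1f}  {'MITIGATE' if exceeds else 'accept  '}  {name}")
```

Running the block prints the register ranked by residual score. The ransomware entry (high likelihood, severe consequence, three of four controls missing) lands well above the tolerance; the vendor entry has a larger control gap but a lower likelihood and stays just within tolerance; the hurricane entry, with every required control in place, is held at the residual floor rather than dropping to zero. Changing the threshold, the criticality weights, or the control sets shows how each term in the glossary moves the ranking.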

Performing Risk Assessments

Now that you have familiarized yourself with the risk management terminology, it is time to perform an assessment. Use RiskWatch's free platform to perform a physical security, information security, compliance, vendor, supplier, client, or other type of assessment.