GRC & Risk Management Glossary
Plain-English definitions of the terms that come up most often in mid-market GRC, enterprise risk management and compliance. Each entry links through to the longer explainer where one exists. Bookmark this page or jump to a section below.
34 terms defined · Last updated May 2026
GRC & ERM Fundamentals
ERM (Enterprise Risk Management)
ERM stands for Enterprise Risk Management. It is the structured, organisation-wide approach to identifying, assessing, treating and monitoring the risks that could prevent the organisation from achieving its objectives. ERM is the risk pillar of GRC: it focuses specifically on risk, whereas GRC also covers governance and compliance disciplines.
Read more: How to Build an ERM Framework
GRC (Governance, Risk and Compliance)
Also known as: Governance Risk Compliance, Integrated GRC
GRC stands for Governance, Risk and Compliance. It is an integrated discipline that combines how an organisation is run and overseen (governance), how the things that could go wrong are identified and managed (risk), and how legal, regulatory and policy obligations are met (compliance). The point of bundling them is that they share most of the same source data: the same risks, controls, evidence and owners.
Read more: What Is GRC? Governance, Risk and Compliance Explained
Risk Assessment & Scoring
CSA (Control Self-Assessment)
Also known as: Controlled Self Assessment
CSA stands for Control Self-Assessment. It is the same idea as RCSA but with the emphasis on control effectiveness rather than risk identification. In practice, most modern frameworks have merged the two into "RCSA". The control self-assessment focuses on whether each control in the library is operating as designed, with evidence supporting the rating.
Read more: What Is an RCSA? Definition, Process & Why Most Fail
Gross Risk (Inherent Risk)
Also known as: Inherent Risk, Raw Risk, Pre-control Risk
Gross risk (also called inherent risk) is the level of risk before any controls are applied - the raw exposure. It is assessed independently of whether controls actually exist, representing the theoretical baseline. Gross risk is paired with net (post-control) risk to show how much work the control environment is doing.
Read more: Gross Risk vs Net Risk vs Residual Risk Explained
KRI (Key Risk Indicator)
KRI stands for Key Risk Indicator. KRIs are leading metrics tied to specific risks - for example system downtime, complaint volume or training completion rate - that signal whether a risk is moving up or down between formal review cycles. Strong KRIs have defined thresholds and clear escalation routes.
Read more: Board-Level Risk Reporting: What Boards & Regulators Expect
Net Risk (Residual Risk)
Also known as: Residual Risk, Post-control Risk
Net risk is the level of risk after controls have been applied - the actual current exposure. In most mid-market ERM and RCSA programmes, residual risk is another label for the same post-control position as net risk. The gap between gross and net risk represents the effect of the control environment.
Read more: Gross Risk vs Net Risk vs Residual Risk Explained
Operational Risk
Also known as: OpRisk
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. It includes IT failures, fraud, conduct issues, third-party failures and process breakdowns - but excludes strategic and reputational risk. Operational risk is the home of RCSA, the risk event log and most KRIs.
Read more: What Is an RCSA? Definition, Process & Why Most Fail
RCSA (Risk and Control Self-Assessment)
Also known as: Risk and Control Assessment, Risk Control Self-Assessment
RCSA stands for Risk and Control Self-Assessment. It is a structured process where the first line of defence (business owners who run the day-to-day processes) identify risks in their area, map the controls that mitigate those risks, and assess whether those controls are designed and operating as intended. It is the standard mechanism in operational risk for pushing risk ownership to the front line, with second-line oversight providing challenge.
Read more: What Is an RCSA? Definition, Process & Why Most Fail
Residual Risk
Also known as: Net Risk
Residual risk is the level of risk remaining after controls have been applied. In most mid-market ERM frameworks, residual risk is interchangeable with net risk - both describe the post-control position. Some large banks and insurers separate them by formal definition; outside that context, the labels refer to the same score.
Read more: Gross Risk vs Net Risk vs Residual Risk Explained
Risk Appetite
Also known as: Risk Tolerance, Risk Capacity
Risk appetite is the level and type of risk an organisation is willing to accept in pursuit of its objectives. It is set by the board and expressed at the level of each principal risk. Risk reports must show whether the organisation is operating within appetite - presenting net risk scores alongside approved appetite thresholds and explicitly flagging breaches.
Read more: Board-Level Risk Reporting: What Boards & Regulators Expect
Risk Matrix (Heat Map)
Also known as: Risk Heat Map, Heat Map, 5x5 Risk Matrix, Likelihood-Impact Matrix
A risk matrix is a grid that plots each risk by likelihood (frequency) and impact (severity), with cells coloured to indicate the resulting rating. The 5x5 risk matrix is the most common format in mid-market and regulated firms. The matrix is a triage and conversation tool - useful for portfolio prioritisation, but only as good as the financial and non-financial harm definitions sitting underneath each band.
Read more: The 5x5 Risk Matrix and Heat Maps Explained
Risk Register
Also known as: Risk Log, Enterprise Risk Register
A risk register is the canonical list of risks an organisation faces, recorded in a structured format. Each entry typically captures the risk description, its owner, its gross (inherent) and net (residual) score, the controls in place to mitigate it, and any open actions to bring it within appetite. A risk register is forward-looking (what could happen) and should be distinguished from a risk log (what has happened).
Read more: What Is a Risk Register? Definition, Structure and Examples
Target Risk
Also known as: Future Risk Position
Target risk is the residual risk score the organisation is aiming to achieve once planned actions have been completed. It is forward-looking: it represents where the risk position should sit after current open actions, control improvements or strategic initiatives are delivered. Target risk usually sits inside risk appetite by design.
Read more: Gross Risk vs Net Risk vs Residual Risk Explained
Three Lines of Defence
First Line of Defence
Also known as: 1LoD, 1st Line of Defence, First Line of Defense, Line One, Operational Management
The first line of defence is operational management - the people running day-to-day business processes. They own the risks in their area, operate the controls that mitigate those risks, and are accountable for the residual risk position. In a healthy framework, the first line - not the risk team - is the source of truth on what the risks actually are.
Read more: The Three Lines of Defence Model Explained
Internal Audit
Also known as: IA
Internal audit is the independent assurance function that sits in the third line of defence. It tests whether the GRC framework operates effectively, reports findings to the Audit Committee, and is structurally separate from the executive management it audits. In mid-market firms, internal audit is frequently co-sourced or outsourced to preserve independence.
Read more: The Three Lines of Defence Model Explained
Second Line of Defence
Also known as: 2LoD, 2nd Line of Defence, Second Line of Defense, Line Two, Risk and Compliance
The second line of defence is the risk, compliance and other oversight functions. They set the methodology, maintain policy, run the assessment calendar, train the first line, and provide constructive challenge. The second line is not there to perform first-line work; it is there to ensure that work is performed to the required standard.
Read more: The Three Lines of Defence Model Explained
Third Line of Defence
Also known as: 3LoD, 3rd Line of Defence, Third Line of Defense, Line Three, Internal Audit
The third line of defence is internal audit - the independent assurance function that tests whether the framework actually works. The third line reports to the board's Audit Committee, not to executive management, and forms an independent opinion on whether the risks reported are the risks that genuinely exist and the controls relied upon are operating as designed.
Read more: The Three Lines of Defence Model Explained
Three Lines of Defence Model
Also known as: Three Lines of Defense, 3 Lines of Defence, 3 Lines of Defense, Three Lines Model, IIA Three Lines Model
The Three Lines of Defence model (also written 3 Lines of Defence, or "Three Lines of Defense" in US spelling) is a governance framework that separates risk management into three roles: the first line owns and manages risks, the second line oversees and challenges, and the third line provides independent assurance. The IIA updated it to "The Three Lines Model" in 2020.
Read more: The Three Lines of Defence Model Explained
Governance & Reporting
Audit Committee
The Audit Committee is a sub-committee of the board, typically comprised of independent non-executive directors. It oversees the integrity of financial reporting, the effectiveness of internal controls, and the work of internal audit. In UK regulated firms, the Audit Committee is the primary governance forum for the third line of defence.
Read more: The Three Lines of Defence Model Explained
Board-Level Risk Reporting
Also known as: Board Risk Pack, Board-Ready Risk Reporting
Board risk reporting is the periodic pack delivered to the board or risk committee, summarising the organisation's risk position, appetite breaches, material movements, KRIs and open actions. It is a curated narrative pack rather than a register dump - typically produced quarterly on a structured six-week cadence.
Read more: Board-Level Risk Reporting: What Boards & Regulators Expect
Risk Committee
Also known as: Board Risk Committee
The Risk Committee is a sub-committee of the board responsible for overseeing the risk management framework, setting and reviewing risk appetite, and challenging the executive on material risk positions. In smaller mid-market firms, the Audit and Risk functions are often combined into a single Audit and Risk Committee.
Read more: Board-Level Risk Reporting: What Boards & Regulators Expect
Risk Owner
A risk owner is a named individual - never a team or job title - who is accountable for managing a given risk: keeping the assessment current, ensuring the controls operate, and driving any open actions to closure. If a risk owner cannot articulate their top three risks in a brief conversation, the risk is not genuinely owned.
Read more: How to Create Real Risk Ownership
Controls
Control
Also known as: Internal Control
A control is a policy, procedure, system setting, check or approval that reduces the likelihood or impact of a risk materialising. Controls are characterised by their type (preventive, detective, corrective), their nature (manual or automated), their owner and their evidence of operation. "Management review" is not a testable control unless the evidence that proves it works is defined.
Read more: What Is an RCSA? Definition, Process & Why Most Fail
Control Library
Also known as: Control Catalogue, Control Inventory
A control library is the central catalogue of every control in the organisation, with each entry capturing the control description, its owner, the risks it mitigates, the assessment cycle and the evidence of operation. A working library is the connective tissue between the risk register, the policy framework and the compliance obligations register.
Read more: What Is an RCSA? Definition, Process & Why Most Fail
Frameworks & Standards
COSO ERM (COSO Enterprise Risk Management Framework)
Also known as: COSO, COSO ERM Framework, COSO 2017
COSO ERM is the Enterprise Risk Management framework published by the Committee of Sponsoring Organizations of the Treadway Commission. The 2017 update reframed ERM around five components - Governance and Culture, Strategy and Objective-Setting, Performance, Review and Revision, and Information, Communication and Reporting - and is widely referenced by US-listed firms.
Read more: How to Build an ERM Framework
FAIR (Factor Analysis of Information Risk)
FAIR (Factor Analysis of Information Risk) is a quantitative model for analysing risk - particularly information and cyber risk - in financial terms. It asks "what range of loss, how often?" and produces a probability distribution of expected loss rather than a single matrix score. FAIR is increasingly used alongside qualitative matrices for material risk decisions.
Read more: How to Assess Enterprise Risk: Four Approaches Explained
IIA Three Lines Model (2020)
Also known as: Three Lines Model
The IIA Three Lines Model is the 2020 update by the Institute of Internal Auditors to the original "Three Lines of Defence" model. It dropped the word "defence" to better reflect that the lines are complementary roles rather than adversarial defence layers. Both names remain in active use; the underlying framework is unchanged.
Read more: The Three Lines of Defence Model Explained
ISO 31000 Risk Management Guidelines
ISO 31000 is the international standard for risk management, providing principles and guidelines for designing and operating an ERM framework. It is principles-based (not prescriptive) and is often used alongside qualitative tools like the risk matrix for governance and documentation. ISO 31000 was first published in 2009 and significantly revised in 2018.
Read more: The 5x5 Risk Matrix and Heat Maps Explained
UK Regulatory Terms
FCA (Financial Conduct Authority)
The FCA is the Financial Conduct Authority, the UK conduct regulator for financial services firms. Its risk and governance expectations - particularly through the SYSC sourcebook - are a primary driver of GRC framework design in UK regulated firms. FCA enforcement fines have exceeded £200m annually in recent years.
Read more: Is GRC Worth It? The Financial Case for ERM
FRC (Financial Reporting Council)
The FRC is the Financial Reporting Council, the UK regulator for auditors, accountants, actuaries and corporate governance. It publishes the UK Corporate Governance Code (the source of Provision 29) and the UK Stewardship Code. The FRC will be replaced by ARGA (Audit, Reporting and Governance Authority) once primary legislation is enacted.
Read more: Provision 29 Compliance Guide: Material Controls Declaration
ICAAP (Internal Capital Adequacy Assessment Process)
ICAAP stands for Internal Capital Adequacy Assessment Process. It is the regulatory requirement on PRA-regulated banks and investment firms to assess and document the capital they need to hold against the risks they run. The ICAAP document feeds the supervisor's SREP (Supervisory Review and Evaluation Process) and informs the firm's capital buffer requirement.
Read more: How to Assess Enterprise Risk: Four Approaches Explained
ORSA (Own Risk and Solvency Assessment)
ORSA stands for Own Risk and Solvency Assessment. It is the equivalent of ICAAP for insurers under the UK Solvency II regime: a structured, forward-looking self-assessment of the insurer's overall risk profile, capital needs and solvency position. The ORSA report is reviewed by the board and submitted to the PRA.
Read more: How to Assess Enterprise Risk: Four Approaches Explained
PRA (Prudential Regulation Authority)
The PRA is the Prudential Regulation Authority, part of the Bank of England. It is the UK prudential regulator for banks, building societies, credit unions, insurers and major investment firms - focused on capital adequacy, solvency and operational resilience. PRA Supervisory Statements (e.g. SS1/21 on operational resilience) drive significant GRC investment in dual-regulated firms.
Read more: Board-Level Risk Reporting: What Boards & Regulators Expect
Provision 29 of the UK Corporate Governance Code
Also known as: UK Corporate Governance Code Provision 29, FRC Provision 29
Provision 29 is the requirement in the UK Corporate Governance Code (effective 1 January 2026) that boards of UK premium-listed companies publicly declare the effectiveness of their material internal controls. It covers four control categories - financial, operational, compliance and reporting - and requires evidence-based annual board attestation.
Read more: Provision 29 Compliance Guide: Material Controls Declaration
Missing a term?
We add to this glossary when readers ask. If a term you expected to find is missing, let us know and we will add it.
The definitions on this page are written by the Initia Risk team and are intended as practitioner reference material - not legal or regulatory advice.
