Each industry has its fair share of acronyms and terminology that can be difficult to learn. To someone outside the industry, these phrases may seem like a foreign language. In Healthcare, HMO (health maintenance organization) is widely used, in marketing we say SEO for search engine optimization, and in retail, you may hear POP for point of purchase. These are just a few examples that are so widely used, you may have already been familiar with them. However, within risk management, the amount of terminology used arguably increases drastically since the field overlaps with many different areas. Due to the complexity and immensity of risk management, it can be difficult for professionals in the field to understand some of the data in their assessments or audits. Below, we’ll cover some of the most likely to be encountered terminology and provide some extra resources. Utilize this list to brush up before performing or reviewing an assessment/audit, onboarding a new team member, or helping someone outside of the industry understand better. Definitions and acronyms are posted below in separate sections in alphabetical order and will be updated periodically.



Authorized Economic Operator. World Customs Organization’s standard to secure global trade.


California Consumer Privacy Act. Privacy rights and consumer protection for residents of California.


Chemical Facility Anti-Terrorism Standards. Cybersecurity and Infrastructure Security Agency’s program focused specifically on security at high-risk chemical facilities.


Consumer Financial Protection Bureau. An organization responsible for creating, supervising, and enforcing the Federal consumer financial protection laws.


Control Objectives for Information and Related Technologies. A framework created by ISACA for control processes and governance of information systems and technology.


The Customs-Trade Partnership Against Terrorism. This is a voluntary supply chain security program led by U.S. Customs and Border Protection (CBP) focused on improving the security of private companies’ supply chains with respect to terrorism.


Drug Enforcement Administration. Combats drug trafficking and distribution and covers controlled substance storage security.


Federal Emergency Management Agency. Supports the effort to build, sustain, and improve the capability to respond to, recover from, and mitigate hazards.


Federal Financial Institutions Examination Council. Creates principles, standards, and report formats that promote uniformity in the financial industry.


The General Data Protection Regulation. A regulation created to strengthen and unify data protection for all individuals within the European Union (EU).


Gramm-Leach-Bliley Act. Federal law in the US to control the ways that financial institutions deal with the private information of individuals.


Health Insurance Portability and Accountability Act. Ensures equal access to certain health and human services and protects the privacy and security of health information.


The Health Information Technology for Economic and Clinical Health Act. Brings additional compliance standards to healthcare organizations regarding breach notification for unauthorized disclosure of unsecured PHI.


International Association for Healthcare Security and Safety. Promotes and develops educational research into the maintenance and improvement of healthcare security and safety management


Information Systems Audit and Control Association. An international professional association focused on IT governance.


International Organization for Standards. They develop standards to ensure the quality, safety, and efficiency of products, services, and systems.


National Credit Union Administration. An independent federal agency created by the United States Congress to regulate, charter, and supervise federal credit unions.


National Fire Protection Association. Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs.


National Institute of Standards and Technology. Security and Privacy Controls for Federal Information Systems and Organizations.


Occupational Safety and Health Administration. Guidelines for preventing workplace violence for healthcare and social service workers.


Payment Card Industry Data Security Standards. Information security standard for organizations that handle branded credit cards from the major card schemes.


Protected Health Information. Any information regarding health status, provision of health care, or payment for health care that can be linked to a specific person.


Sarbanes-Oxley Compliance. Requires that all publicly held companies must establish internal controls and procedures for financial reporting to reduce the possibility of corporate fraud.


Business Continuity Planning

Business continuity planning is the process of creating plans, processes, policies, or anything that can be used in the prevention and recovery from a threat to your business. The goal is to enable your organization to keep running during and after the negative event. For example, if your organization is located in Florida, it would be wise to have a business continuity plan that states how job functions will change and operations can continue remotely in the event of a hurricane.


Compliance is simply following or adhering to a law, policy, standard, or any other document. Within risk management, it’s important to measure compliance to determine your level of risk. Utilizing a document or content library that specifies best practices or regulations will help you identify areas of risk within your own organization when you are not compliant.


Consequence is related to impact and is the result of an event that affects business objectives. These results can be both positive and negative, and multiple consequences can stem from a single event. Potential losses include monetary loss, reputational loss, or regulatory sanctions.


Controls are policies, procedures, or technical safeguards that are implemented by an organization to prevent a particular issue. An important component of risk management, controls are necessary to avoid or minimize negative impact. Controls can include video surveillance, software patches, or employee training.


Criticality is the measure of how important something is, or how critical action is. Generally, the higher the consequence, the higher the criticality. You want to view this facility, system, machine, etc. in relation to the organization as a whole.

Gap Score

Gap score refers to the gap of where your organization is and where it should be in terms of vulnerability based on the lack of controls.


An event can refer to a single occurrence, multiple occurrences, or a nonoccurrence, as well as a change in circumstances. For example, a cybersecurity event can refer to a series of breaches within a month-long period.


A framework is a set of criteria that detail how to best protect an organization. It will provide a detailed and structured process for completing numerous risk management activities. An example is the NIST risk management framework for securing information systems.


Likelihood is the probability of an event occurring. This is a factor in calculating a risk score.


Mitigation is the act of reducing the impact or severity of a risk. This is typically referred to within risk management as a task for lessening a risk after it is identified.


Monitoring means to consistently review and observe. In risk management, this is key to knowing whether current controls are effective or need to be reevaluated.


Risk is simply the possibility of a negative event occurring. According to ISO 31000, risk is the “effect of uncertainty on objectives.” Risk management centers around making the unknown known, and either eliminating or preparing for the occurrence as well as possible.

Risk Score

A risk score is attained by calculating several factors, such as threat level, criticality, gap score, and consequence. The purpose of a risk score is to inform your organization on the severity of a risk and provide suggestions towards how to properly allocate resources. Learn more about risk scoring here.


A stakeholder is a person who has an interest in an organization and affects the business. Typically referring to investors, but can also refer to employees, suppliers, vendors, etc.


Tolerance is the ability or willingness to allow something. In the scope of risk management, we use tolerance as a way to define the ability of an organization to withstand the negative effects associated with a particular risk. This is often defined as a threshold.

Performing Risk Assessments

Now that you’ve familiarized yourself with the risk management terminology, it’s time to perform an assessment. Utilize RiskWatch’s free platform to perform a physical security, information security, compliance, vendor, supplier, client, or another type of assessment.

Subscribe for our latest posts


Try any of our products, free.

Riskwatch products are easy to use, free to try, and can be customized to fit your business needs.

Leave a Reply

Your email address will not be published. Required fields are marked *