GLOSSARY


This section provides a glossary of Performance & Risk Management terms that you may find useful.



Application Controls

Programmed procedures in application software, and related manual procedures, designed to help ensure the completeness and accuracy of information processing. Examples include computerized edit checks of input data, numerical sequence checks, and manual procedures to follow up on items listed in exception reports.

Source : COSO Integrated Internal Controls Framework, COSO Integrated Risk Management Framework


Balanced Scorecard

A performance measurement tool, focusing on an organisation’s activities in terms of its vision and strategies, to give a comprehensive view of the performance. The key new element is focusing not only on financial outcomes but also on the non-financial measures that drive those outcomes.

Source : Henley MBA Dissertation – At the Intersection

Basel II

A capital adequacy framework applicable to the financial services industry, covering areas such as Credit, Market and Operational Risk and how capital should be allocated to cover each of these areas.

Source : Henley MBA Dissertation At the Intersection

Board

Organisation’s governing body. This includes a board of directors, head of a legislative body or agency, supervisory board, or the board of trustees or governors of a not-for-profit organisation.

Source : BS31100:2008

Business Continuity Management (BCM)

Holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Source : BS31100:2008 [BS25999, modified]

Business Drivers

The critical factors that determine the success or failure of an organization’s strategy and its ability to deliver shareholder value.

Also known as Strategic Drivers.

Source: www.riskbasedperformance.com


Category

One of three groupings of objectives of internal control, control activities or controls. The categories are effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. The categories overlap, so that a particular objective, for example, might fall into more than one category.

Source : COSO Integrated Internal Controls Framework

Compliance

Used with “objectives”: having to do with conforming with laws and regulations applicable to an entity.

Source : COSO Integrated Internal Controls Framework

Component

One of five elements of internal control. The internal control components are the control environment, risk assessment, control activities, information and communication, and monitoring.

Source : COSO Integrated Internal Controls Framework

There are eight enterprise risk management components: the entity’s internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.

Source : COSO Integrated Risk Management Framework

Computer Controls

(1) Controls performed by computer, i.e., controls programmed into computer software (contrast with Manual Controls). (2) Controls over computer processing of information, consisting of general controls and application controls (both programmed and manual).

Source : COSO Integrated Internal Controls Framework

Consequence

Outcome of an incident that will have an effect on an organisation’s objectives.

Note 1: There can be a range of consequences from one incident.
Note 2: A consequence can be certain or uncertain and can have positive or negative impact on objectives.

Source : BS31100

Context

Environment in which the organisation seeks to achieve its objectives.

Source : BS31100:2008 [ISO Guide 73, modified]

Control

(1) A noun, used as a subject, e.g., existence of a control — a policy or procedure that is part of internal control. A control can exist within any of the five components. (2) A noun, used as an object, e.g., to effect control — the result of policies and procedures designed to control; this result may or may not be effective internal control. (3) A verb, e.g., to control — to regulate; to establish or implement a policy that effects control.

Source : COSO Integrated Internal Controls Framework

1. A noun, denoting an item, e.g., existence of a control – a policy or procedure that is part of internal control. A control can exist within any of the eight components. 2. A noun, denoting a state or condition, e.g., to effect control – the result of policies and procedures designed to control; this result may or may not be effective internal control. 3. A verb, e.g., to control – to regulate; to establish or implement a policy that effects control.

Source : COSO Integrated Risk Management Framework

Measure to modify risk.

Note 1: Controls are the result of risk treatment.
Note 2: Controls include any process, policy, device, practice, or other actions designed to modify risk.

Source : BS31100:2008 [ISO Guide 73]

Update on Wednesday, March 11, 2009 at 09:57PM by Andrew Smart
A control is a process or process step designed to maintain process integrity and reduce the likelihood and impact of risks. These must be specific enough to enable ownership by an individual role.

Source: Client Contribution

COSO

Committee of Sponsoring Organizations of the Treadway Commission – a private sector initiative whose major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence.

Source : Henley MBA Dissertation At the Intersection

Criteria

A set of standards against which an internal control system can be measured in determining effectiveness. The five internal control components, taken in the context of inherent limitations of internal control, represent criteria for internal control effectiveness for each of the three control categories. For one category, reliability of financial reporting, there is a more detailed criterion, the material weakness concept.

Source : COSO Integrated Internal Controls Framework

A set of standards against which enterprise risk management can be measured in determining effectiveness. The eight enterprise risk management components, taken in the context of inherent limitations of enterprise risk management, represent criteria for enterprise risk management effectiveness for each of the four objectives categories.

Source : COSO Integrated Risk Management Framework


Deficiency

A perceived, potential or real internal control shortcoming, or an opportunity to strengthen the internal control system to provide a greater likelihood that the entity’s objectives are achieved.

Source : COSO Integrated Internal Controls Framework

A condition within enterprise risk management worthy of attention that may represent a perceived, potential, or real shortcoming, or an opportunity to strengthen enterprise risk management to provide a greater likelihood that the entity’s objectives will be achieved.

Source : COSO Integrated Risk Management Framework

Design

(1) Intent. As used in the definition of internal control, the internal control system design is intended to provide reasonable assurance as to achievement of objectives; when the intent is realized, the system can be deemed effective. (2) Plan; the way a system is supposed to work, contrasted with how it actually works.

Source : COSO Integrated Internal Controls Framework

1. Intent. As used in the definition, enterprise risk management is intended to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance as to achievement of objectives. 2. Plan; the way a process is supposed to work, contrasted with how it actually works.

Source : COSO Integrated Risk Management Framework

Detective Control

A control designed to discover an unintended event or result (contrast with Preventive Control).

Source : COSO Integrated Internal Controls Framework


Effected

Used with an internal control system: devised and maintained.

Source : COSO Integrated Internal Controls Framework

Used with enterprise risk management: devised and maintained.

Source : COSO Integrated Risk Management Framework

Effective Internal Control

Internal control can be judged effective in each of the three categories, respectively, if the board of directors and management have reasonable assurance that:

They understand the extent to which the entity’s operations objectives are being achieved.
Published financial statements are being prepared reliably.
Applicable laws and regulations are being complied with.

This is a state or condition of internal control.

Source : COSO Integrated Internal Controls Framework

Effective Internal Control System

A synonym for Effective Internal Control.

Source : COSO Integrated Internal Controls Framework

Enterprise Risk Management

Approach to managing all of an organisation’s key business risks and opportunities with the intent of maximizing stakeholder value.

Source : BS31100:2008 [Risk and Insurance Management Society]

Enterprise Risk Management Process

A synonym for enterprise risk management applied in an entity.

Source : COSO Integrated Risk Management Framework

Entity

An organisation of any size established for a particular purpose. An entity, for example, may be a business enterprise, not-for-profit organisation, government body, or academic institution. Terms used as synonyms include organisation and enterprise.

Source : COSO Integrated Internal Controls Framework, COSO Integrated Risk Management Framework

Ethical Values

Moral values that enable a decision maker to determine an appropriate course of behavior; these values should be based on what is “right,” which may go beyond what is “legal.”

Source : COSO Integrated Internal Controls Framework

Event

An incident or occurrence, from sources internal or external to an entity, that affects achievement of objectives.

Source : COSO Integrated Risk Management Framework

Occurrence or change of a particular set of circumstances.

Note 1: Nature, likelihood and consequence of an event cannot be fully knowable.
Note 2: An event can be one or more occurrences, and can have several causes.
Note 3: Likelihood associated with the event can be determined.
Note 4: An event can consist of a non-occurrence of one or more circumstances.
Note 5: An event with a consequence is sometimes referred to as an “incident”.
Note 6: An event where no loss occurs may also be referred to as a “near-miss”, “near-hit”, “close call” or “dangerous occurrence”.

Source : BS31100:2008 [ISO Guide 73]


Financial Reporting

Used with “objectives” or “controls”: having to do with the reliability of published financial statements.

Source : COSO Integrated Internal Controls Framework


General Controls

Policies and procedures that help ensure the continued, proper operation of computer information systems. They include controls over data center operations, system software acquisition and maintenance, access security and application system development and maintenance. General controls support the functioning of programmed application controls. Other terms sometimes used to describe general controls are general computer controls and information technology controls.

Source : COSO Integrated Internal Controls Framework

Policies and procedures that help ensure the continued, proper operation of computer information systems. They include controls over information technology management, information technology infrastructure, security management, and software acquisition, development, and maintenance. General controls support the functioning of programmed application controls. Other terms sometimes used to describe general controls are general computer controls and information technology controls.

Source : COSO Integrated Risk Management Framework


Impact

Result or effect of an event. There may be a range of possible impacts associated with an event. The impact of an event can be positive or negative relative to the entity’s related objectives.

Source : COSO Integrated Risk Management Framework

Incident

Event in which a loss occurred or could have occurred, regardless of severity.

Source : BS31100:2008

Inherent Limitations

Those limitations of all internal control systems. The limitations relate to the limits of human judgment; resource constraints and the need to consider the cost of controls in relation to expected benefits; the reality that breakdowns can occur; and the possibility of management override and collusion.

Source : COSO Integrated Internal Controls Framework

Those limitations of enterprise risk management. The limitations relate to the limits of human judgment; resource constraints, and the need to consider the cost of controls in relation to expected benefits; the reality that breakdowns can occur; and the possibility of management override and collusion.

Source : COSO Integrated Risk Management Framework

Inherent Risk

Exposure arising from a specific risk before any action has been taken to manage it.

Source : BS31100:2008

Integrity

The quality or state of being of sound moral principle; uprightness, honesty and sincerity; the desire to do the right thing, to profess and live up to a set of values and expectations.

Source : COSO Integrated Internal Controls Framework, COSO Integrated Risk Management Framework

Internal Control

A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with applicable laws and regulations.

Source : COSO Integrated Internal Controls Framework, COSO Integrated Risk Management Framework

Internal Control System

A synonym for internal control applied in an entity.

Source : COSO Integrated Internal Controls Framework, COSO Integrated Risk Management Framework


Key Control Indicator (KCI)

An indicator which is used by an organization to help define its control environment and monitor levels of control relative to desired tolerances.

KCIs are used to answer the question: “Are our organization’s internal controls effective? Are we ‘in control’?”

Source : www.riskbasedperformance.com

Key Performance Indicator (KPI)

An indicator which enables an organization to define its performance targets based on its goals and objectives and to monitor its progress towards achieving these targets.

KPIs are used to answer the question: “Are we achieving our desired levels of performance?”

Source : www.riskbasedperformance.com

Key Risk

The most significant risks, being those on which the Board or equivalent focuses.

Source : BS31100:2008

Key Risk Indicator (KRI)

An indicator which is used by an organization to help define its risk profile and monitor changes in that profile.

KRIs are used to answer the question: “How is our risk profile changing and is it within our desired tolerance levels?”

Source : www.riskbasedperformance.com


Level of Risk

Magnitude of a risk expressed in terms of the combination of consequences and their likelihood.

Source : BS31100:2008 [ISO Guide 73]

Likelihood

The possibility that a given event will occur. Terms sometimes take on more specific connotations, with “likelihood” indicating the possibility that a given event will occur in qualitative terms such as high, medium, and low, or other judgmental scales, and “probability” indicating a quantitative measure such as a percentage, frequency of occurrence, or other numerical metric.

Source : COSO Integrated Risk Management Framework

Chance of something happening.

Note: The word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, and described using general terms (such as unlikely, likely, almost certain) or mathematically (such as a probability or a frequency over a given time period).

Source : BS31100:2008 [ISO Guide 73, modified]


Management Controls

Controls performed by one or more managers at any level in an organisation.

Source : COSO Integrated Internal Controls Framework

Management Intervention

Management’s actions to overrule prescribed policies or procedures for legitimate purposes; management intervention is usually necessary to deal with non-recurring and non-standard transactions or events that otherwise might be handled inappropriately by the system (contrast this term with Management Override).

Source : COSO Integrated Internal Controls Framework, COSO Integrated Risk Management Framework

Management Override

Management’s overruling of prescribed policies or procedures for illegitimate purposes with the intent of personal gain or an improperly enhanced presentation of an entity’s financial condition or compliance status (contrast this term with Management Intervention).

Source : COSO Integrated Internal Controls Framework, COSO Integrated Risk Management Framework

Management Process

The series of actions taken by management to run an entity. An internal control system is a part of and integrated with the management process.

Source : COSO Integrated Internal Controls Framework

The series of actions taken by management to run an entity. Enterprise risk management is a part of and integrated with the management process.

Source : COSO Integrated Risk Management Framework

Manual Controls

Controls performed manually, not by computer (contrast with Computer Controls).

Source : COSO Integrated Internal Controls Framework

MiFID

Markets in Financial Instruments Directive – Introduced a single market and regulatory regime for investment services across the European Union and European Economic Area. The key objectives behind the directive are:

1. to complete the EU single market for investment services
2. to respond to changes/innovations in the securities markets
3. to protect investors.

Source : Henley MBA Dissertation At the Intersection


Near Miss

Operational failure that did not result in a loss or give rise to an inadvertent gain.

Source : BS31100:2008


Objectives Category

One of four categories of entity objectives – strategic, effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations. The categories overlap, so that a particular objective might fall into more than one category.

Source : COSO Integrated Risk Management Framework

Operational Risk

Risk of loss or gain, resulting from inadequate or failed internal processes, people and systems or from external events.

Source : BS31100:2008

Operations

Used with “objectives” or “controls”: having to do with the effectiveness and efficiency of an entity’s operations, including performance and profitability goals, and safeguarding resources.

Source : COSO Integrated Internal Controls Framework

Used with “objectives”: having to do with the effectiveness and efficiency of an entity’s activities, including performance and profitability goals, and safeguarding resources against loss.

Source : COSO Integrated Risk Management Framework

Opportunity

The possibility that an event will occur and positively affect the achievement of objectives.

Source : COSO Integrated Risk Management Framework


Policy

Management’s dictate of what should be done to effect control. A policy serves as the basis for procedures for its implementation.

Source : COSO Integrated Internal Controls Framework, COSO Integrated Risk Management Framework

Preventive Control

A control designed to avoid an unintended event or result (contrast with Detective Control).

Source : COSO Integrated Internal Controls Framework

Procedure

An action that implements a policy.

Source : COSO Integrated Internal Controls Framework, COSO Integrated Risk Management Framework

Programme Risk

Risk associated with transforming strategy into solutions via a collection of projects.

Source : BS31100:2008

Project Risk

Risk relating to delivery of a product or service, usually within the constraints of time, cost and quality.

Source : BS31100:2008

Published Financial Statements

Financial statements, interim and condensed financial statements and selected data derived from such statements, such as earnings releases, reported publicly.

Source : COSO Integrated Internal Controls Framework


Reasonable Assurance

The concept that internal control, no matter how well designed and operated, cannot guarantee that an entity’s objectives will be met. This is because of Inherent Limitations in all internal control systems.

Source : COSO Integrated Internal Controls Framework

The concept that enterprise risk management, no matter how well designed and operated, cannot provide a guarantee regarding achievement of an entity’s objectives. This is because of Inherent Limitations in enterprise risk management.

Source : COSO Integrated Risk Management Framework

Reliability of Financial Reporting

Used in the context of published financial statements, reliability is defined as the preparation of financial statements fairly presented in conformity with generally accepted (or other relevant and appropriate) accounting principles and regulatory requirements for external purposes, within the context of materiality. Supporting fair presentation are the five basic financial statement assertions:

1. existence or occurrence,
2. completeness,
3. rights and obligations,
4. valuation or allocation, and
5. presentation and disclosure.

When applied to interim or condensed financial statements or selected data derived from such statements, the factors representing fair presentation and the assertions apply only to the extent they are relevant to the presentation.

Source : COSO Integrated Internal Controls Framework

Reportable Condition

An internal control deficiency related to financial reporting; it is a significant deficiency in the design or operation of the internal control system, which could adversely affect the entity’s ability to record, process, summarize and report financial data consistent with the assertions of management in the financial statements.

Source : COSO Integrated Internal Controls Framework

Reporting

Used with “objectives”: having to do with the reliability of the entity’s reporting, including both internal and external reporting of financial and non-financial information.

Source : COSO Integrated Internal Controls Framework

Residual Risk

The remaining risk after management has taken action to alter the risk’s likelihood or impact.

Source : COSO Integrated Risk Management Framework

Risk remaining after risk treatment.

Source : BS31100:2008 [ISO Guide 73, modified]

Risk

The possibility that an event will occur and adversely affect the achievement of objectives.

Source : COSO Integrated Risk Management Framework

Effect of uncertainty on objectives.

Note 1: An effect is a deviation from the expected – positive and/or negative.
Note 2: Objectives can have different aspects, such as financial, health and safety, and environmental goals, and can apply at different levels, such as strategic, organization-wide, project, product and process.
Note 3: Risk is often characterized by reference to potential events, consequences, or a combination of these and how they can affect the achievement of objectives.
Note 4: Risk is often expressed in terms of a combination of the consequences of an event or a change in circumstances, and the associated likelihood of occurrence.

Source : BS31100:2008 [ISO Guide 73]

Update by Andrew Smart

The possibility of an event causing an unexpected, detrimental (i.e. threats) deviation from the anticipated outcomes of business activities. This definition is not aimed at assessing the possibility of performance risks.

Source: Client Contribution

Risk Acceptance

Informed decision to take a particular risk.

Note 1: Risk acceptance can occur without risk treatment or during the process of risk treatment.
Note 2: Risk acceptance can also be a process.
Note 3: Risks accepted are subject to monitoring and review.

Source : BS31100:2008 [ISO Guide 73]

Risk Aggregation

Process to combine individual risks to obtain a more complete understanding of risk.

Source : BS31100:2008 [ISO Guide 73]

Risk Analysis

Process to comprehend the nature of risk and to determine the level of risk.

Note: Risk analysis provides the basis for risk evaluation and decisions about risk treatment.

Source : BS31100:2008 [ISO Guide 73]

Risk Appetite

The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision).

Source : COSO Integrated Risk Management Framework

Amount and type of risk that an organization is prepared to seek, accept or tolerate.

Source : BS31100:2008 [ISO Guide 73, modified]

Risk appetite is about clarifying the amount and type of risk that an organisation is willing to accept to achieve its objectives.

Source : www.riskbasedperformance.com

Risk Assessment

Overall process of risk identification, risk analysis and risk evaluation.

Source : BS31100:2008

Risk Avoidance

Decision not to be involved in, or to withdraw from, an activity based on the level of risk.

Source : BS31100:2008 [ISO Guide 73, modified]

Risk Criteria

Terms of reference against which the significance of a risk is evaluated.

Note 1: Risk criteria are based on the context, and are regularly reviewed to ensure continued relevance.
Note 2: Risk criteria can be derived from standards, laws and policies.

Source : BS31100:2008 [ISO Guide 73, modified]

Risk Evaluation

Process of comparing results of risk analysis against risk criteria to determine whether the level of risk is acceptable or tolerable.

Note: Risk evaluation assists in the decision about risk treatment.

Source : BS31100:2008 [ISO Guide 73, modified]

Risk Exposure

Extent to which an organisation is subject to an event.

Source : BS31100:2008 [ISO Guide 73]

Update by Andrew Smart

Risk Exposure = (Probability of event occurring) X (Impact of event)

Source: www.riskbasedperformance.com

Update by Andrew Smart

The consequences, as a combination of impact and likelihood, which may be experienced if a specific risk is realised.

Source: Client Contribution

Risk Financing

Form of risk treatment involving contingent arrangements for the provision of funds to meet the financial consequences should they occur.

Source : BS31100:2008 [ISO Guide 73, modified]

Risk Identification

Process of finding, recognizing and describing risks.

Note 1: Risk identification involves the identification of risk sources, events and their causes and their potential consequences.
Note 2: The identification can involve historical data, theoretical analysis, informed and expert opinions, and the stakeholders’ needs.

Source : BS31100:2008 [ISO Guide 73, modified]

Risk Management

Coordinated activities to direct and control an organization with regard to risk.

Source : BS31100:2008 [ISO Guide 73]

Risk Management Framework

Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organisation.

Note 1: The foundations include the objectives, mandate and commitment to manage risk.
Note 2: The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.
Note 3: The risk management framework is embedded within the organization’s overall strategic and operational policies and practices.

Source : BS31100:2008 [ISO Guide 73]

Risk Management Governance

Systems, structures, tone and behaviours by which the organization is directed and controlled, and accountabilities clearly assigned.

Note: Corporate governance permits decisions to be effectively made, objectives set and performance monitored to ensure the efficient and effective use of resources and safeguard assets.

Source : BS31100:2008

Risk Management Policy

Overall intentions and direction of an organisation related to risk management.

Source : BS31100:2008 [ISO Guide 73]

Risk Management Process

Systematic application of management policies, procedures and practices to the tasks of communication, consulting, establishing the context, identifying, analyzing, evaluating, treating, monitoring and reviewing risk.

Source : BS31100:2008 [ISO Guide 73]

Risk Mitigation

Measures taken to reduce an undesired consequence.

Source : BS31100:2008 [ISO Guide 73]

Risk Owner

Person or entity with the accountability and authority for managing the risk and any associated risk treatments.

Source : BS31100:2008 [ISO Guide 73]

Update by Andrew Smart

The role or committee that is responsible for ensuring a set of appropriate and effective controls is in place to reduce the likelihood and impact of an identified risk.

Source: Client Contribution

Risk Profile

Description of a set of risks.

Note: The set of risks can contain those that relate to the whole organization, part of the organization, or as otherwise defined.

Source : BS31100:2008 [ISO Guide 73]

Risk Register

Record of information about identified risks.

Source : BS31100:2008

Risk Response

Acceptance of a risk or action taken to address it.

Source : BS31100:2008

Risk Retention

Acceptance of the benefit of gain, or burden of loss, from a particular risk.

Note 1: Risk retention includes the acceptance of residual risks.
Note 2: The level of risk retained may depend on risk criteria.

Source : BS31100:2008 [ISO Guide 73]

Risk Sharing

Form of risk treatment involving the agreed distribution of risk with other parties.

Source : BS31100:2008 [ISO Guide 73, modified]

Risk Source

Anything which alone or in combination has the intrinsic potential to give rise to risk.

Source : BS31100:2008 [ISO Guide 73]

Risk Tolerance

The acceptable variation relative to the achievement of an objective.

Source : COSO Integrated Risk Management Framework

Organisation’s readiness to bear the risk after risk treatments in order to achieve its objectives.

Note: Risk tolerance can be limited by legal or regulatory requirements.

Source : BS31100:2008

Risk Transfer

Sharing with another party the burden of loss or benefit of gain for a risk.

Note: This might be achieved through legislation, contract, insurance or other means.

Source : BS31100:2008

Risk Treatment

Process of developing, selecting and implementing controls.

Note 1: Risk treatment can involve: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; seeking an opportunity by deciding to start or continue with an activity likely to create or enhance the risk; removing the source of the risk; changing the nature and magnitude of likelihood; changing the consequences; sharing the risk with another party or parties; and retaining the risk by choice.
Note 2: Risk treatments that deal with negative consequences are sometimes referred to as risk mitigation, risk elimination, risk prevention, risk reduction, risk repression and risk correction.

Source : BS31100:2008 [ISO Guide 73]


Sarbanes-Oxley

Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly referred to as SOX or Sarbox. This US-based legislation sets the standard of governance for companies reporting to the SEC, and their auditors.

Source : Henley MBA Dissertation At the Intersection

Stakeholder

Parties that are affected by the entity, such as shareholders, the communities in which the entity operates, employees, customers, and suppliers.

Source : COSO Integrated Risk Management Framework

Person or group concerned with, affected by, or perceiving themselves to be affected by an organisation.

Note: A decision maker is also a stakeholder.

Source : BS31100:2008

Strategic

Used with “objectives”: having to do with high-level goals that are aligned with and support the entity’s mission (or vision).

Source : COSO Integrated Risk Management Framework

Strategic Risk

Risk concerned with where the organization wants to go, how it plans to get there, and how it can ensure survival.

Source : BS31100:2008

Strategy Map

Provides a uniform and consistent way to describe strategy, so that objectives and measures can be established and managed.

Provides the missing link between strategy formulation and strategy execution.

The strategy map is based on several principles:

1. Strategy balances contradictory forces.
2. Strategy is based on a differentiated customer value proposition.
3. Value is created through internal business processes.
4. Strategy consists of simultaneous, complementary themes.
5. Strategic alignment determines the value of intangible assets.
– Human capital
– Information capital
– Organisation capital

Source : Strategy Maps (2004)


Types of Internal Controls

Detective: Designed to detect errors or irregularities that may have occurred.

Corrective: Designed to correct errors or irregularities that have been detected.

Preventive: Designed to keep errors or irregularities from occurring in the first place.


Uncertainty

Inability to know in advance the exact likelihood or impact of future events.

Source : COSO Integrated Risk Management Framework