| Accountability | Clear ownership for a decision, record, action, or outcome. |
| Acknowledgement | Confirmation that a user has read or accepted a policy, notice, or assignment. |
| Appetite Breach | A risk level that exceeds the organization’s agreed tolerance. |
| Approval | A formal decision to accept, reject, publish, close, or move a record forward. |
| Assessment | A structured review of controls, obligations, evidence, or maturity against a defined scope. |
| Asset | A business, information, technology, or operational item that has value and may need protection. |
| Audit Finding | A gap, weakness, or observation identified during audit or assurance activity. |
| Control | A process, policy, procedure, technical measure, or activity designed to reduce risk or support compliance. |
| Control Owner | The person accountable for operating, evidencing, or maintaining a control. |
| Corrective Action | Work required to fix a finding, issue, or non-compliance. |
| Due Date | The date by which a response, review, approval, or remediation should be completed. |
| Evidence | Information that proves a statement, control operation, remediation, or compliance response. |
| Exception | A formal temporary deviation from a policy, control, or requirement. |
| Finding Severity | The importance or impact level of an audit finding. |
| Framework | A standard, regulation, policy set, or control structure used for assessments. |
| Inherent Risk | Risk level before considering treatment or existing controls. |
| Issue | A trackable problem, task, or remediation item requiring an owner and due date. |
| KPI | A key performance indicator used to measure program health or performance. |
| Likelihood | The chance that a risk event may occur. |
| Non-Compliance | A requirement or control that is not met or not supported by sufficient evidence. |
| Policy | An approved rule or expectation that users or business areas must follow. |
| Policy Owner | The person accountable for policy content, review, and lifecycle. |
| Residual Risk | Risk level remaining after controls or treatment are considered. |
| Review Date | The next date when a record should be checked for accuracy and continued relevance. |
| Risk | The effect of uncertainty on objectives. In the platform, it is usually described as an event, cause, and impact. |
| Risk Acceptance | A documented decision to accept a risk instead of reducing, transferring, or avoiding it. |
| Risk Impact | The consequence if a risk occurs. |
| Risk Owner | The person accountable for monitoring and managing a risk. |
| Risk Register | The central list of identified risks, scores, owners, treatment, and status. |
| Risk Treatment | The chosen response to a risk, such as mitigate, avoid, transfer, accept, or monitor. |
| Scope | The boundary of an assessment, audit, policy, report, or review. |
| Segregation of Duties | Separating responsibilities so the same person does not perform conflicting actions, such as submitting and approving the same item. |
| Status | The current lifecycle stage of a record. |
| Third Party | An external vendor, supplier, partner, or service provider. |
| Threshold | A value that determines whether a KPI or risk is rated acceptable, warning, or critical. |
| Treatment Owner | The person responsible for completing a risk treatment or mitigation action. |
| Workflow | The sequence of submission, review, approval, change request, closure, or escalation steps. |