Risk Assessment and Mitigation
Expert-defined terms from the Compliance Audit and Assurance course at London School of Planning and Management. Free to read, free to share, paired with a professional course.
Asset Identification – The process of cataloguing all physical, digital,… #
Related terms: asset inventory, critical asset. Example: creating a spreadsheet of servers, databases, and proprietary software. Practical application: ensures that risk assessments cover every item that could generate a compliance breach. Challenges: hidden assets, rapid technology changes, and incomplete documentation can lead to gaps.
Audit Scope – The boundaries and objectives that define which processes,… #
Related terms: audit plan, risk based auditing. Example: limiting the audit to procurement and vendor management for a supplier‑related regulation. Practical application: focuses resources on high‑risk areas. Challenges: scope creep, insufficient stakeholder alignment, and overlooking inter‑dependencies.
Baseline Controls – Minimum control standards that an organization adopts… #
Related terms: control framework, minimum security standards. Example: implementing password complexity rules as a baseline for all user accounts. Practical application: provides a consistent starting point for risk mitigation. Challenges: a baseline may become outdated (NIST SP 800‑63B, for instance, now favours password length and breached‑password screening over complexity rules), and over‑reliance on it can mask emerging threats.
Business Impact Analysis – A systematic study that evaluates the potentia… #
Related terms: BIA, continuity planning. Example: estimating revenue loss if the customer data platform is unavailable for 48 hours. Practical application: informs risk prioritisation and mitigation budgeting. Challenges: quantifying intangible impacts and aligning BIA results with compliance objectives.
Control Gap – A deficiency where existing controls do not fully address a… #
Related terms: control weakness, deficiency. Example: lack of segregation of duties in the finance module of an ERP system. Practical application: highlights areas for remediation. Challenges: detecting gaps in complex environments and ensuring timely closure.
Control Self‑Assessment – A process in which owners of business processes… #
Related terms: CSA, internal audit. Example: a department manager scoring the adequacy of data encryption practices. Practical application: promotes ownership and early detection of issues. Challenges: subjectivity, inconsistent scoring, and potential bias.
COSO Framework – A widely accepted model for designing, implementing, and… #
Related terms: internal control, enterprise risk management. Example: using COSO to map controls that mitigate GDPR non‑compliance. Practical application: provides a structured approach to risk mitigation. Challenges: adapting the generic framework to specific regulatory nuances.
Data Integrity – The accuracy, completeness, and consistency of data thro… #
Related terms: data quality, information assurance. Example: ensuring that transaction logs are not altered after entry. Practical application: supports reliable risk assessments and compliance reporting. Challenges: detecting subtle corruption and maintaining integrity across disparate systems.
Data Loss Prevention – Technologies and policies designed to prevent unau… #
Related terms: DLP, information protection. Example: a DLP policy that blocks files containing credit‑card numbers from being copied to removable drives or pasted into webmail. Practical application: reduces the likelihood of data‑related compliance breaches. Challenges: high false‑positive rates and balancing usability with security.
Due Diligence – A systematic investigation to assess the risks associated… #
Related terms: risk assessment, compliance review. Example: evaluating a vendor’s compliance with ISO 27001 before signing a contract. Practical application: informs risk‑mitigation decisions and contractual safeguards. Challenges: obtaining reliable evidence and keeping assessments current.
Enterprise Risk Management – An integrated, organization‑wide approach to… #
Related terms: ERM, risk appetite. Example: a board‑level ERM committee that reviews cyber‑risk heat maps quarterly. Practical application: aligns mitigation activities with business goals. Challenges: siloed risk functions and insufficient executive engagement.
Exposure – The magnitude of potential loss associated with a specific ris… #
Related terms: risk exposure, loss event. Example: a $2 million exposure for a breach of personal data under a privacy law. Practical application: helps prioritise remediation based on financial impact. Challenges: estimating exposure for emerging threats and indirect costs.
Failure Mode – A way in which a component or process can fail, potentiall… #
Related terms: FMEA, risk scenario. Example: a server power‑supply failure causing loss of service. Practical application: guides targeted mitigation, such as redundant power supplies. Challenges: comprehensive identification of all plausible failure modes.
GRC (Governance, Risk, and Compliance) – A coordinated set of practices t… #
Related terms: integrated risk management, policy management. Example: a GRC platform that links policy updates to risk registers and audit schedules. Practical application: reduces duplication and improves visibility. Challenges: integration complexity and cultural resistance.
Heat Map – A visual representation that plots risks by likelihood and imp… #
Related terms: risk matrix, risk visualization. Example: a 5‑by‑5 matrix where high‑impact/high‑likelihood risks appear in red. Practical application: aids stakeholders in quickly identifying priority risks. Challenges: oversimplification and subjectivity in assigning scores.
Incident Response – A structured set of procedures for detecting, analysi… #
Related terms: IR plan, forensic analysis. Example: a playbook that initiates legal notification after a data breach. Practical application: limits damage and ensures compliance with breach‑notification statutes. Challenges: coordination across teams and maintaining up‑to‑date procedures.
Internal Control – Policies, procedures, and mechanisms designed to achie… #
Related terms: control activity, control environment. Example: automatic reconciliation of inventory balances. Practical application: provides assurance that risks are being mitigated. Challenges: control design complexity and monitoring effectiveness.
Key Risk Indicator – A metric that signals a change in the level of risk… #
Related terms: KRI, risk monitoring. Example: a sudden increase in failed login attempts. Practical application: enables proactive mitigation before a breach occurs. Challenges: selecting meaningful indicators and avoiding alert fatigue.
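The failed‑login example above is the kind of KRI that can be computed directly from authentication logs. The following is an added example (not code from the course page): it counts failed SSH logins per hour from constructed, syslog‑style lines, establishes a baseline from the other hours, and flags any hour that exceeds both a multiple of the baseline and an absolute floor, which is what keeps a normally quiet host from tripping the indicator on a handful of events. The log format, the multiplier and the floor are assumed values for illustration.

```python
"""Failed-login KRI computed from constructed auth log lines.
Added example; the syslog-like format and thresholds are assumed."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

# Assumed line shape: "<ISO-8601 UTC> <host> sshd[<pid>]: Failed password for [invalid user ]<user> from <ip> ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def failed_logins_per_hour(lines):
    """Return {hour_start: count} of failed-login lines; other lines are ignored."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated messages do not count
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        counts[ts.replace(minute=0, second=0)] += 1
    return dict(counts)


def kri_breaches(hourly, multiplier=4.0, floor=10):
    """Flag hours whose count exceeds multiplier x median of the *other* hours
    and also exceeds an absolute floor. Both tuning values are assumptions."""
    breaches = []
    for hour, count in sorted(hourly.items()):
        others = [c for h, c in hourly.items() if h != hour]
        baseline = median(others) if others else 0
        threshold = max(floor, multiplier * baseline)
        if count > threshold:
            breaches.append((hour, count, threshold))
    return breaches


def build_sample_log(hourly_failures, start=datetime(2024, 3, 4, 0, tzinfo=timezone.utc)):
    """Constructed sample: hourly_failures[i] failed logins in hour i, plus one
    successful login per hour as noise. Hosts and addresses are documentation ranges."""
    lines = []
    for i, n in enumerate(hourly_failures):
        hour = start + timedelta(hours=i)
        lines.append(f"{hour:%Y-%m-%dT%H:%M:%SZ} bastion sshd[{1000 + i}]: "
                     f"Accepted publickey for ops from 198.51.100.7 port 40000 ssh2")
        for j in range(n):
            ts = hour + timedelta(seconds=(j * 37) % 3600)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} bastion sshd[{2000 + j}]: "
                         f"Failed password for invalid user admin from 203.0.113.{1 + j % 20} "
                         f"port {50000 + j} ssh2")
    return lines


# Seven quiet hours and one spike (constructed).
SAMPLE_LOG = build_sample_log([3, 2, 4, 3, 5, 2, 41, 3])

if __name__ == "__main__":
    for hour, count, threshold in kri_breaches(failed_logins_per_hour(SAMPLE_LOG)):
        print(f"KRI breach at {hour:%Y-%m-%d %H:00}Z: {count} failed logins (threshold {threshold:.0f})")
```

Using the median of the remaining hours rather than the mean means the spike itself does not inflate its own baseline; in production the baseline window would be days or weeks rather than a few hours, and the indicator would feed the risk register entry for credential theft rather than an alert queue.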
Likelihood – The probability that a risk event will occur, typically expr… #
Related terms: probability, risk scoring. Example: assigning a “medium” likelihood to phishing attacks based on historical data. Practical application: feeds into risk matrices and prioritisation. Challenges: limited data and subjective judgement.
Loss Event – An occurrence that results in a measurable negative impact,… #
Related terms: incident, risk event. Example: a ransomware infection that forces system downtime. Practical application: provides a basis for calculating exposure. Challenges: attributing cause and quantifying indirect effects.
Mitigation Strategy – A planned set of actions aimed at reducing the like… #
Related terms: risk treatment, control implementation. Example: deploying multi‑factor authentication to lower credential‑theft risk. Practical application: translates risk assessments into concrete steps. Challenges: resource constraints and change‑management resistance.
Operational Risk – The risk of loss resulting from inadequate or failed i… #
Related terms: business risk, process risk. Example: errors in manual data entry that lead to non‑compliant reporting. Practical application: requires continuous monitoring and process improvement. Challenges: difficulty isolating root causes and measuring impact.
Owner Accountability – The responsibility assigned to an individual or gr… #
Related terms: risk owner, responsibility matrix. Example: a compliance officer who oversees GDPR controls for the marketing department. Practical application: clarifies who must act on mitigation tasks. Challenges: unclear ownership and overloaded responsibilities.
Probability – A numeric expression of the chance that a particular risk e… #
Related terms: likelihood, statistical analysis. Example: a 0.2 probability (20 %) that a supply‑chain disruption will happen in a year. Practical application: feeds quantitative risk models. Challenges: limited data and bias in expert estimates.
Process Mapping – Visual documentation of the steps, inputs, and outputs… #
Related terms: workflow diagram, value‑stream mapping. Example: a flowchart of the customer onboarding process showing data‑collection checkpoints. Practical application: reveals where controls may be missing. Challenges: keeping maps current as processes evolve.
Qualitative Risk Assessment – An evaluation of risk based on descriptive… #
(e.g., high, medium, low) rather than precise numerical values. Related terms: subjective rating, risk matrix. Example: rating the impact of a regulatory fine as “high” due to potential brand damage. Practical application: useful when data is scarce. Challenges: inconsistency between assessors and difficulty in aggregating results.
Quantitative Risk Assessment – A numerical analysis that estimates risk e… #
Related terms: Monte Carlo simulation, expected loss. Example: calculating an expected annual loss of $500 k from phishing attacks using historical incident rates. Practical application: supports cost‑benefit analysis of controls. Challenges: data quality, model complexity, and assumptions transparency.
Risk Appetite – The amount and type of risk an organization is willing to… #
Related terms: risk tolerance, risk preference. Example: accepting low‑impact privacy‑risk in exchange for faster product releases. Practical application: guides decision‑making and resource allocation. Challenges: communicating appetite across the enterprise and aligning it with regulatory limits.
Risk Assessment – The systematic process of identifying, analysing, and e… #
Related terms: risk analysis, risk identification. Example: a risk assessment that uncovers inadequate access controls for financial systems. Practical application: forms the basis for mitigation planning. Challenges: scope definition, data collection, and maintaining relevance over time.
Risk Control – Any action, policy, or mechanism that modifies the likelih… #
Related terms: mitigation measure, preventive control. Example: implementing encryption at rest for sensitive databases. Practical application: directly addresses identified risk gaps. Challenges: ensuring controls remain effective as threats evolve.
Risk Exposure – The product of risk likelihood and impact, representing t… #
Related terms: expected loss, risk magnitude. Example: a 30 % likelihood of a compliance breach with a $1 million impact yields a $300 k exposure. Practical application: helps rank risks for mitigation. Challenges: accurate estimation of both components.
Risk Matrix – A two‑dimensional chart that plots risk likelihood against… #
Related terms: heat map, risk scoring. Example: a matrix where risks in the red zone require immediate remediation. Practical application: visual tool for prioritising actions. Challenges: subjective scoring and oversimplification of complex risks.
Risk Monitoring – Ongoing activities that track the status of identified… #
Related terms: continuous monitoring, KRI tracking. Example: weekly review of audit findings against remediation deadlines. Practical application: ensures that mitigation measures stay effective. Challenges: data overload and insufficient automation.
Risk Register – A central repository that records identified risks, their… #
Related terms: risk log, risk database. Example: an Excel‑based register listing each GDPR‑related risk with assigned owners. Practical application: provides a single source of truth for risk‑management activities. Challenges: maintaining accuracy, version control, and stakeholder engagement.
Risk Reporting – The communication of risk information to stakeholders, o… #
Related terms: risk disclosure, board reporting. Example: a quarterly risk report presented to the audit committee highlighting remediation progress. Practical application: supports informed decision‑making. Challenges: balancing detail with brevity and ensuring relevance to diverse audiences.
Risk Response – The set of options an organization can select to address… #
Related terms: risk treatment, risk mitigation. Example: transferring cyber‑risk through a cyber‑insurance policy. Practical application: determines the appropriate action for each risk. Challenges: aligning response with risk appetite and regulatory constraints.
Risk Tolerance – The acceptable deviation from risk appetite for a specif… #
Related terms: risk appetite, risk limits. Example: tolerating a low‑impact data‑classification breach but not a high‑impact privacy violation. Practical application: sets clear limits for decision makers. Challenges: defining measurable thresholds and monitoring compliance.
Scenario Analysis – A technique that explores the effects of plausible fu… #
Related terms: what‑if analysis, stress testing. Example: modelling the impact of a new data‑protection law on existing processes. Practical application: prepares mitigation plans for high‑impact possibilities. Challenges: selecting realistic scenarios and obtaining accurate assumptions.
Segregation of Duties – A control principle that distributes critical tas… #
Related terms: SOX control, dual control. Example: requiring separate personnel for invoice approval and payment execution. Practical application: reduces risk of unauthorized transactions. Challenges: operational constraints, especially in small teams, and maintaining compliance with evolving regulations.
Stakeholder Analysis – The identification and assessment of individuals o… #
Related terms: interest mapping, communication plan. Example: recognising regulators, customers, and internal audit as key stakeholders for a data‑privacy audit. Practical application: ensures that risk mitigation addresses stakeholder expectations. Challenges: conflicting priorities and changing stakeholder landscapes.
Threat – Any circumstance or event with the potential to cause loss, dama… #
Related terms: risk source, adversary. Example: a cyber‑criminal group targeting financial institutions. Practical application: informs the identification of risk scenarios. Challenges: rapidly evolving threat vectors and limited visibility into attacker capabilities.
Vulnerability – A weakness in a system, process, or control that could be… #
Related terms: security flaw, control deficiency. Example: unpatched software on a web server for which a public exploit exists. Practical application: prioritises remediation based on severity and exploitability. Challenges: discovering hidden vulnerabilities and keeping inventories current.
Weighted Scoring – A method of assigning numerical values to risk attribu… #
Related terms: risk ranking, risk prioritisation. Example: giving impact a weight of 0.6 and likelihood 0.4 to generate a composite score. Practical application: enables objective comparison of disparate risks. Challenges: selecting appropriate weights and avoiding bias.
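The Heat Map, Risk Exposure, Risk Matrix, Risk Register and Weighted Scoring entries above describe pieces of one scoring routine: rate likelihood and impact on a 1–5 scale, combine them with the 0.6/0.4 weights, place the risk in a matrix band, compute the monetary exposure, and rank the register. The following is an added example that implements the whole routine, not code from the course page. The register contents, the band thresholds on the 5×5 matrix and the validation of the scales are assumptions for illustration; the weights are the ones the text gives.

```python
"""Score and rank a small risk register: weighted composite score, 5x5 matrix
band and monetary exposure. Added example with constructed register entries."""
from dataclasses import dataclass

# Weights from the text: impact 0.6, likelihood 0.4 (assumed to sum to 1).
IMPACT_WEIGHT = 0.6
LIKELIHOOD_WEIGHT = 0.4


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)
    impact_usd: float   # estimated monetary impact of one occurrence
    probability: float  # annual probability, 0..1


def _check_scale(value: int, label: str) -> None:
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be on the 1-5 scale, got {value}")


def weighted_score(risk: Risk) -> float:
    """Composite score on the 1-5 scale: 0.6 * impact + 0.4 * likelihood."""
    _check_scale(risk.likelihood, "likelihood")
    _check_scale(risk.impact, "impact")
    return round(IMPACT_WEIGHT * risk.impact + LIKELIHOOD_WEIGHT * risk.likelihood, 2)


def matrix_zone(risk: Risk) -> str:
    """Colour band of the (likelihood, impact) cell on a 5x5 matrix.
    Band thresholds are an assumed convention: product >= 15 red, >= 6 amber, else green."""
    product = risk.likelihood * risk.impact
    if product >= 15:
        return "red"
    if product >= 6:
        return "amber"
    return "green"


def exposure_usd(risk: Risk) -> float:
    """Monetary exposure = annual probability x impact in dollars."""
    return risk.probability * risk.impact_usd


def rank_register(register: list) -> list:
    """Return (name, composite score, zone, exposure) rows, worst first;
    ties on the composite score are broken by monetary exposure."""
    rows = [(r.name, weighted_score(r), matrix_zone(r), exposure_usd(r)) for r in register]
    return sorted(rows, key=lambda row: (-row[1], -row[3]))


# Constructed sample register (illustrative values only).
SAMPLE_REGISTER = [
    Risk("Compliance breach: personal data", "DPO", 3, 5, 1_000_000, 0.30),
    Risk("Phishing-led credential theft", "CISO", 4, 3, 250_000, 0.60),
    Risk("Unpatched web server", "IT Ops", 5, 4, 400_000, 0.50),
    Risk("Manual entry error in tax filing", "Finance", 2, 2, 50_000, 0.20),
]

if __name__ == "__main__":
    for name, score, zone, exposure in rank_register(SAMPLE_REGISTER):
        print(f"{score:4.1f}  {zone:5s}  ${exposure:>10,.0f}  {name}")
```

Note that the composite score and the monetary exposure can disagree: the personal‑data breach has the largest exposure ($300 k, the same figure the Risk Exposure entry uses) but ranks second on the weighted scale, which is exactly the oversimplification the Heat Map entry warns about, and why the register should carry both numbers.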
Audit Findings – Specific observations identified during an audit that in… #
Related terms: non‑conformity, observation. Example: discovering that access logs are not retained for the mandated 12‑month period. Practical application: drives corrective action plans. Challenges: ensuring findings are actionable and not overly generic.
Audit Trail – A chronological record that documents the sequence of activ… #
Related terms: log file, record of evidence. Example: a system log showing who modified user permissions and when. Practical application: provides evidence for compliance verification. Challenges: log volume, retention policies, and ensuring integrity (forwarding logs to write‑once or append‑only storage so entries cannot be altered after the fact).
Baseline Assessment – An initial evaluation of an organization’s current… #
Related terms: gap analysis, initial audit. Example: measuring current controls against ISO 27001 before a certification effort. Practical application: establishes a reference point for future improvement. Challenges: scope creep and resource intensity.
Control Activity – A specific policy, procedure, or mechanism that mitiga… #
Related terms: control, preventive measure. Example: requiring dual‑approval for high‑value purchases. Practical application: directly addresses identified risk gaps. Challenges: over‑design leading to inefficiency and under‑design causing exposure.
Control Environment – The set of standards, structures, and attitudes tha… #
Related terms: tone at the top, governance. Example: leadership emphasizing ethical behaviour and compliance. Practical application: shapes how controls are perceived and enforced. Challenges: cultural inertia and inconsistent messaging.
Control Monitoring – The ongoing activities that assess whether controls… #
Related terms: continuous monitoring, control testing. Example: quarterly testing of password policy enforcement. Practical application: detects control failures early. Challenges: resource constraints and balancing automation with manual review.
Control Testing – The execution of procedures to evaluate the design and… #
Related terms: substantive testing, audit test. Example: sampling transactions to verify that segregation of duties is enforced. Practical application: provides evidence for audit conclusions. Challenges: sampling risk and test scope definition.
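The Segregation of Duties entry (separate personnel for invoice approval and payment execution) and the Control Testing example (sampling transactions to verify it) fit together as one test of design and operating effectiveness. The following is an added example, not the course's or any ERP vendor's code: it checks the role assignments for users who hold both conflicting roles (a design deficiency) and the transactions for cases where one person both approved and paid (an operating failure), with a reproducible sample for the audit workpapers. The record layout, users and transactions are constructed for illustration.

```python
"""Control test for segregation of duties over constructed payment data.
Added example; the record layout and role names are assumptions."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Payment:
    invoice_id: str
    amount: float
    approved_by: str
    paid_by: str


# Constructed role assignments (user -> roles) and transactions.
ROLE_ASSIGNMENTS = {
    "alice": {"invoice_approver"},
    "bob": {"payment_executor"},
    "carol": {"invoice_approver", "payment_executor"},  # toxic combination
    "dave": {"payment_executor"},
}
PAYMENTS = [
    Payment("INV-1001", 12_500.00, "alice", "bob"),
    Payment("INV-1002", 980.00, "alice", "dave"),
    Payment("INV-1003", 47_000.00, "carol", "carol"),  # same person approved and paid
    Payment("INV-1004", 3_200.00, "alice", "bob"),
    Payment("INV-1005", 150_000.00, "carol", "bob"),
]
# Role pairs that must never be held by one person (assumed conflict matrix).
CONFLICTING_ROLES = {("invoice_approver", "payment_executor")}


def toxic_role_holders(assignments):
    """Design test: users granted both halves of a conflicting role pair."""
    return sorted(user for user, roles in assignments.items()
                  if any(a in roles and b in roles for a, b in CONFLICTING_ROLES))


def sod_violations(payments):
    """Operating test: transactions approved and paid by the same person."""
    return [p for p in payments if p.approved_by == p.paid_by]


def sample_transactions(payments, sample_size, seed=1):
    """Random sample without replacement. The seed is fixed so the sample can be
    reproduced; a real engagement records the seed and population in the workpapers."""
    rng = random.Random(seed)
    return rng.sample(payments, min(sample_size, len(payments)))


def control_test(payments, assignments, sample_size=None):
    """Run both tests; whole population unless a sample size is given.
    The control is reported effective only if neither test finds anything."""
    population = payments if sample_size is None else sample_transactions(payments, sample_size)
    violations = sod_violations(population)
    toxic = toxic_role_holders(assignments)
    return {
        "tested": len(population),
        "violations": [p.invoice_id for p in violations],
        "toxic_users": toxic,
        "effective": not violations and not toxic,
    }


if __name__ == "__main__":
    print(control_test(PAYMENTS, ROLE_ASSIGNMENTS))
```

The design test matters as much as the transaction test: a sample can miss the one self‑approved invoice (sampling risk, as the Challenges note says), but a user holding both roles is visible from the access list regardless of which transactions were drawn.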
Compliance Gap – A shortfall where an organization’s practices do not mee… #
Related terms: non‑compliance, deficiency. Example: lacking documented procedures for data‑subject access requests under GDPR. Practical application: highlights remediation priorities. Challenges: identifying hidden gaps and aligning remediation with business priorities.
Compliance Management System – An integrated collection of policies, proc… #
Related terms: CMS, regulatory framework. Example: a software platform that tracks policy updates, training, and audit schedules. Practical application: centralises compliance activities and reduces duplication. Challenges: system integration and keeping content current.
Control Owner – The individual responsible for the design, implementation… #
Related terms: risk owner, accountability. Example: the IT security manager who owns the firewall configuration control. Practical application: clarifies responsibility for control performance. Challenges: role overload and unclear delegation.
Control Self‑Assessment Score – The numerical or qualitative result that… #
Related terms: CSA rating, assessment outcome. Example: a score of “4 out of 5” indicating strong control performance. Practical application: feeds into risk rating calculations. Challenges: consistency across departments and avoiding inflated scores.
Control Weakness – A shortfall in a control that reduces its ability to m… #
Related terms: control deficiency, control gap. Example: a password policy that allows reuse across systems. Practical application: directs remediation focus. Challenges: distinguishing minor inefficiencies from critical failures.
Critical Success Factor – An element that is essential for an organizatio… #
Related terms: CSF, key driver. Example: achieving 100 % encryption of customer data to meet privacy regulations. Practical application: aligns risk treatment with strategic priorities. Challenges: identifying CSFs that are both realistic and measurable.
Data Classification – The process of categorising data based on its sensi… #
Related terms: information classification, data handling. Example: labeling personal health information as “confidential” and applying strict access controls. Practical application: guides appropriate protection measures. Challenges: consistent application across the enterprise and evolving classification needs.
Data Retention Policy – A set of rules that define how long different typ… #
Related terms: record retention, archiving policy. Example: retaining financial transaction logs for seven years to satisfy tax regulations. Practical application: ensures compliance with legal mandates and reduces storage risk. Challenges: balancing business needs with regulatory timelines and managing deletions securely.
Data Subject Access Request – A request by an individual to obtain, corre… #
Related terms: DSAR, right to be forgotten. Example: a customer asks for a copy of all data the company holds about them under GDPR. Practical application: triggers verification and response processes. Challenges: meeting response timelines and verifying identity without breaching privacy.
Decision‑Tree Analysis – A graphical method for evaluating the possible o… #
Related terms: risk modelling, cost‑benefit analysis. Example: comparing the cost of implementing encryption versus purchasing cyber‑insurance. Practical application: supports rational selection of mitigation measures. Challenges: complexity in modelling multiple branches and uncertainties.
Detectability – The likelihood that a risk event will be discovered befor… #
Related terms: monitoring capability, early warning. Example: high detectability for unauthorized access because access logs are centralised and alerted on, rather than merely collected. Practical application: influences risk scoring and control design. Challenges: hidden threats and limited monitoring coverage.
Enterprise Architecture – The comprehensive blueprint of an organization’… #
Related terms: EA, IT roadmap. Example: mapping data flows to identify where personal data traverses multiple systems. Practical application: aids in locating risk exposure points. Challenges: keeping the architecture up‑to‑date and integrating legacy systems.
External Audit – An independent examination performed by a third‑party au… #
Related terms: independent audit, certification audit. Example: a SOC 2 audit of a cloud service provider. Practical application: provides assurance to regulators and customers. Challenges: coordination, scope definition, and audit fatigue.
Financial Risk – The possibility of monetary loss arising from market flu… #
Related terms: market risk, credit risk. Example: exposure to fines for non‑compliant anti‑money‑laundering reporting. Practical application: informs budgeting for remediation. Challenges: quantifying regulatory fines and indirect costs.
Forensic Investigation – A systematic approach to collect, preserve, and… #
Related terms: digital forensics, e‑discovery. Example: analysing log files to determine the source of a data breach. Practical application: supports root‑cause analysis and legal response. Challenges: maintaining chain of custody and avoiding evidence contamination.
Gap Analysis – A comparison between current state and desired compliance… #
Related terms: baseline assessment, compliance gap. Example: assessing current password policies against NIST SP 800‑63B recommendations. Practical application: creates a remediation roadmap. Challenges: scope creep and incomplete data collection.
Governance Framework – The structure of policies, roles, responsibilities… #
Related terms: board charter, policy hierarchy. Example: a corporate governance charter that outlines audit committee responsibilities. Practical application: aligns risk and compliance activities with corporate objectives. Challenges: ensuring cross‑functional adherence and avoiding duplication.
Incident Severity Level – A classification that indicates the seriousness… #
Related terms: incident classification, response tier. Example: a “critical” level incident for a widespread ransomware attack. Practical application: determines escalation paths and resource allocation. Challenges: consistent categorisation and avoiding under‑estimation.
Internal Audit – An independent, objective assurance function that evalua… #
Related terms: audit department, risk assurance. Example: conducting a quarterly audit of vendor risk management practices. Practical application: identifies control weaknesses and recommends improvements. Challenges: maintaining objectivity and managing audit scope.
ISO 27001 – An international standard that specifies requirements for est… #
Related terms: ISMS, security standard. Example: achieving ISO 27001 certification to demonstrate an independently audited information security management system. Practical application: provides a structured framework for risk treatment. Challenges: resource intensity and aligning with other regulatory frameworks.
Key Control – A control that is critical to achieving compliance objectiv… #
Related terms: critical control, core control. Example: the change‑management approval process for production systems. Practical application: focuses audit attention on high‑impact controls. Challenges: identifying truly key controls and avoiding over‑reliance on a few.
Legal Risk – The possibility of loss arising from violations of laws, reg… #
Related terms: regulatory risk, compliance risk. Example: exposure to penalties for failing to file mandatory financial disclosures. Practical application: drives compliance programs and mitigation planning. Challenges: rapidly changing legal landscape and cross‑jurisdictional complexities.
Loss Expectancy – The anticipated monetary loss from a risk event, calcul… #
Related terms: expected loss, risk exposure. Example: a 0.05 probability of a $2 million fine yields a $100 k loss expectancy. Practical application: informs cost‑benefit analysis of controls. Challenges: accurate estimation of both probability and impact.
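The Loss Expectancy figure above (0.05 × $2 million = $100 k) is a single‑event point estimate; the Quantitative Risk Assessment entry's Monte Carlo approach instead simulates how many incidents occur in a year and how much each costs, which also yields tail figures such as a 95th‑percentile annual loss that a point estimate cannot give. The following is an added example of both, not code from the course page. The incident rate, the lognormal loss distribution and its parameters are assumed inputs standing in for the "historical incident rates" the text mentions.

```python
"""Single-event loss expectancy and a Monte Carlo estimate of annual loss.
Added example; the frequency and severity parameters are assumptions."""
import math
import random


def loss_expectancy(probability: float, impact: float) -> float:
    """Point estimate: probability of the event x monetary impact."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * impact


def _poisson(rng: random.Random, rate: float) -> int:
    """Sample the number of incidents in one year (Knuth's method, fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(rate_per_year: float, median_loss: float, sigma: float,
                         trials: int = 20_000, seed: int = 7) -> dict:
    """Compound model: incidents per year ~ Poisson(rate); loss per incident ~
    lognormal with the given median and log-scale sigma. Returns the simulated
    mean and 95th percentile of annual loss, plus the closed-form mean
    (rate x mean severity) so the simulation can be sanity-checked."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mu = math.log(median_loss)
    totals = []
    for _ in range(trials):
        incidents = _poisson(rng, rate_per_year)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    totals.sort()
    return {
        "mean": sum(totals) / trials,
        "p95": totals[int(0.95 * trials) - 1],
        "analytic_mean": rate_per_year * math.exp(mu + sigma ** 2 / 2),
    }


if __name__ == "__main__":
    print(f"single-event loss expectancy: ${loss_expectancy(0.05, 2_000_000):,.0f}")
    # Assumed history: about two phishing incidents a year, median cost $25k,
    # with a right-skewed spread (sigma 0.5).
    r = simulate_annual_loss(rate_per_year=2.0, median_loss=25_000, sigma=0.5)
    print(f"expected annual loss: ${r['mean']:,.0f} (closed form ${r['analytic_mean']:,.0f}), "
          f"95th percentile ${r['p95']:,.0f}")
```

The closed‑form mean is what a spreadsheet would give; the simulated 95th percentile is the number that actually supports the cost‑benefit question the text raises, because a control whose annual cost is below the expected loss may still be worth buying only if it trims the tail. The Challenges noted for quantitative assessment apply directly: the result is only as good as the rate and severity assumptions, which is why the function returns them alongside the estimate.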
Management Review – A periodic evaluation by senior leadership of the eff… #
Related terms: board review, performance assessment. Example: an annual review of the risk register and mitigation progress. Practical application: ensures alignment with strategic objectives. Challenges: obtaining timely, accurate data and executive engagement.
Mitigation Cost – The total expense associated with implementing, operati… #
Related terms: cost of control, budget allocation. Example: the annual licensing cost for endpoint detection and response software. Practical application: supports financial justification of controls. Challenges: hidden ongoing costs and measuring ROI.
Monitoring Frequency – The interval at which a particular control or risk… #
Related terms: review cadence, audit cycle. Example: monthly monitoring of privileged‑access logs. Practical application: balances risk exposure with resource availability. Challenges: setting appropriate frequencies without causing fatigue.
Operational Resilience – The ability of an organization to continue deliv… #
Related terms: business continuity, disaster recovery. Example: maintaining transaction processing during a ransomware attack by failing over to isolated backup systems that the attacker could not reach (backups on the same network are typically encrypted along with production). Practical application: mitigates impact and protects regulatory standing. Challenges: integrating resilience planning with compliance requirements.
Policy Management – The processes for creating, approving, distributing,… #
Related terms: policy lifecycle, document control. Example: a policy management system that notifies employees of updates to the data‑privacy policy. Practical application: ensures consistent policy adherence. Challenges: version control and user awareness.
Process Risk – The risk that a business process will fail to achieve its… #
Related terms: operational risk, control gap. Example: inaccurate data entry in a tax‑reporting workflow leading to filing errors. Practical application: drives process redesign and control strengthening. Challenges: mapping complex end‑to‑end processes and quantifying impact.
Regulatory Change Management – The systematic approach to tracking, asses… #
Related terms: compliance monitoring, change impact analysis. Example: updating privacy procedures in response to a new data‑protection law. Practical application: ensures timely adaptation to legal requirements. Challenges: volume of changes and cross‑functional coordination.
Remediation Plan – A detailed roadmap that outlines actions, responsibili… #
Related terms: corrective action, mitigation plan. Example: a 90‑day plan to implement multi‑factor authentication across all user accounts. Practical application: provides clear guidance for closing deficiencies. Challenges: resource constraints and tracking progress.
Risk Appetite Statement – A formal declaration that articulates the level… #
Related terms: risk tolerance, risk policy. Example: “We will accept low‑impact privacy risks that do not affect core services.” Practical application: informs decision‑making at all levels. Challenges: translating high‑level language into actionable thresholds.
Risk Assessment Methodology – The documented approach that defines how ri… #
Related terms: assessment framework, risk process. Example: using a 5‑point scale for likelihood and impact combined with weighted scoring. Practical application: ensures consistency across assessments. Challenges: keeping methodology current with emerging threats.
Risk Register Review – The periodic examination of the risk register to v… #
Related terms: risk governance, risk update. Example: quarterly review meetings to close resolved risks and add new ones. Practical application: maintains relevance of risk data. Challenges: ensuring participation and preventing stale entries.
Risk Transfer – The allocation of risk exposure to another party, typical… #
Related terms: risk sharing, insurance. Example: purchasing cyber‑insurance to cover breach‑related costs. Practical application: reduces financial impact while retaining some responsibility. Challenges: policy limits, exclusions, and reliance on third‑party performance.
Risk‑Based Auditing – An audit approach that focuses resources on areas #