GRC Glossary
Gain insight into some of the essential foundational concepts necessary to navigate the GRC landscape effectively and understand RISMA’s governance, risk, and compliance approach.
ABC stands for Anti-Bribery and Corruption. The term refers to the policies, procedures, and measures an organization implements to prevent, detect, and address bribery and corrupt practices. These efforts may be grounded in international and national legislations to promote ethical business practices and ensure that organizations operate with integrity.
AML stands for Anti-Money Laundering. It describes the process of preventing, identifying, and reporting suspicious financial transactions that may indicate money laundering activities. These efforts are rooted in various legislations—both international and national—aimed at preventing criminals from exploiting the financial system to launder money and finance terrorism.
Annex A is an integral part of the ISO 27001 standard, listing a series of classified security controls that organizations must use to demonstrate compliance with the standard. Annex A contains 93 controls divided into four categories:
-
Organizational
-
People
-
Physical
-
Technological
Based on these controls, the Statement of Applicability (SoA) is created, detailing how each control is implemented, adjusted, or excluded. Annex A and the SoA are, therefore, closely connected.
Article 15 is part of the EU's General Data Protection Regulation (GDPR) and focuses on the data subject's right of access to their personal data. The right of access allows the data subject to request and review the personal data an organization processes about them, as well as obtain information about the data processing activities. The purpose of Article 15 is to promote transparency in data processing and ensure greater control for the data subject.
Article 20 is part of the EU's General Data Protection Regulation (GDPR) and concerns the data subject's right to data portability. This right allows the data subject to receive a copy of the personal data they have provided to the organization. The data must be delivered in a commonly used and machine-readable format.
Additionally, Article 20 enables the data subject to request that the data be transferred directly to another data controller without obstruction, provided it is technically feasible.
Article 30 is part of the EU's General Data Protection Regulation (GDPR) and aligns with the regulation's emphasis on accountability. The article establishes the requirement for data controllers to maintain a record of their organization's processing activities. Similarly, data processors must maintain a record of the processing activities they perform on behalf of a data controller.
Article 32 is part of the EU's General Data Protection Regulation (GDPR) and focuses on the security of personal data processing for data controllers and processors. It requires organizations to implement technical and organizational security measures appropriate to the risks associated with data processing.
The article also specifies that personal data must only be processed by authorized personnel acting under the instructions of the data controller or data processor or in accordance with national or EU legislation. The goal is to ensure a high level of security and protection for personal data.
CIS18, also known as the Center for Internet Security’s 18 Controls, is a framework of specific security controls developed to enhance cybersecurity in organizations worldwide. The controls provides detailed guidance on identifying, prioritizing, and implementing security measures to protect organizational data and systems.
Compliance refers to complying with the applicable laws, standards, and requirements that govern an organization – such as industry-specific standards, the GDPR, and ethical norms.
The goal of compliance is to ensure that an organization avoids breaches of these rules, thereby upholding high-quality standards, building stakeholder trust, and enhancing transparency in its operations. Compliance is an ongoing process that demands continuous vigilance and adaptation to new regulations or changing business conditions.
Contract management is the comprehensive process of managing an organization's contracts from inception to completion. This process involves drafting contracts, negotiating terms, fulfilling contractual obligations, renegotiating agreements when necessary, and formally closing legally binding documents. The objective is to streamline contract administration and enhance value creation by ensuring that contracts align with the organization's overall business strategy and goals.
CSDDD stands for Corporate Sustainability Due Diligence Directive. It is an EU directive that imposes obligations on organizations to perform due diligence on environmental and human rights issues.
In practice, this means that organizations subject to the directive must implement due diligence processes related to their activities and value chains to identify, prevent, and mitigate negative impacts on human rights and the environment. The directive aims to ensure that certain companies are held accountable for their societal and environmental impacts through binding legal obligations rather than mere recommendations.
CSR, which stands for Corporate Social Responsibility, describes an organization's efforts to integrate social and environmental considerations into its daily operations. Through a well-defined CSR strategy, an organization sets goals and implements initiatives that positively contribute to society and the environment. This approach is crucial for achieving sustainability goals and plays a vital role in enhancing the company's reputation and long-term success.
CSRD stands for Corporate Sustainability Reporting Directive, and it is an EU directive that establishes a range of requirements for companies’ sustainability reporting. The aim of the directive is to standardize reporting processes and enhance transparency in sustainability across Europe, making it easier for investors, suppliers, and customers to understand and evaluate an organization's sustainability efforts.
Data ethics focuses on the responsible and careful collection, processing, and use of data. In addition to ensuring compliance with the law, data ethics entails a deep respect for individuals’ data, recognizing its value and safeguarding its protection. This principle should not merely be viewed as a legal obligation but should be embedded as a core value within the company’s culture from management to every employee.
Data minimization is a principle of GDPR that emphasizes that personal data should only be collected and processed when necessary for a clearly defined purpose. According to GDPR Article 5(1)(c), data must be relevant and limited to what is necessary in relation to the purpose, and organizations must avoid collecting unnecessary information.
LEARN ABOUT DATA DATA MINIMIZATION →
Data governance is a strategic and operational discipline aimed at controlling and managing an organization’s data resources. The primary purpose of data governance is to maximize the value of data and ensure that data is used both effectively and responsibly. It includes the overall control of availability, usability, integrity and security of the data used in an organization.
A retention policy outlines guidelines and procedures for handling personal data from collection to deletion. It should specify deletion timelines, methods, and confirmation processes. By using deletion policies and procedures, you ensure that you do not inadvertently store data that should have been deleted.
DORA, Digital Operational Resilience Act, is an EU regulation aimed at strengthening the digital operational resilience of the financial sector and providers of information and communication technology (ICT services). The regulation focuses on safeguarding the financial sector’s critical infrastructure by mandating supplier management and regular threat-based assessments, thereby ensuring enhanced protection of information systems.
The concept of 'double materiality' embodies the idea that organizations not only impact the environment and society (Impact Materiality), but also that sustainability risks can financially affect the organization (financial materiality).
The Corporate Sustainability Reporting Directive (CSRD) requires companies to integrate the double materiality principle into their reporting to provide transparent and reliable insight into how their activities impact the environment and society, as well as the sustainability risks they face.
DPIA stands for Data Protection Impact Assessment, a mandatory process under the EU’s General Data Protection Regulation (GDPR). It is a process that helps organizations identify and mitigate data protection risks that may affect an individual's privacy.
DPO stands for Data Protection Officer. The DPO's role is to advise and monitor the data controller's compliance with the General Data Protection Regulation. While all public authorities are required to appoint a DPO, private companies are only obligated to do so if they meet specific conditions related to the processing of personal data.
EBA, or the European Banking Authority, is an EU authority responsible for ensuring consistent regulation and supervision of the banking sector across EU member states. Its objective is to promote financial stability and efficiency.
EIOPA, or the European Insurance and Occupational Pensions Authority, is an EU authority whose mission is to protect the public interesst by contributing to the stability and effectiveness of the financial system for the EU’s economy, citizens, and businesses. This is achieved through regulation and supervisory practices.
ESG, which stands for Environmental, Social, and Governance, represents an approach where organizations assess and improve their sustainability efforts across these three key areas. This method is used, among other things, in relation to the CSRD, enabling organizations to quantify and communicate their sustainable contributions and impact within the areas of environment, social responsibility, and good corporate governance.
An ESG report provides a detailed and transparent overview of an organization’s performance across environmental, social, and governance aspects. It enables comparison and assessment of sustainability initiatives across companies and sectors. Through the report, the organization’s core values, culture, and sustainability strategy are showcased, offering stakeholders insight into how ESG-related risks and opportunities are managed.
ESRS, or European Sustainability Reporting Standards, developed by EFRAG, sets the framework for how companies must report on their sustainability efforts. The standards include 12 topics covering environmental, social, and governance areas, and require companies to disclose their strategy, targets, and value chains in relation to cross-cutting matters, as well as define materiality.
Overall, the 12 ESRSs cover the following:
-
General principles for sustainability reporting
-
General disclosure requirements
-
Specific disclosure requirements focusing on 10 ESG topics
The EU Green Deal is a set of initiatives aimed at enabling a 55% reduction in current CO2 emissions by 2030 (compared to 1990) and achieving climate neutrality. The European Green Deal aims to increase resource efficiency by moving to a clean, circular economy, halting climate change, reversing biodiversity loss, and reducing pollution.
The EU taxonomy is part of the EU’s climate strategy aimed at achieving climate neutrality by 2050. It introduces a unified classification system that defines which economic activities are considered environmentally sustainable. This creates a standardized approach to defining sustainability, making it easier for companies to demonstrate and communicate their sustainability efforts.
Financial controls are safeguards established to ensure effective, robust, and reliable financial reporting while mitigating the risk of material errors. They are relevant for both large and small businesses, and there are several reasons to maintain a strong control environment and practical tools in this area.
Financial Materiality refers to the aspects of an organization’s activities that have a significant impact on its financial performance. This can include a wide range of factors, from operational and legal risks to environmental and social consequences.
GDPR stands for General Data Protection Regulation. GDPR strengthens individuals’ rights over their personal data and places responsibility on organizations to ensure secure data processing and protection. Organizations are required to meet specific data protection obligations and demonstrate compliance by documenting that their internal procedures and policies align with GDPR requirements.
Governance, also known as corporate governance, refers to the rules, structures, processes, and guidelines that form the foundation of how a company is operated and managed. It includes principles related to ethics, risk management, compliance, and effective administration, with the aim of ensuring responsible decision-making, accountability, and transparency throughout the organization.
GRC stands for Governance, Risk, and Compliance, representing a holistic approach to managing and aligning governance, risk management, and regulatory compliance within an organization. It involves setting objectives, defining strategy, and making decisions (governance), assessing potential risks (risk), and ensuring adherence to laws and regulations (compliance) — all to safeguard organizational integrity and promote efficient operations.
GRC maturity (Governance, Risk, and Compliance maturity) refers to an organization's ability to effectively manage and integrate governance, risk management, and compliance into its processes. It concerns how well an organization has developed its methods and systems to ensure that these areas are structured, consistent, and aligned with relevant regulations and guidelines.
Impact Materiality is a key component of the broader ESG approach, focusing on how an organization’s activities impact various external factors, such as climate change, human rights, labor rights, corruption, and other related issues. It emphasizes the organization’s responsibility to assess and report on its social and environmental impact, in addition to its financial performance.
Incident management is a critical process that involves a structured approach to identifying, reporting, assessing, handling, and learning from incidents within an organization. This process involves establishing clear guidelines and policies to ensure a swift and effective response, aiming to minimize damage and downtime while enhancing overall security measures.
An ISAE 3000 report is an auditor’s statement that documents an organization’s implementation of the necessary procedures and controls to comply with data protection regulations and their security requirements.
ISAE 3402 is an international standard used for auditing an organization’s IT controls. The report serves as evidence that the organization complies with all applicable legal requirements related to IT security and demonstrates good IT practices.
ISMS, or Information Security Management System, is a structured approach to managing information security that integrates processes, technology, and personnel to protect an organization’s information through effective risk management.
ISO 27001 is commonly used as a foundation for information security efforts. While the standard does not prescribe specific security measures, it provides a framework of best practices to safeguard data both internally and externally.
ISO 27001 is an international standard that forms the foundation for an effective information security management system. The standard focuses on best practices and guidelines for managing information security both internally and externally.
The purpose of ISO 27001 is to protect the confidentiality, integrity, and availability of an organization’s information.
ISO 27701 – the privacy protection standard – is an extension of ISO 27001. It introduces specific workflows and measures that enhance privacy protection within an organization. Focusing on aspects such as data classification, access control, risk assessment, and incident management, ISO 27701 serves as a practical tool to support compliance with GDPR.
ISO standards are international benchmarks that provide organizations with a practical framework across various areas, including finance, social responsibility, and the environment. Implementing an ISO standard within an organization means standardizing processes and procedures, ensuring consistency and quality in task execution.
LIA stands for Legitimate Interests Assessment. An LIA is conducted to document the balancing test that an organization is required to perform when it intends to process personal data based on the legitimate interests legal basis.
NFRD stands for the Non-Financial Reporting Directive. It was an EU directive requiring large EU companies with more than 500 employees, including publicly listed companies, insurance firms, and banks, to disclose non-financial and diversity information related to ESG (environmental, social responsibility, and corporate governance).
NFRD has since been replaced by the CSRD (Corporate Sustainability Reporting Directive), which revises and strengthens the current requirements for corporate sustainability reporting.
NIS2 is an updated version of the original NIS Directive (also known as the Network and Information Security Directive). Focused on enhancing cybersecurity and protecting critical infrastructures and services, NIS2 broadens its scope to include a wider range of sectors and companies.
NIS2 requires both public authorities and private companies to implement technical, operational, and organizational security measures to manage the risks threatening their information systems and networks effectively.
NSIS stands for National Standard for Identity Assurance Levels. NSIS is the Danish implementation of the European eIDAS Regulation, designed to ensure that EU citizens can access public systems across member states. NSIS plays a crucial role in identity solutions such as MitID, MitID Erhverv, and NemLog-in, as well as various decentralized solutions.
OHS, or Occupational Health and Safety, refers to the practices and policies that aim to ensure a safe and healthy work environment for employees by preventing work-related injuries and illnesses.
Policy management is the process of creating, maintaining, and ensuring compliance with policies within an organisation. The purpose of policy management is to ensure that the organisation's actions align with its values, goals, legal requirements, and industry standards.
QMS, or Quality Management System, is a structured framework of procedures and processes designed to enhance the efficiency and quality of an organization’s products, services, and operations.
A risk assessment is a process through which organizations identify, analyze, and evaluate risks associated with their operations or a specific activity. The purpose of assessing these risks is to understand the likelihood of undesirable events occurring and to determine the potential consequences if the organization is unable to prevent them.
Risk management is the process of identifying risks, assessing their potential impact, and determining the most effective way to address them within an organization. It equips the organization with strategies to balance risk-taking with risk mitigation, with the overall goal of preventing or minimizing potential events that could reduce revenue, lead to insolvency, or damage the organization’s reputation.
SFDR stands for Sustainable Finance Disclosure Regulation and is an EU regulation that provides specific guidelines regarding the disclosure obligations of financial market participants and financial advisors in relation to the integration of environmental, social, and governance (ESG) factors.
The disclosure requirements are designed to help investors understand how financial institutions approach sustainability, ensuring a stronger basis for informed decision-making before investing.
The EU’s Sustainable Finance Package (SFP) is a set of measures designed to support sustainable financing and investment in Europe. The SFP is an integral part of the EU’s strategy to achieve its climate goals. It should be seen as a step toward transforming the financial sector into a key driver of growth in the sustainable economy within the EU.
SoA stands for “Statement of Applicability” and is an integral and essential part of the ISO 27001 standard for information security. The SoA document is a mandatory list of the control measures specified in the standard. It serves as the link between risk assessment and risk treatment by documenting the organization's current level of information security, as well as the controls that have been selected or excluded during the process.
Supply Chain Management involves evaluating, managing, and monitoring an organization’s relationships with external suppliers to ensure their products and services meet established quality and safety standards. This process includes everything from initial due diligence and supplier selection to ongoing evaluation and risk management of the business relationships.
TIA stands for "Transfer Impact Assessment". In practice, it is an assessment that must be carried out by the parties involved in transferring personal data from a country within the EU/EEA to a country outside the EU/EEA. The parties are referred to as the data importer and the data exporter.
Third-party risk Management (TPRM) is an integral part of an organization's overall risk management strategy and contributes to supply chain security. This process focuses on identifying, assessing, and managing the risks associated with entering into business relationships with third parties such as suppliers, distributors, subcontractors, service providers, and partners.
VSME, or Voluntary Reporting Standards for SMEs, is a voluntary sustainability reporting standard specifically designed for small and medium-sized enterprises. EFRAG developed it to help smaller companies document sustainability efforts, improve ESG performance, and adapt to future ESG regulations. VSME provides a structured approach for reporting on ESG initiatives, while remaining flexible enough to accommodate the diverse business models and capabilities of SMEs.
The Transparency Act or Åpenhetsloven is a Norwegian law that gives consumers the right to request documentation showing that human rights and working conditions for all workers in the production chain are respected and upheld. This law obligates companies to account for the conditions underlying the production of the goods purchased by consumers.