A dictionary of terms and their definitions and the common interpretation of acronyms used by the risk and security systems developer, tech writer, manager, etc. especially useful for understanding ads for Risk and Security Managers in control of systems in the Australian government, business and industrial environments.
absolute standard = an object that, under specified conditions, defines, represents or records the level or magnitude of a unit. Usually expressed as a measuring device, a definition or an equation. An example of an absolute standard is the "boiling point" of water: scientifically, this is the point at which water is converted to steam under the local temperature conditions, and physically it is an absolute moment. The standard boiling point of water is 100 degrees C or 240 degrees F. The actual boiling point of water can never be accurately predicted, because local conditions determine exactly what temperature the conversion takes place at. Nevertheless, this standard is used in scientific work every day. See also standards, comparative standard, normative standard, international standards
accept (retain) = after risks have been reduced or transferred, there may be residual risks that are accepted or retained, meaning to do nothing and "accept the risk"
acceptable risk = the risk is at a level at which it is decided that should the event occur the consequences can be absorbed into current operation and no treatment is considered possible, useful or necessary
acceptance = 1. to receive officially and consent to pay, as by a signed agreement
acceptance = 2. approve progress of a software system or component to the next process or phase
acceptance = 3. take into use
acceptance criteria = a set of standards, rules, or tests on which an acceptance judgement or decision can be based
acceptance testing = formal testing conducted by users to determine whether or not a system contains the agreed functionality and satisfies their acceptance criteria. As a result of this testing, the owner can decide whether or not to accept the system as presented
accident = an unexpected, undesirable event: car accidents on icy roads. An external event risk. See also casualty
achievement / plan ratio = the actual result achieved at a particular moment in the plan compared to the planned result, expressed as a percentage or a fraction
ACSI 33 = Australian Communications Security Instructions 33
ACSI 33 SECURITY-IN-CONFIDENCE version = contains the security policies and guidance for all classifications
ACSI 33 UNCLASSIFIED version = contains only policies and guidelines for PUBLIC DOMAIN, UNCLASSIFIED, IN-CONFIDENCE, RESTRICTED, and PROTECTED
activity = a specified pursuit assigned to a person in a procedure. The lowest level in a work breakdown structure
activity diagram = the structure representing different activities performed in a particular business area
actual = measured, verified result
actual risk = a possible risk that has been subjected to risk analysis and for which the risk cannot be eliminated as insignificant
actuary = mathematician/statistician employed by insurance and government to collect and interpret numerical data, provide information on risk management, calculate and evaluate premiums, insurance propositions and proposals, uncertain future events, employee benefits, medical insurance and pension plans, and social welfare programs such as social security and Medicare
agreement = the definition of terms and conditions under which a working relationship will be conducted. See also service level agreement
algorithm = a. a procedure or a set of steps that may be used to solve a problem
algorithm = b. The logical sequence of operations to be performed in the execution of a program
analysis = a systematic investigation of a problem or issue, involving the break up of the problem or issue into smaller units for a more detailed study. See also business analysis, risk analysis,
approved business case = the business case after it has been approved by the relevant financial authority
archiving strategies = the short and long term plans for storing the company's key risk control documents to ensure legal completion, compliance and future availability
arson = the crime of maliciously, voluntarily, and wilfully setting fire to the building, buildings, or other property of another, or of burning one's own property for an improper purpose, such as to collect insurance. A criminal risk
AS 3806:2006 = Compliance programs; See SAI Global
AS 8000:2003 = Corporate governance - Good governance principles; See SAI Global
AS IEC 60812:2008 = Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA); See SAI Global
AS IEC 61025:2008 = Fault tree analysis (FTA); See SAI Global
AS IEC 61882:2003 = Hazard and operability studies (HAZOP studies) - Application guide; See SAI Global
AS/NZS 3931 = Risk analysis of technological systems - Application guide
AS/NZS 4360:2004 = Risk management; See SAI Global, AS/NZS ISO 31000:2009
AS/NZS 4360:SET = Risk Management Set; See SAI Global, AS/NZS ISO 31000:2009
AS/NZS 4801:2001 = Occupational health and safety management systems - Specification with guidance for use; See SAI Global
AS/NZS 4804:2001 = Occupational health and safety management systems - General guidelines on principles, systems and supporting techniques
AS/NZS ISO 9000 = Quality management systems - Fundamentals and vocabulary
AS/NZS ISO 9001:2008 = Quality management systems - Requirements; See SAI Global
AS ISO 10002:2006 = Customer satisfaction - Guidelines for complaints handling in organisations
AS/NZS ISO 14001 = Environmental management systems - Requirements with guidance for use
AS/NZS ISO 14004 = Environmental management systems - General guidelines on principles, systems and supporting techniques
AS/NZS ISO 14050 = Environmental management - Vocabulary
AS/NZS ISO 15489 = Records management
AS/NZS ISO/IEC 17799:2006 =
AS/NZS ISO 19011 = Guidelines for quality and/or environmental management systems auditing; See SAI Global
AS/NZS ISO/IEC 27001:2006 = ; See SAI Global
AS/NZS ISO 31000:2009 = Risk management - Principles and guidelines; See SAI Global
asset management = a line of business under WGOR Method #1, Level 1
ATG = acceptance test group
ATP = acceptance test plan
ATRF = acceptance test results form
ATS = acceptance test scripts
Attorney General's Protective Security Manual =
audit = an independent assessment of products and processes to confirm compliance with requirements, conducted by a trained and authorised person. See Internal audit
audit trail = clerical or automated methods for tracing the transactions that affect the contents of a database
auditability = an IT Risk
Australian Government Protective Security Manual =
authority = power exercised by the Board of Directors or assigned by the Board to another individual or group within the company. Authority usually involves the power to make policy and commit the company. See also levels of authority
availability = an IT Risk
avoid = avoid the risk by deciding not to proceed with the activity likely to generate the risk (where this is practicable)
BA = business analysis
BA = business analyst
BAU = business as usual
BCP (pronounced letter by letter) = business continuity planning
benchmark = an agreed method of measuring achievement of a goal by setting a comparative or normative standard
benchmarking = a process of comparing the measured achievement of an organisation in a specific area with levels obtained by other organisations in that area to identify opportunities for improvement
benefit = gain
benefit = See cost/benefit
Beta Testing = See UAT
BI = business intelligence
BIA (pronounced letter by letter) = See Business Impact Analysis
Board = colloquial expression for Board of Directors
Board of Directors = an official group of directors, elected (usually) at the Annual General Meeting, who represent the shareholders of the company and protect and further their interests. This is the highest authority in the company
board submission = a formal approach in writing to the board to seek approval or endorsement of a proposal or action
BOD = Board of Directors
bombing = a colloquial expression for wilfully and maliciously detonating an explosive device for the purpose of causing damage or loss of life. A criminal risk
bribe = something, such as gifts, money or a favour, offered or given to a person in a position of trust to influence that person's views or conduct
bribery = the act or practice of offering, giving, or taking a bribe. A criminal risk
BRP = business recovery plan
BRS = business requirements statement
budget = a periodic, planned program of probable expenditure
budget submission = a submission to the budget approving authority to include an item or items in an already approved budget
business analysis = a systematic investigation of a business area, its business rules, functions, work flows, requirements and data. It can be carried out by IT professionals and/or by business analysts from the business area
business case = a formal proposal to provide a solution to a business need, submitted by the user to seek approval for the provision of funding. IT is not the only provider of a business case, and the need may not always seek or require an IT solution. A business case is always preceded by a project concept document
business disruption = to throw a business, a line of business or a business sector into confusion or disorder. An external event risk
business impact analysis = look at a strategic plan to see what impact it is likely to have on the company as a whole or if there are other changes implied from the execution of the strategic plan that may impact on the decision
business need = See business requirement
business plan = See business case
business requirement = a need the business must satisfy to continue to operate normally or to effect planned improvements. They are not necessarily technical in nature and may not always be computer or IT oriented
business requirements statement = a document that records the needs of the business for project outcomes. These must be expressed in business terms and not as a list of technical requirements
business resumption plan = See disaster recovery plan
business risk = a colloquial name for any risk that could affect the business decision in hand
capacity = the ability to receive, hold, or absorb. A measure of this ability; volume. The maximum amount that can be contained: a trunk filled to capacity. An IT Risk
casualty = an accident related to or resulting from malicious or wilful acts of harm. A criminal risk. See also Accident
catastrophic = a qualitative descriptor implying such things as huge financial loss, serious reputation loss, death, etc
category = See Risk Category
cause = originate, bring into being, create, make, or produce. Having identified a list of events, it is necessary to consider possible causes and scenarios including checklists, judgements based on experience and records, flow charts, brainstorming, systems analysis, scenario analysis and systems engineering techniques depending on the nature of the activities under review and the types of risk associated
change control = the systematic proposal, costing, justification, risk assessment, evaluation, approval / disapproval, coordination, and implementation of all proposed changes
change control procedure = the process by which a change is proposed, evaluated, approved or rejected, scheduled, implemented and tracked
change request = an officially recognized form (paper or electronic) by which users can submit their requirements for product modification/enhancement or service provision. The submission of a formal fully documented request, to include details of the change required, justification for the change and endorsed by key stakeholders
change management impact analysis report = a report which analyses proposed changes and identifies key changes such as: changes to policy, process or procedure; changes in product or production characteristics; changes to user access; changes to project objectives, project costs, project performance and likely gaps; changes to management information reporting; and any other impact on risk (credit, market or operational)
changed legal environment = an unplanned event in which the legal environment changes, new laws or new ways of dealing with the law. An external event risk. An example: a new law relating to safety increases the cost of building
changed political environment = an unplanned event in which the political environment changes, new laws or new ways of dealing with the law. An external event risk. An example: a new regime in Afghanistan bans non-Islamic banking
civil disaster = an unplanned event, a catastrophe causing widespread destruction and distress; relating to citizens and their interrelations with one another or with the state. An external event risk
clarity ( tasks and responsibilities) = lack of clarity in defining tasks and responsibilities can lead to confusion, loss of productivity and related losses. An organisation risk
clients with questionable dealings = failure to identify client's history of questionable dealings can lead to an increase in failure rate. A criminal risk
clients with questionable reputation = failure to identify a client's bad reputation can lead to an increase in failure rate. A criminal risk
commercial banking = a line of business under WGOR Method #1, Level 1. Includes: consumer banking; private banking; corporate banking; commercial real estate
comparative standard = an acknowledged measure of (quantitative or qualitative) value used in comparison. Usually expressed as a logical relationship, a set or array of definitions or equations contained within a formal relationship, or a mathematical formula. Measurement can only be comparative, and, when measuring in the real world, standards are very important. For example, pressure under the sea is measured in "atmospheres", that is to say one atmosphere under water is equal to the pressure one would experience from the air standing at sea level. The standard for 1 atmosphere is 10 meters, meaning that, in the sea, for every 10 meters you descend the pressure increases by the same amount as the pressure experienced from the air at sea level. This standard is not an accurate measurement, and in fact there cannot ever be an accurate measurement, as pressure at sea level changes depending on local circumstances. It is nevertheless a useful standard and one which is responsible for saving many lives. See also standards, absolute standard, normative standard, international standards
compliance = to act in accordance with the rules, to follow the rules exactly as stated
compliant = tested against a particular standard
confidence level = an assumption of the VaR model about how confident we are about the results of the normal distribution, such as 99%, meaning that we expect unexpected losses to occur one day in 100
confidentiality = done or communicated in confidence; secret. The company is entrusted with the confidence and personal information of the customer, the unauthorised disclosure of which poses a threat to the customer and to the company's relationship with the customer. An IT Risk
conflict of interest = any relationship which is not, or appears not to be, in the best interests of the company. A conflict of interest could prejudice an individual's ability to carry out his/her duties objectively
conservative risk model = an assumption in the Risk Preview Model. This model assumes a conservative stance, that is to say, the outcome of LIKELIHOOD * CONSEQUENCE is the higher risk factor of the two elements. See also Risk Preview Model
consequence = the outcome of an event or situation expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. See also risk analysis
contingency plan = a set of provisions to ensure that an information system can continue to operate in another (possibly degraded) mode when an event occurs that interrupts or destroys the information processing capabilities
continuity = the ability to maintain continuous service. An IT risk
contract = a binding agreement between two parties, especially enforceable by law, or a similar internal agreement wholly within an organisation. See service level agreement
control = any action taken by management to enhance the likelihood that established objectives and goals will be achieved. The result of planning, organising and directing by management. See also directive control, detective control, internal control, preventive control
control environment = a colloquial expression referring to an array of elements affecting the way business is controlled. It refers to such things as the significance of control within the company, the role of the Board and Management in the control process, awareness of control throughout the company and levels of compliance with control routines. The control environment will be affected by: integrity and ethics; management's philosophy and operating style; organisational structure; assignment of authority and responsibility; HR policies and practices; and competence of personnel. See also directive control, detective control, internal control, preventive control
controllability = an IT Risk
corporate governance = an organisation risk
corrective action = an action taken to eliminate the causes of an existing problem, defect or other undesirable situation in order to prevent recurrence
correlation coefficient = a measure of the interdependence of two random variables that ranges in value from -1 to +1, indicating perfect negative correlation at -1, absence of correlation at zero, and perfect positive correlation at +1
corrupt = to wilfully destroy or subvert the honesty or integrity or moral standing of associated staff members. A criminal risk
covariance = a statistical measure of the joint variation of two random variables that are observed or measured in the same time period. This measure is equal to the product of the deviations of corresponding values of the two variables from their respective means
CP (pronounced letter by letter) = Contingency Planning
CRE = credit risk exposure
credit risk = the speculative risk of borrower default related to the extension of any authorised or unauthorised credit
credit risk capital charge =
credit risk exposure = total outstandings for this product
credit risk model = a model used for defining the response of the company to credit risk
CRF = change request form
criminal risk = under WGOR Method #1, criminal risk includes the following elements: internal fraud / external fraud; money laundering; corruption; theft / robberies; personal safety; terrorism / vandalism; intentional breaching of standards and values. Examples of criminal risk are: theft, embezzlement, misappropriation, forgery; clients with questionable dealings/reputation; bribes (gifts or money); loss of assets; casualties, physical security; hostage taking, kidnapping and extortion; arson, bombing; front running, insider trading, rogue trading, sexual harassment, market manipulation.
critical process = a process that must be performed if a product is to be delivered to its (internal or external) market place
DC 09/30140724 BS ISO 26000 = Guidance on social responsibility; See SAI Global
DC 09/30185799 BS EN ISO 11354-1 = Advanced automation technologies and their applications. Part 1. Framework for enterprise interoperability; See SAI Global
deliverable = any output that has been produced by a project team, that is expected, or promised. Examples of deliverables are: project plan; business case; post implementation review; logical design; database design; implementation plan; test plan and completed software applications. Deliverables are identified in the project management plan. See also project deliverable
dependency = a. a certainty in system design formally derived (i.e. by logic) from assumptions or requirements
dependency = b. An absolutely sequential relationship between events
dependency = See also requirement
development and implementation risk = an IT Risk
development life cycle = See life cycle
disaster = (a) an unplanned event having fatal or ruinous results
disaster = (b) a sudden, accidental event causing massive death, injury, or damage. Examples of common natural causes of disasters include earthquakes, floods, hurricanes and typhoons, tornadoes, tsunamis, volcanic eruptions, wildfires, landslides and avalanches. Disasters produced by human forces include accidents involving passenger-carrying airplanes, ships, and trains; collapse of buildings, bridges, tunnels, and mines; and explosions and fires unintentionally triggered by humans
disaster recovery plan = a plan for recovering from a disaster to pre-disaster condition as far as possible. Sometimes called a Business Resumption Plan (BRP)
domain = See risk domain
DR 09053 CP = Business continuity - Managing disruption related risk - Part 1: Specification; See SAI Global
DR AS/NZS ISO/IEC 38500 CP = Corporate governance of information technology; See SAI Global
DRP (pronounced letter by letter) = See Disaster Recovery Plan
DSD = Defence Signals Directorate
DSD certification framework =
DSD Infosec-Registered Assessor Program (I-RAP) =
emergency = a fix which is required urgently. Undertake immediate problem resolution and conduct emergency migration procedures. To be followed by normal testing and PIR close out
embezzlement = to take (money, for example) for one's own use in violation of a trust. A criminal risk
Emergency Response Planning (ERP) =
encryption = scrambling of the content of network packets
EOD = End Of Day
EOM = End Of Month
EOW = End Of Week
EOY = End Of Year
ERP = Emergency Response Planning
ethics dictionary = some important words for corporate ethics
expert advice = the owner/sponsor seeks input from Internal Audit, Information Security, Physical Security, Risk Management and/or other areas to ensure that the Risk Register analysis is complete
external audit = an examination, by examiners independent of the company, of records or financial accounts to check their accuracy
external event risk = under WGOR Method #1, external event risk includes the following elements: natural disasters; civil disasters; outsourcing risk / supplier risk; political risk; changed legal / political environment; liability risk; business disruption risk. Examples of external event risk are: accidents, fire, flood, storm, earthquake; terrorist acts, revolt; level of dependency, monopoly with provider, misuse of confidential data, breach of service level agreement; war, expropriation of assets, business blocked, financial markets disturbances; changes of regime (e.g. of tax or regulatory authorities); lawsuits (from e.g. customers, suppliers, government); energy failure, external telecommunications failure, failure of transports.
external fraud = a deception deliberately practiced by a person or entity outside the company in order to secure unfair or unlawful gain. A criminal risk
extortion = to obtain money or benefit from the company by coercion or intimidation. A criminal risk
failure modes, effects and criticality analysis = each failure mode identified is ranked according to the combined influence of its likelihood of occurrence and the severity of its consequences
fault tree analysis = a systems engineering method for representing the logical combinations of various system states and possible causes which can contribute to a specified event (called the top event)
file = a set of related records treated as a unit
file note = an informal record kept on file as a reminder of an event or conversation or containing technical information that may be required again at a later date
FMEA = failure mode and effects analysis
FMECA = failure modes, effects and criticality analysis
forgery = to make a copy of (usually signature), usually (but not always) with the intent to defraud. A criminal risk
fraud = a deception deliberately practiced by a person or group of persons in order to secure unfair or unlawful gain. See internal fraud and external fraud
frequency = a measure of likelihood expressed as the number of occurrences of an event in a given time. An example of frequency: 500 near misses per month. See also likelihood and probability
front running = to set up an apparently respectable person, group, or business to be used as a cover for secret or illegal activities. A criminal risk
function = a colloquial expression for the specific purpose or characteristic activities of an entity
functional = related to or pertaining to function
Gantt chart = a graphical view of a schedule that shows start and finish dates, and progress of each recorded activity. It may also show activity dependencies
gap analysis = formal analysis of the difference between a system specification and a particular set of functional analysis and user requirements
GB 002:2007 = The Business Excellence Framework; See SAI Global
General Reserve = standard capital charges made for risk based on historical experience. Aggregate amounts for each category of loans
goal = a target expressed in an absolute physical measurable outcome that is intended to be reached by a given moment in time. See objective
governance = clear delineation of authority and responsibility for risk-related activities across the company, at all levels
hazard = a source of potential harm (ISO/IEC Guide 51)
hazard = See risk exposure. Note this is what we call a hazard in the Finance world so that it is not confused with the risks of personal accident and injury of the engineering world
HB 18.2 = Standardization and related activities - General vocabulary
HB 141:2004 = Risk financing guidelines; See SAI Global
HB 158:2006 = Delivering assurance based on AS/NZS 4360 Risk Management; See SAI Global
HB 203:2006 = Environmental risk management - Principles and practices; See SAI Global
HB 205-2004 = OH&S Risk Management Handbook
HB 221:2004 = Business Continuity Management
HB 231:2004 = Information security risk management guidelines
HB 246:2004 = Guidelines for Managing Risks in Sport and Recreation; See SAI Global
HB 254:2005 = Governance, risk management and control assurance; summarizes strategies used by organizations to implement Control Assurance Plans; See SAI Global
HB 436:2004 = Risk management guidelines - Companion to AS/NZS 4360:2004, See AS/NZS ISO 31000:2009
HR risk = under WGOR Method #1, HR risk (or Human Relations risk) includes the following elements: quality of management; integrity; recruitment; development; competence; retention; appraisal; release; capacity; key personnel. Examples of HR risk are: leadership skills, integrity, risk awareness; new hires, years of experience, competence; availability and usage of HR strategy and policy, training, code of conduct, understanding of product; skills to perform tasks; satisfaction, motivation, compensation, years on the job, educational level; clear objectives, uniform; wrongful dismissal; work pressure; loss of clients.
holding period = an assumption of the VaR model of the most frequently chosen holding period, such as ten (10) days
hostage taking = to hold a person or persons in a conflict in captivity as security that specified terms will be met by the opposing party. A criminal risk
impact = consequence
impact analysis =
infrastructure = an IT Risk
internal audit = an independent appraisal function within the company to examine and evaluate the company's own (organisation, procedures and) activities to assure they are adequate and that the activities comply with the requirements of the company's policies. The objective of internal audit is to assist members of the company in the effective discharge of their responsibilities. To this end, internal audit furnishes them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed. The audit objective includes promoting effective control at reasonable cost
internal control = a process carried out within the company designed to provide reasonable assurance regarding the achievement of the following objectives: The reliability and integrity of information; compliance with policies, plans, procedures, laws, regulations, and contracts; the safeguarding of assets; the economical and efficient use of resources; and the accomplishment of established business objectives and goals.
internal fraud = a deception deliberately practiced by a person or group of persons inside the company in order to secure unfair or unlawful gain. A criminal risk
internal product = a service or product provided by a unit at company for another productive unit as part of a critical process
internal product value = the value of the product is the opportunity cost of performing the critical processes that gave rise to the product. That is to say, how much would it cost to "outsource" the product or to employ an outside agency to perform the critical process?
internal service level agreement = a formal agreement between two departments in which specific requirements are established for quality and delivery speed. See service level agreement
International Standards = the risk management concepts employed in the Risk Management Policy Manual are generally based on AS/NZS 4360:2004. Operational Risk Concepts are based on WGOR Level 1. Any concept of quality employed is generally based on ISO 9001:2000; See AS/NZS ISO 31000:2009
insider trading = to use one's special knowledge or access to confidential information to conduct trading for special benefit. A criminal risk
insignificant = a qualitative descriptor implying such things as low financial loss, no customer loss, work-arounds, etc
intentional breaching of standards and values = a criminal risk
International Organisation for Standardization = an international organisation responsible for producing (ISO) standards for many industries
investment banking = a line of business under WGOR Method #1, Level 1
I-RAP = Infosec-Registered Assessor Program (DSD)
irregularity = the intentional misstatement or omission of significant information in accounting records, financial statements, other reports, documents or records. Irregularities include: a. fraudulent financial reporting which renders financial statements misleading; and b. misappropriation of assets. Irregularities may involve: falsification or alteration of accounting or other records, and supporting documents; intentional misapplication of accounting principles; and misrepresentation or intentional omission of events, transactions, or other significant information.
ISO/IEC Guide 51 = Safety aspects - Guidelines for their inclusion in standards
ISO/IEC Guide 73 = Risk management - Vocabulary - Guidelines for use in standards
ISO Standard = a document published by the ISO which provides an internationally recognized set of rules for undertaking various activities
ISO Guide 73:2009 = Risk management - Vocabulary; See SAI Global
ISO/DIS 26000 = Guidance on social responsibility; See SAI Global
ISO 31000:2009 = Risk management - Principles and guidelines; See SAI Global
ISO/IEC 31010:2009 = Risk management - Risk assessment techniques; See SAI Global
issues list = a database or paper list of items affecting a project or other work. These may be positive or negative, and they represent something which exists, as opposed to a risk, which has not yet happened
ITSEC = Organisation responsible for certifying security products
IT risk = under WGOR Method #1, IT risk (or information technology risk) includes the following elements: Technology investment risk; development and implementation risk; project risk; reliability; continuity; recoverability; availability; performance; confidentiality; controllability / auditability; capacity; infrastructure. Examples of IT risk are: cost / time overruns, definition of business requirements; availability and usage of standards, documentation, user acceptance; manageability, effectiveness, efficiency; correctness, completeness, timeliness; fall back, contingency; criticality; user satisfaction, capacity, integration with systems / processes; logical and physical access controls, privacy, encrypting; logging of activities; ability to perform tasks; compatibility, transparency, upgrading possible.
key stakeholder = See stakeholder
kidnap = to seize and detain unlawfully and usually for ransom. A criminal risk
LCR = loss from credit risk
liability risk = an external event risk
life cycle = the term Development Life Cycle is often used to describe the methodology used to define and document the planning, managing and recording of events and activities that are required for a business product or process from the moment of its inception to the moment it is replaced or abandoned. In IT, the methodology is called system development life cycle (SDLC). In banking, the methodology is called product development life cycle (PDLC). The formal explication of and commitment to these development life cycles is important to risk management because it clearly defines all the processes and allows us to see clearly where risk management routines can make a difference to performance within the company. See also SDLC
likelihood = used as a qualitative description of probability and frequency
line of business = under WGOR Method #1, Level 1, there are four lines of business: commercial banking; investment banking; asset management; other.
liquidity risk = a subcategory of market risk. The risk that the company will not have sufficient liquid assets to meet normal operating requirements
local forms & templates = forms and templates designed for use only within the business domain of the person approving them
loss = any negative consequence, financial or otherwise
loss of assets = a criminal risk
loss exposure = a measure of possible loss that could arise from an actual risk. See also maximum potential loss exposure
loss potential = an attempt is made to prioritise items appearing on the risk register by financial or reputation loss potential
major = a qualitative descriptor implying such things as major financial loss, reputation losses, extensive injuries, loss of production capability, company causes disaster with no detrimental effects on society, etc
management committee = a formally appointed group of senior managers, with certain delegated responsibilities
market manipulation = to use one's power over the market for shrewd or devious management, especially for one's own advantage. A criminal risk
market risk = all price and interest rate risks, tied to managing the company's assets and liabilities
market risk model = a model used for defining the response of the company to Market Risk
maximum potential loss exposure = the maximum amount of loss that is possible/likely from an actual risk
migrate risk = to move a risk to another party. See also risk transfer
milestone = a scheduled event for which one is held accountable and that is used to measure progress. A milestone is "cognitive", meaning it is an event that people can easily "see", "envision" or will intuitively know they have reached it when they get there. It is therefore something which naturally acts as a goal. A milestone differs from a phase which is a period of time in a project over which it is useful for evaluating effort, i.e. historical and analytic. For example, when the roof is completed this might be an important milestone because it allows people to work out of the sun's rays, but it may be completed at an early part of the construction phase. Another example: "100 runs" is an important milestone but the phase is the "innings". See also phase
minimise risk = to formally adopt a plan to reduce risk to the smallest possible amount, extent, size, or degree
minor = a qualitative descriptor implying such things as medium financial loss, few customers loss, first aid treatment, etc
misappropriation = to take possession of or make use of something exclusively, without permission, for a purpose other than that stated or intended. A criminal risk
mission = the highest-level statement of objectives. It gives a broad description of the purpose and policy of the organisation. Its purpose is to promote an overall objective that expresses succinctly what purpose the activities of the organisation are working towards in a manner that everyone in the organisation can relate to
mitigate risk = in special circumstances it may be possible to plan things in such a way that, if the event does occur, it will have little or no impact. This is especially relevant to circumstances where risks have arisen because of bad conditions or bad planning
modelling = a formal, logically consistent, integrated set of assumptions, methods, values, measurements and applications whose purpose is to show the full ramifications of analysis employed in risk management decision-making. These models include: (1) Credit Risk Model; (2) Market Risk Model; and (3) Operations Risk Model
moderate = a qualitative descriptor implying such things as high financial loss, many customers loss but no general reputation loss, medical treatment required, etc
money laundering = to disguise the source or nature of funds (illegal funds, for example) by channelling them through an intermediate agent. A criminal risk
monitoring = to check, supervise, observe critically, or record the progress of an activity, action or system on a regular basis in order to identify change
motivation to change = an event or situation leads the business to develop a new product, process or procedure
MTBF = mean time between failures
MTTR = mean time to repair
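The two measures above are only useful when they are derived the same way every time. The following is an added example (not part of this glossary or any company's method) that computes MTBF, MTTR and the resulting availability estimate from a set of outage records; the outage timestamps and the 30-day observation window are constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed outage records for a hypothetical system: (failure start, service
# restored), ISO-8601, inside a 30-day observation window. Not real data.
OUTAGES = [
    ("2024-03-03T02:10", "2024-03-03T03:40"),
    ("2024-03-11T14:05", "2024-03-11T14:35"),
    ("2024-03-22T23:50", "2024-03-23T01:20"),
]
WINDOW_START = datetime.fromisoformat("2024-03-01T00:00")
WINDOW_END = datetime.fromisoformat("2024-03-31T00:00")


def _spans(outages):
    spans = [(datetime.fromisoformat(s), datetime.fromisoformat(e)) for s, e in outages]
    if not spans:
        raise ValueError("MTBF/MTTR are undefined when no failure has been observed")
    for start, end in spans:
        if end < start:
            raise ValueError(f"outage ends before it starts: {start} -> {end}")
    return spans


def _downtime(spans):
    return sum((end - start for start, end in spans), timedelta())


def mttr_hours(outages=OUTAGES):
    """Mean time to repair: average length of an outage, in hours."""
    spans = _spans(outages)
    return _downtime(spans).total_seconds() / 3600 / len(spans)


def mtbf_hours(outages=OUTAGES, start=WINDOW_START, end=WINDOW_END):
    """Mean time between failures: total up-time in the window divided by the
    number of failures observed in it, in hours."""
    spans = _spans(outages)
    uptime = (end - start) - _downtime(spans)
    return uptime.total_seconds() / 3600 / len(spans)


def availability(outages=OUTAGES, start=WINDOW_START, end=WINDOW_END):
    """Steady-state availability estimate MTBF / (MTBF + MTTR). With both figures
    taken from the same window this equals up-time / window length."""
    mtbf = mtbf_hours(outages, start, end)
    mttr = mttr_hours(outages)
    return mtbf / (mtbf + mttr)


if __name__ == "__main__":
    print(f"MTTR {mttr_hours():.2f} h, MTBF {mtbf_hours():.1f} h, "
          f"availability {availability():.4%}")
```

Note that a single long outage and several short ones can give the same availability figure while implying very different recovery capability, which is why the glossary keeps MTBF and MTTR as separate terms rather than collapsing them into one number.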
natural disaster = a disaster with a natural cause, such as an earthquake, flood, hurricane or typhoon, tornado, tsunami, volcanic eruption, wildfire, landslide or avalanche. An external event risk
nomenclature = an agreed naming convention or an agreed set of names
normal distribution = a theoretical frequency distribution for a set of variable data, usually represented by a bell-shaped curve symmetrical about the mean. Also called Gaussian distribution
normalcy = the assumption, built into a model, of normal working conditions; in statistical terms, that the variable being modelled follows a normal distribution
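The normalcy assumption is what turns a set of observed losses into a maximum potential loss exposure (see that entry above): fit a normal distribution and read off the loss that will not be exceeded at a chosen confidence. The block below is an added example, not a method from this glossary or any risk department; the monthly loss figures are constructed, and it also reports how often the observed data actually exceeded a threshold, because a normal fit understates the tail when real losses are not normally distributed.

```python
from statistics import NormalDist, mean, stdev

# Constructed monthly operational losses (thousands of dollars) for a
# hypothetical business unit. Not data from the glossary.
MONTHLY_LOSSES = [12.0, 15.5, 9.8, 14.2, 11.1, 13.7, 10.4, 16.0, 12.9, 14.8, 11.6, 13.3]


def fit_normal(losses=MONTHLY_LOSSES):
    """Fit a normal (Gaussian) distribution to the observed losses."""
    if len(losses) < 2:
        raise ValueError("need at least two observations to estimate a spread")
    return NormalDist(mean(losses), stdev(losses))


def loss_at_confidence(confidence, losses=MONTHLY_LOSSES):
    """Loss level the normal model says will not be exceeded with the given
    confidence (e.g. 0.99): a model-based maximum potential loss exposure."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    return fit_normal(losses).inv_cdf(confidence)


def probability_exceeding(threshold, losses=MONTHLY_LOSSES):
    """Probability, under the normal model, that one month's loss exceeds threshold."""
    return 1.0 - fit_normal(losses).cdf(threshold)


def empirical_exceedance(threshold, losses=MONTHLY_LOSSES):
    """Fraction of observed months that actually exceeded threshold. Comparing this
    with probability_exceeding() is the quickest check on the normalcy assumption."""
    return sum(1 for x in losses if x > threshold) / len(losses)


if __name__ == "__main__":
    for conf in (0.95, 0.99):
        print(f"{conf:.0%} loss level: {loss_at_confidence(conf):.1f}k")
    cut = 15.0
    print(f"model P(loss > {cut}k) = {probability_exceeding(cut):.3f}, "
          f"observed = {empirical_exceedance(cut):.3f}")
```

If the observed exceedance frequency is consistently higher than the model's, the normalcy assumption is failing in the tail and the exposure figure should be treated as a lower bound, not a maximum.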
normative standard = an object that has been agreed (usually by formal internationally acclaimed bodies) to define "correct", or "best", or "recommended" or "required". These may apply to measurement (comparative), definition (absolute), but may also be used to describe process, practice, nomenclature, required magnitude for performance, recommended value for specific result, comparative process, etc. An example of a normative standard is ISO 9000 which dictates the best business practices for improving or guaranteeing "quality". In fact, one could refer to SDLC as adopted by company as a normative standard. Usually in SDLC, when we refer to "standards" we are referring to normative standards, that is to say, standards that are agreed by business or technological experts to be the "best" methods. However, comparative and absolute standards do play a role. See also ISO, ITME, ITSEC, ISO standard, standards, comparative standard, absolute standard, international standards. For an example of a normative standard see the Risk Department's Policy Manual
NPV = net present value
objective = a general statement about the direction an organisation intends to take in a particular area without stating a specific target to be reached by particular point in time (which are commonly called 'goals'). See also Business Objectives. The mission statement is made achievable by its dissection into clear 'statements of objective' that can be agreed by managerial groups within the company as acceptable and achievable
operational risk = any pure risk; i.e., our exposure to unplanned losses that arises from any non-speculative dealings
operational risk exposure = a numerical risk reading assigned to a qualitative descriptor (or set of descriptors) to assist with a better understanding of the levels of possible and actual risk involved
operational risk model = a model used for defining the response of the company to operational risk
ORE = operational risk exposure
organisation = a company, firm, enterprise or association, or other legal entity or part thereof, whether incorporated or not, public or private, that has its own function(s) and administration
organisation risk = under WGOR Method #1, Organisation Risk includes the following elements: Corporate governance; requirements (organisational set-up); and clarity (tasks and responsibilities). Examples of organisation risk are: authority, adequate information flow, clear reporting lines, overview; segregation of functions, dual control, audit, risk control; and guidelines and procedures, documented, achievable, accountability; other. A line of business under WGOR Method #1, Level 1
output = a. information passed to a communications system for transmission out of a computer system after processing. b. a position, terminal, or station from which output leaves a system. c. the result of a process
outsourcing risk = an external event risk
PCD = Project Concept Document
PDLC = Product Development Life Cycle
PDP = Product Development Plan
peer group = a group of staff members, generally working in the same area or with the same interests or responsibilities and at about the same level, used to informally review the work of another of the group
performance = an IT Risk
personal safety = a criminal risk
phase = a discrete period of time delineated by a major beginning and an ending event and that can be understood as a single concept. There are a number of established phases for planning and control of a project under SDLC. These are planning; analysis; design; package evaluation and selection; configuration and package implementation; testing; implementation; and post implementation review. See also milestone
physical security = a criminal risk
PMP = Project Management Plan
policy = a management directive or statement of intent. Frequently expressed through issuing a standard, a policy manual or a policy statement
policy manual = a document that discusses in detail all issues related to the implementation of a particular policy statement. The purpose of the policy manual is to look at the ramifications of a particular policy statement across all Divisions of the company, and to describe in detail the impact of this policy statement on particular areas of the company's operations. These may be considered as "sub-policies". All sub-policies must be completely consistent with the policy statement. (Note: a policy manual often needs to consider "related policies".) The policy manual does not discuss matters at the procedural level or at the level of work instruction, except to make statements of intention, principle or purpose. For an example of a Policy Manual see the Risk Management Policy Manual
policy statement = a statement made by the Board of Directors. All policy and procedures throughout the company are considered to have their origin in one of these statements. A policy statement is often proposed to the Board by management committees or Divisional Managers, but may originate from Board Committees or from the Board themselves. A policy statement is usually kept brief to enable the Board to focus on the issues contained within it, and to completely understand its content, before giving its approval. For an example of a policy statement see operating policies
political risk = an external event risk
possible risk = a list of risks agreed upon to be considered in any risk analysis by company. There are three lists of possible risks: credit, market and operational. See also actual risk
PR = problem report
prevent = in special circumstances it may be possible to reduce the risk by changing the circumstances that give rise to the risk, that is to say, reducing the likelihood or consequence of the event, or both. Usually, however, events are seen as external to the company and therefore prevention is not a viable option
preventive controls = a formal, planned action to deter undesirable events from occurring
priority = the order in which a work will be undertaken
privacy = protection of sensitive information from access by parties without a "need to know"
probability = the likelihood of a specific outcome, measured by the ratio of the number of ways that outcome can occur to the total number of possible outcomes. Probability is often expressed as a number between 0 and 1, with 0 indicating an impossible outcome and 1 indicating an outcome is certain
probability = the extent to which an event is likely to occur ISO/IEC Guide 73
probability of default = grades in credit risk analysis indicating likelihood and willingness to pay: Grades as follows: Good; Special Attention; Sub-standard; Doubtful; and Bad
procedure = a. A set of manual or automated steps or activities required for accomplishing a task. A procedure is a part of a process
procedure = b. A document used to describe things that need to be done. Procedure is regarded as flowing directly from the Policy Statement. Usually, a procedure is authorised by the owner of the (technical or business) process that the procedure describes. Procedural statements are statements made by those in charge of day-to-day management (such as the Management Committee or the Divisional or Departmental Manager) (we call this person the "owner" of the procedure). Often more than one (related) procedural statement is needed to fully describe a process. The key factor dictating where a procedure starts and finishes is the logical sequence or flow of tasks required to complete the procedure. That is to say, a procedure is limited to those tasks that can be understood as a single array. A procedure must also be "owned" by only one "owner". A procedure can assign tasks to a number of different individuals or groups
process = a set of inter-related activities, which transform input into output. A productive process. An operation. A process is usually made up of a number of procedures
process audit = an audit which examines the processes that lead to the end product or service
processing risk = under WGOR Method #1, Processing Risk includes the following elements: procedures; efficiency; effectiveness; working methods; checks and balances; input error; model risk; recording; privacy and confidentiality; internal reporting; external reporting. Examples of processing risk are: documented, up to date, ownership, in line with standards; cost vs. budget; realisation of objectives and goals, satisfaction; authorised, stratification, limit adherence, according to prescribed procedures; timely reconciliation, independent valuations; wrong data, incorrect input, incorrect marked-to-market; inappropriate parameters, incorrect programming, invalid assumptions, mathematical errors; logging; clean desk, chinese walls; present, relevant, error free, actively used by management; regulatory-, financial-, tax reporting
product = something of value that is the direct outcome of a process within the company
product acquired = a milestone in the SDLC planning process. All products have been acquired under contract and Key Stakeholders have been informed. We are now ready to install
product audit = an audit which examines the end product or service
product development life cycle = processes, activities, and tasks involved in the development, operation, and maintenance of a product, spanning the life of the product, from the definition of its requirements to the removal of the product from the market place
product development plan = product development plans are similar to a project management plan but deal with all the steps that need to be performed to introduce a new product to the marketplace, or make significant changes to an existing product. The marketing action plan is a part of the product development plan, but there are many other changes that need to be performed, such as changes to policy, procedures, accounting systems, technological upgrades and training
product implemented = a milestone in the SDLC planning process. The product is fully implemented and in production
product owner = the owner of the product at company, both market products and internal products, is the person who owns the critical process that gave rise to that particular product
product ownership = Clear delineation of authority and responsibility for "product" which involves the concept of "critical process"
production = a colloquial expression ("in production") meaning "live" or in the "real world" or a working environment in which the output is expected to be "real"
production environment = an environment made up of elements that are all considered to be in production. The production environment has many specific benefits (when testing) but also many specific risks
products register = a document for identifying all the products in the company (both internal and external) and their owners. This is a key document because "Product Ownership" is fundamental to the risk management process. Owned and maintained by the Risk Management Department
professional responsibility =
project = a body of work undertaken in a planned and controlled manner. A project must have been approved for commencement or commissioned, have a defined time frame, require resources, require funds, have a defined duration. A project ceases to be called a project upon implementation of the planned system, application, etc., into a production environment
project concept document = a document prepared to describe a business need requiring solution. It contains sufficient detail to enable management to decide whether to proceed to the preparation of a business case. It has the same format as a business case, with less detail
project concept fully developed = a milestone in SDLC planning. The project concept is fully developed, reviewed and approved and initial sponsor and initial stakeholders have been notified
project costs = a list of all costs, such as equipment, software, time or labour, necessary for the attainment of the stated objectives and goals of the project
project controls in place = a milestone in the SDLC planning process. The project is under way and all the project controls are in place. For example the project sponsor, the project board and the project manager have been appointed, project management systems have been set up and the project review team is in place
project initiation = the initial phase of a project. Its outputs are a project concept document, and a business case
project initiated & reviewed = a milestone in the SDLC planning process. The business case has been prepared and reviewed, and the sponsor and initial stakeholders have been informed. The business case is now ready to go to the financial authority for funding approval
project management = the planning, organising, coordinating, directing and controlling of any project or task with responsibility for results within a specified period of time
project management plan = an essential management document describing the approach that will be taken for a project. The plan typically describes the work to be done, the resources required, the methods to be used, the configuration management and quality assurance procedures to be followed, the schedules to be met, the project organisation, etc. See also risk management project management plan
project management = specialist terms & acronyms
project manager = a senior officer, usually from the Information Technology Division, who manages all the SDLC aspects of a project on a day to day basis. The project manager's responsibilities include controlling IT staff resourcing and time requirements for a project, budgets, schedules, IT resource allocation and tasks, and reporting regularly to IT management on project issues. The term is also used for a non-IT project
project risk = an IT Risk
project schedule = an organised set of tasks for which start and finish dates and resources have been assigned. It is prepared using package software from Microsoft
project team = all the personnel assigned to work on a Project full or part time, who are managed by the Project Manager
PSCC = Protective Security Coordination Centre (Attorney-General's Department)
PSM = Protective Security Manual (issued by the Attorney-General's Department)
pure risk = the chance of an unexpected or unplanned loss without the accompanying chance of a gain
QA = quality assurance
QC = quality control
quality = compliant with the relevant management-system standards, such as ISO 9000 and ISO 9001 (quality management) or ISO 14000 (environmental management), etc.
quality assurance = all the planned and systematic activities implemented within the organisation, to provide confidence that a product or service will fulfil the user's requirements
qualitative analysis = a method of calculating risk that can be applied to products and processes that are produced or performed at such a high level of generality that numeric descriptors cannot be assigned. Qualitative risk analysis is often subjective and intuitive but nevertheless has been found to be an effective method for calculating risk, because it allows us to use the manager's experience to evaluate both likelihood and consequence without getting bogged down in questions of numerical relevance and model integrity
quality audit = an audit involving the planned and systematic examination of systems, processes, procedures and products to ensure documented methods are being applied, specifications are being met and that records are being maintained to provide objective evidence of conformance
quality control = product oriented measures that ensure outputs are consistently in accordance with specifications
quantitative analysis = uses numerical values for both likelihood and consequences, drawing on data from a variety of sources. The quality of the analysis depends on the accuracy and completeness of the numerical values used
RA (pronounced letter by letter) = Risk Analysis
RAA (pronounced letter by letter) = Risk Avoidance Analysis
recovery = restoring the system to a proper state, including recovery of data. It could involve: reconstruction of the database, so that it is restored to its pre-failure condition; restoration of the communication network or portion thereof with reconnection of the users active at the time of failure; proper restarting or other handling of transactions that were in process at the time of failure; and appropriate restarting of the software components
recoverability = an IT Risk
regulatory risk =
reliability = an IT Risk
request for information = an RFI is a document issued by the company to elicit information from the marketplace on what is available in a specific area of interest, to find out the latest developments in technology, to discover industry capability. It may be used to assist in formulating a business case in response to a perceived need in the Business. An RFI should avoid any suggestion that an immediate acquisition is intended from any supplier and it should make it quite clear that the company may or may not proceed on the basis of the information provided
request for proposal = a document issued to the marketplace requesting vendors to provide costs and details of their capability and willingness to provide systems, software, products and services, required by the company to meet a business need. An RFP is normally used to elicit proposals from vendors where the business need is clear, but the marketplace capability, availability and solution and approach alternatives are not known
request for quote = a document issued to the marketplace requesting vendors to provide costs and details of their capability and willingness to provide systems, software, products and services, required by the company to meet a business need. An RFQ is normally used for the simple supply of hardware items or shrink-wrap software. It may be used for training courses and symposiums and for any other instance where price alone will be the deciding factor. An RFQ is an extremely simplified type of request. For non-project purchases an RFQ may precede a direct purchase using Form 1
request for tender = a document issued to the marketplace requesting vendors to provide costs and details of their capability and willingness to provide systems, software, products and services, required by the company to meet a business need. An RFT is normally used for large acquisitions where the requirement is clear and the marketplace capability is known. The company is sure of the preferred solution and the approach it wants taken and is asking for detailed estimates of cost, technology and timeframes. An RFT will normally contain sections addressing contractual issues, RFT response requirements, technical specifications and a statement of work
requirement = a condition or capability that must be met by a system to satisfy a contract, standard, specification, etc
requirements (organisational set-up) = an organisation risk
residual risk = risk remaining after implementation of risk treatment HB 436:2004
residual risk = the remaining levels of risk after risk mitigation measures have been taken
response (treatment) = the owner develops a response that will eliminate, mitigate or transfer his risks and includes the response as part of his plans. There are five possible responses to an actual risk: prevent; mitigate; avoid; transfer; accept/retain
response times =
responsibility = a duty, an obligation, or a burden placed upon an individual or group within the company by someone of higher authority and involves the implied ability to act without guidance or further authority and the acceptance of personal accountability for the outcome
retain (accept) = after risks have been reduced or transferred, there may be residual risks that are accepted or retained, meaning to do nothing and "accept the risk"
RFI = Request For Information
RFP = Request for Proposal
RFQ = Request For Quote
RFT = Request for Tender
risk = some event that has a chance of happening and that, if it happens, will have an impact upon objectives and goals. It is measured in terms of consequences and likelihood (probability)
risk acceptance = an informed decision to accept the likelihood and the consequences of a particular risk
risk analysis = a systematic use of available information to determine how often and when specified events may occur and the magnitude of their likely consequences. A formal process which seeks to separate (a) minor acceptable risks from (b) major risks, and to provide data to assist in the assessment and treatment of risks
risk assessment = the overall process of risk identification, risk analysis and risk evaluation AS/NZS 4360:2004; See AS/NZS ISO 31000:2009
risk assessment = comparing the level of risk found during the analysis process with previously established risk criteria, producing a "measurement" or "level" of risk and deciding on an appropriate "response". The output of a risk assessment is a prioritised list of risks for further action
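The qualitative and quantitative analysis entries above describe two ways of arriving at the same output, the prioritised list this entry refers to. The block below is an added example that is not part of this glossary or any company's risk model: it rates each risk on ordinal likelihood and consequence scales, computes an annual expected loss where frequency and loss-per-event figures exist, applies an assumed acceptance criterion, and returns the ranked list. The consequence words (minor, moderate, major) are the glossary's own descriptors; the likelihood words, the ordering of both scales, the acceptance threshold and the sample risks are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Ordinal scales. Consequence words are the glossary's qualitative descriptors;
# the likelihood words and the numeric ordering are assumptions for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3}
# Assumed risk criterion: a likelihood x consequence rating at or below this is accepted/retained.
ACCEPTABLE_RATING = 4


@dataclass
class Risk:
    name: str
    likelihood: str                          # qualitative descriptor from LIKELIHOOD
    consequence: str                         # qualitative descriptor from CONSEQUENCE
    annual_frequency: Optional[float] = None  # quantitative: expected events per year, if known
    loss_per_event: Optional[float] = None    # quantitative: loss per event, if known

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood descriptor: {self.likelihood!r}")
        if self.consequence not in CONSEQUENCE:
            raise ValueError(f"unknown consequence descriptor: {self.consequence!r}")


def qualitative_rating(risk: Risk) -> int:
    """Likelihood x consequence on the ordinal scales. An ordinal score for ranking,
    not a dollar figure: a rating of 6 is not 'twice as bad' as a rating of 3."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def annual_expected_loss(risk: Risk) -> Optional[float]:
    """Quantitative measure: frequency per year times loss per event, or None when
    either figure is unavailable (which is the situation qualitative analysis exists for)."""
    if risk.annual_frequency is None or risk.loss_per_event is None:
        return None
    return risk.annual_frequency * risk.loss_per_event


def assess(risks, acceptable=ACCEPTABLE_RATING):
    """Return (name, rating, annual expected loss, response) rows, ranked for treatment:
    risks with numbers first by expected loss, then the rest by qualitative rating."""
    rows = []
    for r in risks:
        rating = qualitative_rating(r)
        ale = annual_expected_loss(r)
        response = "accept/retain" if rating <= acceptable else "treat"
        rows.append((r.name, rating, ale, response))
    rows.sort(key=lambda row: (row[2] if row[2] is not None else -1.0, row[1]), reverse=True)
    return rows


# Constructed sample risks for a hypothetical bank; figures are illustrative only.
SAMPLE_RISKS = [
    Risk("rogue trading", "unlikely", "major", annual_frequency=0.1, loss_per_event=2_000_000),
    Risk("settlement input error", "likely", "minor", annual_frequency=24, loss_per_event=5_000),
    Risk("flood at data centre", "rare", "major"),
    Risk("key person departure", "possible", "moderate"),
]

if __name__ == "__main__":
    for name, rating, ale, response in assess(SAMPLE_RISKS):
        ale_text = f"{ale:,.0f}" if ale is not None else "n/a"
        print(f"{name:28s} rating {rating:2d}  ALE {ale_text:>10s}  {response}")
```

The sample output shows the disagreement the two entries warn about: "settlement input error" is accepted on its qualitative rating (likely x minor = 4) yet carries the second-largest expected annual loss, because many small losses add up. When both kinds of figure exist, the quantitative one should drive the ranking and the qualitative rating should be revisited.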
risk assessment report = a document for recording the process of risk assessment related to particular events and to assist in measuring the level of actual risk. This report is included in other management documents such as project concept document, business case, project management plan, product development plan, acquisition plans within the PMP, change management, etc. Prepared by the manager responsible for preparing the management document to which this risk assessment is to be attached. The Risk Management Department may provide technical assistance in the preparation of this document but it always remains the document of the originator
risk avoidance = an informed decision not to become involved in a risk
risk category = risks generally fall within one of two risk categories (or types): (a) speculative risk and (b) pure risk
risk control = that part of risk management which involves the provision of policies, standards and procedures to eliminate, avoid or minimise risks facing an enterprise
risk domain = risks are managed within a number of formal declared domains: such as credit risk; market risk; operational risk; etc
risk exposure = a hazard. A source of potential harm or a situation with a potential to cause loss
risk financing = the methods applied to fund risk treatment and the financial consequence of risk. Note: in some industries risk financing only relates to funding the financial consequences of risk
risk identification = the process of determining what can happen, why and how. A formal process of identifying the risks to be managed. Comprehensive identification using a well-structured systematic process is critical, because any potential risk not identified at this stage is likely to be excluded from further analysis. Identification will include all risks whether or not they are under the control of the company
risk management = (1) the systematic application of management policies, procedures and practices to the tasks of identifying, analysing, assessing, treating and monitoring risk
risk management = (2) the logical and systematic method of identifying, analysing, assessing, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable company to build shareholder value over the long term. Risk management is as much about identifying opportunities as avoiding or mitigating losses
risk management project management plan = Some risk treatments require a Project themselves, independent of any other project, especially decisions to avoid risks by making significant changes to the working environment
risk migration = See migrate risk
risk minimization = See minimise risk
risk mitigation = the actions taken to remove the probability of a risk eventuating or of negating its effects if it eventuates. See mitigate risk
risk preview model = adopts a simplified set of descriptors, making input easy to understand and making the output simple and straightforward. These descriptors are the same for both likelihood and consequence and are therefore much more highly subjective than those implied in the operational risk model, requiring only a "gut reaction" from project managers
risk reduction = a selective application of appropriate techniques and management principles to reduce either the likelihood of an occurrence or its consequences, or both
risk register = a document for identifying all actual risks in the company (and thereby documenting the process of eliminating Potential Risks from this list so that this elimination is not performed over and over again unnecessarily). Owned and maintained by the owner/sponsor who considers industry experience to develop a list of operational, credit, market and project risks
risk retention = intentionally or unintentionally retaining the responsibility for loss, or financial burden of loss within the organisation
risk response = See response
risk transfer = shifting the responsibility or burden for loss to another party through legislation, contract, insurance or other means. Risk transfer can also refer to moving a physical risk, or part thereof, elsewhere. See migrate risk
risk treatment = selection and implementation of appropriate options for dealing with risk. See mitigation
risk treatment action plan and schedule = certain risk treatments are permanent features of business and not just treatment projects. These need action plans and schedules, etc
risk treatment compliance declaration = certain risk treatments require a declaration on behalf of the product owner that risks have been mitigated in order to allow other events to take place
risk treatment compliance certificate = certain risk treatments need certification by persons other than the product owner (and periodic re-certification as part of the monitoring process)
risk type = See risk category
robbery = the act or an instance of unlawfully taking the property of another by the use of violence or intimidation. A criminal risk. See also theft
rogue trading = to trade in an unprincipled, deceitful, and/or unreliable fashion in order to deceive. A criminal risk
rollout response = the owner/sponsor carries out his plan and, in so doing, implements his risk response
routine problem = a fix which is not an emergency and is handled in one of three ways: fix immediately (a workaround is possible until fixed); fix as soon as possible (to be included in the next release); or fix as scheduled (by the Business and Maintenance Group)
safety management system (SMS) = a formal system, agreed with the regulator, for continually identifying hazards, analysing risks, and evaluating and treating risks under regulatory requirements such as the Australian Airservices Act, international standards required by the International Civil Aviation Organization (ICAO), or national standards required by departments such as the Ministry of Transport, resulting in an integrated set of work practices for ameliorating risk
scenario-build = models describing probable or likely scenarios for end-user testing
schedule = See project schedule
SDLC = system development life cycle
security = the protection of information and data so that unauthorised persons or systems are denied access or the ability to read or modify them while authorised persons or systems are allowed access. Also: The protection of computer hardware and software from accidental or malicious access, use, modification, destruction or disclosure. Note: The definition of Security can vary according to context
service level agreement = a legal agreement between the supplier of a service and the customer setting out in clear terms the expected levels of service and what is to occur if those levels of service are not met. See also Internal Service Level Agreement
sexual harassment = unwanted and offensive sexual advances or sexually derogatory or discriminatory remarks made by one in power to an employee. A criminal risk
simplified qualitative risk analysis = See risk preview model
SLA = Service Level Agreement
SMS = safety management system
SOX = Sarbanes-Oxley Act of 2002 (US); corporate governance, financial reporting and auditing requirements, including controls over the IT systems that support financial reporting
specific reserves = a specific capital charge against the borrower's probability of default, determined during the quarterly review of all accounts in grades 4 and 5. A minimum specific charge applies to all such accounts
speculative risk = any chance where both gain and loss are possible
stakeholder = a key person in the company who has a recognized stake in the achievement of a particular business case or of its outcomes
standard deviation = a statistic used as a measure of the dispersion or variation in a distribution, equal to the square root of the arithmetic mean of the squares of the deviations from the arithmetic mean
standards = generally, a degree or level of requirement, excellence, or attainment. The word "standard" has come to mean three key main concepts: comparative standard; absolute standard; normative standard. See also international standards
strategic plan = a proposed change to any major business objectives and goals will require a strategic plan. This will include: approach that will be taken for a project; technology to be used; work to be done; resources required; dependencies; methods to be used; configuration management and quality assurance procedures to be followed; schedules to be met; organisation of the project; risks and issues
structure = the manner in which a complex whole is divided into parts and the relations between those parts
supplier = an organisation that enters into contract with the acquirer for the supply of a product. The supplier is synonymous with contractor, producer, seller, or vendor. The acquirer may designate a part of its organisation as supplier
supplier risk = an external event risk
system = an arrangement, a set, or a collection of concepts, parts, activities, and/or people that are connected or interrelated to achieve particular objectives and goals. This definition applies to both manual and automated systems. A system may also be a collection of systems (sub-systems) operating together for common objectives and goals
system development life cycle = processes, activities, and tasks involved in the development, operation, and maintenance of a software product, spanning the life of the system, from the definition of its requirements to the termination of its use
system performance test scripts = scripts for testing the performance of a system or application under load; required for all changes to systems or applications
task = a small specified workload to be performed by people according to known standards within a relatively controlled period of time. A task is the lowest level of breakdown in a work breakdown structure (The complete breakdown is - project, phase, activity, task)
technology investment risk = an IT Risk
template = a guide in making something accurately, (comes from the name given to a tool used to accurately reproduce a product in manufacturing or in woodworking). A template is often a document or a report written in final form with spaces for particular information or inserted temporary notes containing instructions that will be followed in the completion of the document
terrorism = the unlawful use or threatened use of force or violence by a person or an organised group against people or property with the intention of intimidating or coercing societies or governments, often for ideological or political reasons. A criminal risk
test case = a case with a set of real and likely data where the result is known beforehand for testing a system against requirements following creation or change
test cycles = unit test, system (end-to-end) test, regression testing, system integration testing, user acceptance testing
test scripts = formal written scripts for test cycles
theft = the act or an instance of stealing; larceny, without the use of violence or intimidation. A criminal risk. See also robbery
transfer = reduce the risk by causing another party to bear or share some part or all of the risk because of an existing contract or relationship. Transfer the risk or the residual risk by agreeing to pay a premium now in return for the insurer accepting the risk
treatment (response) = the owner develops a response that will eliminate, mitigate or transfer his risks and includes the response as part of his plans. There are five possible responses to an actual risk: prevent; mitigate; avoid; transfer; accept/retain
TISN = Trusted Information Sharing Network (for Critical Infrastructure Protection)
UAM = user authentication methodology (the basis of user access to a secure environment)
UAM = user acceptance methodology (the basis of UAT)
UAT = user acceptance testing
user acceptance = a formal process for involving the user in the sign off of a new system. For an in-house developed system it involves early statement of user requirements, a sign off of the functional plan by the user, and the sign off by the user following user acceptance testing against the original requirements. For a purchased system it involves a user requirements statement and a gap analysis.
user acceptance testing (UAT) = the final testing stages by users of a new or changed system. The system is tested for stability and whether it is processing data according to requirements. If successful, it signals the approval by the user to implement the system live.
user access = the means by which a user gains entry to a secure environment; usually granted through a formal UAM and limited to what the user is authorised to do
use case = a formal methodology for defining system requirements; a scenario; software developers and end users cooperate to define how the system will need to interact with the world, such as with an end user or another system, to achieve a specific business goal
user guide = a document written by a technical writer to give assistance to people using the system.
user manual = user guide
user requirements = practical outcomes that will impact the user that are the reason for the development of a new system or for enhancements and modifications to an existing system
user requirements documentation = a business or strategic plan containing all user requirements and the reason for their inclusion
user requirements specification = a formal list of all user requirements contained within the user requirements documentation written in a form that allows validation that changes meet user requirements
validity check = the process of analysing data to determine whether it conforms to predetermined parameters of completeness and consistency
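As an added example (not part of the original glossary), the following Python applies the two halves of this definition to constructed risk-register records: completeness (every required field present and non-empty) and consistency (ratings within range, treatment drawn from the five responses listed under treatment, review date not before the raised date). The field names, the 1-5 rating scale and the sample records are assumptions made for the example.

```python
"""Added example (not from the original glossary): a validity check run over
constructed risk-register records. Completeness = every required field is
present and non-empty; consistency = values lie within the expected ranges
and relate to each other sensibly. Field names and ranges are assumptions."""
from datetime import date
from typing import Any, Dict, List

# Assumed register layout for the example.
REQUIRED_FIELDS = ("id", "owner", "likelihood", "consequence",
                   "treatment", "raised", "review")
# The five responses the glossary lists under "treatment (response)".
TREATMENTS = {"prevent", "mitigate", "avoid", "transfer", "accept"}
RATING_RANGE = range(1, 6)  # assumed 1..5 rating scale for likelihood/consequence


def validity_check(record: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the record is valid."""
    findings: List[str] = []

    # Completeness: all required fields present and populated.
    for field in REQUIRED_FIELDS:
        if record.get(field) in (None, ""):
            findings.append(f"missing {field}")
    if findings:
        return findings  # consistency checks need the fields to exist

    # Consistency: ratings in range, treatment from the allowed set, dates ordered.
    for field in ("likelihood", "consequence"):
        value = record[field]
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, int) or value not in RATING_RANGE:
            findings.append(f"{field} out of range 1-5: {value!r}")
    if record["treatment"] not in TREATMENTS:
        findings.append(f"unknown treatment: {record['treatment']!r}")
    try:
        raised = date.fromisoformat(record["raised"])
        review = date.fromisoformat(record["review"])
        if review < raised:
            findings.append("review date precedes raised date")
    except (TypeError, ValueError) as exc:
        findings.append(f"unparseable date: {exc}")
    return findings


def check_register(records: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map record id to findings for every record that fails the check."""
    return {str(r.get("id")): f for r in records if (f := validity_check(r))}


# Constructed sample records: one valid, one incomplete, one inconsistent.
SAMPLE_REGISTER = [
    {"id": "R-001", "owner": "Ops", "likelihood": 3, "consequence": 4,
     "treatment": "mitigate", "raised": "2024-01-15", "review": "2024-07-15"},
    {"id": "R-002", "owner": "", "likelihood": 2, "consequence": 2,
     "treatment": "accept", "raised": "2024-02-01", "review": "2024-08-01"},
    {"id": "R-003", "owner": "Finance", "likelihood": 7, "consequence": 3,
     "treatment": "ignore", "raised": "2024-03-10", "review": "2024-01-10"},
]

if __name__ == "__main__":
    for rid, findings in check_register(SAMPLE_REGISTER).items():
        print(rid, "->", "; ".join(findings))
```

Completeness is checked first and, if it fails, the record is returned without the consistency checks, since those would only produce misleading secondary findings about fields that are absent.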
value = See market product value and internal product value
value at risk = the measurement of likely losses, expressed in SAR. The "appetite" for losses. This model adopts the strategy of representing every actual risk with a calculation of "value at risk"
vandalism = wilful or malicious destruction of company property. A criminal risk
VaR = value at risk
verify = the process of determining whether or not the products of a given phase of the SDLC fulfil the requirements established during the previous phase
volatility = tending to vary often or widely, as in price: the ups and downs of volatile stocks. By mapping actual results against a normal distribution, the standard deviation of those results gives a measure of volatility, from which value at risk is derived
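As an added example (not part of the original glossary), the following Python ties together the entries for standard deviation, value at risk and volatility: it computes the standard deviation exactly as defined above over a constructed series of daily profit/loss results, maps those results onto a normal distribution to obtain a parametric VaR at a chosen confidence level, and contrasts that with a historical VaR read straight from the observed tail. The P&L figures are invented, the currency is left unspecified, and the loss-appetite comparison is an assumed use of the figure.

```python
"""Added example (not from the original glossary): standard deviation and
value at risk computed over a constructed series of daily profit/loss results.
Assumptions: the P&L figures are invented, the currency is unspecified, and
normally distributed results are assumed for the parametric figure."""
import math
from typing import Sequence

# Constructed sample: ten daily profit (+) / loss (-) results for one position.
DAILY_PNL = [120.0, -80.0, 45.0, -200.0, 60.0, 15.0, -30.0, 90.0, -150.0, 10.0]

# One-tailed z-scores of the standard normal distribution (rounded to 3 dp).
Z_SCORES = {0.95: 1.645, 0.99: 2.326}


def mean(xs: Sequence[float]) -> float:
    return sum(xs) / len(xs)


def std_dev(xs: Sequence[float]) -> float:
    """Population standard deviation, as the glossary defines it: the square
    root of the arithmetic mean of the squared deviations from the mean."""
    m = mean(xs)
    return math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))


def parametric_var(pnl: Sequence[float], confidence: float = 0.95) -> float:
    """Variance-covariance VaR: treat the results as normally distributed with
    the sample mean and standard deviation, and read off the loss that is not
    expected to be exceeded at the given confidence level.
    Returned as a positive loss amount."""
    z = Z_SCORES[confidence]
    return z * std_dev(pnl) - mean(pnl)


def historical_var(pnl: Sequence[float], confidence: float = 0.95) -> float:
    """Historical VaR: the loss at the (1 - confidence) tail of the observed
    results, with no distributional assumption. With only a handful of
    observations this collapses to the worst loss seen, which is a known
    weakness of the method on short histories."""
    losses = sorted((-x for x in pnl), reverse=True)  # worst loss first
    k = max(0, math.ceil((1.0 - confidence) * len(losses)) - 1)
    return losses[k]


def within_appetite(pnl: Sequence[float], appetite: float,
                    confidence: float = 0.95) -> bool:
    """Assumed use of the figure: compare the calculated VaR against the loss
    the owner is prepared to absorb (an acceptable-risk threshold)."""
    return parametric_var(pnl, confidence) <= appetite


if __name__ == "__main__":
    print(f"standard deviation   = {std_dev(DAILY_PNL):.2f}")
    print(f"95% parametric VaR   = {parametric_var(DAILY_PNL):.2f}")
    print(f"99% parametric VaR   = {parametric_var(DAILY_PNL, 0.99):.2f}")
    print(f"95% historical VaR   = {historical_var(DAILY_PNL):.2f}")
```

The parametric figure rises with the confidence level because it scales the standard deviation by a larger z-score; the historical figure on ten observations is pinned to the single worst day at both 95% and 99%, which is why a practitioner would want a much longer history (or a different method) before relying on it.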
WGOR = Working Group for Operational Risk
What-if Analysis = the owner/sponsor considers industry experience to form an opinion as to how his operating environment will be altered during and after the project
work instruction = a work instruction is a document that assigns particular tasks (mentioned or implied in a procedure) to a particular individual or group. It is intended that this set of instructions can be followed precisely by this individual or group and contain enough information to allow the completion of their particular part of the procedure in a timely and efficient manner
write offs = credit facilities that are considered un-collectable, and for which all means of recovery have been exhausted, are represented by a credit risk capital charge of 100%, called a "write off"