4T Model
As part of their Risk Evaluation process, many organisations use the 4T Model to categorise their decisions. The 4Ts are Treat, Tolerate, Terminate and Transfer.
AML / CFT
Anti-Money Laundering and Countering the Financing of Terrorism. These are legislative acts which cover offences which can have an economic impact on the financial security of a country.
Accountability Principle
Under GDPR, it is not enough to be compliant with the regulation; you must also be able to provide demonstrable evidence of your compliance activity.
BCP
The Business Continuity Plan is a set of strategies and processes to deal with disruptions (usually severe) and ensure the organisation can maintain essential services at pre-defined levels, within an acceptable timeframe.
BYOD (Bring Your Own Device)
A practice whereby an organisation encourages its employees to use their own device (smart phone / tablet) for business purposes. Originally thought to increase employee use of technology and to reduce costs.
Biofuels
Are ‘renewable’ fuels that are derived from biomass - biological materials such as algae, plants, and biowaste. Biofuels are produced in a short period of time, contrary to the very slow natural processes involved in the production of ‘non-renewable’ fossil fuels. Examples of biofuels are ethanol, methanol, biodiesel, and Sustainable Aviation Fuels.
Business Continuity Plan (BCP)
A plan to ensure continuity of business operations in the event of a serious incident.
Business Impact Analysis (BIA)
A Business Impact Analysis is a risk assessment technique for understanding consequences and their likelihood when an organisation experiences a disruption. It provides an understanding of the capability needed to manage a disruptive incident.
CEO
Chief Executive Officer is the most senior person within an organisation.
CFO
Chief Finance Officer is a senior person within an organisation who has responsibility for the sound financial management of the organisation.
CRO
Chief Risk Officer is a senior role within an organisation which is responsible for a company's risk management.
CRSA
Control Risk Self-Assessment is a self audit exercise which reports on the current status of controls and control activities within the organisation.
CSRD
Corporate Sustainability Reporting Directive is an EU regulatory framework that affects companies that are listed in the EU. The framework requires that companies share information on how they monitor their ESG practices.
CTO
Chief Technology Officer is a senior role which is responsible for an organisation's technology strategy.
Carbon
Is a chemical element that serves as the building block of life and is essential for the structure of organic compounds. In the context of sustainability and the environment, ‘carbon’ often refers to carbon dioxide (CO2), a greenhouse gas released into the atmosphere primarily through human activities like burning fossil fuels and deforestation. Increasing levels of carbon dioxide contribute to global warming and climate change, making efforts to reduce carbon emissions crucial for a sustainable future.
Carbon Footprint
Is the total amount of greenhouse gases, primarily carbon dioxide, emitted directly or indirectly by an individual, organization, event, or product throughout its lifecycle. It expresses environmental impact in terms of carbon emissions, helping to assess and manage contributions to climate change. Efforts to reduce a carbon footprint involve minimizing energy consumption, using cleaner technologies, and supporting carbon offset projects to achieve greater sustainability.
Carbon Neutral
Means achieving a balance between carbon emissions produced and carbon removed or offset from the atmosphere. This is achieved by taking action to reduce one’s level of emissions and supporting initiatives that absorb or mitigate an amount of carbon equal to the level produced, resulting in a net-zero carbon footprint.
Carbon Offsetting
Involves compensating for your carbon emissions by supporting projects that reduce or capture an equivalent amount of carbon dioxide from the atmosphere. This helps to counterbalance environmental impact, promoting sustainability and climate goals.
Carbon Sequestration
Is the process of the capture and removal of carbon from the atmosphere and its storage in biological or geological matter (e.g. soil, forests, grasslands, bodies of water, rocks).
Carbon Sink
Anything, such as an organism or natural environment, which stores more carbon than it emits.
Carbon Source
Anything, such as an organism or natural environment, which emits more carbon than it absorbs.
Carbon Trading
Is also known as ‘emissions trading’ or ‘cap-and-trade’ and is a market-based approach to controlling carbon emissions. It involves organisations ‘trading’ the ‘unused’ part of their allocated emissions allowance with other organisations. So, an organisation emitting less than its allocated allowance can sell its surplus allowance to organisations that have exceeded their limits. This creates financial incentives for emission reductions and promotes environmental sustainability while allowing flexibility in meeting emissions targets.
Chain Outsourcing
Sometimes referred to as Fourth Parties, where a third party outsources part of the work to one of its own third parties (a fourth party to you).
Climate Change
Refers to significant changes in global temperature, precipitation, wind patterns and other measures of climate that occur over time. It is connected to rising levels of carbon dioxide and other greenhouse gases in the Earth’s atmosphere.
Consequence
The outcome of an event affecting objectives – also known as risk Impact.
Consumer Duty
A set of standards created by the Financial Conduct Authority (FCA) that apply across UK financial services.
Consumer Protection Code
Consumer Protection Code Ireland is a set of regulations published by the Central Bank of Ireland (CBI) which applies to financial services.
Control
A measure that maintains and / or modifies risk.
Critical Business Process
A core activity that is essential to an organisation's functioning.
Critical or Important Function
A Critical or Important Function is a function the disruption of which would materially impair: the financial performance of a firm; the soundness or continuity of its services and activities; or its continuing compliance.
Cyber Security
Generally, the term refers to the security deployed to protect information that is stored on computers. Depending on context, it can also be used to describe those actions aimed at preventing and detecting attacks on systems from external parties.
DDoS
Distributed Denial of Service. This is a form of electronic attack involving multiple computers (usually compromised) which send repeated requests or pings to a server to load it down and render it inaccessible for a period of time.
DMZ (De-Militarised Zone)
This is a physical or logical sub-network that contains and exposes an organisation’s external-facing services to an untrusted network – usually a larger network such as the Internet. An external network node can access only what is exposed in the DMZ, while the rest of the organisation’s network is firewalled. If its design is effective, it allows the organisation extra time to detect and address breaches before they can further penetrate into the internal network.
DORA
The Digital Operational Resilience Act (DORA) is an EU regulation aimed at ensuring the financial sector can withstand, respond to, and recover from all types of ICT-related disruptions and threats. It establishes uniform requirements for cybersecurity, incident reporting, testing, and third-party risk management. DORA seeks to enhance the resilience of financial entities by setting standards for ICT risk management and mandating robust oversight of critical third-party service providers, thereby promoting financial stability and consumer protection within the EU.
DPO Function
The tasks that the DPO is responsible for carrying out.
Data Audit
The means of documenting all of the personal data the organisation processes, the processing it is subjected to and the purposes for which it is processed.
Data Controller
The individual or private organisation, public authority, agency or other body that decides why and how personal data will be processed (GDPR, Article 4.7).
Data Minimisation Principle
To process (i.e. collect, store, use, etc.) only the minimum data necessary for the specified purpose.
Data Processing
Any manual or automated activity carried out on personal data, from collection to destruction and everything in between.
Data Processor
The individual or private organisation, public authority, agency or other body which processes personal data on behalf of the controller. The controller may also be the processor (GDPR, Article 4.8).
Data Protection Impact Assessment (DPIA)
When a proposed processing activity is “likely to result in a high risk to the rights and freedoms of natural persons” the data controller must carry out a DPIA. A DPIA is a process that systematically describes and assesses the need for and the proportionality of the data processing activity. The DPIA must include an assessment of the risks to the rights and freedoms of the data subjects and must also provide measures for addressing those risks and ensuring the protection of the personal data (GDPR, Article 35).
Data Protection Officer (DPO)
The individual, team or contractor nominated by the data controller to oversee the organisation’s data protection planning, training and other activities to ensure compliance with GDPR.
Data Retention Period
The length of time that personal data will be kept by the data controller, or the data processor on instruction from the data controller. It must be no more than is necessary for the purposes for which the data is processed. Once that defined period lapses, the data must be deleted or converted into a form that does not permit the identification of its subject(s). For some sectors and / or in certain circumstances, there are legal requirements that govern retention periods for particular data and these trump GDPR. However, data controllers should ensure that they retain only the data specified by the legal requirement and delete or anonymise the remainder.
Data Set
A grouping of personal data that has been collected for a specific purpose (e.g. customer contact data; employee payroll data; etc.).
Data Subject
The individual to whom the personal data relates.
Data Subject Request / Data Access Request
The method by which a data subject can request all of the personal data relating to them that is held by an individual or an organisation, free of charge.
Dependency
The necessary people, processes, information, technology, facilities, and third parties required to deliver a business service.
ERM
Enterprise Risk Management is an integrated, organisation-wide approach to managing risks.
Emissions
Are substances released into the air and are measured by their concentrations (or parts per million) in the atmosphere.
Encryption
This is the process of encoding a message or information in such a way that only authorised parties can access it. An authorised recipient can easily decrypt the message with the encryption key provided by the originator.
European Supervisory Authorities (ESAs)
The European Supervisory Authorities (ESAs) are three agencies established under the European system of financial supervision with a mandate to develop and implement a common regulatory framework and foster a consistent and effective approach to financial supervision in the EU. The ESAs are: the European Securities and Markets Authority (ESMA); the European Banking Authority (EBA); and the European Insurance and Occupational Pensions Authority (EIOPA).
Explicit Consent
Active consent in the form of an unambiguous written or spoken statement by the data subject where they have been presented with a clear option to agree or disagree with the processing of their personal data for a specified purpose.
FCA
Financial Conduct Authority is the UK's financial services regulator.
Firewall
The device that monitors and controls traffic to and from a network.
GDPR
General Data Protection Regulation - also known as EU GDPR. The General Data Protection Regulation is the legal framework issued collectively by the European Parliament, the European Commission and the Council of the European Union with the aim of unifying and strengthening data protection for all EU citizens.
GRC
Governance Risk and Compliance is a system that organizations use to structure governance, risk management, and regulatory compliance.
Global Temperature
Is an average of air temperature recordings measured by land and sea weather stations as well as some satellites. Worldwide, the period from 2006 to 2015 was the warmest decade on record since modern global record-keeping began in 1880.
Global Warming
In the early 1960s scientists recognised that the level of carbon dioxide in the atmosphere was increasing. Later they discovered that methane, nitrous oxide and other gases were also rising. Because these gases trap heat and warm the Earth just as a greenhouse traps heat from the sun, scientists concluded that increasing levels of these ‘greenhouse gases’ would increase global warming.
Greenwashing
Refers to the deceptive practice of portraying a company, product, or action as environmentally friendly or sustainable when it in fact is lacking in substantial effort or adherence to true environmental standards. This misleading communication can misguide consumers and investors, undermining genuine sustainability efforts and the overall credibility of responsible practices.
ICT
Information and Communications Technology generally refers to all the IT infrastructure (in-house and in the Cloud) plus the voice and data connectivity required to deliver a business service.
ICT Risk
ICT risk refers to the potential for loss or damage due to failures, vulnerabilities, or threats within information and communication technology systems. This includes cyberattacks, system malfunctions, data breaches, and other disruptions that can compromise data integrity, availability, and confidentiality.
ICT-related incident
ICT-related incidents are unplanned events that compromise the security of the network and information systems. They can have an adverse impact on the availability, authenticity, integrity and confidentiality of data, or on the services provided by a firm.
Impact Tolerances
Impact tolerances define the maximum acceptable level of disruption to a business service. (See MTO, RTO and RPO)
Inherent Risk
The level of risk posed before the systems and controls are considered. Other terms used include Pre-Control and Gross risk.
Integrity
In the context of computer systems, integrity refers to methods of ensuring that data is real, accurate and safeguarded from unauthorised user modification.
Intrusion Detection System (IDS)
IDS was originally a technology used to detect whether an attacker has or has attempted to gain unauthorised access to computer resources. It is now generally included in IPS solutions.
Intrusion Prevention System (IPS)
IPS is a network security technology that examines network traffic flows and prevents unauthorised access to systems and information.
Legal Basis for Processing
There are six legal bases that a data controller can rely on for processing personal data: 1. the data subject has given active consent to the processing for one or more purposes that have been previously disclosed to them; 2. the processing is necessary in the context of or to enter into a contract; 3. the processing is necessary for the data controller’s compliance with a legal obligation; 4. the processing is necessary to protect the vital interests of the data subject or another individual; 5. the processing is necessary in the public interest or to exercise the data controller’s official authority; 6. the processing is necessary for the legitimate interests of the data controller - however, these interests cannot override the interests or the fundamental rights of the data subject, particularly where that individual is a child (GDPR, Article 6).
Level of Risk
The magnitude of a risk or combination of risks – expressed as the product of consequence and likelihood.
Likelihood
The chance that something will happen – also known as risk Frequency.
MTO
The Maximum Tolerable Outage or maximum time that a service can be interrupted before significant damage is experienced by the organisation / its customers.
Malware
Software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system.
Mitigation Potential
Is a measurement of the amount of carbon that can be stored to balance the release of carbon. It is a key factor in discussions about power plants and vehicles.
NIS2
NIS2 Directive
NIST
National Institute of Standards and Technology
Net Zero
Refers to achieving a balance between the total amount of greenhouse gases emitted and the amount removed from the atmosphere. It involves reducing emissions through various means and offsetting remaining emissions by supporting projects that capture or absorb an equivalent amount of greenhouse gases. The goal is to effectively neutralise the impact of human activities on climate change, contributing to a more sustainable and balanced environment.
ORM
Operational Risk Management
OSP
An Outsourced Service Provider is a third-party that has been contracted to deliver all or part of a service that the organisation is offering to its customers.
One Stop Shop (OSS)
A mechanism for organisations established in the EU and engaged in cross-border personal data processing. It allows these organisations to deal with a single lead supervisory authority (LSA) for most of their processing activities.
PIML
Plan, Implement, Measure, Learn
Penetration Test
Often referred to as Pen Test, this is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.
Personal Data
Any information relating to a data subject. It’s a very broad concept; you might be surprised at what’s included.
Phishing
A phisher uses an email to entice the recipient to click on a link, fill out a form or open an attachment. In the past, phishing was usually recognisable by the use of poor English, but today these emails are much more sophisticated. Phishing emails look like they are coming from a legitimate source, and clicking on the link they contain could cause malware to be downloaded onto your computer. Some phishing emails ask for a form to be filled in – they are looking for personal information, bank account details, credit card details, etc. Completing these forms is likely to lead to your account being compromised.
Pillars of DORA
There are 5 pillars within the DORA act. These are: ICT Risk Management; ICT Incident Management; Digital Operational Resilience Testing; ICT Third-Party Risk; and Information Sharing.
Privacy Policy
This is where an organisation sets out how the principles of data protection are applied to all of its data processing activities – including employee, customer and third-party data.
Privacy Statement
More specific than a privacy policy; it’s an organisation’s clear and concise public declaration of how the principles of data protection are applied to data processed on its website.
Process Mapping
A planning and management tool that visually describes the flow of work. This is usually supported by detailed documentation of all dependencies including people, processes, information, technology, facilities, and third-party service providers.
Proportionality Principle
In the context of the Digital Operational Resilience Act (DORA), the proportionality principle refers to the requirement that the measures and controls implemented by firms to ensure resilience are commensurate with the nature, scale, and complexity of their operations. This means that smaller or less complex firms may, depending on risk factors, adopt simpler, less burdensome measures, while larger or more complex firms are expected to implement more robust and comprehensive controls. This principle ensures that regulatory requirements are applied in a balanced manner, avoiding a one-size-fits-all approach and ensuring that all firms can effectively manage their ICT risk.
Pseudonymisation
The technique of modifying personal data in such a way that it can no longer be associated with the data subject without the addition of other information.
RPO
The Recovery Point Objective refers to the point in time in the past that it is acceptable to go back to for the backed-up data. For example, is it acceptable to restore last night’s backup, or is a more recent backup required?
RTO
The Recovery Time Objective usually refers to the time that those responsible for system recovery have to get the system(s) up and running, measured from the time they get the order to invoke the recovery plan. It will always be less than the MTO.
Register of Information
The Register of Information is a comprehensive record that must capture detailed information relating to all contractual arrangements with third-party ICT service providers and on the use of those services. The Register must distinguish between arrangements that support Critical or Important functions and those that do not. Firms will be obliged to make their full Register of Information available to the competent authority on request.
Regulatory Technical Standard (RTS)
A Regulatory Technical Standard (RTS) is a type of regulatory instrument used in the European Union (EU) to provide detailed technical specifications for the implementation of certain aspects of the Digital Operational Resilience Act (DORA).
Renewable Energy
Is energy derived from sources that will renew themselves within our lifetime. Renewable energy sources include wind, sun, water, biomass, and geothermal energy.
Residual Risk
The level of risk remaining after risk treatment and controls are considered. Other terms used include Post-Control and Net risk.
Resilience
The ability of an organisation to deliver critical operations through disruption.
Risk
The effect of uncertainty on objectives. If an outcome has little or no effect on the achievement of your objectives then it is not a risk you need to consider.
Risk Analysis
A process for comprehending the nature of risk and determining the level of risk. Risk Owners identify controls that are in place and any missing controls in order to understand the level of current risk.
Risk Appetite
The amount and type of risk that an organisation is willing to retain. Usually, an organisation will produce a ‘Risk Appetite Statement’ that describes its risk appetite. Note: some internal policies will also have risk appetite statements.
Risk Assessment
The overall process of Risk Identification, Risk Analysis and Risk Evaluation.