The Association of Governance, Risk & Compliance
Glossary of Terms
Below you will find a list of terms and their definitions covering what matters most to our work as a community of professionals in the fields of compliance, governance, risk management and cybersecurity.
As with everything in life, this list is a work in progress, so if you see that any terms have been unintentionally left out, let us know and we will add them to the list.
Accountability can be defined as being held responsible or answerable for one’s actions or lack thereof. This encompasses issues of blameworthiness, liability and one’s responsibility to give an honest account of what has transpired in any given situation.
Anti-Money Laundering (AML)
Anti-Money Laundering, or AML for short, includes all the rules, regulations, processes and laws implemented to stop criminals from disguising money obtained through illegal means as legitimate income. As part of the AML regulations governing the financial sector, financial institutions and service providers must keep close tabs on their clients and their transactions and report suspicious activity to the relevant authorities. Generally speaking, AML regulations target the proceeds of illicit activities such as tax evasion, bribery, the sale of illegal products and services, and manipulation of the financial markets, among others.
Antitrust laws are regulations that have been developed by governments to protect consumers from predatory business practices, limit the power amassed by a single or small group of companies, and ensure fair competition. These rules focus on a series of questionable business activities such as market allocation, bid rigging, price fixing, oligopolies and monopolies.
Audit Program or Plan
An audit program, also referred to as an audit plan, is a plan that documents the different audit procedures an auditor will perform or follow to validate that a firm has complied with its regulatory obligations. Developing such a plan is crucial to determine those areas of greatest risk and carry out the audit process in an effective manner.
In the financial world, a blacklist is a list of jurisdictions that have been deemed non-cooperative in the battle against money laundering, tax evasion and avoidance, and terrorist financing. These lists are published to exert pressure on the countries concerned to fall in line and put in place the regulations needed to curtail illicit practices. Such lists are updated on an ongoing basis, with countries added or removed based on their overall performance in tackling these issues.
Bribery is the practice of giving, receiving, offering or asking for money or any other valuable asset to influence a decision, often one being made by someone in a position of power or control. Generally, bribery involves governmental officials or members of a corporation. Note that in many jurisdictions the offence is complete once the bribe is offered, promised or requested; it is not necessary to prove that the recipient actually changed their behavior on behalf of the person handing out the gift.
Business Continuity Planning (BCP)
Business continuity planning incorporates a series of standards and procedures by which a company prepares for, responds to and recovers from disruptions to its operations, whether caused by natural disasters, cyber attacks, supplier failures or other threats. It allows a company to perform appropriate risk management and ensure it remains resilient in times of crisis or hardship.
Business sustainability or corporate sustainability is the practice by which a company balances its financial and economic objectives with its societal and environmental obligations or concerns, developing a holistic system that promotes and ensures responsible, ethical and ongoing success.
Code of Conduct or Ethics
A code of conduct or ethics is a set of rules, principles and practices that govern employees’ behavior within a company. This code generally requires that employees and directors carry out their duties with honesty, integrity and transparency whenever they are representing their company.
More specifically, there are two types of code that are relevant to the financial sector. A value-based code sets forth the company’s main values and instills them among its employees. A compliance-based code, on the other hand, requires that employees comply with the many regulations established by their country’s relevant authorities and the industry in which they operate.
Combating the Financing of Terrorism (CFT)
As defined by the IMF, Combating the Financing of Terrorism, or CFT, refers to the regulations, laws and procedures set in place to combat “the solicitation, collection or provision of funds with the intention that they may be used to support terrorist acts or organizations.” Generally speaking, terrorist financing is the financing of terrorist acts, terrorists or terrorist organizations by individuals or groups of people.
Compliance, or more specifically regulatory or corporate compliance, can be defined as a company's obligation to adhere to and follow the specific set of regulations set forth by local and international law when delivering its goods or services. This also includes obeying the internal policies and procedures established by the company to detect whether a rule has been broken and to prevent it from being penalized by the regulatory authorities. Simply put, compliance is key because it helps protect companies from reputational and financial damage.
Compliance culture is the set of values, beliefs and behaviors held by a company and its employees regarding how it governs, assures and manages its regulatory compliance obligations. This includes identifying those requirements, holding strong views about the impact of compliance on conduct and decisions, and following a model of appropriate and compliant behavior.
Compliance Framework or Program
A compliance framework or program is a series of best practices and guidelines used by companies to comply with the many regulations set forth by regulatory authorities within their industry. Besides using such a framework to meet regulatory requirements, companies often put these programs in place to boost security, evaluate internal controls and potential risks, and fine-tune business processes. Compliance frameworks or programs should be highly flexible and designed to adapt easily to the rapid regulatory and technological changes being experienced these days by the financial services sector.
Compliance risk is the danger faced by a company when it fails to follow the relevant authority’s rules and regulations or its own internal controls and best practices. These dangers include financial fines, bankruptcy, imprisonment, reputational damage, and material or monetary loss.
Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities or processes. In practice it is a set of rules, or a promise, that limits or places restrictions on access to certain types of information, and it is one of the three core security objectives alongside integrity and availability.
Corporate Social Responsibility (CSR)
Corporate social responsibility describes a company’s voluntary corporate initiatives and actions in the spheres of community development, the environment and human rights. CSR programs are generally used to give back to society, boost a firm’s reputation and strengthen its overall brand.
Customer Due Diligence
Customer due diligence is the process by which companies identify their customers and determine that they are in fact who they claim they are. At its most basic level, this process involves receiving a copy of their actual passport or national ID, a valid residential address, date of birth and recent photo, among others. Additional information may be required based on the transaction being performed or service being offered. The intended nature of the business relationship and transaction, details on the source of the wealth or funds, and additional identification information on the beneficial owner may be required if the risk of money laundering is deemed to be high.
Cyber security, also known as information technology security, refers to the policies, procedures and technical controls established by a company to protect its computers, servers, networks, software and applications, electronic equipment, and stored data from unauthorized access, disruption and other types of malicious attack. Most companies these days store vast amounts of information, including sensitive data on intellectual property, personal details and financial performance. Being susceptible to attacks in which these data are lost, made public or used to damage a company's reputation is a serious risk for most companies.
A data breach is a confirmed incident in which sensitive, confidential, private or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion.
Data classification is the process of organizing data into categories according to its sensitivity and the handling it requires, which also makes it easier to retrieve, sort and store for future use. Data classification determines which items are more sensitive than others and helps define the types of controls (access restrictions, encryption, retention and disposal rules) that need to be put in place to protect the data from unauthorized disclosure.
Data protection is the set of processes by which a company safeguards information from being corrupted, compromised, stolen or lost. Data protection must balance the use and sharing of data for business purposes, an individual's right to privacy, and the regulatory framework set forth by governments to properly manage this data.
Ethical dilemmas are situations that require an individual or company to make an ethical judgment call. Many times, these problems involve more than one right answer and they are unlikely to offer a win-win solution in which the interested parties get everything they want.
Ethics or moral philosophy involves the study of what’s considered to be morally right and wrong. More specifically, in the business sector, it involves studying those practices that are deemed to be correct when confronted with controversial subjects such as corporate governance, insider trading, bribery, CSR, fiduciary obligations, tax avoidance and harassment in the workplace.
Financial fraud is the practice of taking someone's money or assets by deception or other illicit or illegal means. This might include tax fraud, credit card fraud, wire fraud, securities fraud, and bankruptcy fraud. More specifically, as explained by Investopedia, fraud is “the false representation of facts, whether by intentionally withholding important information or providing false statements to another party for the specific purpose of gaining something that may not have been provided without the deception.”
General Data Protection Regulation (GDPR)
The General Data Protection Regulation, or GDPR, is the framework governing the way personal data can be collected, used, processed and stored within the European Union. This regulation, which applied from May 2018, sets forth “rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.” Furthermore, it “protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” Note that it also applies to organizations established outside the EU when they process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior.
Governance, or more specifically corporate governance, can be considered the umbrella under which our other core subjects rest. This term refers to the many rules, processes, systems and practices put in place to successfully direct a company and define its overall corporate behavior. Governance incorporates all major aspects of management including action plans, KPIs, internal controls and procedures and financial disclosure, as well as cybersecurity, compliance and risk management, just to list a few.
Governance culture involves the values, beliefs and behaviors that define how a company's processes, resources and structure are directed, controlled and evaluated, including through the oversight of the Board of Directors. It also determines how power and decision-making authority are allocated within the company and how the organization interacts with and responds to its stakeholders.
Governance Risk Compliance Cybersecurity (GRCC)
GRCC is the set of capabilities that enables an organization to reliably achieve its objectives while addressing uncertainty and acting with integrity. It encompasses governance, assurance and management of performance, risk, compliance and cybersecurity.
In the business world, independence is most commonly understood to mean freedom from conflicting interests. More specifically, this represents the ability to make a decision or act in ways which are free from conflict between one’s personal interests and the interests of the party on whose behalf one is making the decision.
Integrity is the overall quality of being honest and ethical. When applied to the business world, this means complying with all relevant regulations, acting with transparency, caring for your employees and co-workers, following industry best practices and admitting mistakes, among others.
As defined by Investopedia, internal controls refer to “the mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud.” Additionally, these types of controls may provide a company with assistance in bettering “operational efficiency by improving the accuracy and timeliness of financial reporting.”
Know Your Client (KYC)
Not unlike customer due diligence, Know Your Client, or KYC, is used in the investment world as the way by which investment advisers obtain detailed information about their clients. This information may include their risk tolerance, tax status, investment experience, liquidity, financial knowledge, and the amount of money they are willing to invest, to name a few. KYC processes protect both the investor and the service provider, as they determine what types of investments are appropriate based on the client's details. Closely following the KYC rule also builds a greater sense of trust between the investment adviser and their clients.
Morals define what a person or company believes to be right or wrong and these may vary depending on one’s country, culture, socioeconomic status and age, among others. Typically, morals are set by a source of authority greater than the individual such as a government or society as a whole.
Ransomware is malicious software that, once it runs on a computer or network, encrypts files or locks systems and demands a ransom payment for their restoration; many current variants also steal copies of the data and threaten to publish it if the ransom is not paid. Criminals typically deliver ransomware through phishing emails carrying malicious links or attachments, compromised websites, instant messages, or exposed remote-access services with weak or stolen credentials. No single control prevents it: keep systems patched, use reliable anti-malware software and a firewall, require multi-factor authentication for remote access, limit user privileges, never click on unknown links or open unexpected files, and, above all, maintain regularly tested offline backups so that data can be restored without paying.
Risk Assessment Framework (RAF)
A risk assessment framework, or RAF, is a set of best practices and guidelines used to identify, analyze, prioritize and handle the security risks faced by an organization's information systems and the data they hold. Such a program is generally established to determine which areas carry low or high risk so that the organization can act to prevent future attacks or abuses. Its findings should be communicated in a way that is understood by both technical and non-technical decision makers.
In simple terms, risk exposure measures the potential loss a company may experience from a future event or activity. Companies often rank risks by multiplying the probability of an event occurring by the loss it would cause if it did, giving an expected loss for each risk. This allows them to set aside those deemed minor and have a plan in place for the more consequential ones.
Risk Management or Assessment
As its name states, risk management is the process by which a company identifies potential risks to its financial wellbeing, assesses them and puts in place specific policies or procedures to either reduce or eliminate those risks.
Risks, of course, come in all shapes and sizes. Market fluctuations, compliance, security and fraud, competition, operational hazards, interest rate fluctuations and debt, and reputational issues such as lawsuits, poor reviews and customer dissatisfaction, to list a few, can all pose a risk to a company. Being fully aware of these risks and proactively tackling them by putting in motion a plan to curtail or eliminate them is essential to any company's survival and success.
Transparency, in this case financial transparency, means the practice of making as much financial information as possible accessible and available to the government, investors, consumers and civil society as a whole. In other words, it means that a company has nothing to hide and is willing to share its financial records and practices with regulators and other interested parties. This includes, for example, disclosing to customers all the fees, interest rates and penalties involved in the opening of a bank account or when making a specific investment.
Values are the core beliefs an individual or company holds that define how they behave and act in personal and professional settings. They generally determine what is right and fair, as well as what is of worth and importance to their existence and role in society.
A whistleblower is a person who, generally while working for a company, opts to disclose the company’s wrongdoings to someone higher up in the company or the public. These wrongdoings could include fraud, bribery, sexual harassment, tax evasion, money laundering, etc. More specifically, an internal whistleblower will reveal these wrongdoings to the human resource department, senior manager or CEO, while an external whistleblower might go straight to the media, police or regulators.