Concepts GRC and Risk Management

In practice, jargon raises questions. We have therefore compiled a list of risk management concepts. Do you have further questions about risk management? Then contact us.

What is GRC software? What is a GRC tool?

GRC software is the collection of software that supports Governance, Risk and Compliance (GRC) activities. GRC is the integral set of capabilities that enables an organization to confidently achieve goals, address uncertainty, and act with integrity.

In addition to the GRC activities themselves, modern GRC software also supports performing audits, handling incidents and managing mitigation strategies such as insurance and contracts with third parties. A supplier of GRC software should of course also be certified itself, for example against the ISO 27001 standard.

Promotion holder
The person or organizational unit designated to implement the risk management measure, under the responsibility of the risk manager.

See action holder

See risk manager

Control measure
An activity that in any way aims to eliminate, avoid or minimize the cause or the effect of an unwanted event. See NARIS® Risk Management.

Gross risk
Risk assessed without control measures.

Corrective measure
A measure that aims to still achieve the intended objectives after an undesirable event has occurred.

Endogenous risk
A risk that can be influenced by, and is the responsibility of, one's own organization (seen from the perspective of the person reporting on it).

See consequence

See risk owner

ERM model or risk management model
A standard risk management model, for example COSO Enterprise Risk Management (integral), the ISO 31000 guidelines (integral), RISMAN (projects) or Management of Risk (M_o_R).

Exogenous risk
A risk whose influenceability and responsibility lie outside one's own organization (seen from the perspective of the person reporting on it).

Process supervisor
A person who supervises risk meetings.

Event
An occurrence that affects, or may affect, the achievement of the intended objectives.

Consequence
The effect resulting from the occurrence of a risk.

GRC framework
Governance, risk and compliance (GRC) is a model in which risks are linked to the governance and compliance activities of the organization, so that risk management is better integrated into the organization.

Initial risk
The assessment of the risk without the effects of control measures.

Perspectives for looking at a project in different ways, to aid in the identification of risks.

See consequence

See event

Internal control
Processes aimed at providing reasonable assurance about achieving objectives.

The likelihood of an event occurring, expressed as a value between 0 and 1.

Qualitative risk analysis
Risk analysis in which the risks are ranked in order of importance on the basis of a qualitative assessment.

Quantitative risk analysis
Risk analysis in which the magnitude of the likelihood and of the consequence of the risks and uncertainties are estimated quantitatively, that is, in numbers.

Mitigating measure

See control measure

Net risk
Risk assessed including control measures; also called residual risk.

Undesirable event
An event that has or may have a negative influence on the achievement of the intended objectives.

Undesirable top event
The event that is used in the risk analysis as the most undesirable event.

Unfamiliarity with the current and/or future situation.

Operational Risk Management
Operational risk refers to the risk that arises from the failure or inadequacy of internal processes, human and technical deficiencies, and unexpected external events. These risks are known, and what matters most is whether the control measures are actually operational.

  • Organization – An organized group of activities, resources and people working towards common goals.
  • Stakeholders – Groups and individuals whose interests are represented or influenced by the organization.
  • Governing body – Those accountable to stakeholders for the success of the organization.
  • Management – The individuals, teams and support functions designated to provide products and/or services to the organization's customers.
  • Internal audit