
Terms and Definitions

The terms and definitions presented below were used in the book Risk Management in Property Security and in the Total-Risk risk assessment method. It is recommended to consult the ABNT ISO GUIA 73 and ABNT NBR ISO 31000 standards, which served as references for the development of this list. The definitions contained herein are not intended to settle or exhaust the themes covered in the book, but rather to serve as a starting point for new, more complete and more adequate definitions to be developed in the future.

1 - External environment or external context: Characteristics and information related to the external environment of the reference system under study; the context in which the organization develops its activities and seeks to achieve its objectives. Concretely, it includes streets, neighborhoods, cities and countries. In an abstract way, it involves culture, customs, society, politics, laws, the economy and technological maturity.

2 - Internal environment or internal context: Environment in which the reference system is inserted. Concretely, it involves the entire physical and logical structure of the organization; in an abstract way, it involves people, organizational culture, internal processes, activities developed in the organization, organizational structure, functions, responsibilities, policies, strategies, objectives, information systems and decision-making processes (formal and informal).

3 - Threat: Any announcement, act, indication, circumstance, danger or event with the potential to harm, frighten, cause damage, generate losses or negative consequences, or create uncertainty about the organization's objectives. The threat is one of the components of risk. In ABNT ISO GUIDE 73:2009, the terms "source of risk" and "event" have meanings close to the one used in this book for threat.

4 - Risk analysis: Activity intrinsic to the risk assessment process, aimed at explaining how risk is present in a given reference system (organization). It occurs after the identification of risks and provides the data needed for the next step, the assessment of the actual risks. It is at this stage that the risk and its variables (threat, vulnerability, probability, impact and controls) are quantified and qualified, providing reliable estimates for risk assessment. The estimates produced during the risk analysis will serve as a benchmark for future risk assessments.

5 - Asset: The assets and rights that the company holds at a given moment. An asset can be any equipment, infrastructure, material, information, tangible or intangible good, or activity that has value for its owner. For didactic purposes, we classify assets into three categories: physical assets (examples: car, computer, building, etc.); immaterial assets (examples: information and image); and intellectual assets (examples: employees and people who work directly in the organization's processes).

6 - Risk assessment: Process of comparing the results of the risk analysis with the risk criteria to determine whether the risk or its magnitude is acceptable or tolerable. Risk assessment should positively assist in the decision-making process regarding the implementation or adequacy of controls (risk treatment).

7 - BIA (Business Impact Analysis): The business impact analysis aims to identify, map and analyze the critical processes of the organization (including the necessary resources), the extent of any damages, the evolution of the impact over time (hours, days and weeks of inactivity) and the losses resulting from the disruption of business processes.

8 - Actuarial sciences: Area of knowledge that supports the calculation of the value of insurance, pensions, retirement plans, etc. It has its conceptual basis in sciences such as economics, accounting, mathematics, administration and finance.

9 - Communication: Act, effect or process of transmitting and receiving messages in an uninterrupted and structured way. It must be interactive and bidirectional. In security, it aims to provide, share or obtain data, reports and information of interest to management activities. The information may refer to context, threats, vulnerabilities, consequences, nature, probability, assessment, acceptability, controls, treatment or other aspects of security management. It must support decisions through influence, not through the imposition of power. The components of communication are: senders, receivers, messages, propagation channel, means of communication, response and the environment in which the communicative process takes place. The communication process suffers interference from noise, interpretation, understanding and context.

10 - Consequence: Result perceived after the materialization of a risk. It is the perceived impact after a threat exploits the organization's vulnerability. Negative or positive effect of an event that affects the organization's objectives. An event can generate more than one consequence and a consequence can generate one or more events. The consequences can be expressed both quantitatively and qualitatively. The term impact can also be used.

11 - Crisis: Distressing situation, serious moment, dangerous situation, serious difficulties. A crisis may bring consequences, the need for rapid adaptation and imbalance in the organization or its processes. The evolution of a crisis can bring benefits or losses to the organization, depending on the speed, effectiveness and efficiency of the response. Every crisis necessarily leads to increased vulnerability and greater exposure to threats, and requires the ability to adapt and react. In the field of psychology, in particular developmental psychology, the concept of crisis is explained as any situation of biological, psychological or social change that requires additional effort from the person or group to maintain balance or emotional stability. It corresponds to moments in the life of a person or group when there is a rupture in their psychic homeostasis and a loss or change of the usual stabilizing elements.

12 - Risk criteria: Reference used as a parameter for the risk assessment process in an organization. To define the risk criteria, the organization's critical success factors, its objectives, the internal context and the external context are taken into account. The risk criteria may be influenced by organizational culture, the culture of the country or region, standards, policies and laws, among other factors.

13 - Decision maker or client decision maker: In this work we use this terminology to refer to the president, CEO, responsible executive or simply the client who contracts the consultancy service or security project. We are referring to the organization's professional responsible for contracting security services and for deciding which actions should be taken in response to the information obtained through risk assessment. Usually, this professional will also be the holder or owner of the assessed risks.

14 - Risk treatment strategy: The organization's approach to assessing risks and, where needed, defining forms of treatment to modify them by adapting existing controls or implementing new ones. The organization's possible responses to a risk are: accept (take), share, finance (act on the consequence), move away from, or avoid the risk. Other nomenclatures exist on the market for these possible attitudes towards risk. Seeking and retaining risk are also possible attitudes, although rarely seen in property security. The risk treatment process may involve one of the following actions or a combination of them: changing the probability, changing the impact, controlling the threat or resizing the vulnerabilities. The risk treatment strategy can also be referred to as risk mitigation, risk prevention or attitude towards risk.

15 - Security management structure: Set of processes, people and activities that provide the organizational basis for studies, projects, implementation, monitoring, critical analysis and continuous improvement of security management throughout the organization. The basis of the structure includes the strategy, objectives, policies, resources involved, responsibilities, processes and activities. The security management structure must be present in all areas, processes, activities and locations of the organization.

16 - Event or risk event: Occurrence, absence of occurrence or change in a specific set of circumstances, with or without impact on the organization. A risk event can have many causes from different sources, generated by the following factors: human (from human action or omission, direct or indirect, voluntary or involuntary); natural (from natural phenomena); technical (due to failure or inadequate use of equipment, tools or instruments); and biological (caused by animals or microorganisms).

17 - Critical success factors: Critical success factors (FCS, from the Portuguese acronym) are criteria that can define the success or failure of one or more objectives set in the strategic planning of a given organization. The FCS can be understood as the distinguishing points in the definition of the strategies the organization will adopt and of what it needs in order to satisfy the customer through these factors. FCS are identified through a study of the organization's own objectives, or of objectives derived from them, and are established as fundamental conditions to be fulfilled for the institution to survive and prosper. When properly defined, the FCS become references for the organization's activities.

18 - Crisis management: Atypical activity aimed at identifying, obtaining and implementing specific processes and strategic resources for resolving a crisis. It establishes the actions and responsibilities for conducting the process. It must be developed in advance and revised regularly to remain effective and to avoid consequences that may arise from risk events intrinsic to the organization's activities. It is characterized by a state of great tension, with a high probability of worsening and an unfolding and extent that are difficult to predict.

19 - Risk management: Coordinated actions or processes to direct and control a company or organization with regard to risk. It can also be described as security risk management, to designate objectively which part of the organization's risks will be managed.

20 - Risk identification: Structured and coordinated activity that aims to recognize, locate, point out, understand, name, distinguish and differentiate the risks of an organization and their components (threat, vulnerability, probability, impact and controls). The risk identification process may involve (but is not limited to) observations, interviews and supporting tests (experiments).

21 - Impact: The same as consequence: the result of a risk event that affects the organization's objectives. Impact is one of the components of risk.

22 - Financial impact: Conversion into monetary values, and sum, of all direct (or intrinsic) and indirect (or subjective) consequences arising from the materialization of a risk or group of risks.

23 - Inspection: Act or effect of inspecting.

24 - Security manual: Set of rules, regulations and security procedures grouped in the same notebook, folder, book or computer file, organized in an order determined by the person responsible for compliance, with the objective of disciplining the execution of security activities within the microprocesses and in the organization's macroprocess.

25 - Method: In science, a method consists of a series of codified steps to be followed in a more or less structured way in order to achieve specific scientific goals. We can understand method as: a manner of saying, doing or teaching something according to certain principles and in a certain order; a manner of acting; a rational search for explanations (the Cartesian method). Synonyms of method: arrangement, manner, order, process and system. For the purposes of this work, we use working method, or simply method, to denote the way in which a consulting activity is organized, structured and developed.

26 - Methodology: It should be noted that the word methodology is often used when the word method would be more appropriate. In relation to a particular discipline or field of study, the term methodology covers the following concepts: a collection of theories, concepts and ideas; the comparative study of different approaches or methods; and the critique of an individual method. Methodology is the study of methods. It aims to capture and analyze the characteristics of the various methods, evaluate their capabilities, potential, limitations or distortions, and criticize the assumptions or implications of their use. Besides being the discipline that studies methods, a methodology is a thorough, detailed, rigorous and exact explanation of every action carried out along the method (path) of the research work.

27 - Modus operandi: Latin expression meaning "mode of operation". It denotes the way of acting or performing an activity, usually carried out in the same way, which makes it possible to identify who performed it.

28 - Security standards: Regulate and provide security procedures according to mandatory guidelines applicable to an organization. They can be grouped by theme or by related subjects, organized in an order determined by the organization according to their applicability.

29 - Organization: For the purposes of this study, we consider as an organization any private or public entity, community, association, group of people or even an individual, without limitation of sector or area of activity.

30 - Business continuity plan: From the English Business Continuity Plan (BCP), established by ABNT NBR 15999 Part 1; the preventive development of a set of strategies, action plans and activities aimed at ensuring that essential services are identified and preserved after a disaster occurs, until the return to normality. The business continuity plan is the responsibility of the organization's directors. It consists of the following plans: contingency plan; crisis management plan (PAC); disaster recovery plan (PRD); and operational continuity plan (PCO). These plans aim to formalize the actions to be taken in times of crisis, recovery, continuity and resumption, preventing the organization's critical business processes from being affected and causing financial losses.

31 - Security management plan: Form, manner, sequence of activities within the security management structure that specifies the approach, management components and the human, technical and organizational resources to be used to manage security against the risks identified in the organization. The plan can include rules, procedures, controls, activities, actions, practices, assignments, responsibilities, steps to be followed, chronology of activities and can be applied to part of a process, department, physical structure or the entire organization.

32 - Disaster recovery plan (PRD; in English, Disaster Recovery Plan, DRP): Documented process indicating the responsibilities and actions to be taken to recover an organization's critical services and processes after extreme events that cause a total or partial stop of its activities and processes. It aims to return to normality in the shortest time, minimizing consequences that could lead to the disappearance of the organization. The planning consists of several phases and may include the following steps: initial planning of activities; vulnerability assessment and definition of the requirements of the organization or project; identification, analysis and evaluation of business consequences; detailing of the consequences in different scenarios; development of the plan itself; plan simulation; plan maintenance and update; and deployment.

33 - Emergency plan: Systematization of a set of logical, technical and administrative rules and procedures, structured to minimize or avoid the consequences of predictable disasters such as fire. Through efficient management of the available resources, it provides a quick and effective response. It aims to protect life, the environment and the organization's assets, as well as to contribute to business continuity. It provides technical and operational information about the physical structure of the organization and its critical areas.

34 - Security management policy: Declaration by the organization containing its intentions and general guidelines regarding the risks involved in its activities and how they will be treated by the security management structure.

35 - Assumptions or context: Identification and establishment of the internal and external risk variables related to a reference system (organization). They are usually identified and defined through field surveys, interviews, research and various investigations. They are necessary to establish the scope of the security management work and the risk criteria that will be used in the risk assessment process.

36 - Probability: The possibility or chance that something (an uncertain or known event) will occur, regardless of whether it can be measured, defined or determined. When related to risk, probability can be described and defined in an objective or subjective way, qualitatively or quantitatively, using general or mathematical terms. In mathematical terms, probability varies between 0 (impossible to occur) and 1 (certainty that it will occur). Probability is one of the components of risk. Depending on the context, the word probability can appear as possibility, viability, expectation, risk, uncertainty, doubt, assumption, luck, hope or bad luck.

37 - Security procedures: Manner of acting, sequence of actions or instructions to be followed to solve problems and perform tasks related to security.

38 - Risk assessment process: Complete and comprehensive process that involves the identification, analysis and assessment of the risks of a reference system (organization). It is part of an organization's security management process.

39 - Risk management process: A structured process that extends the risk assessment process to allow management activity. For a complete understanding, consult ABNT ISO GUIDE 73:2009.

40 - Security management process: Systematic application of policies, standards, procedures and administrative practices to the security management activities of the organization. It also involves risk management activities.

41 - Decision-making process: Cognitive process by which a strategy and a set of actions are chosen from several options, based on risk assessments, scenarios, environments, opinions, studies and other factors. The decision-making process must produce a final choice; that is, decision-making is the process of choosing the most appropriate path for the company in a given circumstance.

42 - Project: The word project comes from the Latin projectum, from the Latin verb proicere, "before an action", which in turn comes from pro-, denoting precedence, something that comes before anything else in time (in parallel with the Greek πρό), and iacere, "to do". Therefore, the word "project" originally meant "before an action". The main characteristics of projects are: they are temporary, with a defined beginning and end; they are planned, executed and controlled; they deliver unique products, services or results; they are developed in stages and continue incrementally, with progressive elaboration; they are performed by people; and they have limited resources. The PMBOK Guide, a guide on project management, is widely recognized as good practice and used as a basis by the Project Management Institute (PMI). This same guide identifies five recurring process groups in project management: initiation; planning; execution; monitoring and control; and closing. Ten areas are managed in projects: integration; scope; costs; quality; acquisitions; human resources; communications; risk; time; and stakeholders. In this work, we refer to a project as any activity developed by the consultant with the following main characteristics: it is temporary, with a defined beginning and end; it is planned, executed and controlled; it delivers a service or only a result; it is developed in stages; and it has defined and controlled resources.

43 - Protect: Defend, preserve, shelter or safeguard people, goods, information and image from the risk event. Protection is often related to containing the threat or reducing an existing vulnerability.

44 - Security resources or security controls: All activities, practices, actions, processes, procedures, equipment, technologies, standards, policies or measures capable of modifying the organization's risks. Didactically, security resources are divided into human, technical and organizational. They aim to protect the organization's assets and people from threats by reducing vulnerabilities or probability, or by limiting undesirable consequences.

45 - Impact reduction: Control of the extent of the consequences that a given risk can produce.

46 - Risk: Effect (positive or negative) of uncertainty on objectives, which can cause deviations. The variables of risk are: threat, vulnerability, probability, impact and controls. Risk is intrinsic to human activities and can only be eliminated completely when the corresponding activity (or activities) is ended. Risks can be classified in different ways and according to different criteria. One of the most used ways to determine the magnitude or level of a risk considers the combination of impact (consequence) and probability.

47 - Residual risk: A risk cannot be eliminated without also eliminating the activity involved. Therefore, the treatment of any risk, with the purpose of bringing it to levels accepted by the organization, presupposes residual risk. Any risk remaining after proper treatment can be considered residual risk or retained risk.
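The definitions of risk (46), residual risk (47), risk assessment (6) and risk treatment strategy (14) describe one computation: combine probability and impact to obtain a risk level, compare it with the risk criteria, apply controls that change probability or impact, and read off the residual risk. The following Python script is an added example written for this glossary; it is not code from the book or from the Total-Risk method. The 1 to 5 ordinal scales, the product rule, the acceptable/tolerable/unacceptable thresholds and the sample warehouse risk are all constructed assumptions chosen for illustration.

```python
"""Worked risk-level and residual-risk calculation (added example, not the book's method)."""
from dataclasses import dataclass, field

# Constructed ordinal scales (assumption): each label maps to a score of 1..5.
PROBABILITY_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Constructed risk criteria (assumption): upper bounds on the probability x impact
# product, checked in order. Anything above the last bound is unacceptable.
RISK_CRITERIA = [(4, "acceptable"), (12, "tolerable")]


@dataclass
class Control:
    """A security control that modifies probability, impact or both (item 14)."""
    name: str
    probability_reduction: int = 0  # how many scale steps the control lowers probability
    impact_reduction: int = 0       # how many scale steps the control lowers impact


@dataclass
class Risk:
    """One identified risk with its components: asset, threat, vulnerability, probability, impact, controls."""
    asset: str
    threat: str
    vulnerability: str
    probability: str
    impact: str
    controls: list = field(default_factory=list)


def risk_level(probability_score: int, impact_score: int) -> int:
    """Magnitude of a risk as the combination of probability and impact (item 46)."""
    return probability_score * impact_score


def classify(level: int) -> str:
    """Compare a risk level with the risk criteria (item 6)."""
    for upper_bound, label in RISK_CRITERIA:
        if level <= upper_bound:
            return label
    return "unacceptable"


def inherent_level(risk: Risk) -> int:
    """Risk level before any control is applied."""
    return risk_level(PROBABILITY_SCALE[risk.probability], IMPACT_SCALE[risk.impact])


def residual_level(risk: Risk) -> int:
    """Risk level after controls. Scores never drop below 1, so some risk always
    remains unless the activity itself is ended (item 47)."""
    p = PROBABILITY_SCALE[risk.probability]
    i = IMPACT_SCALE[risk.impact]
    for control in risk.controls:
        p = max(1, p - control.probability_reduction)
        i = max(1, i - control.impact_reduction)
    return risk_level(p, i)


def assess(risk: Risk) -> dict:
    """Full assessment: inherent level, residual level and their classification."""
    inherent = inherent_level(risk)
    residual = residual_level(risk)
    return {
        "asset": risk.asset,
        "threat": risk.threat,
        "inherent_level": inherent,
        "inherent_class": classify(inherent),
        "residual_level": residual,
        "residual_class": classify(residual),
    }


# Constructed sample risk (assumption): a physical asset exposed to theft through an
# unmonitored loading dock, treated with two preventive controls and one financing control.
SAMPLE_RISK = Risk(
    asset="warehouse stock",
    threat="theft",
    vulnerability="unmonitored loading dock",
    probability="likely",
    impact="major",
    controls=[
        Control("monitored CCTV on the dock", probability_reduction=1),
        Control("access control at the dock gate", probability_reduction=1),
        Control("stock insurance (financing the consequence)", impact_reduction=2),
    ],
)

if __name__ == "__main__":
    result = assess(SAMPLE_RISK)
    for key, value in result.items():
        print(f"{key:>15}: {value}")
```

For the sample risk the inherent level is 4 x 4 = 16 (unacceptable under the constructed criteria); after the three controls it falls to 2 x 2 = 4 (acceptable), and the remaining 4 is the residual risk the organization retains. Multiplying ordinal scores is a widespread convention rather than a mathematical necessity; the thresholds in RISK_CRITERIA are the risk criteria of item 12 and must come from the organization's objectives and context, not from the script.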

48 - Security: State, quality or condition of what is perceived as safe, free from danger, secure, protected. Perception, sensation or feeling of being protected from risks, dangers, losses, threats or consequences. The feeling of security can be perceived differently by stakeholders within the same project, department or organization.

49 - Corporate security: Also known as institutional security, business security or organizational security. It aims to address risk events and their variables (threat, vulnerability, probability, impact and controls) through processes that involve human, technical and organizational resources, in order to reduce uncertainty about the organization's objectives. It protects people, goods, information, image and the environment. It uses appropriate techniques, seeking a balance between investment, protection and risk level, always focusing on the organization's objectives and its critical success factors.

50 - Sensation of insecurity (or perception of risk): Perception, sensation, vision or feeling that something may happen, producing consequences different from those expected. Increase in the negative effect of uncertainty on the organization's objectives.

51 - Sinister: A materialized occurrence that impacts, causes damage, injury, loss, suffering or death. The sinister is the result of one or more events with negative consequences (examples: fire, accident, theft, burglary, etc.) for the organization or person.

52 - Reference system (SR): For the purposes of this study, we consider as the reference system all or part of a private or public entity, community, association, group of people or individual. The didactic difference between the definitions of organization and reference system is that the latter may be limited to an installation, person, process, project, asset, fraction, part or activity of an organization. The SR is the object, or objective, for which the risk assessment is developed.

53 - SLA (service level agreement): Agreement on the level of service provided, used for effective control of the quality of that service. It can refer to a single process or to the entire organization.

54 - Vulnerability: intrinsic characteristics of an organization, process, activity or object resulting in susceptibility to one or more threats that can lead to a sinister (or accident) with an impact. Weakness, predisposition or weaknesses intrinsic to an organization, structure or equipment resulting in susceptibility to a threat (source of risk), allowing access to goods or people, which may cause consequences, damage or loss (impact). Different organizations have different exposure levels for the same vulnerabilities. Vulnerability is one of the components of risk.