How big should the sample be?

It depends on control frequency. Daily controls typically require 25 samples; quarterly controls require 2.

Operations Dictionary

The reference library for operational risk, resilience, compliance, controls, vendor risk and process improvement terminology. Each entry pairs a clear definition with examples, best practices, common mistakes and related workbooks.

Audit

Issue Management

The structured tracking and remediation of audit, risk, and compliance issues.

Internal Audit

Independent assurance over governance, risk and control effectiveness.

Business Continuity

The capability to continue delivering products and services at acceptable levels following a disruption.

BIA (Business Impact Analysis)

A structured analysis of the impact a disruption would have on each critical business process.

RTO (Recovery Time Objective)

The maximum acceptable time to restore a process after disruption.

RPO (Recovery Point Objective)

The maximum acceptable data loss measured in time.

Compliance

Compliance Monitoring

Ongoing surveillance to ensure compliance with regulatory and policy obligations.

SOX (Sarbanes-Oxley)

US legislation requiring public companies to certify the effectiveness of internal controls over financial reporting.

Controls

Control Testing

Structured testing of a control's design and operating effectiveness.

ITGC (IT General Controls)

Controls over the IT environment that support the reliable operation of application controls.

COSO (Committee of Sponsoring Organizations)

The most widely used internal control framework — five components and seventeen principles.

Key Control

A control whose failure would result in a material risk being unmitigated.

Operational Risk

The risk of loss from inadequate or failed processes, people, systems, or external events.

KRI (Key Risk Indicator)

A forward-looking metric used to monitor changes in risk exposure.

RCSA (Risk and Control Self-Assessment)

A structured process where business lines assess their own risks and controls.

Three Lines of Defence

A risk governance model separating business ownership, oversight, and independent assurance.

Loss Event

A realised operational risk event that resulted in actual loss.

Operations

SOP (Standard Operating Procedure)

A documented, repeatable instruction for performing an operational task.

Incident Management

The structured response to operational incidents from detection through resolution and learning.

Service Level Agreement (SLA)

A contractual commitment between provider and customer on the level of service delivered.

Performance

KPI (Key Performance Indicator)

A quantifiable measure of performance against a strategic or operational objective.

Process Improvement

Root Cause Analysis

A structured method for identifying the underlying cause of an incident or defect.

Process Mapping

A visual and structural representation of how a process is performed end-to-end.

Resilience

Operational Resilience

The ability of a firm to deliver important business services through disruption.

Important Business Service (IBS)

A service whose disruption could cause intolerable harm to customers or the market.

Impact Tolerance

The maximum tolerable disruption to an Important Business Service before causing intolerable harm.

Vendor Risk

The risk to an organisation arising from its use of external vendors.

Third Party Risk

The risk arising from any external party that has access to data, systems, or critical processes.

Concentration Risk

The risk arising from over-reliance on a single vendor, system, geography or counterparty.