This article contains a list of terms that are used throughout the 6clicks platform including their corresponding definitions.




Action – A task identified to be performed by a user to address or manage a risk, issue, or incident. Actions can be in the form of control responsibilities, issue actions, or risk treatment plan actions.

Assessment – The process of collecting and analyzing information related to potential impacts on an organization's technical and business operations.

Assessment template – A collection of predetermined sets of questions that can be used within an assessment.

Attestation – A technique used internally within an organization to assess the effectiveness of risk management and control processes by a control owner.

Authority A standard, law, or regulation applicable to your organization, including industry standards, guidelines, and federal, state, or local laws developed by an external organization, as well as internal compliance requirements.


Breach – A type of issue or incident involving a failure to comply with or non-adherence to an authority.


Control –  A measure or mechanism established to manage inherent risk, encompassing processes, policies, reviews, training, and approvals. Controls can be administrative, technical, or legal in nature.

Control set – A collection of controls associated with specific responsibilities implemented to comply with a standard, law, or regulation, or manage risk.

Corrective action – A specific type of action implemented to address the root cause of identified risks, issues, or incidents in order to eliminate non-conformities and close compliance gaps.


Detective control – A control designed to recognize occurrences or changes in circumstances that may affect operations and alert management when they occur.

Domain – An area within an organization, project, or system where potential risks exist and need to be identified, analyzed, and managed.


Impact – Damage, either financial or non-financial, caused by an incident. 

Incident – Any event that disrupts or has the potential to disrupt normal business operations, compromise the security or integrity of data, or violate company policies or regulations. 

Inherent risk – The risk level or exposure that exists before any actions, such as the implementation of controls, are taken to mitigate the risk.

Issue – A problem identified in the organization that requires investigation, remediation activities, or preventative measures to be taken.


Likelihood – The probability that a risk event will occur during the period being assessed.


Metric – A quantifiable measurement or indicator used to assess, track, and evaluate performance, progress, or effectiveness within an organization. 


Near Miss – An event where the standard control environment fails to detect or prevent an incident from occurring, but the potential impact was prevented or did not result as predicted.


Playbook – A list of required steps and actions to successfully respond to a scenario such as an incident.

Policy – A collection of principles, guidelines, or frameworks that are adopted or designed by an organization to achieve its long-term goals.

Preventative control – A control designed to prevent an issue, error, fraud, or other event from occurring.

Project – A set of coordinated activities, tasks, and resources aimed at achieving specific objectives within defined scope, quality, time, and cost constraints.

Provision – A detailed breakdown of the clause and requirements outlined and defined by a standard, law, or regulation (authority) including any applicable attributes.


Question-Based Assessment (QBA) – A review conducted to assess various aspects of operations within an organization using a structured set of questions designed to gather specific information.


Register – An official list or record set up and used to manage sets of data for an organization such as assets, risks, issues, and other related data sets. 

Requirement-Based Assessment (RBA) – A review conducted to assess various aspects of operations within an organization based on its compliance with specific provisions in an authority.

Residual risk – The potential risk that remains after all applicable controls or mitigation measures have been implemented.

Respondent – A subscriber, who can be either an internal or external (third-party) user, capable of receiving notifications for tasks or actions to be performed on the platform.

Responsibility – A duty or obligation linked to controls and assigned to individuals or groups to ensure the implementation or completion of specific actions or tasks.  Responsibilities can be one-off or recurring tasks.

Risk – A measure of the likelihood that unplanned events on an organization’s operations will occur and impact the achievement of strategy and business objectives.

Risk appetite – A target level of loss exposure that the organization views as acceptable, given business objectives and resources.

Risk event – A specific occurrence or incident that has the potential to impact the objectives or operations of an organization. A risk event is often associated with the realization of a particular risk or threat.

Risk libraries – A collection of pre-defined risks that can be considered relevant to an organization, project, or system through a risk review.

Risk matrix – A tool used to provide a visual representation of the relationship between the likelihood and potential impact of a particular risk.

Risk rating – Overall weighting of a risk which is based on a combination of the likelihood and impact of the risk to the organization.

Risk review – A mechanism used on a frequent basis to re-evaluate an organization's risk environment, risk events, and their relative likelihood and impact.

Risk tolerance – The degree of variance from the organization’s risk appetite that the organization is willing to tolerate.

Risk treatment plan – A set of corrective actions identified and implemented by an organization to prevent, accept, mitigate, or transfer risks.

Risk workflow – A predefined sequence of activities established by an organization to guide the systematic identification, assessment, treatment, and management of risks throughout their lifecycle.


Task – An actionable item assigned to a user that has been created in the platform.

Third-party – An external entity, such as a supplier, vendor, or service provider, with whom an organization has an agreement to deliver goods, services, or support directly to the organization or its customers.

Trust Portal – An online portal for sharing self-assessments and policies with external stakeholders.


Vulnerability – A weakness or flaw within an organization's systems, infrastructure, or operations that could be exploited by threat actors and lead to potential harm, loss, or damage to assets, data, or operations.