A regulatory framework is an authority document falling under any of following categories: regulations (rules of law that, if not followed, can result in penalties), guidelines, standards, best practices.

A policy framework represents internal documents issued by the Organization, such as code of conducts, standard security measures and similar.

A control directive is an interpretation of the law and contributes to the enforcement of any regulation article your organization has to comply with.

A risk is a hazard of greater or lesser probability to which an organization is exposed.

A risk type defines a risk typology standardized within the context of an organization.

A business policy is a directive whose purpose is to govern or guide the company. A business policy serves as the basis for defining business rules and governing corporate processes. A business policy is always under the control of the company. It allows to control, guide and formalize the strategies and tactics of the company.