cmlgroup - what is grc?

GRCaaS Governance Risk Compliance as a Service GRC Automation Simplified

Upload: cml-group

Posted on 20-May-2015


DESCRIPTION

The presentation sheds light on the concept of GRC (Governance, Risk and Compliance). Features associated with GRC, such as its history, its impact on businesses and its types, are covered here. The topics covered are:

1. How was GRC developed?
2. What exactly is GRC?
3. The role of GRC in ISMS
4. Impact of GRC
5. Types of GRC
6. The role of IT-GRC in IT-RMC
7. IT-GRC Foundation
8. Why deploy an IT-GRC Management System?

TRANSCRIPT

Page 1: CMLGroup - What is GRC?

GRCaaS

Governance Risk Compliance as a Service

GRC Automation Simplified

Page 2

Agenda

• How was GRC developed?

• What exactly is GRC?

• The role of GRC in ISMS

• Impact of GRC

• Types of GRC

• The role of IT-GRC in IT-RMC

• IT-GRC Foundation

• Why deploy an IT-GRC Management System?

Page 3

How was GRC developed?

The GRC framework was developed as a consequence of well-known public events such as the Enron scandal in October 2001, which eventually led to the bankruptcy of Enron Corp.

This was followed by the dissolution of Arthur Andersen, one of the largest audit and accounting partnerships in the world.

In addition to being the largest bankruptcy reorganization in American history at the time, Enron was regarded as the biggest audit failure.

Page 4

How was GRC developed?

Because of the scandal, new regulations and legislation were enacted to improve the accuracy of financial reporting for public companies.

One piece of legislation, Sarbanes-Oxley Act, increased penalties for destroying, altering, or fabricating records in federal investigations or for attempting to defraud shareholders

The act also increased the accountability of auditing firms to remain unbiased and independent of their clients

Page 5

What is GRC

GRC Definition: Governance, Risk and Compliance is an integrated approach used by corporations to act in accordance with the guidelines set for each category.

GRC is not a single activity, but rather a firm-wide approach to achieving high standards in all three overlapping categories.

Page 6

What is GRC

IT-GRC specific key capabilities

• Controls and policy library

• Policy distribution and response

• IT Controls self-assessment and measurement

• IT Asset repository

• Remediation and exception management

• Vendors Management

• Reporting

• Advanced IT risk evaluation and compliance dashboards

Page 7

The role of GRC

The business impact

• 70% to 80% of market value comes from hard-to-assess intangible assets such as brand equity, intellectual capital and goodwill

• Organizations are especially vulnerable to incidents that may damage their reputations, oftentimes with unforeseen consequences

Page 8

The role of GRC

From an Ernst & Young survey of 137 global institutional investors:

• 82% will pay a premium for companies that demonstrate successful risk management

• 61% will not invest where there is evidence of poor risk management

• 41% would withdraw investment where there is a perceived lack of appropriate risk management

Page 9

IT-GRC in ISMS (Information Security Management Systems)

[Diagram: ISMS at the centre, surrounded by Internal effectiveness, Customer confidence, External security risks, and Compliance & regulations]

ISMS: an overall management system based on a risk approach to establish, implement, operate, monitor, review and improve information security.

Page 10

Impact of GRC

• Emergence of new regulatory compliance requirements

• Alteration of the corporate governance landscape

• Organizations are held accountable for accuracy and integrity in their business operations

• Effective and reliable governance and compliance procedures are the need of the hour

Page 11

Types of GRC: eGRC compared with IT-GRC

Focus
  eGRC: Enterprise
  IT-GRC: Only IT

Content
  eGRC: Supplied by customer
  IT-GRC: Prepopulated

Deployment type
  eGRC: Lengthy - large number of variables
  IT-GRC: Short - well-defined framework

Controls
  eGRC: Financial control & labor standards, regulatory compliance, business processes, import and export laws, health and safety, security, infrastructure, and much more
  IT-GRC: IT security systems and applications, vulnerability, configuration management, change management, IT risk management, IT regulatory compliance, and more

Success rate
  eGRC: Low - due to complexity and lack of buy-in from key stakeholders
  IT-GRC: Very high - due to its focus and defined SOW, stakeholder support, and measurable KPIs and KRIs

Page 12

Resetting IT-GRC definition at Gartner

IT-GRC is essentially the enterprise GRC function focused on IT-specific needs.

For the last two years, IT-GRC has started to bifurcate into:

• IT-related GRC functions

• Security operations functions

Page 13

IT-GRC at Gartner

Page 14

The role of IT-GRC in IT-RMC

IT-GRC specific key capabilities

• Controls and policy library

• Policy distribution and response

• IT Controls self-assessment and measurement

• IT Asset repository

• Remediation and exception management

• Vendors Management

• Reporting, Scorecards, Dashboard

• Advanced IT risk evaluation and compliance dashboards

Page 15

Why GRC

Step One - Define Policies and Compliance

o Map Policies & Regulation to controls

o Identify Assets and Vendors

o Identify Risk Profile

Step Two - Measure: Test Controls

o Create customized Assessments

o Measure inherent Risk & Compliance

o Measure Policy training effectiveness

o Test Vendor Risk

Step Three - Manage: Manage Risk & Compliance

o Create interactive real time GRC Dashboards for mobile devices

o Demonstrate Compliance

o Manage Incidents, Threats and Vulnerabilities

GRC is a centralized and cohesive system which incorporates:

• Internal Audits

• External Regulatory Compliance

• Risk Management

Page 16

Why deploy an IT-GRC Management System?

• Better management of workflow as compared to the hassle of using spreadsheets or auditor-provided software

• Because different groups in the organization are looking for audit and risk compliance management solutions

• Effective management of compliance obligations to avoid chaos, difficulties and confusion

• Improves reporting and dashboarding

• Holistic view of risk management and compliance activities

• Supports rationalization of compliance and risk management activities across the platform

Page 17

CMLgroup GRCaaS

Contact us today to discuss your IT-GRC requirements
