cmlgroup - what is grc?
DESCRIPTION
The presentation sheds light on the concept of GRC (Governance, Risk and Compliance). Aspects of GRC such as its history, its impact on businesses and its types are covered. Topics covered: 1. How was GRC developed? 2. What exactly is GRC? 3. The role of GRC in ISMS 4. Impact of GRC 5. Types of GRC 6. The role of IT-GRC in IT-RMC 7. IT-GRC Foundation 8. Why deploy an IT-GRC Management System?
TRANSCRIPT
GRCaaS
Governance Risk Compliance as a Service
GRC Automation Simplified
Agenda
• How was GRC developed?
• What exactly is GRC?
• The role of GRC in ISMS
• Impact of GRC
• Types of GRC
• The role of IT-GRC in IT-RMC
• IT-GRC Foundation
• Why deploy an IT-GRC Management System?
How was GRC developed?
The GRC framework was developed as a consequence of well-known public events such as the Enron scandal of October 2001, which eventually led to the bankruptcy of Enron Corp.
This was followed by the dissolution of Arthur Andersen, one of the largest audit and accounting partnerships in the world.
In addition to being the largest bankruptcy reorganization in American history at the time, Enron was regarded as the biggest audit failure.
How was GRC developed?
Because of the scandal, new regulations and legislation were enacted to improve the accuracy of financial reporting for public companies.
One piece of legislation, the Sarbanes-Oxley Act, increased penalties for destroying, altering, or fabricating records in federal investigations or for attempting to defraud shareholders.
The act also increased the accountability of auditing firms, requiring them to remain unbiased and independent of their clients.
What is GRC
GRC Definition: Governance, Risk and Compliance is an integrated approach used by corporations to act in accordance with the guidelines set for each category.
GRC is not a single activity, but rather a firm-wide approach to achieving high standards in all three overlapping categories.
What is GRC
IT-GRC specific key capabilities
• Controls and policy library
• Policy distribution and response
• IT Controls self-assessment and measurement
• IT Asset repository
• Remediation and exception management
• Vendor Management
• Reporting
• Advanced IT risk evaluation and compliance dashboards
The role of GRC
The business impact
• 70% to 80% of market value comes from hard-to-assess intangible assets such as brand equity, intellectual capital and goodwill
• Organizations are especially vulnerable to incidents that may damage their reputations, oftentimes with unforeseen consequences
The role of GRC
From Ernst & Young survey of 137 Global Institutional Investors:
• 82% will pay a premium for companies that demonstrate successful risk management
• 61% will not invest where there is evidence of poor risk management
• 41% would withdraw investment where there is a perceived lack of appropriate risk management
IT-GRC in ISMS (Information Security Management Systems)
[Diagram: ISMS at the centre, driven by Internal effectiveness, Customer confidence, External security risks, and Compliance & regulations]
ISMS: an overall management system, based on a risk approach, to establish, implement, operate, monitor, review and improve information security
Impact of GRC
• Emergence of new regulatory compliances
• Alteration of corporate governance landscape
• Organizations are held accountable for accuracy and integrity in their business operations
• Effective and reliable governance and compliance procedures are the need of the hour
Types of GRC
Comparison of eGRC and IT-GRC:
Focus: eGRC - Enterprise | IT-GRC - Only IT
Content: eGRC - Supplied by customer | IT-GRC - Prepopulated
Deployment type: eGRC - Lengthy, large number of variables | IT-GRC - Short, well-defined framework
Controls: eGRC - Financial control & labor standards, regulatory compliance, business processes, import and export laws, health and safety, security, infrastructure, and much more | IT-GRC - IT security systems and applications, vulnerability, configuration management, change management, IT-risk management, IT-regulatory compliance, and more
Success rate: eGRC - Low, due to complexity and lack of buy-in from key stakeholders | IT-GRC - Very high, due to its IT focus and defined SOW, stakeholder support, and measurable KPIs and KRIs
Resetting IT-GRC definition at Gartner
IT-GRC is essentially the enterprise GRC functions focused on IT-specific needs.
For the last two years, IT-GRC has started to bifurcate into:
• IT-related GRC functions
• Security operations functions
IT-GRC at Gartner
The role of IT-GRC in IT-RMC
IT-GRC specific key capabilities
• Controls and policy library
• Policy distribution and response
• IT Controls self-assessment and measurement
• IT Asset repository
• Remediation and exception management
• Vendor Management
• Reporting, Scorecards, Dashboards
• Advanced IT risk evaluation and compliance dashboards
Why GRC
Step One - Define: Policies and Compliance
o Map Policies & Regulation to controls
o Identify Assets and Vendors
o Identify Risk Profile
Step Two - Measure: Test Controls
o Create customized Assessments
o Measure inherent Risk & Compliance
o Measure Policy training effectiveness
o Test Vendor Risk
Step Three - Manage: Manage Risk & Compliance
o Create interactive real time GRC Dashboards for mobile devices
o Demonstrate Compliance
o Manage Incidents, Threats and Vulnerabilities
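The three steps above (map regulations to controls, assess the controls, report coverage and exceptions) as an added worked example; this is illustrative code written for this page, not the deck's or any vendor's product. The regulation names, control ids, assessment results and dates are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class Control:
    cid: str
    title: str
    regulations: set[str]                # regulations this control is mapped to
    status: str = "untested"             # untested | pass | fail
    exception_until: date | None = None  # expiry of an approved risk exception

def apply_assessment(controls: list[Control], results: dict[str, str]) -> None:
    """Step Two: record self-assessment outcomes keyed by control id."""
    for c in controls:
        c.status = results.get(c.cid, c.status)

def is_compliant(c: Control, today: date) -> bool:
    """Passing controls count; a failed control counts only while its documented
    exception is in force. Untested controls and expired exceptions are gaps."""
    if c.status == "pass":
        return True
    return c.status == "fail" and c.exception_until is not None and c.exception_until >= today

def scorecard(controls: list[Control], today: date) -> tuple[dict[str, int], list[str]]:
    """Step Three: per-regulation coverage (% of mapped controls compliant) and open gaps."""
    card = {}
    for reg in sorted({r for c in controls for r in c.regulations}):
        mapped = [c for c in controls if reg in c.regulations]
        card[reg] = round(100 * sum(is_compliant(c, today) for c in mapped) / len(mapped))
    gaps = sorted(c.cid for c in controls if not is_compliant(c, today))
    return card, gaps

SAMPLE_TODAY = date(2025, 6, 1)  # constructed assessment date

def build_sample() -> list[Control]:
    """Step One: constructed control library; one control may serve several regulations."""
    return [
        Control("AC-01", "MFA for remote access", {"SOX", "ISO27001"}),
        Control("CM-02", "Baseline configuration enforced", {"ISO27001"}),
        Control("VM-03", "Critical patches within 30 days", {"ISO27001", "PCI"},
                exception_until=date(2025, 12, 31)),  # approved, time-boxed exception
        Control("LG-04", "Audit logs retained 12 months", {"SOX", "PCI"}),
        Control("VN-05", "Annual vendor risk review", {"SOX"}),
    ]

def run_sample() -> tuple[dict[str, int], list[str]]:
    controls = build_sample()
    apply_assessment(controls, {"AC-01": "pass", "CM-02": "fail", "VM-03": "fail", "LG-04": "pass"})
    return scorecard(controls, SAMPLE_TODAY)  # -> ({'ISO27001': 67, 'PCI': 100, 'SOX': 67}, ['CM-02', 'VN-05'])
```

The gap list is what the remediation and exception management capability would queue, and the per-regulation percentages are the KPI a compliance dashboard would chart; note that VM-03 only counts because its exception has not yet expired.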
GRC is a centralized and cohesive system which incorporates:
• Internal Audits
• External Regulatory Compliance
• Risk Management
Why deploy an IT-GRC Management System?
• Better management of workflow compared to the hassle of using spreadsheets or auditor-provided software
• Because different groups in the organization are looking for audit and risk compliance management solutions
• Effective management of compliance obligations to avoid chaos, difficulties and confusion
• Improves reporting and dashboarding
• Holistic view of risk management and compliance activities
• Supports rationalization of compliance and risk management activities across the platform