CMLGroup - What is GRC?

GRCaaS
Governance Risk Compliance as a Service
GRC Automation Simplified

Agenda
• How was GRC developed?
• What exactly is GRC?
• The role of GRC in ISMS
• Impact of GRC
• Types of GRC
• The role IT-GRC in IT-RMC
• IT-GRC Foundation
• Why to deploy IT-GRC Management System?

How was GRC developed?
GRC framework was developed as a consequence of well-known
public events such as Enron scandal in October 2001, eventually
lead the bankruptcy of the Enron Corp.
Followed by the dissolution of Arthur Andersen, one of the
largest audit and accounting partnerships in the world
In addition to begin the largest bankruptcy reorganization in
American history at the time, Enron attributed as the biggest
audit failure

How was GRC developed?
Because of the scandal, new regulations and legislation enacted
to expand the accuracy of financial reporting for public
companies
One piece of legislation, Sarbanes-Oxley Act, increased penalties
for destroying, altering, or fabricating records in federal
investigations or for attempting to defraud shareholders
The act also increased the accountability of auditing firms to
remain unbiased and independent of their clients

What is GRC
GRC Definition
Governance Risk Compliance is an integrated approach used by
corporations to act in accordance with the guidelines set for
each category
GRC is not a single activity, but rather a firm-wide approach to
achieving high standards in all three overlapping categories

What is GRC
IT-GRC specifics key capabilities
• Controls and policy library
• Policy distribution and response
• IT Controls self-assessment and measurement
• IT Asset repository
• Remediation and exception management
• Vendors Management
• Reporting
• Advanced IT risk evaluation and compliance dashboards

The role of GRC
The business impact
• 70% to 80% of market value comes from hard-to-assess
intangible assets such as brand equity, intellectual capital and
goodwill
• Organizations are especially vulnerable to incidents that may
damage their reputations, oftentimes with unforeseen
consequences

The role of GRC
From Ernst & Young survey of 137 Global
Institutional Investors:
• 82% will pay a premium for companies that demonstrate
successful risk management
• 61% will not invest where there is evidence of poor risk
management
• 41% would withdraw investment where there is a
perceived lack of appropriate risk management

IT-GRC in ISMS
Information Security Management Systems
Internal effectiveness
Customer
confidence
External security risks
Compliance
&
regulations
ISMS
ISMS overall management system based on a Risk approach to:
Establish, Implement, Operate, Monitor, Review and Improve Information Security

Impact of GRC
• Emergence of new regulatory compliances
• Alteration of corporate governance landscape
• Organizations are held accountable for accuracy and
integrity in their business operations
• Effective and reliable governance and compliance
procedures is the need of the hour

Types of GRC
eGRC IT-GRC
Focus Enterprise Only IT
Content supplied by Customer Prepopulated
Deployment type Lengthy - large number of variables Short - Well defined framework
Controls Financial Control & Labor
Standards
• Regulatory Compliance
• Business Processes
• Import and Export Laws
• Health and Safety
• Security
• Infrastructure
• and much more
IT security systems and applications
• Vulnerability
• Configuration management
• Change management
• IT-Risk management
• IT-Regulatory Compliance
• and more
Success rate Low - Due to complexity and lack
of buying from key stakeholders
Very high – Due to it focus and defined
SOW, stakeholders support and
measurable KPI and KRI

Resetting IT-GRC definition at Gartner
IT-GRC is essentially enterprise GRC functions focused on IT
specific needs
For the last two years, IT-GRC has started to bifurcate into:
• IT-related GRC functions
• Security operations functions

The role of IT-GRC in IT-RMC
IT-GRC specifics key capabilities
 Controls and policy library
 Policy distribution and response
 IT Controls self-assessment and measurement
 IT Asset repository
 Remediation and exception management
 Vendors Management
 Reporting, Scorecards, Dashboard
 Advanced IT risk evaluation and compliance dashboards

Why GRC
Step One - Define
Policies and Compliance
o Map Policies & Regulation to controls
o Identify Assets and Vendors
o Identify Risk Profile
Step Two - Measure
Test Controls
o Create customized Assessments
o Measure inherent Risk & Compliance
o Measure Policy training effectiveness
o Test Vendor Risk
Step Three - Manage
Manage Risk & Compliance
o Create interactive real time GRC
Dashboards for mobile devices
o Demonstrate Compliance
o Manage Incidents, Threats and
Vulnerabilities
GRC is a centralized and cohesive system which, incorporates:
• Internal Audits
• External Regulatory Compliance
• Risk Management

Why to deploy IT-GRC Management
System?
• Better management of workflow as compared to the hassle of
using spreadsheets or auditors provided software
• Because different groups in the organization are looking for
audit and risk compliance management solutions
• Effective management of compliances to avoid chaos,
difficulties and confusion
• Improves reporting and dashboarding
• Holistic view of risk management and compliance activities
• Supports rationalization of compliance and risk management
activities across the platform

CMLgroup GRCaaS
Contact us today to discuss your
IT-GRC requirements
+ 1 646 827-2291
www.cmlgroup.com
Info@cmlgroup.com

CMLGroup - What is GRC?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (11)

Similar to CMLGroup - What is GRC?

Similar to CMLGroup - What is GRC? (20)

Recently uploaded

Recently uploaded (20)

CMLGroup - What is GRC?