GRC Fundamental

The document discusses Governance, Risk, and Compliance (GRC). GRC involves setting rules through governance, ensuring correct controls are in place through risk management, and adhering to policies through compliance. It helps organizations address compliance obligations while also running the business effectively. GRC seeks to automate compliance, risk management, and policy enforcement as much as possible to allow the processes to evolve with changing business and regulatory needs.

Uploaded by: Ankur Garg
Copyright: © All Rights Reserved

GRC Fundamentals

What is GRC?

GRC stands for Governance, Risk Management and Compliance.

Governance:
• The culture, policies, processes, laws and institutions that define the structure by which companies are directed and managed.
• Governance = Setting the rules

Risk Management:
• The process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions, going beyond which creates an unacceptable potential for loss.
• Risk = Ensuring the correct controls are in place and functioning

Compliance:
• The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements or from external laws, regulations, standards and agreements.

Confidential
In a nutshell:

GRC helps organizations effectively put policies and controls in place to address all their compliance obligations, while at the same time gathering information that helps proactively run the business.

GRC makes you do things the right way, keeps track of what every individual does in any department of the organization, and raises an alert when things go off track.

GRC seeks to create a system and culture so that compliance with external regulations, enforcement of internal policies and risk management are automated as much as possible and can evolve in an orderly fashion as business and compliance needs change.

Present Enterprise Challenges

• Rapid Digital Transformation
• Growing Digital Risk
• Rising cost of global compliance
• Greater Reliance on 3rd and 4th Parties
• Pandemics
• Increasing Reputational Risk
• Disengaged Employees
• Disconnected tools, systems and processes

More than ¾ of companies running GRC tools have implemented multiple GRC solutions, covering various verticals in their organization.
GRC Approach to Overcome Challenges

GRC Program elements:

• Hierarchy Structure: Establish a consistent hierarchy structure to enable effective management of GRC
• Governance Model: Establish strong governance and accountability for GRC processes
• Process Structure: Standardize and streamline processes across the enterprise to achieve optimization
• Risk Management Methodology: Establish a common Risk Management methodology to standardize risk assessment & reporting across the enterprise
• Standardized Reporting: Identify enterprise-wide reporting requirements & standardize reports to enable effective decision making
• Common Control Framework: Establish an integrated control framework to address various regulatory and internal control requirements
GRC Benefits

• Manage: Manage the life cycle of corporate and IT policies
• Comply: Comply with regulations in the most efficient way
• Visualize: Visualize and communicate risk at all levels of the business
• Investigate: Investigate and resolve cyber and physical incidents
• Centralize: Centralize business continuity and disaster recovery planning
• Enable: Enable risk-based, business-aligned internal audit
Building Blocks of GRC

• Risk
• Compliance
• Audit
What is Risk Management?

• Risk is an uncertain event that may have a positive or negative impact on the project.
• Risk Management is the process of identifying and mitigating risk.
Risk Management Process

1. Plan Risk Management
2. Identify Risk
3. Qualitative Risk Analysis
4. Quantitative Risk Analysis
5. Plan Risk Response
6. Monitor and Control Risk
Risk Management Benefits

• Effective use of resources
• Promoting continuous improvement
• Fewer shocks and failures
• Strategic business planning
• Raised awareness of significant risks
• Quick grasp of new opportunities
• Enhancing communication
• Reassuring stakeholders
• Recognition of responsibility and accountability
What is Compliance?

• Compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations.
• Compliance ensures that an organization has the processes and internal controls to meet the requirements imposed by governmental bodies, regulators, industry mandates or internal policies.
Compliance Program

• Document Policy and Risk
• Define and Document Controls
• Control Monitoring Process
• Assess Effectiveness of Controls
• Remediate Issues
• Compliance Score Generation
• Compliance Reporting
• Disclosure and Certification of Compliance
Compliance Benefits

• Reduce legal issues
• Risk reduction
• Improve operation and safety
• Increase business reputation
• Business strategy alignment
• Quick grasp of new opportunities
• Compliance enhances consistency
• Reduce unforced errors
• Driver of change and innovation
What is Audit?

Audit is an independent review and examination of records and activities to assess the adequacy of controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

Audit life cycle (figure): Plan, Check, Act
Steps of an Audit

1. Planning
2. Testing
3. Reporting
Objectives of Audit

• Improve data integrity
• Safeguarding of assets
• Improved system effectiveness
• Improved system efficiency
GRC Success Journey

01 Performance: GRC ensures productivity at its best.
02 Build Quality: GRC helps to maintain a desired level of excellence.
03 Agility: GRC helps to adapt, change quickly, and succeed in a rapidly changing environment for better ROI.
04 Return on Investment: Alignment with strategic objectives of the organization.
05 Effective Strategies: Strategies intended to optimize resources.
06 Timely Implementation: GRC ensures implementation of recommendations on set schedule.
Q&A
