GRCaaS
Governance Risk Compliance as a Service
GRC Automation Simplified
Agenda
• How was GRC developed?
• What exactly is GRC?
• The role of GRC in ISMS
• Impact of GRC
• Types of GRC
• The role of IT-GRC in IT-RMC
• IT-GRC Foundation
• Why deploy an IT-GRC management system?
How was GRC developed?
The GRC framework grew out of well-known public events such as the
Enron scandal, which broke in October 2001 and ended in the bankruptcy
of Enron Corp.
It was followed by the dissolution of Arthur Andersen, one of the
largest audit and accounting partnerships in the world.
Besides being the largest bankruptcy reorganization in American history
at the time, Enron is regarded as the biggest audit failure.
How was GRC developed?
Because of the scandal, new regulations and legislation were enacted
to improve the accuracy of financial reporting by public companies.
One piece of legislation, the Sarbanes-Oxley Act (2002), increased
penalties for destroying, altering or fabricating records in federal
investigations and for attempting to defraud shareholders.
The act also increased the accountability of auditing firms, requiring
them to remain unbiased and independent of their clients.
What is GRC
GRC Definition
Governance, Risk and Compliance is an integrated approach that
corporations use to act in accordance with the requirements set for
each of the three categories.
GRC is not a single activity but a firm-wide approach to
achieving high standards in all three overlapping categories.
What is GRC
IT-GRC-specific key capabilities
• Controls and policy library
• Policy distribution and response
• IT Controls self-assessment and measurement
• IT Asset repository
• Remediation and exception management
• Vendors Management
• Reporting
• Advanced IT risk evaluation and compliance dashboards
The role of GRC
The business impact
• 70% to 80% of market value comes from hard-to-assess
intangible assets such as brand equity, intellectual capital and
goodwill
• Organizations are especially vulnerable to incidents that may
damage their reputations, oftentimes with unforeseen
consequences
The role of GRC
From Ernst & Young survey of 137 Global
Institutional Investors:
• 82% will pay a premium for companies that demonstrate
successful risk management
• 61% will not invest where there is evidence of poor risk
management
• 41% would withdraw investment where there is a
perceived lack of appropriate risk management
IT-GRC in ISMS
Information Security Management Systems
[Diagram: ISMS at the centre, balancing internal effectiveness,
customer confidence, external security risks, and compliance and
regulations]
An ISMS is the overall management system, based on a risk approach, used to
establish, implement, operate, monitor, review and improve information security.
Impact of GRC
• Emergence of new regulatory compliance requirements
• Changes in the corporate governance landscape
• Organizations are held accountable for the accuracy and
integrity of their business operations
• Effective and reliable governance and compliance
procedures are now a necessity
Types of GRC
                  eGRC                                    IT-GRC
Focus             Enterprise                              IT only
Content           Supplied by customer                    Prepopulated
Deployment type   Lengthy: large number of variables      Short: well-defined framework
Controls          Financial controls and labor            IT security systems and applications:
                  standards: regulatory compliance,       vulnerability, configuration management,
                  business processes, import and export   change management, IT risk management,
                  laws, health and safety, security,      IT regulatory compliance, and more
                  infrastructure, and much more
Success rate      Low, due to complexity and lack of      Very high, due to its narrow focus, a
                  buy-in from key stakeholders            defined SOW, stakeholder support and
                                                          measurable KPIs and KRIs
Resetting IT-GRC definition at Gartner
IT-GRC is essentially the enterprise GRC functions focused on
IT-specific needs.
Over the last two years, IT-GRC has started to bifurcate into:
• IT-related GRC functions
• Security operations functions
IT-GRC at Gartner
The role of IT-GRC in IT-RMC
IT-GRC-specific key capabilities
• Controls and policy library
• Policy distribution and response
• IT Controls self-assessment and measurement
• IT Asset repository
• Remediation and exception management
• Vendors Management
• Reporting, Scorecards, Dashboard
• Advanced IT risk evaluation and compliance dashboards
Why GRC
Step One - Define
Policies and Compliance
o Map Policies & Regulation to controls
o Identify Assets and Vendors
o Identify Risk Profile
Step Two - Measure
Test Controls
o Create customized Assessments
o Measure inherent Risk & Compliance
o Measure Policy training effectiveness
o Test Vendor Risk
Step Three - Manage
Manage Risk & Compliance
o Create interactive real time GRC
Dashboards for mobile devices
o Demonstrate Compliance
o Manage Incidents, Threats and
Vulnerabilities
GRC is a centralized and cohesive system which incorporates:
• Internal Audits
• External Regulatory Compliance
• Risk Management
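The Define / Measure / Manage loop above, worked through as an added example (this is not CMLgroup's code or any vendor's product): a small Python control library maps controls to regulation clauses, runs automated control tests against an asset repository, honours approved exceptions that carry an expiry date, and computes per-regulation compliance and the KRIs a dashboard would show. All asset data, control IDs, regulation clause labels (such as SOX-404 or ISMS-LOG), thresholds and the as-of date are constructed assumptions.

```python
"""Added example: a minimal IT-GRC automation loop (Define -> Measure -> Manage).

Constructed data throughout; control IDs, regulation clause labels, asset names
and thresholds are illustrative assumptions, not any vendor's library.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable

AS_OF = date(2024, 12, 1)   # fixed "as-of" date (assumed) so the run is reproducible


@dataclass(frozen=True)
class Control:
    cid: str
    title: str
    regulations: tuple[str, ...]                # policy/regulation clauses this control satisfies
    test: Callable[[dict], tuple[bool, str]]    # automated test -> (passed, evidence)


@dataclass(frozen=True)
class RiskException:
    control_id: str
    asset: str
    expires: date
    reason: str


# --- Step One: Define -------------------------------------------------------
# Constructed asset repository (a real one would be fed from a CMDB or scanner).
ASSETS = {
    "fin-db-01": {"owner": "finance", "vendor": "acme-hosting", "logging": True,  "min_pw_len": 8,  "days_since_patch": 12},
    "hr-app-02": {"owner": "hr",      "vendor": "acme-hosting", "logging": False, "min_pw_len": 14, "days_since_patch": 95},
    "web-01":    {"owner": "it",      "vendor": "in-house",     "logging": True,  "min_pw_len": 12, "days_since_patch": 3},
}


def _logging_enabled(a): return a["logging"], f"logging={a['logging']}"
def _pw_length(a):       return a["min_pw_len"] >= 12, f"min_pw_len={a['min_pw_len']} (>=12 required)"
def _patch_age(a):       return a["days_since_patch"] <= 30, f"days_since_patch={a['days_since_patch']} (<=30 required)"


# Control library mapped to regulation clauses (clause labels are placeholders).
CONTROLS = [
    Control("LOG-1",   "Security event logging enabled", ("SOX-404", "ISMS-LOG"),  _logging_enabled),
    Control("PW-1",    "Password minimum length 12",     ("ISMS-AC",),             _pw_length),
    Control("PATCH-1", "Patches applied within 30 days", ("SOX-404", "ISMS-VULN"), _patch_age),
]

# Approved exceptions: a risk the business accepted, always with an expiry date.
EXCEPTIONS = [
    RiskException("PATCH-1", "hr-app-02", date(2025, 1, 31), "vendor migration in progress"),
    RiskException("PW-1",    "fin-db-01", date(2024, 6, 30), "legacy auth module"),  # already expired
]


# --- Step Two: Measure ------------------------------------------------------
def measure(assets, controls, exceptions, today):
    """Run every control test on every asset; return one finding per (control, asset).

    status is "pass", "excepted" (failed but covered by an unexpired exception) or "fail".
    An expired exception gives no cover, which is how stale exceptions surface as findings.
    """
    active = {(e.control_id, e.asset) for e in exceptions if e.expires >= today}
    findings = []
    for c in controls:
        for name, attrs in assets.items():
            passed, evidence = c.test(attrs)
            status = "pass" if passed else ("excepted" if (c.cid, name) in active else "fail")
            findings.append({"control": c.cid, "asset": name, "status": status, "evidence": evidence})
    return findings


def compliance_by_regulation(findings, controls):
    """Percent of checks per regulation clause that pass or carry an approved exception."""
    regs_of = {c.cid: c.regulations for c in controls}
    totals, ok = {}, {}
    for f in findings:
        for reg in regs_of[f["control"]]:
            totals[reg] = totals.get(reg, 0) + 1
            ok[reg] = ok.get(reg, 0) + (f["status"] in ("pass", "excepted"))
    return {reg: round(100 * ok[reg] / totals[reg], 1) for reg in sorted(totals)}


# --- Step Three: Manage -----------------------------------------------------
def key_risk_indicators(findings, exceptions, today):
    """Numbers a GRC dashboard would track: open findings, accepted risks, exceptions to renew."""
    return {
        "open_findings": sum(f["status"] == "fail" for f in findings),
        "accepted_risks": sum(f["status"] == "excepted" for f in findings),
        "expired_exceptions": sum(e.expires < today for e in exceptions),
    }


def open_findings(findings):
    """Remediation queue: failing checks together with the evidence that failed them."""
    return [f for f in findings if f["status"] == "fail"]


if __name__ == "__main__":
    findings = measure(ASSETS, CONTROLS, EXCEPTIONS, AS_OF)
    for reg, pct in compliance_by_regulation(findings, CONTROLS).items():
        print(f"{reg:10s} {pct:5.1f}% compliant")
    print(key_risk_indicators(findings, EXCEPTIONS, AS_OF))
    for f in open_findings(findings):
        print(f"REMEDIATE {f['control']} on {f['asset']}: {f['evidence']}")
```

The design point worth keeping from this toy: an exception is tied to a single control and asset and to an expiry date, and once it expires the check reverts to a plain failure. That way an accepted risk that nobody renewed shows up in the open-findings count and in the expired-exceptions KRI instead of staying silently "compliant" on the dashboard.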
Why deploy an IT-GRC management system?
• Better workflow management than the hassle of spreadsheets or
auditor-provided software
• Different groups in the organization are already looking for
audit, risk and compliance management solutions
• Effective management of compliance obligations, avoiding chaos,
difficulty and confusion
• Improved reporting and dashboards
• A holistic view of risk management and compliance activities
• Rationalization of compliance and risk management activities
on a single platform
CMLgroup GRCaaS
Contact us today to discuss your
IT-GRC requirements
+ 1 646 827-2291
www.cmlgroup.com
Info@cmlgroup.com