GRACE IT - Governance, Risk & Compliance (GRC)

Information Technology has become the backbone of all business delivery and is therefore a critical factor in the success of the enterprise. Any failure in IT exposes the organization to a range of risks, including fines for non-compliance, legal action, reputational damage and the operational risk of being unable to conduct business.

Setting up the IT standards, policies and procedures for IT applications and IT processes in the organization, and closely evaluating them for adherence and exceptions, is key to ensuring that operational risks from IT do not become risks to the business. These include security management, ensuring no unauthorized access from within or outside the organization, records management, business continuity and disaster management, application release management, configuration management, and ensuring that all hardware and software in the organization is managed. It also includes vendor due diligence prior to engagement and ongoing monitoring to ensure that vendors do not create risk through failures in their applications, hardware, data or business continuity.

Reflecting the importance of IT in business, the industry now demands SAS 70 Certification of all service providers. SAS 70 is an internationally recognized third-party assurance audit designed for service organizations. It has become the most widely accepted compliance initiative that provides service organizations a benchmark against which to compare their internal controls and processes with industry best practices. Statement on Auditing Standards No. 70 (SAS 70) was originally created in 1992 and over the past five to ten years has become globally recognized as one of the highest forms of third-party assurance.

SAS 70 Certification is being sought from every service provider, be they prime brokers, custodians or fund administrators in the financial services industry, pharma companies or IT infrastructure providers. GRACE IT-GRC helps you build the framework of policies and procedures, keep track of your hardware, networking and application infrastructure, and ensure that the defined processes are adhered to by conducting periodic risk assessments, internal controls monitoring and audits. GRACE IT-GRC not only helps you attain SAS 70 Certification but also maintain the same high level of customer service and business continuity and build your reputation as a reliable service provider.

GRACE IT-GRC, with its SaaS (Software as a Service) model, helps you quickly put together a continuous due diligence, assessment and monitoring process for all of these IT processes, enabling you to identify problem areas and take remedial action as part of business as usual. It enables you to build assurance in your own processes and in the service provider's capability to continue providing adequate service during a contingency. IT GRC comes with ITIL (IT Infrastructure Library) best practice suggestions.

GRACE IT-GRC helps you build a standardized, comprehensive and up-to-date process that yields auditable information for the SAS 70 certification process.

Be able to conduct operational due diligence of service provider activities in a standardized way and see risk trends early

Always have current copies of your books and records as well as the business continuity plans of each vendor

Have the latest copy of all the contracts and service level agreements in one place

Have a well-defined, agreed policy and procedure between the service provider and your organization that can prevent violations by the vendor

Be able to identify non-compliance, operational and business continuity risks early and ensure risk is mitigated without affecting your organization

Be operationally efficient by managing service provider processes, risk and compliance information centrally. Having them spread across multiple Excel files, documents and paper trails makes the process inefficient and labor-intensive to retrieve and produce for audit

Help senior management be confident that there is no business continuity risk from vendors

An up-to-date and integrated view of risks in service provider processes can protect your fund from non-compliance violations, faulty vendor business processes and business continuity issues. This allows you to focus on the key risks quickly

Early identification and control reduce the cost of mitigation

Be able to search and retrieve information with the least time and cost for audits and assessments

Have better internal control, regulatory compliance and enhanced predictability

Build ownership, responsibility and accountability for risk and its management

Institutionalize the risk management process

Retain the knowledge in the enterprise rather than losing it when key people leave

Policies & Procedures

A repository of policy and procedure definitions where you can add, update, review and release policies, procedures and disclosures
Version histories are kept, and the latest policy and procedure organization is always accessible

Organized inventory of your IT assets

An up-to-date IT inventory of hardware, software, applications, networks, firewalls, switches, databases, licenses and service level agreements ensures that you have a complete record of all your assets in one central place

Assessments & Audits

Calendar for procedure and vendor assessments and audits
Standardized audit and assessment checklists
Manage the assessment and audit planning and review process
Monitor the progress of assessment and audit execution and collect deliverables when ready through project and task reporting
Record findings, do impact analysis, identify the risks arising from the findings and establish a process for risk mitigation
Monitor the tasks and costs of the risk mitigation process till closure
Task reporting for mitigation tasks, and project reporting to monitor the progress of mitigation projects
Standardized risk scoring, review and risk reporting for each risk
A mechanism for building standardized checklists for audits and assessments that can be reused for each subsequent audit and adapted to suit the particular audit
Alerts on due dates, overdue items and late completions in activities and tasks

Internal Controls Management

Functions to define internal controls for recurring service-provider-related processes, e.g. release management, security management, configuration management, privacy of customer data, customer service, help desk, network management, etc.
A process for monitoring each internal control through test definitions, testing periodicity and reporting
A process for test issue reporting and review to bring issues and risks to light early
A process for creating mitigation strategies for the issues and risks identified and for monitoring mitigation progress
Information on all issues and trends in each internal control

Interface with operational reports

An interface to bring in reports from operational systems as well as exception reports, with a method to flag risks from them and escalate where necessary

Vendor Due Diligence

Conduct due diligence during service provider selection for process adherence, business continuity and other practices through comprehensive standardized checklists with BCP and disaster recovery questionnaires
Record all due diligence information and review the due diligence findings internally
Record all service provider details, contract documents and service level agreements, and updates to these documents
Record the reasons for selection or rejection of the vendor
Set up alerts for periodic due diligence of vendors to support ongoing process monitoring
Receive alerts and record the actions, comments, documents and risks identified from periodic monitoring, and review them internally
Record risks arising from monitoring and put mitigation, escalation and risk reporting mechanisms in place
A single place for all the information gathered on a vendor firm from an operational and business continuity perspective

The Dashboard

The dashboard brings together all information related to risk
It allows deep drill-down across due diligence, assessments and audits, internal controls and the tasks associated with managing each risk, and reports on mitigation task status
Slice and dice information to bring different trends into view
Queries and reports that can be exported to Excel or PDF formats