Newsletter | Volume 1


A 10-point approach to creating your GRC management cycle


We all want GRC processes to be efficient and accurate. The first step, however, is to understand the business components of each individual GRC process and how it fits into the annual GRC management cycle. Without a coherent GRC approach for the business as a whole you will miss out on the benefits of GRC and simply comply in a check-the-box manner.

Companies continue to face a growing number of regulatory requirements covering all types of reporting: financial, compliance, risk management and IT security. As a result, the compliance (or related) function has an increasingly influential role in shaping the culture and internal controls of any organisation.

The reality is that any GRC landscape is constantly changing, and change management procedures must supplement the GRC processes. When a business tries to stay on top of new GRC regulations and trends, a GRC management cycle ensures that it keeps its processes up to date without losing sight of its GRC strategy. The opposite happens when no standard GRC management cycle is in place.

If you decide to follow industry practice and incorporate, embed and automate GRC, the first step is to take stock of each entity's, division's or business unit's role and responsibility in the company's compliance lifecycle: how it is implemented today, and how it aligns with the view of the business and with the view of internal or independent oversight and the regulator.

A GRC management cycle is the best way to mitigate GRC risk. However, the GRC business challenge and the compliance objectives need to be addressed before you can tackle the wider issue of mitigating operational GRC failures.

The first hurdle of the GRC management cycle is to understand the rules, thresholds and standards that apply to the GRC components of the business. The second is to interpret the risk appetite, mandates and rules and to create the right policies and procedures for the GRC functions and for each specific business process. The final part is monitoring and updating those policies and procedures to maintain adherence to the GRC management cycle.

If you do not have a structured, organised, embedded and integrated GRC approach, which most companies do not, we recommend that you take a few steps back and answer these basic questions:
  • Does a standard GRC cycle exist?
  • How well do we actually know the GRC management cycle?
  • Does every business unit follow the standard GRC cycle?

  1. Regulatory Reform
    • The GRC landscape has been a moving target since the crisis began in 2007-8 and is constantly evolving. Regulators and key industry stakeholders are working to create GRC processes designed to improve stability, reliability and investor confidence. Ongoing GRC reviews lead to a structured dialogue among all stakeholders in the GRC landscape, and this open discussion lays the foundation for further improvement in stakeholder engagement and investor confidence.
  2. Research & Review the GRC Best Practices
    • Be painstaking with the GRC research, both before and during the creation of the management cycle. Allow business units to develop or adopt the best practices that address the most significant mitigation issues, and determine the actual costs that the GRC process may incur.
  3. Receive Advisory Inputs on GRC
    • The company's Board of Directors, senior and middle management, lawyers and accountants are the key GRC stakeholders who can influence the GRC management cycle by regularly taking the initiative or attending internal GRC workshops on developing the cycle. These stakeholders can provide value-added input. Send us an e-mail if you need a workshop agenda.
  4. Communication
    • Once the GRC process has been adopted, it is available to everyone: investors, regulators, shareholders and other stakeholders. Be open, transparent and accountable in disseminating the GRC services, and offer stakeholders the opportunity to be notified in real time about GRC process updates. To ensure smooth dissemination, stakeholders must be involved from the initial research stage and throughout the creation process; this mitigates the risk of a weak GRC management cycle.
  5. The GRC Logistics and Infrastructure
    • Working through the four steps above will surface several GRC logistics and infrastructure issues and provide insight with business context. One of the main responsibilities of the GRC management cycle is to mitigate risk, and that requires a business-centric view of most security issues. The cycle must embrace a holistic, enterprise-wide approach that streamlines and integrates risk, compliance, threat and vulnerability information. It should provide a business context for GRC IT decisions, keep the focus on policies and compliance, and use workflows to perform and document GRC remediation efforts. Efficient GRC processes also produce an effective audit trail for future reference.
  6. Stakeholder engagement
    • Stakeholder commitment is probably the real reason why companies need a strong GRC management cycle. There is no way to monitor the many GRC processes if they are not structured, embedded and monitored for compliance, and an effective GRC management cycle pays dividends right here. Even annoyed or unhappy shareholders, investors and other stakeholders will credit the board and management when disclosures and corporate data are transparent, accountable and certified by the oversight authorities. The outcome of that oversight can have a material impact on an organisation.
  7. Set & Monitor Internal GRC Control Measures
    • The GRC management cycle must take into account all key GRC risks. The next control is to ensure that appropriate actions are established to address these risks, covering business, accounting and non-accounting controls. The GRC management cycle has its own set of internal controls and measures.
    • GRC procedures act as an umbrella over the existing controls and processes, ensuring that GRC internal control measures are in place and that the GRC standards are applied to those processes.
  8. Monitoring & Oversight
    • Even with internal procedures enforced, advisory input received and regulatory requirements met, updates and improvements will still be needed. The GRC management cycle must review the current monitoring and oversight processes before new procedures are created.
  9. Compliance Enhancement
    • Once the GRC management cycle has been tabled, weighed and approved by all stakeholders, it is integrated with the new rules and regulations. Aim to strengthen investor and stakeholder confidence by increasing GRC integrity and by meeting the constant stakeholder demand to be trained and informed.
  10. Internal Self Evaluation & Change
    • With new rules and regulations applied, business units must reflect on their internal processes and modify them as required. From here the cycle continues, providing a structured framework for GRC management. With an effective GRC management cycle in place, businesses can demonstrate that they are compliant and can also pinpoint where manual processes can be automated.