Managing Governance, Risk and Compliance in Servicely

Managing Governance, Risk, and Compliance is crucial for modern businesses. In this demo of Servicely's GRC solution, we'll show you how you can easily manage GRC from a single Enterprise Service Management platform, and leverage AI and intelligent automation to make GRC a breeze.

Video Transcript

In this video, we'll see how Servicely's GRC solution can provide a holistic view of the governance, risk, and compliance disciplines throughout the enterprise. The first thing you'll notice in the menu on the left is that we've got three different areas: governance, risk, and compliance. Compliance refers to the obligations that we need to adhere to as an organization. Compliance frameworks, if you like, are the elements that support these obligations. For instance, we have an obligation here, which can be a law, a regulation, a standard, or a policy, and there's a set of related procedures that covers it as well. We also have controls in place under that particular procedure, and we can see whether the control is auditable, its frequency, the type of control, the source of assurance, and the related records across the whole GRC framework: procedures, risks, and practices, any particular control tasks that need to be put in place, control attestations, and integrated risk management for projects and changes, which can easily be extended to incidents and problems as well.

In Servicely, compliance obligations relate to frameworks. This means there will be a supporting framework in place where we can see what type of framework we're talking about: is it maturity-based, rule-based, policy-based, or procedure-based? We have the objectives and goals, the scope and boundaries, and the underlying domains. Domains have capabilities, and in here we can see that we have various capabilities supporting this particular domain on security. We can come in and see the particular domain and capability, and the related practices as well. For example, we have a practice here, incident protection, and what we see is that at all levels we're tracking maturity levels, both the desired state and the as-is state. We can see all the way down at the practice level what we're doing, and we have relationships to both controls and risks. Everything in Servicely is interrelated, meaning our governance frameworks, compliance obligations, and risks are all related.

In this case, we can open up the risk—unmonitored email security risks—which matches the risk menu that we have here on the left. The supporting workflow shows us how we manage and deal with risks, where everything is automated and put into context through a structured process. We have our compliance status, financial impact, scope, risk statement, drivers, and appetite. We have the current assessment of the risk level, the target we want to achieve, our response to that particular risk, and the remaining risk once we've completed our efforts. Of course, we can also retire the risk, relate it to both practices and procedures, and put plans in place to help sort out a particular issue. We have the link to the compliance world with the relevant controls in place, and we measure this particular risk with a traffic light that indicates whether or not we are breaching the risk level, or the desired risk level we aim to achieve.

Managing risks, compliance, and governance would not be complete without a reporting overview. That's where My GRC comes into play. My GRC provides a decision dashboard that helps us, from a strategic perspective, understand the different frameworks we have and the current state of the obligations we're trying to adhere to. We have our risks in terms of their relationship to compliance, and our current risk landscape with an interactive heat map to see the relevant risks according to likelihood and impact. We can see our risks according to compliance levels, our target risk picture regarding desired residual risks, and the controls needing auditing, with their frequency and how we are currently doing from a risk perspective. Here, we have a traffic-light approach that immediately tells us, from a key risk indicator perspective, what we have measured weekly, monthly, and quarterly. From here, we can understand our current risk landscape.

On the opposite side, we have the framework maturity level. We're monitoring SOC 2 and ISO 27001, and the desired risk states compared to our as-is landscape. Here, we can identify the gap between the different frameworks and do that down to the domain, practice, and capability level. We want to see equal-sized bars for each of the domains under control, each practice, and each capability. All of these can be reused, given the flexible relational data model across different frameworks and compliance disciplines. This ensures that any practice that matches multiple frameworks can be reused, and that we have a structured approach to managing all the different requirements from a framework, obligation, and risk perspective in a holistic manner.
