A cultural guide to GRC
CoreStream offers a set of considerations when implementing or refining a practice, be it integrated governance, risk & compliance (GRC) or a single risk or compliance area, with the primary aim of fostering the right culture. There isn’t a one-size-fits-all approach to effective GRC, but there are common threads that will have a significant impact on the likelihood of success.
This article was published in the November 2013 edition of the Operational Risk and Regulation Magazine and is available as a PDF download: CoreStream – Fostering a GRC Culture.
To discuss this article, anything else GRC related or to arrange a demonstration of our latest version of the CoreStream Platform which now includes a flexible, user friendly workflow engine, please contact CoreStream on firstname.lastname@example.org or 020 7100 4378.
How CoreStream achieved ISO27001 certification in just 6 weeks (Casestudy by The British Assessment Bureau)
The fast track to ISO 27001: How CoreStream achieved certification in just 6 weeks (Casestudy by The British Assessment Bureau)
CoreStream recently achieved ISO 27001 certification with BAB. Very much a natural step for the company, CoreStream themselves provide software products based around Governance, Risk and Compliance (GRC). Here, we talk to Richard Eddolls who was responsible for implementing the information security management standard, learning how their GRC Platform helped them achieve certification in just 6 weeks.
Identifying an opportunity in the market for a solution that helps organisations cope with increasing regulatory and ethical obligations, CoreStream developed their GRC Platform to help customers clearly document and manage their policies, risks, processes and controls. ISO 27001, therefore, gave CoreStream an opportunity to walk the talk, whilst certification would give the added credibility from being checked by a third-party. Moreover, they would gain insight from using their software as one of their own clients would.
Initially, CoreStream were visited by BAB for their Stage 1 audit. This visit is intended to establish what organisations already have in place, leaving the client with a Gap Analysis and an action plan to move forward with. Richard Eddolls at CoreStream explained how their preparation began;
“The Stage 1 visit from BAB showed us what deficiencies we had when it came to meeting ISO 27001’s requirements. Whilst we had much in place already, there were some tweaks here and there which would clearly lead to improvements. It was then we used our software, which gave us the functionality to record non-conformities and set actions. It meant nothing could be missed, so we could approach our formal Stage 2 audit with confidence.”
Any thriving business will suffer from growing pains at some stage. As a result, knowing who does what, when and how can become difficult, which is when issues can creep in. These could be from small problems that affect efficiency, to more serious problems that will ultimately upset clients and damage reputation. CoreStream take their reputation seriously so this was a big driver for them.
A successfully implemented management system such as ISO 27001 gives back confidence, minimising mistakes and the associated re-work from addressing them. No wonder then, at a time when there are regular information security blunders hitting the headlines, ISO 27001 has grown in popularity.
Once ready, it was time for CoreStream to be visited again by an auditor, this time for the formal Stage 2 audit. Richard shared his thoughts;
“Despite a number of us working in risk and compliance for several years, we were a little nervous about being the focal point of an audit ourselves. We needn’t have been concerned. As with the Stage 1 audit, the auditors were incredibly helpful and went beyond merely looking for non-conformities by discussing with us ways in which we might improve our management system. Our GRC platform also made the audit process more efficient, being able to access a single system containing all our policies, processes, risks and controls.”
Successfully achieving certification ISO 27001 first time round without any issues was testament to Richard, his colleagues and, of course, their GRC Platform. He explained how CoreStream were keeping on top of things moving forward;
“As our Information Security Management System (ISMS) has matured, our platform is used to build a policy library, providing a permission-controlled online repository for all interested (and authorised) parties to access. Our risk assessment programme is also managed by our platform, supporting the identification, categorisation and scoring of risks to information security. Simply put, the people that need access, can access the right things with a clear picture of where we are overall; it saves us an enormous amount of time.”
“Fully populated, our platform now supports our operational ISMS. Audit assessments, issue and remedial action management and policy and processes reviews are all conducted using a single platform, avoiding the complexity of using disparate systems. Our Senior Leadership team is able to monitor performance of our ISMS via a reporting dashboard which provides real-time information on the state of compliance at any point in time. In addition, all business processes documented in the system are now ready for reuse, effectively accelerating the management of other internal or regulatory requirements.”
The elimination of needless duplication will stand CoreStream in good stead, as they’re planning to implement other ISO standards – which all share a common structure – in the future.
“Implementing ISO 27001 with our platform was a great way of practicing what we preach! Better yet, it helped us achieve certification from scratch in only 6 weeks. Now, we’re delighted to be able to show our clients that we meet an internationally recognized standard; hopefully reminding them that they made the right choice in choosing us.
From an internal point of view, we can now take on the other standards safe in the knowledge that the impact of doing so is reduced. Our longer-term aim is to ensure that all controls implemented within our business (possibly as a result of regulation or legislation) are documented and assessed in the same way, increasing the value of having a single, collaborative system.”
CoreStream are offering a free demonstration to fellow BAB clients of their GRC platform to show how it can save time and hassle in managing ISO certification and other regulatory or ethical requirements. You can contact CoreStream directly on 020 7100 4378 or email email@example.com.
Effective Enterprise Risk Management
Another interesting article from Guy Carpenter on effective enterprise risk management (ERM). It is primarily focused on the insurance industry but a number of the suggestions apply to other industries.
Interestingly from our perspective, there is no specific reference to risk management software or any form of technology solution. Whilst we do not profess that technology is the solution (it is more of an enabler), it is an important one none-the-less. Selecting the right technology for the scope intended is critical to ensuring that it is adopted effectively, satisfies requirements and is not a drain on ERM budgets without delivering the intended benefits.
Six ways Risk Management Software expands risk assessment coverage
This article is actually more focused on managing risks associated with vendors but the principles apply to other forms of risk and provides a succinct outline of the benefits of moving from a predmoinantly manual (perhaps Excel) based approach to a partially automated approach utlising risk management software.
View the full article here.
SFO brings first Bribery Act charges in bio fuels fraud case
The Serious Fraud Office has brought its first charges against individuals accused of violating the UK Bribery Act.
The full article is available here (without subscription):
This charge highlights the need to ensure that Governance, Risk Management and Compliance programmes have implemented sufficient controls to demonstrate every effort is being made to avoid similar breaches.
Deloitte survey concludes that financial institutions are placing more emphasis on risk management
An interesting article summarising the results of a survey run by our former colleagues at Deloitte. In short, the survey concludes that the majority of financial institutions are investing more heavily in governance, risk and compliance activity and that boards are devoting more time to reviewing risk.
Interesting to note that one of the key areas of concern for organisations is the technology used to support risk management. Less than 25% of institutions rate their technology systems as extremely or very effective.
Centralised GRC or integrated silos?
An interesting article here which considers if the trend is to centralise GRC teams and technologies or focus on integrating existing silos. Where common taxonomy and ways of working can be adopted, the business case to focus on centralised GRC (even if just for technology and resource cost savings) is a clear one though not without its challenges. Depending on the specifics of any given situation though, it may be better to invest in a central GRC technology capable of supporting all risk and compliance functions than it is to spend money integrating (and therefore needing to continue supporting and maintaining) legacy applications.
Corestream to obtain ISO Accreditation for Data and Information Security
CoreStream is pleased to announce that it is on track to reach formal ISO27001 accreditation. Data security sits at the heart of our culture and underpins all of our software products. The recent appointment of the British Assessment Bureau (BAB) to conduct a detailed independent audit is the final step in reaching accreditation and underscores CoreStream’s recognition of the importance of data security.
Our hosting partner, Memset, already hold ISO27001 and our accreditation will ensure that the end to end provisioning of our technology (from design and development through to hosting) will adhere to industry best practice in relation to information security.
CoreStream and Memset announce partnership
CoreStream is pleased to announce a strategic partnership with Memset, a UK based, industry leading provider of hosting services. This announcement follows 2 years of working closely together, formalising an already established relationship.
Memset are responsible for hosting our suite of cloud based products, providing expertly designed and configured architecture, ensuring that data is stored securely, performance is impressive and the costs are competitive. Memset are also carbon neutral and therefore in line with our commitment to reduce our environmental impact.
Five essential elements of a compliance programme
Extremely interesting and well written article on the five essential elements of a corporate compliance programme.
The theme running throughout is that it is important for any programme to be joined up and preferably benefit from being managed centrally. It is common for compliance activity within many organisations to be triggered by some form of failure in a certain area of the business. In response, new policies and controls, new processes and new systems are implemented to address the issue, leading to many disparate silos of compliance activity. This approach is inefficient but also doesn’t lend itself to the proactive management of compliance obligations.