Compliance
Compliance means abiding by the rules – from legal requirements to internal organizational guidelines.
Corporate Governance
Corporate governance is the control structure for business transactions and for relations within, between or by means of companies. This control matrix consists of the rules and organizational institutions used to manage and control a company. The rules can be formal or informal in nature: legal regulations and company-specific instructions, guidelines and procedures belong to the first category, while company culture and values belong to the second.
Data protection management software (DPMS)
Data protection management software (DPMS) supports companies and external data protection consultants regardless of the size or structure of the organization. The focus is on analyzing and optimizing work processes from a data protection perspective. With the help of integrated checklists, company processes are examined and evaluated in order to identify where data protection and data security can be improved.
EU General Data Protection Regulation (EU GDPR)
The EU General Data Protection Regulation (EU GDPR) is a modernized, updated version of the existing data protection regulations in the EU member states. It is designed to strengthen the rights of EU citizens with regard to their own data, specifically the rights of data subjects (the individuals affected by the processing).
Governance, Risk and Compliance (GRC)
GRC is an integrated collection of capabilities to reliably achieve goals, cope with uncertainty, and manage the business with integrity. Growing regulatory pressure, stricter transparency requirements placed on management by the owners, digitalization of business models, changing trends, increasing market volatility and the intrinsic motivation for traceable, transparent decisions are making enterprise management more complex than ever – especially in light of the growing expectations on efficiency. By establishing a comprehensive strategy for governance, risk and compliance, companies can face these challenges effectively and efficiently.
Achieving operational excellence requires a strong integration of governance, risk and compliance. The enterprise risk and compliance management policies are defined on the basis of corporate governance. The objective is uniform, binding procedures and guidelines for all employees. Risk management covers all of the actions for systematically recognizing, analyzing, evaluating, avoiding, monitoring and controlling risks. It centers on the continual assessment, documentation, reporting, analysis and steering of risks. Compliance risks are integrated into a compliance management system, where they are documented together with rules, processes and actions (e.g. within an internal control system). This ensures that all internal and external requirements are fulfilled. These three elements are necessary to build a future-proof GRC across the entire organization.
Integrity
Integrity describes the moral code by which companies conduct their business; their actions, in turn, must correspond with the defined system of values. Integrity should help companies fulfill their responsibility to stakeholders adequately and preserve or improve their ability to cooperate.
Internal Control System (ICS)
An internal control system ensures the compliance, security and profitability of internal company processes and provides management a reliable foundation for decision-making. It covers organizational measures, management controls and organizational resources.
Information Security Management System (ISMS)
An ISMS is part of a complete management system that encompasses the development, implementation, execution, monitoring, auditing, maintenance and improvement of information security based on business risks.
Monte Carlo Simulation
A Monte Carlo simulation is a computer-driven algorithm for determining risks in quantitative analysis and decision-making. These methods are used by professionals in a variety of fields (e.g. finance, project management, planning and R&D) and industries (e.g. energy, manufacturing, banking, insurance, oil and gas, transportation and environmental technology). Using a Monte Carlo simulation, decision-makers can recognize which effects can be triggered by a certain action, as well as the probability of such an occurrence. These methods demonstrate the extreme possibilities – in other words, what could happen if a very risky or a very conservative decision is made – as well as the possible consequences of moderate decisions.
Risk Management
Risk management centers on steering organizations in light of risks. It covers processes as well as behaviors. Risk management assesses, analyzes and evaluates potential risks that could pose a threat to a company’s assets, finances and profitability in the medium and long term. The objectives include securing the ongoing existence and goals of the company against disruptive events and increasing its corporate value.
Resilience
Resilience describes the systematic resistance against failure and change. Agility is the proactive form while robustness is the reactive form. Resilience management covers all actions designed to make an organizational or business system (e.g. of a company) more robust against external influences.
Risk Aggregation
Risk aggregation combines several individual risks that share a common attribute. The goal of risk aggregation in the context of risk management is to determine the entire scope of risk within a company or its individual strategic business units, as well as the relative significance of individual risks. Companies, for example, evaluate the effects of individual risks in the context of their planning models (e.g. budgeted P&L). This approach builds a bridge between risk management and traditional enterprise planning.
Risk Appetite
A risk appetite describes the willingness to take and accept risk, within the available risk capacity, in order to achieve strategic goals; adherence to it is monitored through thresholds. Defining a risk appetite is part of the overall risk strategy and includes all major individual risks, both for individual companies and at group level (total risk appetite).
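The three preceding entries describe the same workflow from different angles: individual risks are sampled in a Monte Carlo simulation, aggregated into a company-wide loss figure, and compared against a risk appetite threshold. The following Python script is an added worked example, not code from the original glossary or from any vendor it may describe. The risk register (names, probabilities, loss ranges), the triangular loss distribution and the 95th-percentile appetite check are illustrative assumptions chosen for the demonstration, not values or methods the page prescribes.

```python
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Risk:
    """One entry of a constructed risk register (all figures are assumptions)."""
    name: str
    probability: float  # chance the risk materialises within the planning period
    low: float          # minimum loss if it materialises
    mode: float         # most likely loss
    high: float         # maximum loss


def sample_loss(risk: Risk, rng: random.Random) -> float:
    """Draw one loss figure for a single risk: 0 if it does not occur,
    otherwise a triangular draw between low and high (an assumed distribution)."""
    if rng.random() >= risk.probability:
        return 0.0
    if risk.low == risk.high:          # deterministic impact, nothing to sample
        return risk.low
    return rng.triangular(risk.low, risk.high, risk.mode)


def simulate(risks, iterations=10_000, seed=42):
    """Monte Carlo run: each iteration is one possible planning period in which
    every risk may or may not occur; returns the aggregated loss per iteration."""
    rng = random.Random(seed)          # seeded so results are reproducible
    return [sum(sample_loss(r, rng) for r in risks) for _ in range(iterations)]


def percentile(values, q):
    """Nearest-rank percentile (q in [0, 1]) of a list of numbers."""
    ordered = sorted(values)
    idx = int(round(q * (len(ordered) - 1)))
    return ordered[min(max(idx, 0), len(ordered) - 1)]


def aggregate(risks, risk_appetite, iterations=10_000, seed=42):
    """Risk aggregation plus appetite (threshold) check on the simulated total loss."""
    totals = simulate(risks, iterations, seed)
    p95 = percentile(totals, 0.95)
    return {
        "expected_loss": mean(totals),
        "p95_loss": p95,                                  # 95 % of periods lose at most this
        "max_loss": max(totals),                          # worst scenario seen
        "appetite_breach_probability": sum(t > risk_appetite for t in totals) / len(totals),
        "within_appetite": p95 <= risk_appetite,          # threshold monitoring
    }


if __name__ == "__main__":
    # Constructed, illustrative register: the figures are made up for this demo.
    register = [
        Risk("supplier outage", probability=0.30, low=50_000, mode=120_000, high=400_000),
        Risk("data breach fine", probability=0.05, low=100_000, mode=500_000, high=2_000_000),
        Risk("key staff loss", probability=0.20, low=20_000, mode=60_000, high=150_000),
    ]
    result = aggregate(register, risk_appetite=600_000)
    for key, value in result.items():
        print(f"{key}: {value:,.2f}" if isinstance(value, float) else f"{key}: {value}")
```

Aggregating the sampled losses per iteration, rather than adding up each risk's expected loss, is what makes the tail visible: the expected loss can sit comfortably below the appetite while the 95th percentile does not, which is the situation threshold monitoring is meant to surface.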
Three Lines of Defense
The three lines of defense model serves as a guideline for a holistic governance, risk and compliance (GRC) system for managing enterprise risks. The model embeds the roles and responsibilities of the company’s internal control system in an all-encompassing GRC system. Here the functions assigned to the respective lines of defense are linked to the risk management tasks which are regularly documented with a classic management control loop.