Governance refers to the internal process by which policy is set and decision-making is executed at the company’s executive and managerial levels.
GRC-Boxx facilitates Supervisory Boards and higher management to structure and document their processes (agenda items, decisions, actions, risks).
This gives supervisors the ability to better protect themselves against liability.
GRC-Boxx supports the dialogue among the several internal boards and stakeholders and possibly also external regulators and stakeholders.
Documenting these decision-making processes creates a culture of transparency and responsibility.
GRC-Boxx builds a collective memory, becoming the single source of truth about important business decisions, risks and actions.
Contracts and agreements can be digitally filed in GRC-Boxx. A review process allows them to be re-evaluated or re-negotiated in a timely manner, thus improving and managing relations, improving a contract’s financial terms and minimising contractual risks.
Organisations are unique and so is their procurement process. GRC-Boxx embraces this by allowing organisations to create and optimise their procurement processes. In this manner, separate customised processes can be applied per type of procurement and are thoroughly documented.
GRC-Boxx contains a best-of-breed Risk Management process:
- Anyone within the organisation can identify and report a risk
- Risk managers are notified to assess and classify the risk and decide on its mitigation
- Relevant controls can be created and implemented
- Tasks and actions can be linked
- Risks are reviewed until considered and marked as managed.
GRC-Boxx facilitates Incident registration and orchestration of follow-up actions.
- Anyone within the organisation can identify and report an incident
- Incident managers are notified to assess and classify the incident and decide on follow-up steps
- Incident resolution is a process customised by the organisation, which can be applied per type of incident (data breach, security incident, calamity/disaster)
- Tasks and actions can be linked
Risk Management is an organisation’s ability to effectively and cost-efficiently mitigate risks that can hinder an organisation’s operations or ability to remain competitive.
Compliance refers to the process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.
GRC-Boxx enables organisations to:
- organise and maintain their compliance documentation (e.g. their Information Security Management System) and their entire compliance (i.e. controls, evidence, audits, etc.);
- formalise and digitise compliance-related procedures, which can then be repeatedly executed and monitored;
- provide reliable evidence; for instance, registrations with customisable collection periods during which actors and/or teams can upload evidence and/or findings.
GRC-Boxx is a standard-agnostic solution. It supports any laws and legislation, regulations, and standards (internal and external, country-specific and international, industry-specific or sector-imposed) that can be broken down into requirements.
Requirements can be marked as applicable/not-applicable and associated with controls, for which evidence will be collected.
In a digital ecosystem, requirements can also be delegated to other organisational entities (departments, sub-organisations or sibling-organisations).
GRC-Boxx includes and supports a steadily increasing number of frameworks/standards, such as:
- AICPA – SOC2, CIS – CSC, COBIT 5, NIST CSF, NIST SP.800
- ISO 9001, ISO 14001, ISO 27001, ISO 45001, ISO 50001
- IATF 16949, VDA ISA, VDA TISAX, PCI DSS
- EU – GDPR, EU – MDR, NL – BIO, NL – NEN7510, NL – NEN7512
GRC-Boxx supports a Plan-Do-Check-Act cycle for continuous improvement of all compliance elements (controls & evidence), but also a simpler recurring Review cycle.
Other improvement cycles can and will be added when necessary.
The GRC-Boxx architecture allows requirements to be linked to controls which, in turn, are linked to evidence. This makes it extremely useful for internal or external audits: an auditor decides on the scope of the audit and can then follow the links to the supplied evidence.
GRC-Boxx comes with built-in support for the European Union’s and the UK’s General Data Protection Regulations, including:
- GDPR-Wizard to quickly become and stay compliant
- Document management and Evidence collection
- Records of Processing Activities
- Data-Subject Requests with customisable procedures
- (Contract and) Agreement management
- Consent-form filing
P.S. The GDPR module can be hidden if it is not needed.
GRC-Boxx can efficiently manage your compliance requests:
- Select the recipients
- Ask questions or request a document to be returned
- Include a document template (optional)
- Send the request(s)
- Monitor the progress, possibly sending reminders
- Approve responses, or resend rejected ones
GRC-Boxx supports both internal and external audits.
Findings, recommendations and judgements for audit items can be recorded. If a non-conformity is found, corrective actions can be started and monitored until their completion, after which a re-audit can be performed.
Internal audits can be performed within an organisation to verify the efficiency of its own adopted procedures and check for possible shortcomings, ensuring compliance with laws, regulations and standards in a more casual environment and with lower stakes.
GRC-Boxx audits can be created for:
- Requirements of a standard (all or a selection thereof)
- Controls (all or a selection thereof)
- Evidence items, such as testing a process against all applicable requirements
External audits (also known as third-party audits) are performed by impartial auditors. They are objective assessments of organisational procedures and provide transparency and confidence to interested parties that your organisation is truly running an effective and compliant management system.
External auditors can be invited to an organisation’s GRC-Boxx and be given rights to a specific audit and all related evidence. It is also possible to grant rights for continuous auditing to an external auditor, thus not relying on their on-site presence for the audit.
An audit provides credibility to an organisation’s compliance statements. This is done to ensure sufficient compliance with requirements and to track and improve the efficiency of your operational processes.