Solution Perspective: An Integrated 360° View of Risk, Resiliency & Integrity
As business environments become ever more complex and intertwined, there is a rising need for organisations to adopt a 360° approach to gain contextual awareness of their governance, risk and compliance (GRC) processes to help them achieve objectives, remain agile, address uncertainty and effectively manage risk across their enterprise. Read more about an ‘Integrated 360° View of Risk, Resiliency & Integrity’ – a detailed Solution Perspective of Alyne’s Software as a Service, written by GRC Analyst, Michael Rasmussen, founder of GRC 20/20.
The World of Business is Distributed, Dynamic and Interconnected
There is a complex ecosystem of relationships with stakeholders, clients and third parties, and an ever-changing landscape of day-to-day business operations – from changes in employees to changes in regulations, strategies and business objectives. The one constant is change. This is driving the need for organisations to adopt a 360° approach to gain contextual awareness of their governance, risk and compliance (GRC) environment, to help them achieve objectives, remain agile, address uncertainty and effectively manage risk across their enterprise. Addressing the organisational ecosystem as a whole, with a holistic approach, allows businesses to operate with greater confidence; when risk is handled by decentralised and dissociated departments instead, an issue in one area can snowball and significantly impact the entire ecosystem.
“The interconnectedness of objectives, risks, resiliency, and integrity requires 360° contextual awareness of integrated Governance, Risk management, and Compliance (GRC). Organisations need to see the intricate relationships of objectives, risks, obligations, commitments, and controls across the enterprise. It requires holistic visibility and intelligence of risk in the context of objectives. The complexity of business – combined with the intricacy and interconnectedness of risk and objectives – necessitates that the organisation implement an integrated GRC management strategy.”
– Michael Rasmussen, GRC 20/20.
Solution Perspective of Alyne: An Integrated 360° View of Risk, Resiliency & Integrity
Along Alyne’s journey, we have had the pleasure of regularly engaging with GRC pundit and analyst, Michael Rasmussen – keeping him up to speed with all of the latest developments in Alyne, as well as having him share knowledge at our events.
Within this detailed 14-page document, read a GRC analyst’s perspective of the Alyne solution, along with input from Alyne Customers on their usage and reason for choosing the platform.
Topics contained within the Solution Perspective of Alyne’s Software as a Service, written by GRC Analyst, Michael Rasmussen, founder of GRC 20/20:
- The Need for Integrated Risk, Resiliency & Integrity
- Governance – reliably achieve objectives
- Risk management – address uncertainty
- Compliance – act with integrity
- The Need for Integrated GRC Architecture, With a Focus to Deliver on:
- Interconnected risk
- Objectives are dynamic – adapting to risk events
- Disruption – remaining agile and resilient in business strategy and operations
- Dependency on others
- Dynamic and agile business
- Values defined and tested
- Three Strategic Trends in GRC Integration
- Alyne – An Integrated 360° View of Risk, Resiliency and Integrity
- Enterprise & Operational Risk Management, Risk Quantification, Visualisation, Simulation & Scenario Analysis, Environmental, Social, Governance (ESG) Management & Reporting, Third-Party GRC/Risk Management, and others.
- What Alyne Does – GRC engagement throughout the GRC Lifecycle – including unified architecture, risk aggregation etc.
- Foundational Capabilities in Alyne – configurability, analytics, workflow and task management, compliance management and regulatory change and more.
- Benefits Organisations Can Expect with Alyne – such as significant efficiencies in time, accountability with full audit trails.
- Considerations in Context of Alyne
“Organisations state that Alyne has improved the quality of their GRC related management, monitoring, and reporting processes – which in turn has strengthened their overall risk culture and maturity across the organisation. This improves the organisation’s overall visibility into GRC across the organisation – with greater accountability and ownership to manage risks. All of this while eliminating the overhead of managing manual assessment processes encumbered by hundreds to thousands of spreadsheets, documents, and emails. Clients find that the solution is flexible to adapt to their requirements, has the capabilities needed, and provides them the ability to grow and mature their program over time. Overall, users find the solution was particularly easy to implement and rollout in their organisation.”
Thank you to Michael Rasmussen for the detailed case study on Alyne, and to the Customers who took the time to provide their honest experience in using the platform.
Access the free Solution Perspective of Alyne’s Software as a Service, written by GRC Analyst, Michael Rasmussen, founder of GRC 20/20, below.
IDW PS 340 n.F. – Alyne’s Risk Revolution
Implement the new risk management requirements driven by the IDW PS 340 n.F. with the help of Alyne. With Alyne you prepare your risk management to be compliant with the requirements of the revised IDW PS 340. You can increase the maturity of your processes quickly and easily – your 1st line will be impressed by the intuitive solution.
With the new version of IDW PS 340, a significant expansion of the requirements for company-wide risk management was formulated. This was preceded by heated discussions about aspects such as risk-bearing capacity and risk aggregation. Fundamentally, these are discussions about the methodology of the risk management system, and about the extent to which, and at which process steps, quantitative approaches are useful and/or necessary.
For many risk managers, these requirements mean a significant adjustment of the previous risk management in the company, which they have to cope with in addition to everyday tasks. In our IDW PS 340 n.F. White Paper you will learn how you can implement the requirements from the audit standard with the help of Alyne Software as a Service and how you can bring your risk management up to date.
Smart Compliance: Enabling Your Business To Succeed
Compliance processes are typically expensive, time-consuming and reactive rather than proactive; all these aside from the high costs associated with non-compliance. A Smart Compliance Process is one that encompasses a holistic integrated approach, leveraging technology to facilitate a more agile process, making compliance teams more efficient and effective with the ultimate goal of generating greater value for the organisation.
Compliance is ever-changing. It is an extremely broad area with many different meanings and evolving requirements. Before, compliance was primarily confined to the financial services sector, but now it has become a fundamental cornerstone of all organisations, no matter the industry. Businesses are faced with a variety of regulations, directives and laws that define their daily operations, covering a wide range of areas – from data protection in the HR department to tax and corruption in the finance department.
For all organisations aiming for successful compliance processes there is a lot at stake. Managing these often leaves compliance teams facing questions on how to integrate all required regulations, keep their costs down and maintain programs that enable the organisation to easily adapt to change. Feeling lost in a sea of spreadsheets and paperwork with no view of real transparency is not uncommon for many enterprises.
As the world shifts and business environments change, the need for digital compliance management that can provide efficiency, clarity and collaboration across different business functions is becoming increasingly hard to ignore.
If your organisation is still reliant on manual compliance management, chances are information is segmented and your compliance work is not as integrated as it should be. These approaches usually result in blind spots that prevent compliance managers, across various functions, from working together seamlessly. As a result, companies often overlook key information or insights that can potentially help them work towards achieving compliance with fewer resources and effort.
Compliance work is more effective when addressing standards and regulations by their commonalities, rather than individually. A smart compliance process is one that encompasses a holistic integrated approach towards managing compliance, vertically and horizontally.
At Alyne, we understand the need to simplify, digitalise and automate processes to minimise guesswork as well as foster collaboration across your organisation; all while maintaining transparency and consistency across your Control Framework.
Speak to an expert to learn more about Mitratech’s Regulatory Compliance Technology.
Internal Control Frameworks and Meeting ICFR Requirements
In order to be compliant with SOX and to meet ICFR requirements, organisations are required to create controls that cover a large scope of IT and financial aspects, all tailored to their unique organisational structure. Leading organisations point to frameworks such as COBIT and COSO, or even a combination of the two, as the basis for SOX and ICFR compliance. Alyne’s Content Library goes beyond providing IT and Information Security related Controls and now contains extensive coverage of Financial Controls focused purely on the financial integrity of an enterprise.
The first codification of internal accounting controls happened nearly four decades ago, spurred on by the increasing bribery and corruption cases of U.S. businesses in 1977. Since then, and more notoriously due to the Enron Accounting scandal and others, the requirements of financial controls and reporting have slowly become more clearly defined and enforced. The Sarbanes-Oxley Act (SOX) has been in effect for all U.S. listed companies and those conducting business in the U.S. since 2002, as a means to prevent and protect against accounting errors and fraudulent practices. Section 404 requires the implementation of adequate Internal Control over Financial Reporting (ICFR) within listed companies to guarantee fair financial reporting practices in accordance with Generally Accepted Accounting Principles (GAAP). External auditors must attest to the design and effectiveness of Internal Control over Financial Reporting and the accuracy of an organisation’s financial statements.
Although the requirements are described above as having become “more clearly defined”, the actual requirements on how to achieve compliance are not so simple, and SOX is not praised for straightforward guidance on how best to achieve compliance. The Sarbanes-Oxley Act, despite requiring organisations to have established and effective internal controls governing both IT and financial spheres, does not provide a checklist to follow, nor milestones to measure achievements. The vagueness of the SOX requirements has been widely criticised, as has the missing differentiation between key process parts.
Despite the lack of a clearly defined control framework from SOX, the two leading organisations responsible for implementing SOX, namely the SEC and PCAOB, do point to common, widely accepted frameworks such as COSO and COBIT, and even a combination of the two, to adopt in your quest for SOX Compliance and ensuring ICFR. Combining frameworks can also help ensure that all aspects are covered in your SOX compliance checklist and help your organisation to meet the ICFR requirements listed in Section 404.
COSO, COBIT, SOX & ICFR
Committee of Sponsoring Organisations of the Treadway Commission (COSO) – 1985
The COSO framework provides an applied risk management approach to internal controls and articulates key concepts that organisations can use to deter fraud. The framework also places emphasis on financial related controls, designed to enable SOX 404 requirements of ICFR. The framework, however, lacks full consideration for the IT environment of the organisation. According to COSO, there are three types of internal controls:
- Those that affect a company’s operations.
- Those that affect a company’s compliance with laws and regulations.
- Those that affect a company’s financial reporting (ICFR).
Control Objectives for Information and Related Technology (COBIT) – 1992
COBIT is an IT Management framework developed by ISACA, which provides a clear path for developing policies and good practice for IT control, helping organisations achieve their objectives in the sphere of information technology. The COBIT model allows managers to bridge the gap between control requirements, technical issues and business risks.
Sarbanes-Oxley Act (SOX) – 2002
Section 404 – Internal Control over Financial Reporting
SOX applies to all publicly traded companies in the United States as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States. The Internal Controls Report, mandated by Section 404 of the Act and commonly known as SOX 404, requires that all applicable companies have adequate internal controls in place to report accurate financial data in their annual reports. More specifically, SOX 404 requires companies to implement adequate Internal Control over Financial Reporting (ICFR) to ensure fair financial reporting practices have been put in place in accordance with Generally Accepted Accounting Principles (GAAP).
SOX Compliance and Meeting ICFR Requirements within Alyne
In an interconnected world, financial integrity relies heavily on a secure, properly functioning IT infrastructure. The ability to follow your finances requires full transparency and assurance of where and how your data flows. Meeting the ICFR requirements set out in SOX 404 requires an organisation not only to have sound Financial Controls, focusing on the financial integrity of an enterprise, but also to cover relevant Business Controls, including IT and information security related topics.
Covered within Alyne:
- Full mapping based on COBIT-COSO.
- Extensive IT and Information Security related controls.
- Library of Financial Controls focused purely on the financial integrity of an enterprise.
ICFR Control Set and Assessment Template:
The content available within the Alyne platform has enabled us to release an out-of-the-box Control Set for Internal Control over Financial Reporting (ICFR), for compliance with SOX and SOC 1.
In addition to the Control Set, Alyne offers an out-of-the-box Assessment Template with pre-configured maturity levels which help corporations assess the maturity of their financial integrity. Regular self-assessments help organisations review compliance with their financial reporting requirements and assist them in strengthening their Internal Control over Financial Reporting. Alyne’s latest Internal Control over Financial Reporting capability allows a complete health-check of your company as well as your vendor base, for both SOX and SOC 1 compliance.
Download our latest white paper and learn more about SOX/SOC-in-a-Box and how Alyne can help your organisation with the Internal Control over Financial Reporting (ICFR) requirements of the U.S. Sarbanes-Oxley Act (SOX) “Management Assessment of Internal Controls”, and the System and Organisation Controls 1 (SOC 1) framework, defined as “Reporting on an Examination of Controls at a Service Organisation Relevant to User Entities’ Internal Control Over Financial Reporting.”
Alyne announces strategic partnership with LeadingEdgeCyber
Alyne enters a strategic partnership with LeadingEdgeCyber to strengthen its international presence across the APAC region, with a primary focus on Sydney and Brisbane.
Alyne is proud to announce a new Resale partnership with cyber consultancy company, LeadingEdgeCyber.
LeadingEdgeCyber is an Australian company that specializes in guiding organizations of all sizes and industries in effective management of cyber security through cutting-edge solutions. As a new resale partner and fellow cyber security experts, LeadingEdgeCyber will be leveraging Alyne in their business offerings of providing end-to-end cyber security management services.
We look forward to working with LeadingEdgeCyber towards our shared mission to deepen the coverage of organizations in the Cyber Security, Governance, and Risk Management landscape. This partnership aims to strategically accelerate capability building in our services through a shared platform of expertise, insights, and reach. In a joint effort, we hope to stay ahead of the ever-evolving compliance requirements and regulatory frameworks to deliver industry-leading solutions to customers.
Cheers to a great partnership!
Alyne offers a range of partnering opportunities. More details on Alyne’s partnership opportunities can be found here.
Comprehensive Compliance with HIPAA Part 164
Although HIPAA has been in effect for over two decades, compliance with the law is still not a straightforward task. Many still lack the appropriate measures applicable to their organisation or are unsure of how to comply with all of the HIPAA Rules set out in Part 164. Alyne’s technology can facilitate this process, and offers a comprehensive mapping of Part 164 of the HIPAA regulation, covering the provisions of the HIPAA Data Privacy, Security Controls and Breach Notification Rules.
HIPAA Compliance
Although the Health Insurance Portability and Accountability Act (HIPAA) was first enacted into law in 1996, compliance still remains an often challenging task, leaving many Covered Entities and business associates lacking the appropriate measures and still unsure of how to comply with all HIPAA Rules set out in Part 164. The law was designed to provide consumers with greater access to healthcare insurance, reduce fraud, protect the privacy and security of healthcare information and promote efficiency and standardisation within the sector. The HIPAA regulations apply to any Covered Entity that handles health or healthcare-related data, including financial clearinghouses, and any provider that uses or transmits Personal Health Information (PHI).
According to a report by Research and Markets, the global mobile health app market is expected to hit US$134.7 Billion by 2027. In fact, two-thirds of the world’s largest hospitals offer mobile apps to their patients. With the rise of telehealth, the use and sharing of patients’ Electronic Health Records (EHR) has increased, and with it the need for data security in the healthcare space.
The proliferation of digital technologies has changed the way that many healthcare providers operate. As efficiency and connectivity increased, so did the storage and transmission of key pieces of confidential health information, mandating an even greater need for the security and privacy of patients’ information. HIPAA regulates the security, privacy and protection of Personal Health Information (PHI) held by the covered entities and third parties, and provides individuals with rights to understand and control how their health information is used or disclosed.
Alyne’s Comprehensive Coverage of HIPAA Part 164
When working to achieve compliance with HIPAA, companies often focus exclusively on § 164 Subpart C (Security Standards). Technically, to ensure full compliance with HIPAA, Covered Entities will need to also apply the rules set out in § 164 Subpart D (Breach Notification) and § 164 Subpart E (Privacy Aspects).
Alyne’s coverage of HIPAA primarily focuses on Part 164 of the regulation, which covers the HIPAA Security and Privacy rules. The HIPAA Privacy Rule (Subpart E) focusses on allowed and prohibited uses and disclosures of Personal Health Information (PHI) and Personally Identifiable Information (PII) along with data subject rights. Additionally, the Security Rule (Subpart C) is the security standard for the protection of PHI, defining both technical and non-technical requirements for safeguarding health information.
HIPAA Privacy Rules
The HIPAA Privacy Rule (Part 164 Subpart E) focusses on the many uses and disclosures of Personal Health Information (PHI) and Personally Identifiable Information (PII) with data subject rights. This includes medical records and other personal health information, and it applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically.
HIPAA Security Rules
The HIPAA Security Rule (Part 164 Subpart C) is the security standard for the protection of electronic PHI (ePHI). This set of rules ensures that there are both technical and non-technical safeguards (which include administrative and physical) to ensure that ePHI is transmitted and handled in a secure and responsible manner.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule (Part 164 Subpart D) requires Covered Entities and their Business Associates to notify affected individuals and the media of a breach of unsecured PHI. Depending on its severity, if the data breach affects 500 or more individuals, the Secretary of Health and Human Services has to be informed no later than 60 days following the breach.
Technology can be a great facilitator to help simplify requirements, provide greater risk transparency, educate and train employees, and even act as a centralised source of data, alleviating pressure from the audit process. Are you interested in learning more about Alyne’s capabilities and comprehensive mapping of Part 164 of the HIPAA regulation?
Download HIPAA Whitepaper here or Speak to an expert to learn more. https://mitratech.com/schedule-demo/.
How Haufe Group found success leveraging Alyne’s Software as a Service for organisation-wide digitalised policy management
Learn more about how Alyne’s easily accessible and interactive platform made it possible for Haufe Group to successfully communicate relevant guidelines.
Haufe Group, with its brands Haufe, Haufe Akademie and Lexware among others, has developed into a nationwide leading provider of digital workplace solutions and services, as well as a constant in the field of training and further education.
Challenges such as how to ensure acceptance among colleagues for compliance topics or link guidelines with appropriate online training and success monitoring were of central importance for them.
Alyne’s easily accessible and interactive platform made it possible for Haufe Group to successfully communicate relevant guidelines. They were also able to promote awareness among employees through the agile implementation of requirements and read confirmations via an easy-to-understand user interface – supported by an open and cooperative collaboration between Haufe and Alyne.
Read more about the case study in detail below.
For more information on Alyne’s policy management capabilities for your organisation, schedule a meeting with an Alyne expert in your region.
How Neodigital Established a Complete Risk Inventory Within Alyne in 6 Weeks
Neodigital, a digital insurance company, aimed to strengthen its Operational Risk Management capabilities within the framework of management systems and information security. They required a solution that could not only provide agile Risk Management, but cover topics across the full governance and compliance spectrum, as well. Neodigital’s first goal in Alyne was to create a complete inventory of all existing risks, which was achieved in just six weeks.
Neodigital Versicherung AG was founded in 2017 by Stephen Voss and Dirk Wittling with the goal of making it a leading insurance factory. Thanks to the strong team with many years of experience in the insurance industry, Neodigital has developed, in a very short time, into a digital insurance company based on simplified and accelerated processes with the help of extensive automations.
“We live digitisation in all our processes. Therefore, it is important to us to integrate it into our internal processes. Mitratech’s Alyne GRC platform helps us support our employees in the Risk Management space and beyond.”
– Anzhela Kuts, Chief of Staff, Neodigital
While Neodigital continues its ambitious growth course, it aims to strengthen its Operational Risk Management capabilities within the framework of management systems and information security. An isolated solution, exclusively for Risk Management purposes, was out of the question for Neodigital, as other topics from the governance and compliance environment, such as VAIT Compliance or ISO 27001 Compliance, were also highly relevant.
After selecting Mitratech’s Alyne platform, Neodigital’s first goal was to create a complete inventory of all existing risks. To reach this goal, three steps were necessary within Alyne:
- Configuration of the Instance
- Migration of Existing Risks
- Updating the Risk Inventory
Only six weeks after signing the contract, Neodigital was able to successfully achieve its goal of developing a complete risk inventory and efficiently record as well as manage risks from different divisions.
Read about their journey in detail and the time-to-value that the Alyne platform provides. The case study is available in both English and German.
Alyne announces collaborative partnership with Cyber Samurai
Alyne and Cyber Samurai are pleased to announce the commencement of a collaborative partnership which streamlines the delivery of industry-leading IT security services.
Alyne and Cyber Samurai have entered into a collaborative partnership to support our shared vision to equip companies with greater confidence in navigating the cyber security, governance and risk management space.
Cyber Samurai is a German-based company which specialises in IT Security, offering professional advice and guidance to ensure that organisations are taking a preventive approach towards cyber risk.
As a new Resale Partner and fellow IT security experts, Cyber Samurai will be leveraging Alyne in their business offerings of providing end-to-end IT security management services. In this partnership, we will join our expertise in our shared mission to streamline IT security within companies and minimise their risk exposure. We look forward to a great partnership!