
DynamicsGRC365WPv3.0

The document outlines the Governance, Risk, and Compliance (GRC) framework integrated within Dynamics 365, emphasizing its importance in managing risks, ensuring compliance, and enhancing corporate governance. It discusses the components of GRC 365, including risk management, audits, contract management, and sustainability reporting, while highlighting the benefits of adopting an integrated approach to streamline processes and improve decision-making. The white paper concludes by underscoring the value of GRC in fostering a culture of compliance and transparency within organizations.

White paper

Governance, Risk & Compliance 365


GRC inside Dynamics 365
Governance, Risk and Compliance (‘GRC’) is a formal & effective approach (strategy) for an enterprise to:
• define and mitigate risks
• ensure compliance to laws, regulations and directives
• enable corporate governance and transparency

Governance describes the overall management approach through which senior executives direct and
control the entire enterprise, using a combination of management information and hierarchical
management control structures. Governance activities ensure that critical management information
reaching the executive team is sufficiently complete, accurate and timely to enable appropriate
management decision making, and provide the control mechanisms to ensure that strategies, directions
and instructions from management are carried out systematically and effectively.
Risk management is the set of processes through which management identifies, analyses, and, where
necessary, responds appropriately to risks that might adversely affect realization of the organization's
business objectives. The response to risks typically depends on their perceived gravity, and involves
controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely
manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks
etc.), external legal and regulatory compliance risks are arguably the key issues in GRC.
Compliance means conforming to stated requirements. This is achieved through processes which identify
the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies),
assess the state of compliance, assess the risks and potential costs of non-compliance against the
projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions
deemed necessary.

The GRC module inside Dynamics 365 for Finance and Operations adds
functional colours to the white Dynamics 365 canvas. In this white paper the
following topics will be covered:
• Introduction to GRC
• Information on the components
• Instruction
• Integrative approach
• Investment justification
Table of Contents
Governance, Risk & Compliance 365
    GRC inside Dynamics 365
Table of Contents
Introduction
    Global and ever increasing
    Adoption of GRC solutions
Information
    GRC components
Instruction
    Risk management
    Audits
    Contracts
    Tender management
    Sustainability reporting
    Business continuity
    Performance management
    Meetings
Integrated
Investment
    Justifying the cost
In conclusion
    About Microsoft Dynamics 365
    About Axnosis
Introduction
Global and ever increasing
Numerous pieces of legislation exist across the globe. SOX in the USA, CLERP 9 in Australia, the Combined
Code of Corporate Governance from the UK and Bill 198 from Canada are just a few responses to the outcry
over corporate scandals.

These laws are not static. The frequency and volume of new requirements are huge. Organizations have
to face this avalanche. To stand at the bottom of the GRC mountain, looking up and thinking “We can
survive this on our own” is probably not the wisest plan. Automation and formalization of these processes
via a system would be the wiser route to follow to ensure risks are known and can properly be dealt with
in a systematic manner.

Some sales literature will suggest that GRC is all about keeping corporates out of jail. We contend that if
done properly, GRC also adds value to shareholders, trading partners, workers and the environment. An
organisation with a GRC culture and supporting system ensures sustainability and transparency.

Adoption of GRC solutions


Governance, Risk Management, and Compliance (GRC) are related concepts. Formalising these into an
integrated system assists an organization to reliably achieve objectives, to address uncertainty and to act
consistently with integrity. The AMR Research Maturity Model provides useful insight into the adoption of
GRC solutions. Most organisations are still at the bottom looking up.

Information
GRC components
Our GRC 365 module inside Dynamics 365 covers these three inter-dependent sides of the traditional
GRC triangle:

Governance is the combined process established and executed by management and business owners
that is reflected in the organization's structure and how it is managed and progressed toward achieving
the goals set.
Risk management is predicting and managing risks which could hinder the organization from reliably
achieving its objectives under uncertainty.
Compliance refers to adhering to the mandated boundaries (laws and regulations) and voluntary
boundaries (company's policies, procedures, etc.).

We extend this traditional definition to include overlooked areas such as master data governance,
contract management, as well as worker permit management, training and more. Adding to our GRC
365 is our OHS (HSE) 365 module, for an integrated suite of tools which surpasses most of our competitors,
also branded as shreq (safety, health, risk, environmental & quality) by Axnosis.

GRC 365 includes these components:

Instruction
Some highlights of GRC 365 are discussed below:

Risk management
• Risk assessments and measurement: How likely is the risk to occur and how much will the damage or
  impact be?
• Risk mitigation: How can the organization protect itself from these losses at an affordable and
  sustainable cost?
• Implementation of risk controls: What combination of risk avoidance, control, and financing will yield
  the best result?
• Monitoring performance of control: Are the methods achieving control, and if not, what alterations can
  be made to raise their performance?

These and many more questions are answered by GRC 365.

Audits
GRC 365 supports both compliance audits (control focused) as well as internal audit (risk focused)
requirements. Electronic working papers, audit files and a host of reports exist providing functionality
for the full audit cycles, audit universe, auditable entities, audit need assessment, scheduling of
audits, etc.

Findings in the form of non-conformance and audit observations (issues). Follow up reviews and more.

The risk control matrices provide an overview of the different control objectives that organizations
should take into consideration and the corresponding controls to safeguard the company against
risks which may arise if not reviewed and reassessed in a timely manner.

Contracts
The complete lifecycle of a contract is managed inside GRC 365. Configurable workflow-driven
terminations and renewals as well as approvals are available. Supplier risk assessments, performance
measurements and penalties can be performed. On top of this, enterprises can track the initial statement
of work, change requests and breaches as well as remedies. As this is integrated and part of the Dynamics
ERP solution, project expenditure as well as procurement and sourcing costs are contained.

Tender management
Procurement is the process of buying goods or services. Procurement is often carried out by the process
of tendering (inviting many suppliers to respond to a formal request for goods or services), rather than
buying products directly from a seller.
It includes invitations to possible suppliers, then through a process of qualification, assessment, and
evaluation, getting to a preferred supplier.
Properly done, tender management will start with a “procurement trigger” (Purchase request or
procurement plan) and include components of meeting management, committee appointments,
declarations of interest and specification management.
Tender management is also used by project management organizations to analyze data of proposed &
current projects. Project portfolio managers provide forecasting & business analysis when looking to
invest in new projects. It starts with obtaining approval and extends into the procurement cycle. By seeing
the big picture of how a proposed project will fit into the goals and objectives of the organization,
companies can make better decisions on what projects to choose and what initiatives will create the most
return.
The objective is a formal, cost effective process, removing subjectivity, and increasing governance &
transparency.
It involves filtering (like a funnel which starts off with many and ends with few) all suppliers that
responded to the invitation through the steps of qualifying the supplier as an organization, doing
technical analysis on the content of the supplier response, and a final evaluation looking at pricing and
possible costs, ending in a recommended shortlist.

Finally, Tender management concludes with contracts. Contracting officers should have a common thread
through the tenders – back to the initial procurement trigger.

They should also set up and maintain complete and up to date records on every aspect of the contract,
both to provide a list of actions taken, and to protect the organization’s interests under the contract.
This will give an organizational memory of activities and events.

Sustainability reporting
Traditional Enterprise Resource Planning (ERP) solutions are not good at tracking most factors inherent
in doing business that impact others, nor do they provide a model for describing the processes involved
in being operationally sustainable.
The purpose of this module is to create a repository where the users can do non-financial reports (NFR)
and sustainable reporting (SR). This is done by entering monthly (or daily) data for the above purposes.
Calculations are automated and source data from other corners inside Dynamics 365 F&O are used.
Operational and sustainability reporting (OSR) inside Dynamics GRC 365 helps enterprises to model the
flows of utilities, waste & energy throughout their internal structure and external relationships. This not
only improves decision making but provides a compelling platform to be transparent and grow a
sustainable enterprise.
A reporting template is created to accomplish the above. In this template, users specify the data
descriptors for the data that must be collected, the department from which the data must be collected
and the sources inside D365; manual data entry is also supported. Each user will enter the required data
for their area of responsibility. OSR uses the fiscal calendar that is set up under the General Ledger, to
align with the company’s financial reporting year.
Finally, using reporting and analytics, users can explore how changes to the enterprise processes and
practices might change sustainability and impact.

Business continuity
Definition and scope of Business Continuity Management (BCM)
Establishing and maintaining business continuity management processes begins with three steps:
1. Defining business continuity management
2. Identifying and defining the key components of a viable BCM framework, and
3. Placing BCM in the context of organizational risk management
Detail of Business Continuity Management (BCM)
“Business Continuity Management (BCM) is a holistic management process that identifies potential
impacts that threaten an organization and provides a framework for building resilience and the capability
for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-
creating activities.”
Business continuity planning is the process through which organizations establish the capabilities
necessary to protect their assets and continue key business processes after a disaster - an unexpected
business interruption caused by natural or man-made events - occurs.

Performance management
In addition to corporate performance management, GRC 365 also covers individual worker performance
management; allowing for a top down or bottom up approach. Our Performance scorecard is a graphical
representation of the progress over time of an entity (such as an enterprise, an employee or a business
unit) toward some specified target or goal. Key Performance Areas (KPAs) are the areas within the
enterprise, for which an individual or group is logically responsible. Key Performance Indicators (KPIs) are
used for each Key Performance Area (KPA) to determine where the organization ranks. The above can
also be referred to as goals with specific measurements.

Meetings
A meeting is a routine activity in a company. Members of an enterprise discuss organizational issues and
other agenda items through a personal gathering or through a conference call. It is even part of the weekly
itinerary of many working individuals and businesspeople. Meetings can be formal or informal, but for
the most part, organizational meetings usually take a formal setting where preparation must be done to
properly plan and execute the meeting.
Formulating a set of objectives in the meeting preparation is the first and most important step because
having a purpose or goal for the meeting will keep the participants focused on what they need to
accomplish in that session. The objectives have to be realistic and measurable to become achievable.
Meeting goals have to be action statements that would prompt the attendees to take action and carry
out a task. Usually, objective statements start with the phrase “By the end of the meeting or session, the
group should be able to…”, and then supply it with activities that participants need to do to achieve an
overall outcome.
Objectives help the facilitator and the participants plan the meeting in a more focused approach.
Moreover, established goals allow for a concrete measure with which to assess the outcome of the
meeting and provide areas for improvement in the future.

Integrated
Rather than acquiring a separate solution (different user interface, separate database, different
security etc.) for Risk management, compliance controls and governance enablement; we offer GRC
as an integrated module and 100% part of the already powerful and award winning Dynamics 365
solution. Reporting and management through a single platform and part of ERP is compelling.
Executives, auditors and managers will now have a holistic view; use the same workflow and
document management foundation and provide a single source of truth based on live and actual
data. Dashboards are consistent and report on a wider landscape, as opposed to just another GRC
island.

Investment
Justifying the cost
Previously organisational resources were consumed with collecting GRC data, allowing less time to
report and analyse the information. Ever increasing systems costs can be reduced with an integrated
approach resulting in no interface costs and considerably less training costs.
An increase in responsiveness to risk and new regulations also reduces cost and can prevent costs
resulting from reactive damage control.
To pinpoint one area inside GRC: proper contract (supplier & customer) management ensures
less fraud, better spending and control. This alone is normally a huge saving and benefit to any
organization.
Less quantifiable but very important nonetheless: moving an organisation towards a GRC culture
will enable the human capital resource to work faster and safer, with fewer audit findings and
associated costs to be concerned about.

In conclusion
About Microsoft Dynamics 365
Microsoft Dynamics 365 is a comprehensive enterprise resource planning (ERP) and customer
relationship management (CRM) solution for midsize and larger enterprises that empowers people
to work effectively, manage change, and compete globally. It makes it easy to operate across
locations and countries by standardizing processes, providing visibility across your organization,
and helping to simplify compliance.

About “shreq”
In the swamp of global legislation and local regulations; enterprises face dangers, ogres, costs and
litigation. Using formal software with deep functional reach will reduce these dangers significantly.
If the software is integrated and part of an ERP/CRM application such as Dynamics 365, then dangers
facing enterprises become opportunities. Our GRC 365 module is part of the shreq (safety, health,
risk, environmental & quality) suite. It is built as “best of breed” but is part of, and integrated with
Dynamics 365.

About Axnosis
Axnosis (20 years and counting) provides vertical solutions and consulting services to manufacturing,
public enterprises and asset intensive organisations; whether corporate companies, public concerns
or medium-sized businesses. This is achieved using world class software applications from Microsoft
(Dynamics), developing deep industry specific software inside Dynamics and applying decades of
business consulting, project management and systems integration skills to this environment. Axnosis
consultants have industry knowledge, technology experience and methodologies to deliver these
solutions successfully.
