The integrated control system: Privacy and Risk Management module and outsourcing compliance services for e-commerce companies

“An internal control system integrated on a solution that allows for a structured collection and assessment of risks represents a real opportunity for a concrete response to the growing compliance needs that must be combined with the complexities of the business. The control functions, at any level, can count on a single environment, operate on a single action plan and pool their respective knowledge and skills which, naturally, lead to the optimization of interventions and increasing coverage. of risks through the consolidation of the so-called controls first level that are the basis of operations "

Compliance Manager

"The adoption of a GRC solution and a dedicated module consistent with the company structure, allows the DPO to operate organically on the specificities that the legislation requires in an e-commerce reality where data management is a key element "

DPO

The Need

To have an integrated solution capable of optimizing the functioning of the internal control system by supporting the definition of a risk-based audit plan that at the same time responds to compliance needs by optimizing the scope of interventions with respect to key regulations such as Privacy and 231.

The Solution

Customization of the Privacy module and integration with the IRM module

Thanks to the characteristics of the KRC® application that places business processes as a key for the configuration of its standard modules, the project was developed in 2 macro-phases that have progressively made it possible to achieve the objectives by integrating information, data and evidence produced for compliance to the GDPR with the highest safeguards with respect to business risks.

The first part of the project concerned:

  • customization of the standard privacy flow for compliance with the GDPR through:
    • the configuration of the Context with the loading of the data of the business processes, of the contacts by role, of the IT assets and of the related security measures (common and transversal information also for the IRM module)
    • loading data processing
  • the analysis through assessment of individual treatments and the evaluation performed on the basis of the reference standards recognized by the Guarantor
  • carrying out the DPIA where deemed necessary
  • the generation of an Action Plan, a useful tool for collecting the interventions deemed necessary for an effective enhancement of compliance with legislation
  • the generation of the Register of data processing by Data Controller and by Manager

At the same time, through dedicated forms, the information and the Data Breach procedure were created consistent with the recommendations issued by the Guarantor.

The adoption of the Form and the opening to the various managers in charge allowed compliance with accountability, a distinctive element in a growth path of the corporate culture.

The second part of the project concerned the extension of risk assessment methodologies to all business risks. In particular:

  • the company's risk model (business risk model) and the registry of the general control system have been uploaded
  • the risks were associated with the processes and objectives as defined in the industrial plan (strategic objectives) and by management (operational objectives)
  • a risk assessment and assessment of the inherent risk and control measures was carried out taking into account the security measures already mapped in the privacy module.
  • all the shortcomings and points of improvement that fueled the General Action Plan with the transversal indication with respect to other compliance (in particular 231) have been surveyed
  • the system automatically produced the residual risk assessment.

The module also allows you to activate a quantitative risk assessment by evaluating and simulating the effects with respect to the income statement, cash flow or expected damage items (Montecarlo simulation) through the adoption of Risk Appetite Framework logics.

Benefits

With the adoption of the IRM and Privacy modules, the Customer has an integrated and engineered solution, in line with regulatory provisions and recognized international standards capable of:

  • Support the growth path of the corporate risk and control culture
  • Carry out and update the risk assessment in a simple and structured way
  • Define a gap analysis adhering to company needs and objectives and have an Action Plan that, in addition to responding to compliance needs, supports the entire corporate internal control system
  • Monitor the progress of activities with respect to compliance, operational and strategic objectives
  • Produce dynamic documents and reporting consistent with the analyzes and assessments made
  • Support the activities of Internal Audit and/or other players in the internal control system and channel requests into a structured improvement and updating plan
  • Optimize and reduce the cost of compliance thanks to the integration to and from the company internal control system