Frequently asked questions about GRC software

Here you will find answers to questions that we are asked time and again. Do you have any further questions? Then simply get in touch with us! We will be happy to help you.

Yes, the requirements of both standards can be mapped via the software.

Yes, in addition to mapping the risk management process, an internal control system can also be mapped. This can take place in a completely integrated process or in two separate process organizations (1. RM and 2. ICS). The two topics can always be considered separately or in an integrated manner.

Yes, in addition to risks, opportunities can also be considered, recorded, evaluated and reported. Customers who run simulations in particular use the opportunity management option, since a risk's outcome can also fall into the positive range during the risk assessment. Of course, opportunities can also be viewed in isolation from the risks.

Yes, a Monte Carlo simulation is available in the application. Risks can be aggregated using a Monte Carlo simulation, individual simulation portfolios can be compiled or the overall risk situation of the company or sub-areas can be simulated. Both multi-year risk assessments and (uni- or bidirectional positive and negative) dependencies between risks are taken into account. The application can determine the risk measures Value@Risk (VaR) and Conditional Value@Risk (CVaR) for user-definable confidence levels.

 

In the application, there are standard reports as well as individual reports. The standard reports reflect common requirements for the risk management or internal control system (risk map, risk inventory, risk development, ISAE 3402, etc.). In addition to the standard reports, it is also possible to store your own reports. These can be fully customized in terms of both content and design/layout.

The application has a comprehensive and flexible authorization concept. Roles and rights can also be assigned to users at entity, department and division level. A wide range of standard roles are available for authorization, which can be supplemented by customer-specific roles if required.

The application has very extensive valuation options. These range from a qualitative and/or quantitative assessment and hybrid forms of the two, via multi-year assessment, a gross/net/target view and EBIT/cash impact, through to the assessment of risks using various distribution functions or in a multi-dimensional view (financial, reputation, liability, environment, etc.). Use of the available options is entirely optional and can be extended at any time in order to further refine and expand your own risk assessment. In principle, all data entry screens adapt to the customer's requirements.

The resulting effects on the probability of occurrence and/or impact can be recorded for measures. These effects can be automatically offset against the risk assessment, e.g. to calculate the net assessment from the recorded gross assessment. This offsetting of measures can be combined with all other functions and assessment options.
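The following is an added illustration of the mechanics described in the two answers above (and of the risk-bearing-capacity check the IDW PS 340 section below refers to); it is not code from R2C_GRC or from Schleupen. It offsets measure effects against a gross assessment to obtain the net assessment, aggregates a small portfolio with a Monte Carlo simulation that includes directed positive or negative dependencies between risks, and reads off Value@Risk and Conditional Value@Risk at user-chosen confidence levels. Risk names, loss amounts, measure effects, the triangular loss distribution and the multiplicative dependency model are all constructed assumptions, not the product's own formulas.

```python
"""Added illustration: Monte Carlo aggregation of a risk portfolio with gross/net
assessment, directed dependencies between risks, and VaR / CVaR at chosen confidence levels."""
import math
import random
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Measure:
    """A mitigation measure and its assumed effect on the risk it is attached to."""
    name: str
    prob_reduction: float = 0.0    # share by which the probability of occurrence drops (0..1)
    impact_reduction: float = 0.0  # share by which the loss amount drops (0..1)


@dataclass
class Risk:
    """Gross assessment: probability of occurrence plus a triangular loss distribution."""
    name: str
    probability: float                  # gross probability of occurrence in the period
    impact: Tuple[float, float, float]  # (low, most likely, high) loss; constructed figures
    measures: List[Measure] = field(default_factory=list)

    def net_probability(self) -> float:
        # Measures are offset multiplicatively: each removes its share of the remaining probability.
        p = self.probability
        for m in self.measures:
            p *= 1.0 - m.prob_reduction
        return p

    def net_impact(self, gross_loss: float) -> float:
        for m in self.measures:
            gross_loss *= 1.0 - m.impact_reduction
        return gross_loss


def simulate(risks: List[Risk], dependencies: Dict[Tuple[str, str], float],
             trials: int = 20_000, net: bool = True, seed: int = 1) -> List[float]:
    """Return one aggregated portfolio loss per trial.

    dependencies maps (source, target) -> factor applied to the target's probability whenever
    the source has occurred in the same trial (factor > 1: positive, factor < 1: negative).
    Risks are resolved in list order; a bidirectional dependency is given as two entries.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        occurred = set()
        total = 0.0
        for r in risks:
            p = r.net_probability() if net else r.probability
            for (src, dst), factor in dependencies.items():
                if dst == r.name and src in occurred:
                    p *= factor
            p = min(max(p, 0.0), 1.0)
            if rng.random() < p:
                occurred.add(r.name)
                low, mode, high = r.impact
                loss = rng.triangular(low, high, mode)  # stdlib signature: (low, high, mode)
                total += r.net_impact(loss) if net else loss
        losses.append(total)
    return losses


def value_at_risk(losses: List[float], confidence: float) -> float:
    """Empirical VaR: the loss that is not exceeded in `confidence` of the trials."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, max(0, math.ceil(confidence * len(ordered)) - 1))
    return ordered[idx]


def conditional_value_at_risk(losses: List[float], confidence: float) -> float:
    """CVaR (expected shortfall): mean of the trials at or above the VaR."""
    var = value_at_risk(losses, confidence)
    tail = [x for x in losses if x >= var]
    return sum(tail) / len(tail)


def within_risk_bearing_capacity(losses: List[float], coverage: float, confidence: float) -> bool:
    """Risk-bearing capacity check: does the stored risk coverage potential absorb the VaR?"""
    return value_at_risk(losses, confidence) <= coverage


if __name__ == "__main__":
    portfolio = [  # constructed sample portfolio
        Risk("Supplier default", 0.20, (200_000, 500_000, 1_500_000),
             measures=[Measure("Second source", prob_reduction=0.5)]),
        Risk("Production stop", 0.10, (100_000, 800_000, 3_000_000),
             measures=[Measure("Spare-part stock", impact_reduction=0.3)]),
        Risk("Cyber incident", 0.15, (50_000, 400_000, 2_000_000)),
    ]
    deps = {("Supplier default", "Production stop"): 3.0}  # a default makes a stop 3x as likely
    for label, net in (("gross", False), ("net", True)):
        losses = simulate(portfolio, deps, net=net)
        for c in (0.95, 0.99):
            print(f"{label:5s} VaR({c:.0%}) = {value_at_risk(losses, c):>12,.0f}  "
                  f"CVaR({c:.0%}) = {conditional_value_at_risk(losses, c):>12,.0f}")
    print("within coverage of 2,000,000 at 95%:",
          within_risk_bearing_capacity(simulate(portfolio, deps), 2_000_000, 0.95))
```

Running the script prints gross and net VaR/CVaR side by side, which is the comparison an auditor asks for under the net-risk requirement: the gap between the two figures is exactly the credited effect of the measures, so any measure whose effect is stored but not evidenced inflates that gap. The simple empirical quantile used for VaR is adequate for tens of thousands of trials; with few trials the tail estimate is noisy and CVaR is the more stable of the two figures.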

Yes, it is possible to record loss events/indicators with date of occurrence, loss amount, risk allocation and geographical location and evaluate them in an overview page or in reports.

As an alternative to processing their tasks in the application, employees who carry out measures or confirm the implementation of controls or their effectiveness can also report their implementation via Microsoft Outlook. This allows employees to work in their familiar working environment and eliminates the need for training.

 

We offer our R2C_GRC application not only on premises, i.e. installed on your own systems, but also in the cloud. Our GRC cloud is always online, always available and fully scalable. This allows you to use the full functionality of the R2C solutions at a low cost. Security is our top priority. This is also why all data is hosted in a German data center certified to ISO 27001.

We take care of maintenance and support for you and guarantee high data security and reliable system availability.

The following requirements must be met:

Complying with all legal guidelines is a major challenge for companies. We take on this extensive but important task for you.

With the GRC software R2C_GRC, you can implement the requirements of IDW PS 340 n.F. professionally. The guidelines for auditing early risk detection systems were revised by the Institute of Public Auditors in Germany (IDW) in the new version of the IDW PS 340 auditing standard. The published auditing standard 340 includes the audit of the early risk identification system in accordance with Section 317 (4) HGB, which is used in risk management for both the identification of new risks and the continuous monitoring of risks.

A brief overview of the most important new regulations:

  • Extended Group-wide identification of developments that could jeopardize the continued existence of the company on the basis of a holistic overall risk inventory
  • Timely identification of risks in one or more action-oriented time horizons
  • Determination and ongoing analysis of risk-bearing capacity
  • Aggregation of risks to assess the threat to the portfolio
  • Consideration of risk management measures in the assessment of "net risks"
  • Introduction of the basic element of risk management into the risk early warning system
  • Specification of the system documentation for the measures in accordance with Section 91 (2) AktG

The new auditing standard currently applies to listed stock corporations (Section 91 (2) AktG).

Our GRC software solution supports you in implementing the requirements of IDW PS 340 n.F.

Comprehensive risk identification using GRC software

Based on a holistic overall risk inventory, the GRC tool identifies risky developments throughout the Group. R2C_GRC provides several options that support risk identification:

  • IDENTIFICATION LIST: Example risks can be displayed using the risk categories.
  • SUBJECTS: A central function can distribute topics within the organization. These are then checked and can be converted into a risk if necessary.
  • OBLIGATORY RISKS: In R2C_GRC, mandatory risks can be distributed to the divisions using the scoping function. These must then be checked and evaluated by the local risk owners.
  • QUESTIONNAIRE: The questionnaire function enables the risk manager to start a structured query. This can then be evaluated centrally.

Timely identification of risks using configurable time periods
Our GRC software supports the early identification of risks using suitable tools:

  • Mapping of several time periods
  • Integrated indicator management
  • Integrated reporting system
     

The procedure for determining risk-bearing capacity must be clearly defined and documented accordingly. The parameters to be used are, for example, equity, EBIT, liquidity, etc. The risk-bearing capacity calculation must be reviewed on an ongoing basis and adjusted if necessary.

The respective risk coverage potential can be stored for each client. The risk-bearing capacity can then be calculated using the integrated Monte Carlo simulation. The result can then be evaluated and reported using reports stored in the system.

In order to achieve optimum transparency, risks must be aggregated. In Schleupen GRC software, risks can be aggregated across several hierarchy levels. In addition to manual evaluation and the stored standard aggregation formula, it is also possible to have aggregated risks evaluated automatically using Monte Carlo simulation.

The new version of IDW PS 340 requires greater consideration of measures. In R2C_GRC, measures can be presented with the required points (appropriateness, effectiveness, ...). In addition to the cost effects, measure effects can also be stored. These effects are then used to show the net presentation of the risks. The net assessment can be calculated manually or automatically in the GRC tool.

Integrated action management has been an integral part of R2C_GRC for years.

  • Status
  • Appropriateness
  • Effectiveness
  • Efficiency

The required points can be documented and evaluated in corresponding fields. In addition to clear dashboards, GRC software also offers the option of ensuring efficient processing and tracking of measures via stored workflows.

Prepare yourself optimally for the next audit together with our GRC experts - take the Readiness Check for IDW PS340 n.F.! As part of our readiness check, you will find out which of these points you are already implementing in full, in part or not at all and you will receive targeted implementation recommendations.

We will be happy to support you in implementing the recommendations. Alternatively, we can provide you with an action plan on how and by when you can implement the points mentioned so that you can position yourself vis-à-vis the auditors.


Data protection management software

Data protection management software supports companies in correctly protecting personal data. It complies with the legal requirements of the EU GDPR, documents important data such as business processes and carries out data protection impact assessments.

The requirements of the EU GDPR are aimed at companies of all sizes. For this reason, data protection management software is an effective tool for companies of all sizes to reduce the complexity of the requirements and implement regulations correctly.

In order to document your company in a long-term and holistic manner in compliance with data protection regulations, you still need an expert to maintain the system even with the software in place. Nevertheless, our data protection management software makes that work considerably easier and reduces the time required.

To enable you to make optimum use of the data protection management software, it should be individually configurable. This allows you to adapt the software applications to your company. You should also ensure in advance that the system takes into account all the requirements of the EU GDPR.

Finally, data protection management software only facilitates the day-to-day handling of data protection documentation if it is intuitive and easy to understand. The system must be easy to integrate into your IT infrastructure. Convince yourself now of the high usability of our GRC software and request a free demo!

GRC Cloud

The following backup versions are available as standard:

  • 1 x daily full backup (included) | retention period 14 days
  • 1 x weekly full backup (included) | retention period 4 weeks
  • 1 x monthly full backup (included) | retention period 3 months
  • 1 x annual full backup (ordered separately) | retention period 10 years
  • Full backup and retention period according to your wishes (ordered separately)
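To make the schedule above concrete, here is an added example (not Schleupen's backup tooling) that applies the four standard tiers to a constructed list of daily backup dates and reports which versions are still within retention and under which tier. The rules it uses are assumptions: the weekly, monthly and annual versions are taken to be the last backup of each ISO week, calendar month and calendar year, and the retention periods are the ones listed above.

```python
"""Added example: which backup versions the stated retention schedule keeps on a given day."""
from datetime import date, timedelta
from typing import Dict, Iterable, Set

# Retention periods as listed on the page (assumed to be measured from today's date)
RETENTION = {"daily": 14, "weekly": 28, "monthly": 3, "yearly": 10}  # days, days, months, years


def retained_backups(backups: Iterable[date], today: date) -> Dict[date, Set[str]]:
    """Return every backup still within retention, mapped to the tier(s) that keep it."""
    ordered = sorted(set(backups))
    # Assumption: the weekly/monthly/annual version is the last backup taken in that period.
    last_in_week: Dict[tuple, date] = {}
    last_in_month: Dict[tuple, date] = {}
    last_in_year: Dict[int, date] = {}
    for d in ordered:  # sorted input, so the last assignment per key is the latest backup
        last_in_week[d.isocalendar()[:2]] = d   # (ISO year, ISO week)
        last_in_month[(d.year, d.month)] = d
        last_in_year[d.year] = d

    kept: Dict[date, Set[str]] = {}
    for d in ordered:
        tiers = set()
        age_days = (today - d).days
        months_ago = (today.year - d.year) * 12 + (today.month - d.month)
        if age_days < RETENTION["daily"]:
            tiers.add("daily")
        if last_in_week[d.isocalendar()[:2]] == d and age_days <= RETENTION["weekly"]:
            tiers.add("weekly")
        if last_in_month[(d.year, d.month)] == d and months_ago <= RETENTION["monthly"]:
            tiers.add("monthly")
        if last_in_year[d.year] == d and today.year - d.year <= RETENTION["yearly"]:
            tiers.add("yearly")
        if tiers:
            kept[d] = tiers
    return kept


if __name__ == "__main__":
    # Constructed input: one full backup per day from 2023-12-01 to 2024-06-30
    history = [date(2023, 12, 1) + timedelta(days=i) for i in range(213)]
    for day, tiers in sorted(retained_backups(history, date(2024, 6, 30)).items()):
        print(day.isoformat(), ", ".join(sorted(tiers)))
```

Running it with the constructed history shows the expected shape: the last fourteen days survive as daily versions, Sundays up to four weeks back as weekly versions, the last day of March, April and May as monthly versions, and 31 December 2023 as the annual version. Everything older than the tier that could keep it, such as 29 February 2024, has already been pruned. A check of this kind is also a quick way to verify that a restore point you are counting on is still inside the retention window before an incident, not after.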

The data is backed up via backup-to-disk and, in individual cases, also via tape. The data is stored in secure areas (separate fire compartments) of the data center.

A comprehensive role concept at the administrative level regulates the rights of persons accessing the GRC Cloud. This applies not only to you as a customer, but also to Schleupen employees themselves.

As a Schleupen customer, you will be informed of an update in good time and an individual appointment will be arranged with you.

Updates to the system environment are part of the GRC cloud by default.

No, all licenses required for operation within the GRC Cloud are part of the offer. All you need is a web browser. For the best performance we recommend Google Chrome.

The move to the GRC cloud is usually carried out like a regular update. Once the application has been deployed on our servers, the data is imported into the application and any connections to the Exchange Server or ADFS are established.

The difference depends on the current performance of your in-house installation. Resource planning for the GRC cloud, however, aims at consistently high performance. It can therefore be assumed that performance is largely determined by the quality (bandwidth, latency, type) of the available Internet access.