To support its clients in implementing a GRC program, ArtimIS generally relies on a reference framework that combines good risk management and internal control practices (AMF, COSO 2 and ISO 31000:2009 risk management) with the specifics and user experience of business solutions (ERP: SAP S/4HANA, Oracle or other specific applications).

Before launching into the definition and implementation of a GRC program, it is important to define the governance: the organization, the sponsors, the key project actors and the contributors, and also to identify the processes to be covered as a priority.

ArtimIS experts assist their clients in identifying the players needed for each line of defense:

First line of defense (operational management, which owns the risks and operates the day-to-day controls)

Second line of defense (risk management, internal control and compliance functions, which define the framework and monitor the first line)

Third line of defense (internal audit, which provides independent assurance over the first two lines)

Once the governance is defined (organization, people, processes, applications, ...), the next step is to evaluate, define and implement the risk management and internal control system.

To do so, we can rely on the ISO 31000:2009 risk management reference framework, structured around the four areas below:

Governance & Organization

Risk Classification & Reporting

Associated Processes

Applicative Technology & GRC Platform