Governance, Risk and Compliance

The output of a risk assessment is a single risk level that takes all of the influencing factors into account.

Governance, Risk and Compliance (GRC) is an overarching term used to describe an organisation’s approach to corporate governance, enterprise risk management and compliance with relevant industry, state and national legislation.

Corporate Governance

Nettitude provides services for company executives to improve the flow of management information within the business. By understanding the critical management information an organisation requires, and by identifying the policies, controls and strategies in place to enforce it, Nettitude is able to provide strategic guidance around corporate governance.

Risk Management

Nettitude provides risk management services that identify, quantify, analyse and treat the risks present within an organisation. Through formal planning and a structured analytical approach, Nettitude delivers consistent, repeatable results. An organisation’s risk appetite and risk tolerance are used as the baseline for all risk calculations.

Following on from this, Nettitude determines a focus of interest based on the assets and data sets in scope. The risk assessment considers threats, impacts, vulnerabilities and likelihood as the factors that directly influence risk. Combining qualitative metrics for these factors with the organisation’s stated risk appetite makes it possible to determine appropriate risk treatment plans. The output of these exercises then feeds into the organisation’s overarching risk management framework.

Compliance

Nettitude assists organisations in achieving compliance with numerous legislative, regulatory and industry body frameworks. Nettitude delivers both consulting and auditing services in the retail, energy, healthcare and finance sectors. Nettitude also provides guidance on the handling of Personally Identifiable Information (PII), with consulting services tailored to meet the objectives defined by the Information Commissioner.

Nettitude uses a series of commercial tools and frameworks when delivering Governance, Risk and Compliance (GRC) services.

What is Governance?

Governance is the term used to describe the way in which an organisation manages the relationships between its main internal and external stakeholders.

In larger organisations it is not uncommon for conflicts of interest to arise between these stakeholders. For instance, employees may have objectives that differ from those of the leadership team, and both of these parties may have objectives that conflict with those of shareholders. Corporate governance exists to increase accountability across these stakeholder groups.

Numerous reports and statutes, including the Cadbury Report, a series of OECD reports and the Sarbanes-Oxley Act, set out principles of corporate governance. In both the UK and the US an “Anglo-American” model of corporate governance is practised, in which a board of directors, including non-executive directors, is elected by the shareholders to serve their interests.

Within this structure, the following corporate governance controls are recommended:

Internal audit and internal control

Split control and balance of power

Performance based remuneration

Monitoring of stakeholder groups

Governance is a large and complex subject matter, with many different approaches and objectives that are ultimately determined by the organisation’s structure. For a company to manage its risk and achieve the required levels of industry and regulatory compliance, a defined governance structure should be in operation.

Risk Management Services

Risk management is the term used to describe the process of identifying, assessing and prioritising risks. Every organisation, whether large or small, makes risk decisions every day. However, in many instances the measurement of risk is ad hoc, undocumented and follows no defined structure. This results in disjointed risk management and, ultimately, higher levels of residual risk than a formal risk management programme would leave.

Nettitude delivers risk management and risk assessment services for organisations across the globe. One of the key contributors to successful risk analysis is understanding the risk appetite of the organisation or business unit being assessed: this sets how much risk the team is prepared to tolerate, and every risk treatment decision is measured against it.

The typical responses to an identified risk are: risk transfer (for example, through insurance or contractual allocation), risk avoidance, risk reduction, or risk acceptance.

At the beginning of any engagement, risk appetite and risk tolerance need to be fully understood.

Nettitude then defines a clear scoping document that identifies all areas of assessment. The assessment proceeds through the following steps:

Assets and focus of interest: Nettitude identifies the focus of interest (FOI). This could be a business unit, an IT asset, an application or a data set.

Determination of business impact: If an FOI were compromised, there would be a loss of confidentiality, integrity or availability, which in turn would have a consequential business impact. Nettitude uses a series of business impact tables to quantify the impact of a compromise consistently across FOIs.

Assessment of threat sources and threat actors: Nettitude identifies the threat sources and threat actors that could impact an FOI.

Threat assessment: Nettitude rates each threat as a combination of the capability and the motivation of the threat actors and threat sources to attack the asset.

Identification of compromise methods (vulnerabilities): Nettitude identifies the compromise methods a threat actor could use to affect the confidentiality, integrity or availability of the FOI.

Assessment of likelihood: Nettitude estimates the likelihood that a threat will exploit a vulnerability, leading to a business impact.

Combining the assessed business impact with the likelihood yields a risk level for each FOI. Once this risk level has been ascertained, Nettitude generates risk mitigation guidance, which is used to bring the risk into line with the organisation’s stated risk appetite.

Global Compliance Services

Our Experience

Nettitude has a presence in both the UK and North America. We help hundreds of merchants by providing compliance and cyber security consultancy services focused on the Payment Card Industry Data Security Standard (PCI DSS). We are one of fewer than ten organisations worldwide recognised by the PCI Security Standards Council (SSC) as a PCI QSA, PCI ASV, PCI PA-QSA and PCI P2PE QSA. Combining this focus with our award-winning penetration testing practice and our malware analysis and forensics labs makes us unusual and sought after within this industry.

Our Skills

As part of our end-to-end approach to security, Nettitude provides focused design, implementation, support and testing services that address many of the technical requirements of cyber security. In addition, Nettitude carries out formal risk assessments, security audits, and comprehensive policy and procedure definition and alignment.

Our Accreditations

Nettitude has a strong pedigree in information security and holds some of the most rigorous industry accreditations in the sector. Our consultancy teams provide comprehensive advice and guidance to help you achieve your chosen level of information security compliance.
