Providing clients with a clear understanding of their exposure to a potential cyber-attack and the impact that it would have on their business. Through advisory, we’re able to help our clients make informed decisions that result in the development of a successful cybersecurity roadmap.



Governance, risk and compliance (GRC) refers to a strategy for managing an organization's overall governance, enterprise risk management and compliance with regulations. Think of GRC as a structured approach to aligning IT with business objectives, while effectively managing risk and meeting compliance requirements.


An effective GRC implementation helps an organization to reduce risk and improve control effectiveness, security, and compliance through an integrated and unified approach that reduces the ill effects of organizational silos and redundancies.


A well-planned GRC strategy comes with lots of benefits, including:

  • Improved decision-making

  • Optimal IT investments

  • Continued monitoring and compliance

  • Elimination of silos

  • Reduced fragmentation among divisions and departments


An IT GRC solution enables you to create and coordinate policies and controls and map them to regulatory and internal compliance requirements. In the IT environment, GRC has three main components:

  • Governance: Ensuring that organizational activities, like managing IT operations, are aligned in a way that supports the organization's business goals.

  • Risk Management: The set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.

  • Compliance: Conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.

By definition, the scope of GRC doesn’t end with just governance, risk, and compliance management, but also includes assurance and performance management. In practice, the scope of a GRC framework is extended to information security management, quality management, ethics and values management, and business continuity management.


At The Mako Group, we have senior-level experts who will examine the business, IT and support functions to help you implement your GRC strategy. Some of these areas include:

  • Assurance—independent assurance is required to ensure that controls are designed and operating effectively, and compliance requirements are met consistently. It is the responsibility of governance to monitor and obtain assurance. Assurance will be primarily through audits. There are several types of audits: internal and external audits, certification audits, financial audits, IT audits, compliance audits, process audits and security audits, etc.

  • Resources—required to conduct business, including strategies, policies, standards, procedures, organizational structure, roles and responsibilities, people, processes, technology, information, physical, financial and intellectual assets, and third parties (suppliers, vendors and contract employees).

  • Business attributes—the key attributes of a business include: goals, targets, SLAs and metrics.

  • Risk, including financial risk, operational risk, reputational risk, information security risk, and compliance risk.

  • Compliance, including regulatory compliance (SOX, PCI/DSS, GDPR, HIPAA, GLBA), organizational compliance (policies and standards), and security (human, physical and information security).

  • Controls—in order to realize value from the business, resources should be utilized efficiently and effectively, and business attributes should be optimized. This is only possible when appropriate controls are implemented and executed. The controls can be classified as management controls, process controls, technical controls and physical controls. Controls are applied to the resources as well as the attributes.




