Program Governance and Remediation

Program governance is vital for the success of any endeavor as it is meant to ensure the alignment of the initiative with the overall business strategy and goals.
The GRC Program services offered by Virtusa assist financial services organizations in maintaining both efficiency and compliance in an increasingly complex regulatory environment. Virtusa provides industry professionals, who are experienced in various areas of risk and compliance, to provide a hand’s on approach to program management, operational efficiency, remediation and delivery.
Our clients benefit from the combination of domain expertise with years of financial services expertise and technology utilizing our unique global delivery model. Virtusa professionals provide in-depth business and technical skills to assist organizations of all sizes embarking on key GRC initiatives.

Virtusa provides the following:

  • GRC Strategic Planning – services to help organizations develop a vision, align the strategy and create a strategic roadmap for their GRC program to improve success.
  • Regulatory Change Management – provides expert assistance in regulatory and compliance issues while maintaining the focus on overall business strategy and operational efficiency.
  • Controls Design, Testing and Verification – ensuring that identified areas of risk are mitigated to reduce exposure and maintain compliance with internal policies and external regulations

Strategic GRC Program Planning

Before embarking on the implementation of a GRC program it is important to ensure that an organization has set the proper vision and objectives. These should be aligned with overall business goals. The utilization of a maturity model allows an organization to view their current state practices and competencies against the model in order to determine the roadmap for achieving higher levels of GRC maturity. The utilization of Virtusa’s Strategic GRC Program Planning provides the organization the ability to jumpstart the initiative and achieve consensus among divergent stakeholders.


The initial stage of the process provides the organization the ability to define and focus on a set of priorities. The ability to resolve those issue considered as the “low hanging fruit” while setting the program in the right direction to achieve the long term goals.

  • Vision, Mission and Goals - Set the Vision for the program and ensure alignment of the program with overall business objectives.
  • Maturity Modeling - Determine the current level of program maturity in order to create the future roadmap.
  • Governance Model - Mechanism to ensure the consistent delivery from the program


The next stage of the process delivers a framework i.e. common set of risks, taxonomy, architecture and processes to the enterprise. This ensures that these assets are all properly mapped to the regulations, policies, procedures and controls.

  • Framework - A foundation to ensure a consistent approach to GRC across the enterprise.
  • Ontology - A taxonomy to ensure common understanding across stakeholders.
  • Analytics/Business Intelligence – The data required to produce actionable information for the organization.


The final phase of planning is designed to assist an organization define the lifecycle of the program and to ensure the sequence of work streams will deliver the expected value. We can assist the organization by helping implementing the appropriate program model to ease the challenges of change management, communications and continuous improvement.

  • Long term Roadmap – to ensure the implementation of the aligned strategy.
  • Ensure the plan provides for Communications, Change Management and Continuous Improvement.
  • Creation of a program management plan involving a governance, test strategy and risk mitigation approach and documentation of key roles and responsibilities.

Business Process and Controls Management

Business Process Transformation is needed by Financial Services firms to ensure compliance with new regulations, improve governance and improve operational efficiency. Changes in regulations and technology have changed the paradigm for the Financial Services industry. This change requires a greater focus on controls and on the acquisition, access and management of data to accommodate the challenges of this new paradigm. Virtusa provides an approach to delivers the necessary capabilities to support the competing requirements and achieving the desired results. Our approach includes the following:

  • Business Requirements Analysis
  • Process and Controls Design
  • Solution Design and Functional Specifications

Clients successfully utilize our approach to business process consulting for overcoming many different types of challenges. Virtusa’s consultants can help provide services to ease the burden on a financial services organization to improve efficiency, compliance, and controls.

  • Utilize for new or existing GRC programs and new regulatory requirements
  • Current state assessment of existing processes to identify potential control gaps
  • Design new business or risk management processes or operating models to achieve desired results
  • Provide recommendations based on regulatory requirements, existing resource and technology constraints
  • Definition of business and functional requirements for BPM design
  • Roadmap provided for implementation of process and technology initiatives

Controls, Design, Testing and Verification

Readiness Assessment

Readiness assessments explore how ready companies are to address risks or gauge their readiness needs as a professional service organization. The readiness assessment is divided into three phases:
Phase 1: Planning - Establishing scope, timing and objective for the readiness assessment.
Phase 2: Delivery - Documenting a description of the system and the inherent risks associated with existing controls- Conducting gap assessments to identify areas of immediate and future focus.
Phase 3: Reporting - Providing advice and recommendations - Delivering the final readiness assessment report.
This approach incorporates a risk-centric focus, while also identifying the effective and efficient methods for identifying the scope, testing controls, and executing the tasks and activities associated with third-party assurance reporting.

Internal Controls Testing

Procedures designed to evaluate the design and operating effectiveness of internal controls at an organization. Controls are evaluated to assess whether the controls have been properly designed to prevent or detect a material misstatement in the financial statements. The operational effectiveness of the control is assessed to determine whether the control was applied consistently during the period. Testing focuses solely on controls at an organization that are likely to be relevant to an audit of a user entity’s financial statements, operations and compliance. Testing can be used to determine weaknesses and the need to redesign a control environment.
Various types of testing include:

  • Inspection
  • Observation
  • Walkthrough
  • Reperformance

Various types of Internal Control Reports:
SOC engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of comply with laws and regulations such as the Sarbanes-Oxley Act and the user entities’ auditors as they plan and perform audits of the user entities’ financial statements.

There are two types of reports for these engagements:
Type 2 - Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
Type 1- Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

The use of these reports are restricted to the management of the service organization, user entities of the service organization and user auditors.

Risk Control Self-Assessment (RCSA)

RCSA (Risk Control Self-Assessment) is an assessment performed by enterprise management, which enables management and staff to collectively identify and evaluate risks and associated controls. It is a technique that adds value by increasing an operating unit’s involvement in designing and maintaining control and risk systems as well as identifying risk exposures and determining corrective action. It aims to integrate risk management practices and culture into the way staff undertake their jobs, and business units achieve their objectives. It provides a framework and tools for management and employees to help provide an enterprise view of operational risk, and help keep the company on course for achieving high performance.

The RCSA is used by many financial institutions for performing operational risk assessments as required by Basel II, for example, and many local regulatory bodies. In those institutions, the annual RCSA exercise is typically undertaken to comply with regulatory requirements calling for a firm-wide, self-analysis of operational risks. In its most general format, an RCSA requires the documentation of risks, identifying the levels of risk (derived from an estimate of frequency and impact), and controls associated with each process conducted by the organization.