Frequently Asked Questions
What is GRC? What is QGRC?
Governance, Risk, and Compliance (GRC) software (tools) are essential software solutions that help organizations manage their corporate governance processes, risk management processes, and regulatory compliance obligations in an integrated and compliant manner. The goal of a GRC tool is to create a centralized framework that enables businesses to achieve their business goals, address uncertainty, and act with integrity.
Governance includes ensuring that all strategy, operation, management, control, and audit processes are aligned and consistent with the overall strategy, policies, and objectives of the business, and ensuring accountable, responsible, transparent, and fair management for stakeholders. It sets the tone and direction at the top, guiding everything from daily operations to long-term planning. In this sense, internal audit and internal control systems support governance. Their integrated management provides added value.
Risk Management is a systematic approach to identifying, analyzing, assessing, and addressing potential risks that could hinder the company's operations or lead to losses. This includes continuously monitoring and assessing financial, strategic, and operational risks to minimize any negative impact they may have on the company's assets and earnings. As a result of determining and implementing the reactions to the risk and monitoring the results, the company is protected from financial, operational, legal and reputational losses. At this point, the internal control system provides a holistic and comprehensive approach in terms of risk reduction strategy. In this sense, added value increases when risk management and internal control are managed in an integrated manner.
Compliance refers to developing strategies and operating in accordance with the laws and regulations to which the company is subject. It's not just about avoiding legal penalties but also about maintaining the company's integrity, reputation, and customer trust. Compliance management ensures that business processes, operations, and practices comply with all applicable laws, regulations, standards, and ethical practices. It also aims to ensure that the company's internal regulations are compatible with external regulations and that all regulations are associated with processes. Process owners have to monitor changes in the external environment and act quickly to adapt to them. The units that coordinate this work within the company also need to coordinate compliance through process management, internal communication and internal control processes.
Q-GRC is a comprehensive GRC tool, combining these three key areas into a single, cohesive platform.
QGRC supports the governance, risk management and compliance processes of companies. How does it do this?
- Establishing, managing and monitoring internal control and risk management processes in companies
- Facilitating internal audit processes, integrating them with internal control and risk management
- Process and document-based management of compliance with internal and external regulations
- Ensuring organization, process management and management of duties/responsibilities in companies
What is the benefit of QGRC to my organization? What will it bring to my institution?
Q-GRC software centralizes governance, risk management, and compliance processes into a single system, breaking down silos and fostering collaboration across departments. By integrating these functions, organizations can ensure that their strategies are consistently implemented across all levels, enhancing the overall effectiveness of their governance, risk management, and compliance initiatives.
Processes such as internal control, risk management, process management and internal audit under GRC are generally managed independently of, and disconnected from, each other in companies/institutions. Integrating these management systems, which exchange data with each other, is a very serious problem.
Companies that manage these processes all over the world and in our country allocate a lot of resources to the subject and develop integration with great effort, usually with in-house solutions or manual methods. Achieving this integration with the Q-GRC software solution allows these management systems to be managed from a single point, integrated with each other, and reduces duplicate effort. In this way, it provides a serious cost advantage, data security, data integrity and corporate resource efficiency.
- Improved Decision-Making with Real-Time Data and Analytics
- Cost Efficiency with Process Optimization
- Consistent Regulatory Compliance and Faster Adaptation to Changes
- Proactive Risk Management
- Improved Reporting Capabilities
- User-Friendly Interface and Customizability
- Flexibility in the Face of Uncertainty
- Increased Organizational Agility
- Building a Culture of Compliance and Risk Awareness
- Contribution to ERP Projects Transition or Revisions
What are the technical specifications of QGRC?
ERP Integration
Azure App Service
Active Directory
Single Sign On
Mail Integration
SMS Integration
Escalation
Ready Web Services
Multi-Language Support
Wide Parameter Support
Bulk Transfer Tools
Role-Based Authorization
Dashboards
Consolidated Reports
In which sectors should QGRC be used?
It is used in every sector, especially Public, Energy, Finance, Telecommunication, Informatics, Insurance, Leasing, Factoring, REIT, Health.
Differences of Q-GRC (How do we differ from our competitors?)
In the crowded market of GRC solutions, Q-GRC distinguishes itself by offering a range of features that are both advanced and user-centric, ensuring that our clients not only comply with regulatory requirements but also gain significant strategic advantages.
Embedded Know-How, Methodology and Tools Support
Q-GRC is in line with professional organizations such as IIA and ICI and international professional practice frameworks, standards and frameworks of organizations such as COSO. More than compliant, it includes implementation models, methodologies and tools that comply with these standards. When you get Q-GRC, this know-how comes to you installed. In addition, we provide technical support in the installation and go-live of the software, and professional support in the transfer or revision of the internal control, risk management and internal audit processes in your company with our consultant and expert team.
Superior Integration Capabilities
While many GRC tools offer integration with ERP systems, Q-GRC stands out by providing seamless integration capabilities with most common ERP software. This means less downtime and fewer compliance issues for the application, ensuring that your organization can synchronize data between systems without the need for extensive customization or costly IT resources.
In addition, our Q-GRC tool can work integrated with our other software QDMS, Ensemble and Beam. This will provide additional benefits to our customers, especially those who are using these software. Apart from data exchange, users who are familiar with the interfaces of these software will have the advantage of using Q-GRC intuitively.
Advanced Reporting and Analytics
Q-GRC is equipped with superior reporting capabilities that go beyond standard compliance checks. Our tool offers in-depth analytics and visualization features, enabling organizations to understand not only where they are compliant or at risk, but also why, and what actions can be taken to mitigate those risks. Customizable dashboards provide executive overviews and detailed drill-downs tailored to the specific needs of various stakeholders, from audit committees to operational managers.
With advanced analytics and reporting features, Q-GRC transforms data into actionable insights. This feature allows you to easily understand complex GRC data and make informed decisions to manage risk and ensure compliance. Regular and ad-hoc reports can be generated to meet the needs of different stakeholders, including regulatory bodies, senior management, and the board of directors, facilitating transparency and accountability.
User-Centered Design
Ease of use is at the core of Q-GRC's design philosophy. Our interface is intuitive, reducing the learning curve and enabling users within your organization to become proficient quickly. This user-centric design extends to mobile platforms, ensuring that your team can access critical GRC functions anytime, anywhere, and promoting a cohesive approach to GRC management.
Customization and Flexibility
Q-GRC stands out for its ability to adapt to the unique needs of each organization. Unlike many competitors that require organizations to tailor their processes to the tool, Q-GRC can be customized to fit your existing processes, governance structures, and risk management frameworks. This flexibility ensures that organizations do not have to compromise their operational procedures to adhere to a predefined software structure.
Proactive Compliance Management
Our software is not only reactive but also proactive. It allows you to make necessary adjustments to compliance and risk management strategies in a timely manner. This proactive approach ensures that organizations monitor regulatory changes and always reflect the change in their operations, minimizing the risk of non-compliance.
Cost-Effective Application
Q-GRC provides a cost-effective application compared to many competitors. By reducing the need for external consultants and lengthy customizations, organizations can achieve a faster return on investment. Our transparent pricing model also ensures that there are no unexpected costs often encountered in GRC applications.
Robust Security Features
In the era of data breaches and cyber threats, security is paramount. Q-GRC incorporates robust security protocols to protect sensitive data. Encryption, role-based access control, and continuous security updates are just a few of the features that ensure your data is secure and that you don't compromise your compliance with data protection regulations.
Are there legal requirements for GRC?
In terms of legal obligations, there are obligations on internal control, risk management and internal audit.
In fact, international internal control regulations have been adopted in internal control practices in Turkey. Studies on internal control in our country are carried out by the CMB and Banking Regulation and Supervision Board (BRSA), and the Public Financial Management and Control Law No. 5018 was enacted. Later, regulations were made for internal control in the New Turkish Commercial Code No. 6102.
CMB Regulations
The evaluation of the internal control structure in the CMB legislation is regulated in the communiqué Serial: X, No: 22. This communiqué states that independent auditors must evaluate whether the internal control structure is functioning effectively.
In the CMB, in parallel with the Investor Protection Law, it has been made mandatory to establish a committee responsible for auditing. In this context, companies whose shares are traded on the stock exchange are obliged to establish an audit committee. The audit committee oversees the functioning and effectiveness of the internal control structure of the company.
Regulations Made by the Banking Regulation and Supervision Agency (BRSA)
In banks, this function is defined as 'internal systems'. Banks, factoring companies and electronic money payment institutions have internal control, risk management, internal audit and compliance obligations.
Regulations Made within the Scope of Public Financial Management and Control Law No. 5018
All public institutions, including ministries, universities and municipalities, have to establish internal control, corporate risk management and internal audit systems.
Investment Financing Decree
SOEs are obliged to establish internal control, corporate risk management and internal audit systems according to the investment finance decree.
New Turkish Commercial Code No. 6102 (TCC)
In the Turkish Commercial Code No. 420, which was published in the Official Gazette on 14.02.2011 and started to be implemented on 01.07.2012 with the Law No. 6102, mandatory rules have been introduced for joint stock companies to be structured on the basis of Corporate Governance Principles.
In order to ensure better management of companies in the TCC No. 6102; the necessity of an effective internal control structure and internal audit in companies has been stipulated and regulations have been introduced to encourage the establishment of internal audit units.
In order to ensure institutionalization in the TCC No. 6102, the Early Detection of Risks Committee, the Corporate Governance Committee and the Audit Committee have been established.
In summary, in the TCC, internal control, risk management, internal control are mandatory in public companies. In joint stock companies, it is left to the decisions of the companies' own board of directors within the scope of compliance with corporate governance principles. However, the TCC wants the risks to be determined in any case. In cases such as foreign investors, internal control, risk management, internal control systems are issues that are questioned.
Is QGRC compliant with COSO, SOX, IIA and ISO 31000 standards?
QGRC focuses on areas that have international standards and are required by legal regulations: enterprise risk management, operational risk management, internal control, internal audit, compliance with legislation/policies and procedures.
The standards we aim to comply with:
- COSO Internal Control Framework
- COSO Enterprise Risk Management Framework
- ISO 31000 Standards
- IIA Internal Audit Professional Practice Framework (Standards)
Legal regulations we aim to comply with:
- Public Internal Control Standards
- A Guide to Public Enterprise Risk Management
- Sarbanes Oxley (SOX)
- CMB Regulations
- TCC Requirements
We adopt a Model-To-Execute approach for organizations to comply with the above standards, because the automation of GRC, that is, of internal control, enterprise risk management and internal audit, is not just a matter of technology. In order to take full advantage of automation in this regard, methodology challenges must be overcome. Q-GRC's Model-To-Execute approach provides institutions with all the technical functions and methodology proposals needed in Internal Control, Operational Risk Management, Corporate Risk Management, Internal Audit and Compliance within the scope of GRC strategies in accordance with international standards. We want to make internal control, operational risk management, corporate risk management, internal audit and compliance requirements correctly applicable at once with an integrated solution, so Q-GRC has developed a holistic Model-To-Execute approach that combines methodology and technology.
How long will it take to profit?
With QGRC, you manage your major risks, prevent major losses and leaks, prevent abuse and protect your reputation. These are priceless.
It will start to show its effect in 6 months.
You will get a return on your investment within 1.5-2 years.
What modules does QGRC consist of, how to use it, why is it important?
- Base Module: QGRC Server
- Policies and Procedures
- Action Planning
- Internal Audit
- Risk Disclosure
- Process Risk Management
- Process Management
BASE MODULE: QGRC Server
- What it is: The core module that provides the necessary infrastructure for Q-GRC to function. Modular-based arrangement operations are carried out. Used by System Administrators.
- How to Use: Only accessible to system administrators. Definitions, Configuration Settings and Reports menus are included. Authorizations are defined through the Definitions menu and HR data is included. Changes are made throughout the application as needed through the Configuration Settings menu. Application usage reports and log information are available through the Reports menu.
- Why It Matters: All modules work on and with the base module. Technical specifications and system changes are made through this module.
POLICY AND PROCEDURES:
- What it is: It ensures the management, within the Q-GRC System, of all processes such as initial preparation, revision, cancellation, review, control and approval of the institution's administrative documents, such as policies, procedures, instructions and job descriptions, which are necessary to keep the system operational.
- How to Use: A special folder tree structure is created according to the organization and document system of institutions and organizations. Folder-wide or document-specific authorizations are made. Preparation, revision and cancellation operations are carried out within the authority. A reading task is created for the published documents, and at the same time, the system sends a notification by e-mail.
- Why It Matters: Documents need to be monitored and managed for the effective operation of process-risk-control management components within Q-GRC. There is a search feature in the document list or within the document. The review process is carried out periodically. Revision information of documents can be easily followed. By associating processes with documents, document revisions are automatically reflected in the processes.
ACTION PLANNING:
- What it is: It is a module in which, within the scope of Q-GRC, risk treatment action plans resulting from risk assessment processes can be implemented and relevant tasks can be defined, the person who will do the work and the responsible person are determined, deadlines are given and the work done is followed.
- How to Use: An action plan is created for the work that needs to be done. Relevant actions are defined in the created action plan. For these actions, the person who will do the work, the responsible person and the deadline are determined. Relevant users are informed by e-mail. Closure confirmation may be requested to check completed actions. In addition, the system notifies the senior management of the delay for the expired actions.
- Why It Matters: It works integrated with Internal Audit, Corporate Risk Management, Nonconformity Event Notification modules. In this way, the necessary actions to improve and resolve the findings arising from internal audit, threats or risks are easily planned and followed. Action owners are informed, reminded before the deadline and sent a delay notification after the deadline. It also has a periodic and stealth action feature.
INTERNAL AUDIT:
- What it is: It is a module that enables process and risk-oriented internal audits to be carried out and necessary measures to be taken for the resulting findings. It works integrated with the Action Planning module. It is a module related to the processes and risks of the organization. Internal audit results can be reported.
- How to Use: Control tests related to controls are defined in the system. At the same time, the risk priorities of the processes can be monitored through the audit universe according to the determined criteria. The processes to be audited are determined and an audit plan is created. An audit task is automatically initiated by the system with the controls and control tests related to the processes selected in the audit plan. When the auditors enter the control test results into the system during the audit, the audit report is formed in the system.
- Why It Matters: It allows institutions to make preliminary preparations before the audit. If there are findings, it ensures that the inspections carried out by the authorities are successful by taking the necessary measures in advance. Since a relationship is established between controls and control tests, it can be seen how much control efficiency the institution provides.
RISK NOTICE:
- What it is: It is the module that enables incident and non-compliance notifications related to operational/compliance/financial and strategic threats in the institution to be made and relevant measures to be taken. It can be associated with documents and processes. It works integrated with the Action Planning module.
- How to Use: Risk Notification is made by the relevant employee by filling out the form through the module in Q-GRC. After the form is filled out, actions or corrective actions are defined by the relevant responsible persons within the workflow to be defined specifically for the institution. The process is completed by obtaining the relevant controls and approvals.
- Why It Matters: The standard risk notification form is readily available in the system. This ensures that the incident-nonconformity notification process is used quickly and effectively. Control approval and e-mail notification can be made at all desired steps, which allows the stakeholders in the process to obtain information about the process.
PROCESS RISK MANAGEMENT
- What it is: It is the module that enables the identification, analysis and evaluation of these threats and risks through existing controls, taking measures depending on the risk level, reviewing, revising and reporting for all situations that affect or threaten the strategy, mission and vision of the institution.
- How to Use: A ready-made risk assessment method is installed in the Q-GRC Process Risk Assessment Module. These fields are filled in for the risk assessment record. Inherent risk and residual risk calculations are automatically performed by the system. Measures/actions are planned depending on the risk level. Periodic review is applied. Control and approval processes suitable for the structure of the institution are used.
- Why It Matters: It can be associated with legislation, process, document, control. Viewing or transaction authorization can be given on a user basis. A risk-based control or approval hierarchy can be established. A mandatory or automatic precautionary warning system can be established for certain risk levels. It has unlimited parametric field support.
PROCESS MANAGEMENT
- What it is: It is a module that enables all business processes within the organization to be drawn easily in the digital environment with the drag-and-drop method, and that not only designs processes but also handles them together with all their stakeholders, such as input-output, source, documentation, risk, responsible persons and controls.
- How to Use: With BPMN 2.0 support and the drag-and-drop method, you can easily create process models digitally on the web-based drawing screen. In addition, the risks and controls in the process card are automatically integrated from the relevant modules within the scope of Q-GRC, providing an integrated environment.
- Why It Matters: Process Management is one of the most important steps of GRC studies. Both the current status (as-is) and the to-be versions of all processes belonging to the organization can be determined, thus supporting process improvement studies.
Do you have a demo address where we can access the QGRC application?
Our QGRC application has a "demo" system. It can be accessed from the address below, with any browser. You can request demo login information from the sales manager.
Address: http://qgrcdemo.bimser.com.tr/
Does QGRC run on console or browser?
The application is web-based and works in all browsers. No additional programs will be installed on your computer.
Is there a QGRC mobile app?
You can download the QGRC application for free from stores such as the Apple App Store or Google Play. A mobile license will also be offered free of charge with the application.
Is QGRC installed on our servers or on your servers?
The application can be installed on-prem (on your servers in your institution) or on a cloud server (private cloud) to be provided by you. In the near future, it will be possible to install it in its own cloud environment provided by Bimser.
Does the QGRC app have cloud support?
Currently, the QGRC application can be installed in a cloud environment provided by our customer. It is also installed in the cloud environment provided by Bimser.
Do we have the option to rent the application?
Yes, we have a rental option. In the rental option, you do not pay any additional maintenance money.
Do we own the licenses? Or is it a temporary purchase?
You have two different licensing options: perpetual and lease. In indefinite licensing, you can use the license without any time limit by paying the licensing fee in one go. The warranty period for this type of licensing is 1 year. After 1 year, our customers can continue to receive support by making a Maintenance and Version Update Agreement if they wish. In temporary licensing, our customers pay the license fee for the duration of their continued use of the solution. At the end of the commitment period, the customer can stop using the solution at any time.
Do I need a user license?
A user license is required to use Ensemble. The Ensemble license fee only covers the active user license.
Which users are included in the license?
A license is requested for users who will bring data into the system and will be in an infrastructural setup.
For example: Policy Procedure preparation, revision, opinion, control or approval require a license. A license is not required for e-mail notification, Reminders, Reading Process, Access, Writing and Reporting operations. For detailed information, you can contact Bimser.
Can we draw with BPMN icons in Process Management?
Yes, you can.
How is Process Management different from Visio?
Processes created statically in Visio are managed more dynamically with all process stakeholders in QGRC Process Management. With the process control and opinion approval mechanism in QGRC Process Management, it is ensured that the relevant users are included in the process. At the same time, automatic process distribution and revision tasks are automatically assigned to the relevant users. With QGRC Process Management, in addition to creating corporate rules, it ensures that stakeholders such as risk, control, opportunity, documentation, resource, input-output, performance indicator are included in the process while performing process activities. With the integrations to be made, you can instantly monitor the data on the process models with the TDA feature. You can assign performance indicators for the created process models, set targets for the indicators, and perform measurement activities with the data you obtain manually and/or integrated. With this data, you can also manage improvement activities.
Is version (revision) information kept by the system in Documentation and Process Management?
Yes, revision history is kept, comparisons are made, and reports are produced.
Can we make bulk transfers for Policies and Procedures?
Yes, there are bulk transfer tools.
Can we prepare policies and procedures on the application interface?
Yes, you can run your document operations by editing and uploading either in the application interface or on the desktop.
Which databases can we integrate with?
Data integration can be achieved with all databases.
Does SQL licensing belong to Bimser?
SQL licensing is the responsibility of the customer.