Cameron Garrity

What is CastleHill GRC as a Service (GRCaaS) all about?

It’s about increased effectiveness, reduced costs and the establishment of new risk management capabilities for our clients. We believe that improved efficiency, effectiveness and productivity drive profitability for our customers. CastleHill GRC as a Service leverages the business process outsourcing (BPO) model to execute a wide range of enterprise risk management and support functions. CastleHill GRCaaS frees up our clients’ key strategic resources to focus on their core business, find cost savings, operate more effectively and be more efficient as an organization.

Who are your customers and what is the engagement model?

We serve businesses and institutions operating in high-risk and highly regulated environments. Our employees work externally as dedicated risk management teams on behalf of our customers, ensuring the highest level of service, professionalism and proficiency possible. We assign subject matter expertise and teams of domain professionals to each customer, providing:

  • Experienced, responsive domain experts and GRC professionals
  • Familiarity and resource continuity
  • Single points of contact
  • Elimination of call trees and support tiers
  • Elimination of single points of failure


What are the CastleHill GRC as a service core deliverables?

CastleHill GRC as a Service delivers an end-to-end outsourced management capability that handles the day-to-day tactical functions of establishing, running and monitoring governance, risk and compliance programs. Engaging with CastleHill ensures support for critical decision-making processes, continuous improvement of governance, risk and compliance management programs, and rapid, controlled responses to increased regulatory scrutiny, whether temporary or sustained.

Working with CastleHill Managed Risk Solutions means:

  • Establishing an outsourced risk and compliance management function that creates a clear division between the process of monitoring risk and the management of risk.
  • Providing a fully managed, fully hosted technology solution that eliminates the risks and limitations of using common office products as the primary tools supporting critical, risk-aligned business functions.
  • Aggregating and provisioning actionable data that drives client organizations toward meaningful improvements in enterprise governance, risk and compliance management functions.
  • Reducing client costs by decreasing latency and improving communications workflow, while still improving the effectiveness and efficiency of critical business process activities.
  • Establishing or improving oversight of regulatory, policy and procedure, process, vendor and control management programs.
  • Introducing well-managed and scalable solutions for accommodating rapid change to business, technology and compliance risk environments.


What are some of the services included with CastleHill GRC as a Service (GRCaaS), and what are some of the outputs?

Our services and deliverables are tied to business objectives aligned to strengthening not only the business value of strong GRC management, but the improvement of your organization’s supporting business processes as well. Our GRC business and technology professionals accomplish these objectives through delivery of:

  • Internal systems development
  • Risk management process engineering and continuous improvement
  • Execution of key governance, risk and compliance functions
  • Risk data aggregation, reporting and business intelligence
  • Risk platform configuration and deployment
  • Best practice advisory and support services
  • Real-time feedback, issue management and actionable data


What, in addition to successful delivery of an outsourced capability, are the CastleHill criteria for success?

Critical success factors include, but are not limited to, the following:

  • Improved operational workflows and measurable decreases in GRC program lifecycle times
  • GRC program transition to fixed cost and observed cost savings as a dimension of resource overhead, time and effort
  • Improved GRC program communications and establishment of effective feedback loops
  • An observed improvement in reporting accuracy and sustained client access to actionable data
  • An observed improvement to compliance environment efficiency, effectiveness, scalability, and sustainability

In some cases, evidence of success is plainly observable; in others, metrics need to be established as baselines early and monitored on an ongoing basis. Specific criteria and baseline measurements may differ for each client. Typical success indicators, however, include the timeliness and accuracy of control testing, compliance assessments, assessment lifecycle times including certification, overall remediation lifecycle times, time to remediation (issue management) for individually underperforming areas, and the availability, accuracy and effectiveness of organizational reporting.

What and how many GRC programs can I outsource?

You can let CastleHill handle as many or as few programs as you’re comfortable with. We generally apply a proof of concept in one or two areas at first, then move on to integrate additional areas of focus as the client becomes more comfortable with the process. For example, we might begin with third-party risk and issue management, moving on to controls and document management soon after. As you add additional program scope, the process and supporting systems become increasingly effective even though the costs associated with GRC as a service remain largely level!

Some of the GRC programs that can be fully developed and managed by CastleHill:

  • Vendor Management and Third-Party Risk Management
  • Regulatory Compliance
  • Issue Management
  • Incident Management
  • Library Management (Risks, Policies & Procedures, Processes, Regulations and Standards)
  • Business Impact, Business Continuity and Disaster Recovery Program Management
  • Document Management
  • Custom GRC Program Development and Execution


What does service delivery look like in the beginning, and how does it change as we progress through the program?

Your program will be executed and managed by a dedicated team of GRC professionals, all with specific domain expertise.

Trial Period: We start with a trial period designed to quickly onboard an effective baseline capability, such as vendor management or issue management. The trial period is intended to ensure low overhead entry into your organization over a period of a few months, allowing you to observe, engage in the process handoffs and evaluate the outputs. After completion of the trial period, we can evaluate your overall program performance and decide what direction is required in moving forward with additional solutions for GRC management.

Project Normalization (ongoing): In this phase, we begin to mature your GRC programs through a process of continuous improvement. We work to build in structured methodologies and best practice, integrating your outsourced programs with your complete enterprise risk function. We also work to centralize and onboard additional GRC areas, as the capabilities continue to increase and more value is driven out of the program.

Do program costs increase as additional GRC areas are added to the overall scope?

Of course. However, the spend increase is so minimal that we’ve never actually received pushback on the pricing. For example, if CastleHill is already handling vendor management, third-party risk management and issue management for a client, and they decide the entire RCSA and contract management should be onboarded as well, total cost increase for the added capability would probably be about 6%. The economy of scale with CastleHill GRC as a Service (GRCaaS) is a major contributor to our incredible ROI.

Are your services cost-effective?

Yes. CastleHill GRC as a Service (GRCaaS) can cut your GRC program operating costs by 75% or more, and you probably don’t have to lay off resources post implementation to get there. No kidding. Even better, GRCaaS has never failed to improve the effectiveness and continuity of a previously existing, internally managed, GRC function. Our reputation for cost savings, program improvement and high-quality output is unblemished.

What qualifications do your employees hold?

At CastleHill, client teams are staffed with only the most qualified and experienced professionals, ensuring we provide our customers with quality solutions and high-value interactions. Most CastleHill employees hold certifications in their specialty domain (CISSP, GIAC GSEC, CISA, HCISPP, CTPRP, CVPM), while others are simply among the best at what they do. We hire quality people to provide quality results.

Note: Although we do train high potential candidates in specific domains, we do not dedicate these junior professionals to client teams without them first achieving a high level of proficiency as “floating” resources.

Do you have the adequate infrastructure and technology to support my business processes?

Yes. Our systems are actively managed, completely modern and entirely scalable.

Do you sign non-disclosure agreements and SLAs?

Yes. We sign non-disclosure agreements and service level agreements for every customer who outsources to CastleHill.

I want to discuss CastleHill GRC as a Service details and opportunities. What should I do?

Call or email us!

  • Phone: +1 603 259 4007
  • Email Us: support@castlehillrisk.com
  • Mailing Address: P.O. Box 1402 Amherst NH 03031
  • Physical Address: 199 RT101 Suite 1B Amherst NH 03031
