VComply Named a High Performer in the GRC Platform Category on the G2 Grid for Winter 2021
Dec 22, 2020

We are thrilled to announce that peer-to-peer business software review platform G2 has again placed VComply as a High Performer in the GRC Platform category in their Winter 2021 announcement. Organizations rely on research firms like G2 to help them analyze and compare business software products, and we are excited about the recognition.

We are thankful to our valued customers for this validation. We consider user feedback as a great technique to stay in close contact with our customers and get up to speed on improvements and provide value.

In case you missed it, here’s the score that our customers have given us:

  • More than 96% users gave VComply 4 or 5 stars
  • 95% users said they would recommend VComply
  • Majority of the users started just last year and found immediate value


Besides this, VComply also stands out in the following areas:

Ease of use

VComply received 8.7 score on a scale of 1-10 for ease of use, outranking many competitors in the GRC category and became a preferred choice for customers.

Quality of support

At VComply, we take great pride in serving our customers. We talk to our customers and help them find the quickest way to solve their problems. And the results speak for themselves! VComply received a score of 8.7 in the quality of support category.

Ease of setup

VComply scored 8.7 in the ease of setup category. VComply is intuitive and it is very easy to create an account on VComply. On an average, our customers have gone on-live in less than 2 weeks.

How did VComply reach the top spot?

At VComply, our goal is to make the easiest and the most useful GRC software for organizations. Ever since we started in 2019, we have adopted a customer-centric approach. We have made meaningful changes to our compliance, risk, and audit product range to meet the evolving requirements of our customers. Now, VComply helps teams across compliance, risks, audit, human resources, and legal in varied industry sectors to manage their individual responsibilities, while making it easier for leadership to coordinate organization wide compliance activities.

What customers speak about VComply?

It was simple, it was easy to engage with, and it had a little bit of light-heartedness as well as a very easy to use Dashboard and reports. With VComply, our teams can quickly and easily comply with responsibilities, and our ability to provide oversight across the agency, in one central location is achieved.

Way Forward 

We recognize that there is a lot of work ahead. And, we are committed to the vision of making the world’s most trusted GRC platform for our customers. We continue to add robust features and enhance existing features in our platform to help you strengthen the compliance and integrity of your organization.

Read our reviews here on G2!  

Devi Narayanan
VComply Raised $6 Million in Series A Funding: See Where We Are Headed!
Jan 21, 2021

It is an exciting time for us at VComply! We raised $6 Million in Series A funding to expand VComply's mission to build one of the most intuitive and innovative Governance, Risk, and Compliance platforms in the market. Counterpart Ventures led the round with participation from our current investor Accel Partners

It marks a significant milestone as it sends a powerful message about the direction in which we are heading as renowned investors validate our growing market position. We built VComply with an unwavering belief that every organization deserves an intuitive and flexible GRC platform that understands its unique Governance, Risk, and Compliance management requirements, which legacy software products fail to understand.

"GRC software is a necessity for the modern organization. The current market is full of antiquated solutions, which are not agile and are difficult to manage. VComply is uniquely positioned with its innovative, robust, and scalable platform to capture a huge piece of this market. We are thrilled to be leading this round and looking forward to associating with the company's continued growth," said Patrick Eggen, Co-founder, and Partner at Counterpart Ventures.

Since our start in 2019, VComply has embraced a customer-centric approach and continuously strives to make compliance and risk management as easy and transparent as possible. "In the rapidly growing GRC management landscape, VComply stands out by providing a cloud-based solution that enables robust self-serve risk management while also being easy to use. They have a tremendous opportunity ahead to expand their business in the US, and we're looking forward to working with them on this journey.," said Dinesh Katiyar, Partner at Accel.

We are honored to see the belief and commitment of our investors. And we are thrilled to welcome Counterpart Ventures to the VComply family and see such strong support from our exiting partner, Accel.

We will utilize the investment proceeds to strengthen all areas of the company, with a particular focus on:  

  • Continue product innovation to serve the growing GRC market 
  • Invest further in customer success initiatives and providing an unparalleled customer experience. 
  • Scale our operations across North America and Europe

A partial group photo of our product management team at our Kolkata office

A sincere thank you to our customers

Delighting our customers is at the core of our vision. We are incredibly thankful to our customers – we could not have gotten here without their trust and commitment. Our customers and partners have been there at every step, holding us accountable for our goals and targets. We continue to strive to provide the best experience and support to our customers.

What's ahead?

The road ahead is exciting. Our roadmap is goal-driven and sets a tone of positivity with features that add value to our customers. We are invested in a plan to make our Compliance, Risk, Policy, and Audit Management products as fluid and intuitive as everyday products. We will continuously build and deliver features that help drive change and deliver faster results and better governance.

Once again, a heartfelt thank you to our investors, partners, customers, and a fantastic team. We are eagerly looking forward to the next chapter of VComply!

We wish you all a successful 2021!

Harshvardhan Kariwala
Read More
What is SOC 2 Compliance?
Feb 25, 2021

With digitization of services progressing at a relentless pace, businesses are storing large volume of customer data . But with sensitive information being routinely handled by service providers and third-party associates, there is a pressing need for increased information security. Data breaches and cybercrime too are a threat to security. In such a scenario, it is not uncommon for clients to want an independent review of your internal controls for data security prior to partnering with you, especially if you are a SaaS organization.

This is the kind of guarantee that an SOC 2 audit provides, and many organizations seek to be SOC 2 compliant to possess more robust internal controls and improve their trustworthiness. To have an in-depth look at what is SOC 2 and the relevance of SOC 2 audits, read on.

What is SOC 2?

Framed by the American Institute of CPAs (AICPA),Service Organization Control 2 or SOC 2 lays down a framework for strong information security for cloud service companies. SOC 2 applies to SaaS companies and businesses that upload customer data to the cloud and aims to safeguard this data through 5 Trust Services Criteria.

The 5 Trust Services criteria are:

●       Security

●       Availability

●       Processing integrity

●       Confidentiality

●       Privacy

Following this, SOC 2 compliance is about an organization being able to assure the security of customer data, based on these 5 principles, using adequate controls and systems. Beyond criteria, SOC 2 also provides an auditing procedure and a SOC 2 audit report aims to assure users, clients, stakeholders, and third parties that the organization is complying with the criteria in place for handling sensitive information.

That said, SOC 2 reports are unique to your organization and you have the power to design controls and systems to comply with the trust service criteria that are relevant to you. SOC 2 audits are performed by accountancy organizations or an independent CPA (Certified Public Accountant).

Do you need to be SOC 2 compliant?

Companies and clients you liaison with may not  require you to furnish SOC 2 reports. SOC 2compliance is not a strict necessity in that sense. However, being SOC 2 compliant has its share of benefits. Here’s a look at what they are.

●       When auditors attest to your organization’s system sand controls for data security, you possess a competitive advantage in the market. All things equal, clients are sure to prefer an organization that assures them of information security and integrity.


●       SOC 2 compliance can help boost your other compliance efforts, such as preparing to be compliant with ISO 27001.


●       Data breaches can cause grave financial losses and have legal ramifications too. Being SOC 2 compliant is an ideal way to safeguard yourself against such aspects.

So, while SOC 2 compliance is not mandatory, objectively speaking, it may be required for your organization on a practical level.

What are the SOC 2 Trust Categories?

The 5 Trust Services Categories outlined by AICPA are:

Security: Refers to information and systems being protected against unauthorized access, unauthorized disclosure, and damage that could affect the entity’s ability to meet its objectives.

        a. Information protection in this case covers the points of collection, creation, transmission, storage, processing, and use

        b. Systems under protection are those that employ electronic information to act on the information gained

The criteria of security seeks to safeguard customer data against aspects like theft and unauthorized disclosure. Consequently, tools like 2-factorauthentication can be used to secure data.

Availability: Refers to systems and information being available for operation and use to meet the entity’s objectives.

So, your systems need to be available and accessible as per the terms of your service agreement. Availability is vital, for instance, if you run a datacenter or a web hosting service, which requires data to be accessible 24/7.Likewise, if you sell a SaaS product, you need to ensure that it is available for use, as per the agreement.

Processing Integrity: Pertains to services provided or goods manufactured, distributed, or produced. It ensures that the audited system’s processing is valid, complete, timely, accurate, and authorized in such a way that the entity’s objectives can be met.

If you provide e-commerce services or transact on behalf of clients, processing integrity should make its way into your SOC 2 report. This ensures clients that data modification is authorized, processing errors are able to be detected, system output is accurate, and so on.

Confidentiality: Stipulates that information that is held as confidential is aptly protected to meet the entity’s objectives. This applies from the point of collection right till removal. While privacy pertains to personal information, confidentiality refers to other information as well, such as proprietary information, trade secrets, and intellectual property.

An example of data that needs to be protected is personal health information. If your organization collects and stores such information, an audit of confidentiality ought to be carried out as per the SOC 2 guidelines.

Privacy: Refers to the collection, usage, retainment, disclosure, and disposal of personal information to meet the entity’s objectives. Privacy has parameters such as:

       a. Notice and communication of objectives

        b. Choice and consent

        c. Collection

        d. Use, retention, and disposal

        e. Access

        f. Disclosure and notification

        g. Quality

        h. Monitoring and enforcement

The criteria of privacy verifies that your organization is handling customer data in accordance with the privacy terms agreed upon.

What is Type 1 and Type 2 of SOC 2?

SOC 2 has two types of reports. Type 1 reports attest to the design of controls and security systems at your organization at a specific point in time. Type 2 audit reports are broader in scope. They contain everything that is included in Type 1 reports and attest to the effectiveness of the controls in place evaluated for a period of 6 months or more. Thus, a SOC 2 type 2 report is more valuable.

What is the difference between SOC 1, SOC 2, and SOC 3?

An SOC1 report attests to financial controls only. It is mainly for other auditors. An SOC2 report attests to controls that come under the 5 Trust Service Criteria. An SOC 2 report is mainly for the company itself and while SOC 1 focuses on internal controls over financial reporting (IFCR), SOC 2 focusses on data handling as per the Trust Criteria. SOC 3 report is a general use report that is designed for public sharing. It is a high-level summary of the SOC 2 report but does not go into details of the information in it.

Can GRC software help you become SOC 2 compliant?

A GRC platform like VComply can help you design internal controls that keep your organization compliant with the criteria requirements of SOC 2. VComply provides an uncomplicated way for you to manage compliance and risk, allowing you to assign controls and track them through an intuitive interface. For instance, you can assign responsibilities for data security so as to comply with SOC 2’s primary criteria.

Being SOC 2 compliant is sure to throw open doors to business opportunities and improve customer confidence in your services. Go about it the smart way with a GRC solution by your side!

VComply Editorial Team
Read More
What Is Risk Mitigation ? And Why Is It Important?
Jan 12, 2021

Risks are inevitable in business. Businesses must reduce their exposure to risks and find ways to mitigate them to remain competitive in business. Identification and acknowledgement of risks that affect the operations, profitability, security, or reputation of the business is the first step. Developing strategies to mitigate these risks is the next and the most essential step! Risk mitigation is an important step in risk management that includes identifying the risk, assessing the risk, and mitigating the risk.

What Is Risk Mitigation ?


Risk mitigation can be defined as taking steps to reduce or minimize risks. When you devise a strategy for reducing prospective risks and working with an action plan, it is important that you choose a strategy that relates to your company’s profile and nature of business.


Here's why risk mitigation is important:


-      A robust risk mitigation plan helps establish procedures to avoid risks, minimize risks, or reduce the impact of the risks on organizations.

-      It guides organizations on how they can bear and control risks. This helps a business in achieving its objectives.

-      The ability to understand and control risks makes an organization more confident and helps in making the right business decisions.

-      It increases the stability of the organization and reduces its legal liability.

-      It protects people involved and company from any potential harm.


Different Types of Risk Mitigation Strategies


Let's take a close look at different strategies for mitigating risks:



Accepting a risk does not reduce the impact of it on the organization. However, risk acceptance is considered as a valid option. Accepting risks involve identifying and analyzing risks and bringing these risks into the attention of stakeholders so that everyone involved are aware of the risks and its consequences. The most common reason for accepting a risk is that the cost of mitigation options might outweigh the benefit.


 This is exactly the opposite of the accepting risk. If the risk poses unwanted consequences, the organization chooses to avoid the action that leads to the exposure of the risk. Not starting a project that involves high unwanted risks avoids the risk completely.


 Risk transfer is the involvement of handing over the risk or a part of risk to a third-party. A conventional means to transfer risk is to outsource some services to a third-party. Many organizations outsource payroll, recruitment services to third party. It might involve some drawbacks and take out some control from your organization.


Businesses use this tactic most often in risk mitigation. It may include reducing the probability of the occurrence of the risk, or the severity of the consequences of the risk. If the organization cannot reduce the occurrence of the risk, then it needs to implement controls. Implementing controls should aim at reducing the chances of the risk occurring or finding out the cause for the risks and try avoiding it. Implementing appropriate controls depends on an organization’s decision making process and the nature of the business. One typical example for reducing a type of risk could be using a component tested and available in the market than subcontracting to create the same to a third-party.


Creating a Risk Management and Risk Mitigation Plan


Risk management and mitigation process consists of identifying, assessing and mitigating risks. There are different steps involved in creating a risk mitigation plan. These include:


●    Identify Risks

All the risks must be noted distinctively. This includes every risk big or small, that may harm the organization. The identified risk can be added to a risk register.


●    Define and Describe Risks

Define and describe a risk. Describe the intensity of the risk and the areas it will impact.


●    Allot Risks

All risks that are identified and described must be forwarded to respective entities to take action on mitigating them. The person handling the individual risk is answerable to the management about it.


●    Categorize Risks

There are different types of risks, such as business risks and non-business risks. You can also categorize risks as small risks, medium risks, and high risks. Then, there are risks which you can afford to take and those that should be avoided.


●    Minimizing Risks

This is the main part of risk mitigation, which involves taking actions to minimize risks. Appropriate actions should be taken to control risks and dodge them when they come up, so they don't become a barrier in achieving business objectives.


Best Practices for Risk Mitigation

Here are some ways businesses can make their risk mitigation strategies more effective:


●    Promote Transparency

There should be complete transparency in an entire organization. Even minor miscommunication or misinformation could lead to big problems. Therefore, its important that each step is clearly discussed and known to each stakeholder to mitigate risks.


●    Build a Team

Many businesses have experts in their team who deal with risks tactfully and also know the consequences if risks occur. Businesses should appoint such experts to oversee risk mitigation in an organization, and also hold team members responsible for each type of risk.


●    Reporting

Regular reporting provides a clear picture of the situation and the actions that need to be taken. Thus, management should encourage all teams to regularly report on the risks they're managing and controlling.


●    Evaluate carefully

Evaluation of risks helps you identify which risks might occur, and when and where. This helps you create better risk management plans.


●    Share objectives with your team

Each stakeholder must have one common goal: to cut down risks that come their way. No personal interest should be involved. This helps keep everyone on the same page and upholds the business ethics and interests.

Wrapping up  

While risks are an inherent part of every business, risk mitigation helps businesses minimize the impact of certain risks, while acknowledging and accepting others.

VComply provides an effective way for businesses to track and mitigate risk. VComply helps manage and automate the risk management processes such as risk assessment and risk treatment. The best risk mitigation strategies involve maintaining a risk register, regular reporting, teamwork, and planning.

VComply Editorial Team
Read More
What is Operational Resilience?
Jan 7, 2021

Etymologically, the word resilience has roots in the Latin term resiliere, which means ‘to rebound’. In similar vein, operational resilience describes an organization’ stability to cope with change or misfortune. The ongoing global pandemic, COVID 19 is an extreme form of misfortune, but its impact has been so universal that it has laid bare each organization’s level of operational resilience and sparked renewed interest in the topic.  

Stress, threats, potential failures, disruptions, uncertainty, and change are part of the life of an organization, but one that is operationally resilient has the wherewithal to maneuver through it all. From climate change, power grid black outs, and cyber-attacks to a tainted image on social media and demand-supply disruptions, there are numerous factors that can cause an organization to buckle and crack. A resilient organization has the frameworks and mechanisms to bounce back when dealt the unexpected.

Operational resilience, however, goes further than an organization simply maintaining business continuity or managing risk.

What is operational resilience?

Here are two helpful definitions:

Gartner: Operational resilience is a set of techniques that allow people, processes, and informational systems to adapt to changing patterns. It is the ability to alter operations in the face of changing business conditions. Operationally resilient enterprises have the organizational competencies to ramp up or slow down operations in a way that provides a competitive edge and enables quick and local process modification.

PwC: We define operational resilience as “an organization’s ability to protect and sustain the core business services that are key for its clients, both during business as usual and when experiencing operational stress or disruption.”

The operational resilience definition offered by Gartner places a lot of emphasis on ‘techniques’, ‘abilities’, and ‘competencies’. PwC too focusses on ‘ability’ but brings the end goal in picture, that is, service of the ‘client’.

This article will elaborate more on these themes, while also providing some operational resilience examples.

Interconnected and futuristic

To work within a sound operational resilience framework means to consider risks in a holistic manner. It involves moving away from a vertical and siloed approach to a horizontal and organization-wide approach. This way you aren’t left facing collapsing dominos when one segment of your operations stalls. Similarly, key to the word resilience is the aspect of bouncing back and if your operational resilience strategy focuses on avoiding disruptions only, it is inadequate. Operational resilience is a trait by which your organization can get back to everyday business once a disruption occurs too!

Digital, data and cyber

Today, amid the pandemic, digital adoption is what has kept many businesses running and building a layer of digital resilience can help you put your best foot forward. With more and more touchpoints in the customer journey being digitized, it becomes important to live up to the customer expectation of having always-on services. Issues like server outages can dampen customer confidence.

Digital processes run on data as a fuel and your operations will be only as good as the quality of data you possess. Data resiliency includes aspects like restoring compromised data, preventing data loss, and establishing a sync point in case of a snag.

Alongside digitalization and increased data comes the need for cyber operational resilience. For instance, on 5 March 2020 the US Power Utilities were the subject of a cyberattack that used firewall vulnerabilities to cause ‘blindspots’. The system was resilient enough that actual flow of electricity was not affected. However, this incident shines light on present-day practices that hamper organizational resilience. These include using sensitive apps over home Wi-Fi, storing passwords on home devices, and limited awareness about data privacy.

Client is king

When an organization is in its nascent stages, everything revolves around satisfying the client. At such times, it is quite clear what the firm’s key business processes are, which add direct value to the client. However, as an organization scales, processes become more abstract and even at the C-level, one is not dealing with the client’s needs and aspirations directly, but with other contingencies. While it is required that, for instance, the CIO, COO, and CEO take up different responsibilities, resilience is built when these are ordered to the client’s needs.

This approach makes it easier to identify key products and services, meaning that business continuity planning becomes more strategic and secure when the client is at the center. The goal of a client-centric operational resilience strategy must be to uninterruptedly deliver critical operations, even amidst disruptions.

Human resource

At a certain level, your organization is only as good as your employees. Business staff man several key processes, without which products and services would never reach the client. Factors like employee attrition and wages are perennial issues that threaten business continuity, and hence operational resilience. But in the wake of the pandemic, newer issues such as employee wellness have surfaced. In an increasingly remote-first work environment, HR teams have the tricky task of accepting work from home’s olive branch of business continuity, while knowing that prolonged isolation is a deadly threat to creativity, collaboration, and long-term goals.

Third-party dependency

Whether you have an operational resilience manager or not, possessing a framework for managing third-party relationships that are interwoven with critical operations is a must. This is another way of saying that the client shouldn’t be at the receiving end of issues related to sourcing and other external dependencies. Achieving this includes performing due diligence and risk assessment according to your standards for operational resilience before entering into an agreement.

Governance, risk, and compliance

GRC is integral to operational resilience – and not just because organizations are increasingly coming under the scrutiny of regulatory authorities! A good operational resilience framework includes having a governance structure that can respond to disruptions. Ongoing risk assessment too is crucial to weeding out vulnerabilities and avoiding threats. As mentioned earlier, being resilient means moving away from silos and being more holistic and here, GRC software serves aptly as operational resilience technology.

Solutions like VComply ensure you have a better way to run your business. VComply is a comprehensive platform you can use to govern risks, stay compliant, and implement an operational resilience strategy in a way that you cannot with spreadsheets and binders. With automated reports, integrated workflows, data centralization and more, you can more reliably work towards making your business‘ disruption-proof’.

With a better understanding of what operational resilience is, proceed to define what it means in the context of your organization and grow your business strategically!

VComply Editorial Team
Read More
What is CCPA? How Do You Ensure Compliance with CCPA?
Jan 5, 2021

In this day and age, data is the most important asset that businesses need to protect.

All businesses, big or small, have access to more data than ever. This includes customer data, suppliers’ data, accounting data, and more. The CCPA (California Consumer Privacy Act) has been brought into existence in the state of California for the protection of consumer data and safeguarding their interests.

In this article, we will discuss CCPA in detail and cover topics such as:

● What is CCPA?

● Difference between CCPA and GDPR

● Which business does the CCPA apply to?

● What is personal information under CCPA?

● What are the consequences of non-compliance with the CCPA?

● Steps to become CCPA compliant

What is CCPA?

The CCPA act was introduced on the 1st of January, 2020, in the state of California to protect consumers’ personal information. This act allows consumers to investigate what information is collected by a business about them, and how the information is used or shared. A consumer can ask a company to delete or alter their information under Section 1 (AB 1146), if they feel it will have an adverse effect or their privacy will be hindered. For example, a customer may not want his photo to be shared after a hair transplant.

In order to comply with the CCPA, businesses should take the following steps:

● First, find out if the CCPA is applicable to your business.

● Update the privacy policy data as per the CCPA.

● Provide an opt-in option for prior consent of the users to sell their information, and from parents for users who are in the under-age category.

● Provide the option ‘Do not sell my data’ for users to opt-out from selling their information.

CCPA and GDPR: A comparison

The CCPA and GDPR both have the same objective, to protect consumers’ data and information from violation. However, there are a few differences between them as we'll see below:

● Commencement Date

The CCPA was effective from 1st January 2020, while GDPR came into existence on 25th May, 2018.

● Protection

CCPA protects information that will identify, describe, or is associated with the consumer, such as photos or videos. On the other hand, GDPR protects a specific piece of information about a consumer, for example, a credit card number.

● Region

The CCPA applies only for the state of California, while the GDPR is applicable to any data subjects who are citizens of the European Union.

● Regulation

Businesses that earn more than $25 million, collect data from more than 50,000 consumers, and generate more than 50% of the revenue by selling data accounts of consumers, come under the regulation of CCPA.

Any business around the globe that deals with private data of EU citizens comes under GDPR.

● Penalties

A fine of $2,500 to $7,500 is charged depending on the decision of the Attorney General of California if any law is violated under CCPA.

The penalty under GDPR can be 4% of the annual turnover of the company, or €20 million depending on which is higher.

Which businesses does the CCPA apply to?

The CCPA applies to all big and small businesses. All companies that are in the business of collecting data or information from the consumers need to comply with CCPA.

Specifically, businesses that come under CCPA compliance are:

● Businesses based in California or deals with consumers of California.

● Businesses that are engaged in collecting personal data of the consumers.

● Commercial organizations that make more than $25 million gross profit annually.

● Companies that are collecting and selling data for more than 50,000 users.

● Businesses that generate more than 50% of the revenue by selling data accounts of consumers.

● Additional obligations will be implied including the CCPA if the company is dealing with data exceeding 4 million users.

Businesses exempt from the CCPA are:

● Businesses not from California or those that don’t deal with California.

● Businesses not engaged in collecting data of consumers.

● Nonprofit organizations are also exempt from the CCPA.

● Agencies of credit reporting that come under the Fair Credit Reporting Act.

● Financial Companies that come under the Gramm Leach Bliley Act.

● Health care centers that are under HIPAA (Health Insurance Portability and Accountability Act).

What is personal information under CCPA?

Personal information under the CCPA is anything that describes or is associated with a consumer, household, or device directly or indirectly.

Personal information covered under the CCPA includes the following:

● Customer Identification

Information that identifies a customer such as a name, age, gender, photograph, and other related identifiers.

● Customer Information

Information such as signature, social security number, driving license number, bank account, etc comes under customer information of the CCPA.

● Biometric Data

Information detected and recorded electronically such as fingerprints, eye color, retina scan, and similar other biometric data.

● Commercial Details

Information such as bank details, transactions such as purchase and sale of goods and services, payment of utility bills, etc are all commercial records of a customer.

● Educational Background

This refers to information on how qualified a person is, such as a graduate or a postgraduate.

● Professional Information

Professional information refers to what a person is professionally engaged in.

● Location

Where people live, which places they visit and check-in, where they travel are information records of their location. The new trend of Facebook, Instagram check-ins are examples of showing the location of where a person has visited.

Consequences of non-compliance with CCPA

A company that doesn’t comply with the CCPA can be penalized with charges of thousands of dollars. If a business violates any CCPA law and fails to pay the charges, it risks complete shutdown of the business, website, or channel. Consumers are also in a position to sue companies for breach of their private information after a notice period of 30 days. Another body that can sue the business is the Attorney General of California for the violation of any law of the CCPA.

Here are some specific penalties businesses might incur if they fail to comply with the CCPA:

● Charges from $100 to $750 fined per violation if a company doesn’t prove itself just and fair in front of the consumer.

● A fine of $2500 can be charged by the Attorney General of California if the law was violated unintentionally.

● A fine of $7500 will be charged if the Attorney General feels that you have violated the law intentionally.

Steps to become compliant with the CCPA

Here are some steps businesses can take to ensure compliance with the CCPA at all times:

● Know Your Business

First, you need to know if your business falls under the category to be compliant with the CCPA. To fall under the jurisdiction of the CCPA, your business should be a commercial organization collecting data of consumers of California and generating income of more than $25 million, making 50% profits by selling data, and selling data of more than 50,000 users.

● Keep a tab on data collection

Be sure to keep an eye on all personal information your business is collecting about your consumers. This includes data collected on your website, data your employees are collecting, and so on.

● Create a data map

A data map is a very important part of data privacy management. It shows what data you collect, where it is stored, how secure it is, who has access to the data, and the purposes it is used for.  

● Update your privacy policy

Consistently review your policies and procedures regarding the handling of personal information in your company. Your employees should not be allowed to download data of customers on their devices. For example, accounting data for audit purposes.

● Include an opt-out link

Create a process for customers to opt-out and delete their data from your records. This is an important part of the regulation. Customers can opt-out or delete the sharing or selling of their data. This link should be prominently accessible on your website.

● Improve customer communication

A company should promptly respond to customers if they have any requests to change their data usage. Companies should be able to provide information if the consumer asks about their private information and how it is being sold.

● Vet all third-party contracts

Review contracts with the third party vendors on your policies about managing and using customer data. Determine things that need to be changed related to the privacy policy. Outline the responsibilities that will be handled by the third party and include them in the contract.

● Have security controls in place

The CCPA has strict fines for data breaches. Thus, it's essential that data collected is fully secured and encrypted. Review your security control measures and make sure they're sufficient to protect your business against breaches.

● Invest in employee training

Employees must be adequately trained and educated regarding the  CCPA. They must be aware of the consequences of mishandling data, and how best to communicate with customers regarding their personal information.

Wrapping up

The goal of the CCPA is to protect consumer information from being misused and mishandled. Businesses complying with the CCPA are thus likely to enjoy more loyalty and goodwill from customers.

If you're struggling to keep up with the various laws and regulations your business must comply with, we've got a solution for you. VComply's GRC software makes it easy for businesses in all industries to manage compliance and governance in a hassle free way.

VComply Editorial Team
Read More
VComply Named a High Performer in the GRC Platform Category on the G2 Grid for Winter 2021
Dec 22, 2020

We are thrilled to announce that peer-to-peer business software review platform G2 has again placed VComply as a High Performer in the GRC Platform category in their Winter 2021 announcement. Organizations rely on research firms like G2 to help them analyze and compare business software products, and we are excited about the recognition.

We are thankful to our valued customers for this validation. We consider user feedback as a great technique to stay in close contact with our customers and get up to speed on improvements and provide value.

In case you missed it, here’s the score that our customers have given us:

  • More than 96% users gave VComply 4 or 5 stars
  • 95% users said they would recommend VComply
  • Majority of the users started just last year and found immediate value


Besides this, VComply also stands out in the following areas:

Ease of use

VComply received 8.7 score on a scale of 1-10 for ease of use, outranking many competitors in the GRC category and became a preferred choice for customers.

Quality of support

At VComply, we take great pride in serving our customers. We talk to our customers and help them find the quickest way to solve their problems. And the results speak for themselves! VComply received a score of 8.7 in the quality of support category.

Ease of setup

VComply scored 8.7 in the ease of setup category. VComply is intuitive and it is very easy to create an account on VComply. On an average, our customers have gone on-live in less than 2 weeks.

How did VComply reach the top spot?

At VComply, our goal is to make the easiest and the most useful GRC software for organizations. Ever since we started in 2019, we have adopted a customer-centric approach. We have made meaningful changes to our compliance, risk, and audit product range to meet the evolving requirements of our customers. Now, VComply helps teams across compliance, risks, audit, human resources, and legal in varied industry sectors to manage their individual responsibilities, while making it easier for leadership to coordinate organization wide compliance activities.

What customers speak about VComply?

It was simple, it was easy to engage with, and it had a little bit of light-heartedness as well as a very easy to use Dashboard and reports. With VComply, our teams can quickly and easily comply with responsibilities, and our ability to provide oversight across the agency, in one central location is achieved.

Way Forward 

We recognize that there is a lot of work ahead. And, we are committed to the vision of making the world’s most trusted GRC platform for our customers. We continue to add robust features and enhance existing features in our platform to help you strengthen the compliance and integrity of your organization.

Read our reviews here on G2!  

Devi Narayanan
Read More
5 Ways Internal Audits Can Go Beyond Tick Marks And Spreadsheets
Dec 11, 2020

The tick mark has grown to become a symbol of the internal auditor’s raison d'être, but the primary role of internal audit is not, in fact, defined by stationery and workpapers. The Institute of Internal Auditors (IIA) notes that:

“The role of internal audit is to provide independent assurance that an organization's risk management, governance and internal control processes are operating effectively.”

Today, in the wake of the pandemic, organizations across the world are not just realizing the importance of internal audit, but also appreciating the merits of internal audit that go beyond the confines of ticking and tying. With automation, AI, and ML brining data-driven insights to the table, C-suites and boards are better able to realize why internal audit departments should exist. What is the primary objective of auditing? It’s about offering an independent opinion. But how many times do auditors unearth matters that are of immense importance? The crux of the issue lies in going beyond sheets and into strategy. For that, it is helpful to list out some best practices that can change how internal audit works.

Carefully define the scope of internal audit

This applies to what and how much. After all, internal audit teams help boards and the C-suite steer the ship. It is of prime importance that auditors are trained to look at the big picture and not just at minute details, which very often have no significant consequences on decision making. As the pandemic unfolded, many organizations were confronted with realities they had, hitherto, turned a blind eye to and if internal audit can unmask threats with well-timed counsel, it will well and truly have done its job.

The objectives of each audit too must be defined so that teams do not get overwhelmed with scope creep. This is when you aren’t able to audit in a modular way and land up investigating and rummaging through everything. To define the scope of the undertaking it can be helpful to learn from past audits and factor an element of structure into the internal audit process by drawing out a schedule, assigning responsibilities, setting a budget, and so on.

Prioritize insights and advice

One thing the pandemic made clear is that a spotless past is no absolute guarantee of a seamless future. Many ways of working were condemned to at least temporary obsolescence and today, many organizations question their preparedness for things to come in the future. Hence, internal audit has the chance to evolve into the role of a dependable advisor. The emphasis here lies on what lies ahead. Yes, GRC is important, but consulting must come to the fore too.

Shining a spotlight on issues that have occurred, and even diagnosing them is one thing, investigating processes for issues that may occur in the future is quite another! This is the kind of value that leadership and stakeholders seek, especially after the pandemic. Forward-looking internal audit can take many forms: providing data on how much of a cybersecurity risk work from home poses, probing into current employee morale and what a company needs to do to avoid attrition, alerting management to current ways of working that are likely to come under environmental sanctions in the future, and so on. The advantages of internal audit multiply when you add strategy to assurance.

Invest in the right skills sets

You’ll note shifting the focus from hindsight to foresight is not so much about an internal audit process, it is more about the competence of the team. As such it makes sense to recruit and retain top talent. Besides technical audit skills there are several competencies that you should look to your auditors having.

Data analysis: There is a reason that data science is in vogue and people from all professions are taking to it. With operations and processes becoming increasingly digital, there is a dire need for professionals who can work on that data, make sense of it, and churn out insights from a heap of 1s and 0s. This means that if an audit lead, for instance, were to be able to process data, he or she could instantly steer the internal audit team towards bringing data-driven insights to the executive table.

Soft skills: Irrespective of the internal audit procedure and the technical skills it mandates, what does not change is the requirement for soft skills like exemplary communication. Often, these are hard to teach and given that internal auditors communicate with persons at different levels of the organization, the audit committee, board, C-suite, employees, and stakeholders alike, soft skills can be the factor that determines the efficacy of an audit.

Cybersecurity: With online work going mainstream and unsafe cyber practices being commonplace a fragile digitally-connected world is now a reality. Along with this is the increased probability of a cyber pandemic that can cripple to industries on a global scale. Far from being conspiracy theory, this is what entities like the World Economic Forum are talking about. Having an internal audit department that understands cybersecurity is almost a necessity today (why wait for the next pandemic to strike!).

Cultivate a culture of transparency

Ancient philosophers believed that what is received is received according to the mode of the receiver. Meaning that an internal audit report may be only as good as the way it is accepted. Since it is to comprise of an independent opinion, it becomes necessary to foster transparency across the organization, and definitely between the auditors and the people they are reporting to. If internal audit reports to an audit committee, things become easier, but, for instance, in a small organization, if auditors must report to the department they are auditing it becomes tricky.

An interesting way to improve transparency across the organization is to reduce the gap between employees through collaboration. If auditors work with other employees and vice versa mutual trust will be formed and further, cross-team projects give internal audit an opportunity to glean strategic insights.

Deploy an organization-wide GRC solution

The traditional internal audit checklist is replete with items like repetitive tasks, manual data extraction, spreadsheet-intensive work, and report preparation. Not only are many of these time-consuming but in other fields tasks such as these have already been automated. It is this gap that GRC solutions like VComply seek to fill, offering internal audit capabilities such real-time metrics, easy reporting and dashboarding, advanced data analytics, compliance management, and remote auditing tools.

Deploying such a software organization-wide increases the scope of internal audit instantly and is in fact a clear sign that you want to move beyond tick marks and spreadsheets, and into the realm of data-driven insights and advice. Good luck!

VComply Editorial Team
Read More
What is a Risk Register? What are the Key Elements of a Risk Register?
Dec 10, 2020

Every business has some inherent risks that it must deal with. As the name suggests, a risk register forms a central repository for all risk-related information for an organization. This includes the type of risks, the impact they may have on an organization, and the risk management plans of the company.

In this article, we'll take an in-depth look at what a risk register is, and how it helps companies manage risks.

What is a risk register in risk management?

A risk register is a repository or a document that contains details about potential risks an organization faces. It describes the risk as a whole, the category under which it falls, and the potential impact of the risk. It is an instrument in project management and risk management that helps recognize and mitigate potential risks. It also lists precautionary steps an organization can take to overcome these issues.

The purpose of a risk register is to assemble information about all possible risks in one file, so it becomes easy to assess them, work on them, and resolve them.

What is the need for a risk register?

Here's why a risk register is a necessity for all organizations:

  • Identification of risks

A risk register helps identify the various types of risks associated with a business, enterprise, or project. A dedicated team generally conducts an in-depth investigation of factors that will affect the organization such as weather, resources, or market, and makes a note of these in the register.

  • Analysis of risks

The risk register shows the impact of each risk and when it may occur. This helps organizations be prepared at all times.

The recent pandemic has had a detrimental impact on various businesses such as and travel, restaurants, and physical stores. It illustrates why constantly analyzing and preparing for potential business risks is of utmost importance.

  • Prioritization of risk

Not all risks are equal. Some need instant actions, while others may not pose an immediate threat to the business. Diligently noting down all potential risks helps businesses prioritize risk in an organized manner. Organizations can classify risks as high, low, or medium priority, and deal with them accordingly.

  • Allotment of risks

To manage risks in a better way, organizations can use the risk register to appoint relevant team members to manage potential risks. Without building this level of accountability, it can be difficult to keep track of risks.

  • Useful notes

The risk register also contains issues that have not been recorded before but may also be of importance. This helps ensure that important information doesn't slip through the cracks.

Key elements of a risk register

Here are some key elements that a risk register must contain:

  • Index

This is a place where a risk is identified by its given distinctive number. In every project, many risks are entered in the index, even if it is a small project. This helps easily find risks.

  • Title

The title is a narration of risks. It describes the intensity and nature of the risk.

  • Illustration of risks

This gives a detailed explanation of the risks that are mentioned in the risk register.

It shows us how complex the risks are and which areas they may affect. By reading the description, the stakeholders decide on the steps to be taken to mitigate the risk.

  • Rank

This is the level or the magnitude of the risk. Rank is used to understand how serious the risk is. If the consequences of the risk are dangerous, then it should be ranked as a high priority.

  • Prevention plan

Actions to be taken to avoid risks are stated here. Strategies are implemented to prevent the risk from occurring. Each person in charge of the risk should work on avoiding the risk as far as possible.

  • Status

This shows the latest activities that have been undertaken about a risk. It shows the status as completed or pending, along with corresponding dates.

Steps to create a risk register

Here are the major steps involved in creating a risk register for an organization:

  • Design a risk register

Ensure that the risk register is updated and has the correct format. This will ensure you get all the relevant information and a clear picture of all the levels of risks associated with a project. It will guide your team to get better results.

  • Brainstorm possible risks

Study and evaluate your plans in a granular manner, to uncover even the smallest risk involved that can harm your efforts. Think of ways that the risks can be avoided or at least reduced in impact.

  • Note every detail

The risk register should analyze each risk minutely. It should describe the risk, steps to control it, how to manage the risk if it becomes a reality, and the person accountable for each risk.

  • Enlist risk management experts

With their skills and knowledge, risk management experts can forecast when a risk will appear and what will be its intensity. Some of these experts include investment bankers, and risk and financial analysts. While preparing their risk register, organizations must also seek help from experts to properly identify and evaluate risks.

  • Conduct a hypothetical analysis

The hypothetical analysis is a series of assumptions that may be made in regard to a project. What may go wrong with a project, what will the potential impact be, and what actions can the team take to reduce the impact, these should be part of a hypothetical analysis.

  • Encourage communication

A risk register is not only a tool that records risks and actions to overcome them, but also a communication channel between stakeholders. To make the most of it, a risk register should include varied views and perspectives. Every viewpoint should be considered while taking any decision so that the interest of all the members is intact and unharmed.

  • Keep the risk register secure

While the participation of all members of an organization should be encouraged, the ability to view and update the register should be limited to a few trusted employees. Only a few stakeholders such as owners of the organization and senior-level managers should be provided rights to edit and audit the risk register.

  • Prepare useful summaries  

Senior-level executives may not be able to view every part of the risk register. Thus, a summary can give them an overall picture of the risks involved, and guide them to take necessary actions.

Best practices of monitoring a risk register

Take a look at the best practices while monitoring a risk register:

  • Track progress

Organizations must continually track their progress, concerning risk management.  They must evaluate past actions, present activities, and future goals to ensure the level of risk is kept to a minimum.

  • Collect data

Initially, at the start of the register, there may not be much data available to an organization. As bigger issues start to appear and you gain more experience, make a note of information such as high potential risks, medium risks, and so on. Study your past performance, how you handled risks in the past, and what you can improve on.

  • Create  a risk heat map

A risk heat map helps you assess risks in a meaningful way. It shows you the probability of certain risks and what impact they may have on a project.

Wrapping up

We hope this article serves as a starting point for you to create a risk register for your business. Managing and preparing for risks is quintessential for each business. Once the inherent risks are identified, you can plan and implement controls to mitigate risks.

VComply’s risk management software provides a centralized system to determine and maintain a register of potential risks for the organization, and evaluate the impact of the risks, and implement controls for the treatment and mitigation of risks. Contact us to learn more about how VComply can help you manage your risks.

VComply Editorial Team
Read More
9 Challenges to Data Compliance Strategies
Dec 7, 2020

Today, data is everywhere. With ecosystems and infrastructures going digital, access to personal and sensitive data has proliferated across the board, giving rise to the need for adherence to data compliance standards.

What is data compliance? In simple terms, it means managing your data in a manner that keeps you in line with regulations that safeguard the security and integrity of the data you handle. With the introduction of GDPR, data compliance did get a lot tougher, but being compliant is a priority that your business cannot afford to go slow on, especially in an era defined by data-based interactions.

Nevertheless, be it GDPR compliance or CCPA compliance, every data compliance officer will agree that rummaging through awfully long and dense legal prose is one thing, implementing a framework to ensure compliance standards across an organization is quite another! The challenges are varied, manifold, and unrelenting.


Here are 9 challenges to data compliance strategies commonly faced by organizations.

More data...

In the last decade itself, the sheer volume of data churned out and consumed by the industry has been incredible. Data is growing exponentially. Moreover, with tranches of the population in developing countries still taking to digital interactions there is reason to believe that this upswing hasn’t peaked. Further, with the increase in online modes due to the pandemic, companies who weren’t handling data are now doing so.


Data, today, is like the air you breathe, permeating everything, giving life to smartphones, appliances, watches, and other gadgets. IDC projects that by 2025 the global data sphere will grow to 175ZB (1021), from 45 ZB in 2019. What’s plain in all of this is that the data compliance protocols of today may be outdated as soon as tomorrow and that’s a big challenge, especially to companies with limited resources.

...and more devices

As the Internet of Things (IoT) weeds its way into the fabric of every business, you no longer have just an Achilles’ heel to watch out for—you have many points of vulnerability to heed to. While the IoT market is slated to be worth $ 1.1 trillion by 2026, as per a statistic, IoT devices experience over 5,000 attacks per month. Another statistic indicates that 6 in 10 companies have experienced an IoT security incident.

The challenges for data compliance are manifold and include:

  • Privacy violations
  • Legal complications
  • Vulnerability management

Can’t say ‘No’

Less is often more when it comes to data. Big data has its place in the industry, yes, but clinging to every bit of data that comes your way is also a problem. That’s because you have compliance, privacy, and security concerns to attend to when gathering and processing the data you receive. In other words, customer data compliance becomes more of a balancing act if you haven’t drawn the line between what data is desirable and what is not.


Here, you’re not looking at just GDPR compliance, but every other law that you are liable to. A simple internal decision on data management can reduce the compliance requirements for your business by a lot. Yet is data your key to growth or is it a risk? That’s the major challenge!

Dark data

Dark data refers to data you have, but are not aware of. And if dark matter is a metaphor to go with – 85% of the universe is supposedly dark matter –  your organization could be sitting on an iceberg of data, part of which is useful, much of which is worthless, but all of which is a risk.


Dark data raises serious compliance issues, but also ethical issues in data collection. How do you keep data free from harm, private, and confidential, when you are unaware of the data you possess? The challenge is also one of cost, because to bring data into the light, you’d probably need better systems in place.

Lack of board foresight

If you’ve keenly observed the last few challenges, you’ll note that they don't necessarily ask that you draw out a GDPR requirements list. However, they do point to the need for clear organizational policy. The internal signal not the external mandate is often where data governance, and compliance, should start.


This means that the board needs to own responsibility for the data you store, process, analyze, and even sell. In times past, data privacy and compliance may not have been a priority at board meetings, but in today’s digital era, boards must set the tone for risks in data management throughout the organization.

Mandates galore

For many boards, however, the big challenge is that there are just too many compliance standards to juggle with at the same time. You’ve got a ton of yardsticks to play with such as:

  • GDPR
  • CCPA

What’s more, compliance standards like GDPR can tend to erase geographical boundaries and with the mass adoption of digital technologies amid the pandemic, you can expect several countries to draw out their own GDPR-like standards. The result is compliance fatigue, which can be broken down into:

  • More time spent
  • More money spent

With ample legislation comes the difficulty of enforcing policies and applying them to real-world contingencies. A prime example is the issue of confidentiality associated with the Bring-Your-Own-Device (BYOD) trend.

Data lifecycle

To abide by data compliance rules, you want to have keen oversight over customer data, right from when you first acquire it, to the time you process it, and how you do so as well. This poses a challenge because over the course of time your data is going to migrate from physical servers to the cloud and across boundaries and secondly, because data lives on. Connected with this is the fact that you may recognize organizational silos within your fabric, and with data lost within silos the issue of compliance gets murkier.

Damage is costly

With data compliance damage is costly, extremely costly. That’s because you’re dealing with:

  • Fees
  • Penalties
  • Containment
  • Reputation

Think about it. Even the slightest slip up can cause you to lose customer trust, which can have more of a long-term impact on your business than the hefty fines associated with data breaches.

According to IBM , in 2020, the global average total cost of a data breach is $3.86 million, and in the US, this cost rises to $8.64 million. In 2019, big players already shelled out in hundreds of millions for data breaches and security incidents. IBM also points out that with remote work going mainstream, the cost of a data breach could potentially increase.

Ongoing compliance

Whether it is setting controls in place for vulnerability management or preparing data for regulators seeking to know your compliance position, data compliance managers have their plate full. Without real-time monitoring and automated data analytics, mitigating risks can be a challenge. Further, companies across the board find themselves struggling to report data breaches in time.

To cope with ongoing data compliance requirements, it makes sense to arm your organization with a tool like VComply, an integrated governance, risk, and compliance management platform. It is multifaceted, powering compliance management, policy management, risk management, audit and assurance, and more, all through an agile, online platform.

Being prepared for a digital-first future with the tools to handle data compliance is a way you can make the hurdles that come across your way smaller and go from being compliant to secure effortlessly!

VComply Editorial Team
Read More