The most cutting-edge companies harness customer preference data for a range of reasons, including to create personalised services and targeted marketing campaigns; to scrutinise employee performance data to drive productivity; and to analyse supply chain information to drive efficiencies. That’s just the tip of the iceberg, with digitised data embedded across business practices.
Digital information offers businesses huge potential, but owing to the increased use of personal data, it also creates vulnerabilities and interdependencies between two previously discrete threats – data privacy and security. For example, data breaches can result from a cyber attack, but have data privacy implications.
GDPR and other international data privacy regulations have started to bite, meaning businesses are starting to feel the commercial cost of data privacy violations. So it is perhaps no surprise that we see data privacy rising up the business agenda. Grant Thornton’s research of over 4,500 international business leaders found that 2 in 3 agreed that due to new regulation there has been a greater focus on privacy issues than there has on cyber security in recent years in their business.
However, it’s important to not lose focus on the real and growing cyber security risk - the Economic Commission for Latin America and the Caribbean (ECLAC) indicates that during the first eight months of 2021, in the Latin American region there were 35 cyberattacks per second.[i]
Mike Harris, Partner of Forensics and Cyber at Grant Thornton Ireland, emphasises that data privacy and cyber security have never been more interlinked.
“In today’s data-driven world, data privacy and cyber security simply cannot be considered in isolation,” he says. “They should be viewed instead as part of a wider digital risk function.”
But what is digital risk?
Digital risk is a business-driven model that proactively considers the business risks associated with digitised data across business processes, including cyber security and data privacy, along with other considerations such as regulation, automation and ethics.
Think about how you secure your own home. Do you one day focus on locking all of the doors, but happily leave the windows open? And on another day, would you ignore setting the alarm, because you are too busy focusing on securing access from the garden? Of course not – all of these risks need to be considered together, or your protection measures will quickly fail.
It’s a similar story when assessing a company’s digital risk profile – focusing on each of the threats separately is no longer effective, and instead they must be proactively integrated and managed together. It’s only when a business takes a holistic approach like this that real progress can be made.
Indeed this integrated best practice is embedded in the regulation. The General Data Protection Act (GDPR) states that, in order to be compliant, companies should implement ‘data protection by design and default’ measures.[ii] The Information Commissioner’s Office explains that this means companies must “integrate or ‘bake in’ data protection into… business practices, from the design stage, right through the lifecycle”.[iii] It would be very difficult indeed to 'bake in' such privacy measures across the business without a single, integrated function.
So, it is critical for businesses to effectively and efficiently get to grips with digital risk. Yet, they are struggling, because data privacy and cyber security are often managed by different teams. Typically the Chief Privacy Officer (CPO) takes responsibility for data privacy, while the Chief Information Security Officer (CISO) is responsible for cybersecurity.
It would be far better for both to be managed by the same team or an integrated team with a new governance model that provides a direct reporting structure to the CEO/CRO (Chief Risk Officer) with oversight from the board. After all, a lot of work that ensures compliance with data privacy can be used to bolster cyber security, and vice versa. In addition to helping businesses manage digital risks, this approach adds value by enabling them to bring forward digital transformation initiatives.
Optimising data classification
A single digital risk team will also ensure the data classification that companies are undertaking across the business for various purposes is aligned and coordinated.
Data classification means understanding what data is held by the business, the processes it connects to, and who manages it. It is a crucial part of compliance with data privacy regulations such as GDPR, but can also be used to enhance cyber security.
By undertaking a structured programme to assess and understand their data assets - using a categorisation or classification process - businesses can identify their key data and build effective security around them.
Harris adds: “We see that the Pareto principle applies to data risk in many businesses, with 20% of a business’s data carrying 80% of the risk. It is almost impossible to make all systems hack-proof, so why not focus on the data for which security is absolutely essential to your business and to your customer?”
Hans Bootsma, partner, cyber risk services at Grant Thornton Netherlands, agrees that an integrated approach to privacy and cyber security extends to the classification process.
“Most companies never classified data before GDPR,” he said. “But they started to because they had to categorise personally identifiable information and other types of data in order to comply. If you run a programme like this, then it’s easy to extend it and combine it with other types of data to identify your data crown jewels and then link this with your cyber programme.”
Unless data privacy and cyber security are aligned, the classification process will happen in isolated silos and the benefits will not be shared.
An integrated response to breaches
The interconnection between data privacy and cyber security is never more painfully obvious than immediately following a data breach. Businesses need to know how the breach occurred and which cyber defences (if any) failed. But, crucially, they also need to understand which data were compromised and whether it was personal or sensitive. If so, they will need to disclose it.
Most businesses are not fully equipped to do this. Only 28% of businesses surveyed by Grant Thornton are ‘highly satisfied’ with their ability to protect against the risk of a serious breach and just 26% with their ability to respond consistently to a major breach across the entire business, no matter when or where it takes place.
Integrate privacy and security into one function, and businesses will be able to respond more effectively to data breaches due to their combined resources and holistic understanding of the threat.
“Privacy and cyber security are complex because they are crashing together in the real world,” says Harris. “A data breach could start off as something very technical in an outsourced cloud provider. But in responding to the incident you need to consider whether personal data are involved and what regulatory disclosures need to be made.
“All of a sudden, the two have become interconnected. Rather than two separate cyber and privacy functions responding to a breach, it makes sense to have one integrated function with the specialised skills to manage the process, so that nothing falls through the cracks.”
Managing supply chain and third-party digital risk
The increased interconnectedness of cyber security and privacy has implications for how third-party risk is managed. For example, data privacy regulation such as GDPR requires businesses to get robust guarantees from suppliers that handle data on their behalf.
“It would make a lot of sense for organisations to merge cyber security aspects of third-party risk management with privacy controls,” says Harris. “It’s just a matter of asking about both at the same time. It’s relatively straightforward, but it’s not happening widely at the moment. Cyber security teams and privacy teams are doing this separately.”
Of course, this ‘one-stop’ third-party risk management will remove duplication of effort and create efficiencies. More importantly, however, it will produce a more joined-up understanding of digital risk.
Benefits of an integrated digital risk approach
Taking an integrated business approach to managing digital risk delivers a number of key benefits to organisations.
Firstly, it can help to bring forward digital transformation initiatives because the data classification and compliance that companies are undertaking across the business for various purposes is aligned and coordinated.
Secondly, a digital risk function that conducts comprehensive assessments of third-party and supply chain digital risk is better positioned to ensure that risk is considered across the organisation. One way to do this is by pre-approving vendors from a risk perspective.
“Businesses can digitally transform quicker if they do the supplier approval process up front,” says James Arthur, Partner, Head of Cyber Consulting, Grant Thornton UK. “It’s a lot easier to do this if you have a single digital risk function that proactively assesses cyber security and privacy risk together.”
Thirdly, businesses continue to use new technologies to seek out commercial advantage, meaning their approach to data privacy and cyber security also needs to continually evolve, to address new threats and vulnerabilities. An integrated digital risk function is better placed to scrutinise some of these new technologies, such as blockchain.
Board oversight is key, combined management essential
The case for an integrated digital risk function is clear. But who should oversee and manage it?
At the moment, there is confusion about where responsibility ultimately lies, and this is hampering digital risk management. Tellingly, surveyed businesses say that a lack of understanding about which risks individuals and teams are responsible for is their second-greatest weak point in managing digital risk.
The first important thing to consider is who manages digital risk from a day-to-day point of view. Most companies put the chief risk officer or chief technology officer in charge of this. But effective digital risk management relies on a lot more than technology. Chief Risk Officers report on more holistic risk to the business: strategic, financial and operational. So what’s the answer?
Enter the Chief Digital Risk Officer function. “Organisations are starting to create digital risk functions headed by a Chief Digital Risk Officer,” confirms Arthur. “This is where responsibility for managing digital risk should lie. But at the moment they are still organisationally distinct at most companies.”
Once the day-to-day digital risk management is in place, it’s essential to consider who provides oversight. As with financial risk, the gravity of digital risk means that the board must take an active role. While the board needs to oversee it, they may not always have the technical expertise to understand the nature of the threat. Therefore ideally, a specific digital risk committee should be established within the board to oversee this risk, with representation from experts.
“Digital risk oversight should be at board level,” confirms Christos Makedonas, Technology Risk Leader at Grant Thornton Cyprus. “There should also be a committee that discusses digital risk.
“Digital risk is multifaceted, so many people need to feed into this process. At the moment, this only happens in large, heavily regulated companies – especially those in financial services.”
Three steps to integrated digital risk management
- Combine the data privacy and cyber security functions, to create a single digital risk function. This new team should be governed by a single model and follow the same set of processes, goals and practices connected to wider business commercial drivers.
- Work out who is responsible for managing and overseeing digital risk, map out their activities and daily workflows, and see if there is any overlap. Identify synergies and strip out duplicated processes.
- Ensure that digital risk processes are managed on an end-to-end basis. For example, should assess both cyber security and data privacy. Both factors should also be evaluated when classifying data.
[i] R. M. Díaz, “Cybersecurity in smart supply chains in Latin America and the Caribbean”, Project Documents (LC/TS.2022/70), Santiago, Economic Commission for Latin America and the Caribbean (ECLAC), 2022. Page 54.
[ii] Eur-Lex - General Data Protection Act.
[iii] Information Commissioner’s Office - Data protection by design and default.