Doing GRC Better: Can You See the C?

When I was a kid, my family used to do an annual road trip to the beach for summer holidays. It was always lots of fun, and I can remember one game we used to play when we were getting near to the coast. It was called, “Who can see the sea?”. The competition was intense – we all wanted to be the first to see the sea.

When you think about GRC (Governance, Risk, and Compliance) in your organisation, can you see the “C”? It is sometimes the GRC element that is underdone, if not largely missing.

Recent events in both the public and private sectors provide a timely reminder of the importance of compliance – the “C” in GRC. Here is a simple 7-point checklist that will help you determine the visibility of the “C” in your organisation.

  1. Do you know what your compliance obligations are? Do you have a register of all your compliance obligations that is maintained regularly to ensure currency?
  2. Do you understand the risk profile of your compliance obligations? Have you identified the compliance obligations that present the most risk to your organisation, and have you put appropriate controls in place to manage those risks?
  3. Have you assigned responsibility for each compliance obligation? Has an appropriate business owner been assigned for each compliance obligation? Do they actively manage those compliance obligations, including reviewing the obligations at appropriate intervals?
  4. Do you maintain adequate records of non-compliance? Do you have a single-source-of truth for all non-compliance data? Do you maintain a non-compliance register that covers all categories of non-compliance for your organisation?
  5. Do you have an accessible mechanism in place for non-compliance to be recorded as it is identified? Is it available to all staff and business areas? Is it your policy that identified non-compliance must be recorded? Can you access real-time compliance data?
  6. Do you undertake assurance on your organisation’s compliance performance? Is assurance built into operational processes to provide real-time feedback on the level of compliance being achieved? Do you have a program of periodic checklists, health checks, and surveys to provide assurance about both compliance culture and compliance performance?
  7. Do you provide regular reports to stakeholders on compliance performance? Are you providing monthly compliance reporting to the Executive on priority and high-risk compliance obligations? Are you providing compliance reports to each meeting of your Audit Committee/Audit and Risk Committee?

Doing GRC better delivers value at all levels of the organisation and to all stakeholders. Seeing the “C” in your organisation is vital. Not meeting compliance obligations can potentially be catastrophic for an organisation – both financially and reputationally. Can you see the “C” in your organisation?

This article was written by Zane Edwards, Global Director of GRC at Torque Software. Zane is a chartered accountant and has 20 years experience in Government and Private sector GRC management. Not only is he passionate about the digital transformation of governance, but he is also a skilled and influential communicator with extensive national and international experience in a variety of channels, including conferences, radio, television, and video.