Read the following statements, then indicate your business' relative position.
GRC Central System
A central Governance, Risk and Compliance (GRC) system exists within the business that covers at least the following areas (and is not limited to them):
Strategic risks (risks arising from strategy setting, markets, finance, marketing and sales, competitors, customers, internal operations, records and processes, quality, IT, and PR)
Enterprise compliance obligations
Specific business focus areas: Quality Management, Occupational Health and Safety, Anti-Bribery and Corruption
IT Governance, Information Security & Protection, Privacy Security, Cyber Security
IT operational compliance, Business Continuity Management, Business Sustainability and Resilience
We address some specific areas, but still in Excel spreadsheets or Word documents. We do have some systems, but they are siloed.
We address most areas, but in siloed systems. We do have a GRC reporting warehouse that gives some consolidated reporting.
We have a single consolidated GRC technology system that covers all the areas. Integrated reporting is defined and operational for each management level.
Data integration related to GRC
We have completed a detailed data mapping exercise covering the information that would have an impact on our meeting our objectives. The inputs and outputs of this exercise have been built into our GRC software.
I don’t know what this means.
Some work has been done in some areas, but we do not have an integrated GRC data map.
We have completed an integrated GRC data map. Our GRC software supports our integrated GRC data map and fully supports and improves management and executive decision making.
Reporting culture and access to information
Detailed enterprise-wide GRC reporting structures have been fully defined and documented within our governance framework. The GRC reporting structures are fully embedded and enabled within our GRC software. The structures have been proven not to restrict information escalation or to create information bottlenecks.
We do not have anything like this in place.
Some work has been done to create a GRC reporting structure, but it is not fully embedded.
We have a fully defined and entrenched GRC reporting structure that is linked to the achievement of objectives. This is embedded within our GRC software. Campaigns to ensure that a GRC-aware culture exists in the business have been carried out. The GRC incidents and events reported prove the effectiveness of our embedded culture.