
No time like the present

Follow these simple steps to assess how mature your GRC strategy is!

Read the following statements, then indicate your business' relative position.

Step 1: Leadership and Strategy

Context of the Organisation

A complete organisational contextual baseline assessment is conducted annually, with regular review when any organisational change takes place.

I am not aware of anything like this
We do assessments, but in silos
This is done annually with all key role players

Strategy and Decision Making

The detailed context of the organisation assessment is used to inform strategy and the setting of objectives and targets. Risks are linked to objectives. Causal analysis is regularly done. Policy management is robust. Our integrated technology and reporting framework supports our decision making.

No, this is not the case
To some degree, but it's fragmented
This is fully in place and well managed

Information Availability

A culture exists whereby information can, if needed, flow freely in real time to defined key roles without restriction or hindrance. Clear reporting structures exist. Critical information can be, and is, escalated without restriction when needed. Robust governance processes are defined and managed well for the benefit of the organisation, its stakeholders, its customers and suppliers.

Not at all
In some areas, but silos and restrictions inappropriately still exist
We have a well-structured, well-governed and well-informed integrated enterprise information framework that supports our organisation at all levels and assists us in meeting our objectives

Read the following statements, then indicate your business' relative position.

Step 2: Technology Integration

GRC Central System

A central Governance, Risk and Compliance System exists within the business that is not limited to, but covers at least the following:

Strategic risks (risks including strategy setting, markets, financial, marketing and sales, competitors, customers, internal operations, records and processes, quality, IT, PR)

Enterprise compliance obligations

Specific business focus areas: Quality Management, Occupational Health and Safety, Anti-Bribery and Corruption, IT Governance, Information Security & Protection, Privacy Security, Cyber Security, IT Operational Compliance, Business Continuity Management, Business Sustainability and Resilience

We address some specific areas, but still in Excel sheets or Word documents. We do have some systems, but they are siloed.
We address most areas, but in siloed systems. We do, however, have a GRC reporting warehouse giving some consolidated reporting.
We have a single consolidated GRC technology system that covers all the areas. Integrated reporting is defined and operational for each management level.

Data integration related to GRC

We have completed a detailed data mapping exercise related to information that would have an impact on us meeting our objectives. The input and output of this exercise has been built into our GRC software.

I don’t know what this means.
Some work has been done in some areas, but we do not have an integrated GRC data map.
We have completed an integrated GRC data map. Our GRC software supports our integrated GRC data map and fully supports / improves management and executive decision making.

Reporting culture and access to information

Detailed enterprise wide GRC reporting structures have been fully defined and documented within our governance framework. The GRC reporting structures are fully embedded and enabled within our GRC software. The structures have been proven not to restrict information escalation or create information bottlenecking.

We do not have anything like this in place.
Some work has been done to create a GRC reporting structure, but it is not fully embedded.
We have a fully defined and entrenched GRC reporting structure that is linked to the achievement of objectives. This is embedded within our GRC software. Campaigns to ensure that a GRC-aware culture exists in the business have been carried out. GRC incidents and events reported prove the effectiveness of our embedded culture.

Read the following statements, then indicate your business’ relative position.

Step 3: People and Culture

A robust ongoing enterprise-wide GRC awareness campaign exists, and it is appropriate at each level within the organisation. Ease-of-access technology (e.g. mobile or desktop apps) is used to ensure that the reporting of GRC-related issues / non-conformances is centralised into the company’s GRC software.

No such awareness campaigns or use of technology exists.
There is an awareness campaign, but only for some GRC verticals such as Health and Safety. No enterprise-wide campaigns or enablements exist.
An enterprise-wide awareness campaign exists and is fully entrenched at all levels of the business. It is enabled and supported further by the use of technology at multiple levels in the business.

Depth of culture

Employees at all levels have been made aware of how and when to report GRC-related issues and do so regularly and promptly as observations occur. The issues reported are not only related to actual loss-producing events but include near-misses and minor non-conformances as well as emerging risks. There is a mature employee feedback process which updates employees who report, where applicable.

Nothing in place, or paper-based
Some electronic reporting with a feedback process. Only major losses reported.
Robust, enterprise-wide reporting culture exists. Employees fully understand the value and importance of reporting GRC related issues. Data has proven invaluable for decision-making purposes.

GRC ownership and accountability

There is a fully defined, non-restrictive GRC accountability and reporting structure in place which aligns to the approved corporate GRC framework, charters and approved policies. Notification and escalation parameters have been defined and fully enabled through the GRC software. There is a robust and monitored corrective action management process in place along with a continuous improvement process.

No reporting structures in place. All verbal.
A structure exists and is documented, but not technology-enabled.
An enterprise-wide GRC reporting structure exists and is fully technology-enabled. Data outputs are used regularly for decision-making purposes.