Our governance, risk and compliance (‘GRC’) architecture is based on the six key principles of sound risk management:
- An unambiguous mission statement which provides the vision and direction of the organisation, i.e. ‘What we want to become’
- Clear, measurable strategies which set out how the organisation is to achieve its mission, i.e. ‘How we’re going to get there’
- The Board Risk Appetite framework at the enterprise risk policy level, from where all risk appetite statements derive
- The creation of effective GRC policies providing the detailed rules ensuring the safe implementation of strategy within the risk appetite, i.e. ‘What we have to do’
- Processes and systems developed within this risk management architecture become the mechanism by which policy is implemented in the context of strategy, i.e. ‘How we do it’
- Assurance: the management information, around key performance and risk indicators, which evidence ‘How we know it’s happening’
These six components are mutually dependent. Change to any one may have consequential impact on one or more of the others.
KnowCo consultants have developed GRC architectures to suit the size and business strategy of their clients, and pragmatic, efficient programmes of work to implement them. We have defined a GRC maturity model to support the process.
IMPLEMENTING A GRC PROGRAMME
A Governance, Risk and Compliance (‘GRC’) programme needs to address the complex accountabilities of GRC and tends to cut across functions, roles and responsibilities. It also has additional complexity that regulations are increasingly technical and require specialist knowledge.
Yet implementing a GRC programme, like any other project or programme of work, has to be managed to the objectives of time, cost and quality, and be effectively communicated. And any required business changes have to be effectively addressed.
Our project and programme managers work closely with our GRC domain experts to identify and understand the implication of relevant regulations, as part of the planning process. This enables them to translate the regulatory requirements into effective change programmes.
They are Prince II accredited practitioners and apply rigorous but proportionate project management disciplines to any assignment.