3 Steps to Make GRC Everyone’s Responsibility

Most businesses love to focus on the new: hiring new staff, investing in new innovations and entering new markets. However, “new” doesn’t fix a leaking bucket if you don’t understand the real root of the issue. As a compliance leader, it’s your role to ensure the controls are in place to manage the “new.” Here are three steps to take now.

Think of the last decision your business made. Perhaps it was something like this:

  • If we employ someone, that will fix an issue.
  • If we switch suppliers, we’ll get a better service.
  • If we enter a new market, we’ll be more profitable.

While exploring ideas isn’t wrong, these decisions are rarely made based on facts.

Time, energy and money are often invested in the new. New is exciting. But new doesn’t fix a leaking bucket. Make sure you’re asking the right questions before making these decisions:

  • What are the real skills you need from a new employee?
  • Would a new supplier really be better?
  • Do your internal team have the knowledge to successfully enter a new market?

Most businesses base decisions on inklings and ideas rather than on data or evidence. At first, the impact is minimal, but as the organisation grows and becomes more complex and decentralised, the cracks begin to show.

Without the processes and systems in place to really understand your business, mistakes are repeated, there’s confusion over roles and your business wastes money. Data is everywhere, taking weeks to compile into reports. Everyone’s looking back at why the new didn’t work, but nobody can work out why. But that’s the nature of the beast, hey?

Take Out the Guesswork

The truth is, most businesses have no real process for root cause analysis. Vast amounts of data may be collected, but it doesn’t go anywhere, isn’t in the right format and isn’t properly shared.

This is a weakness your business simply cannot afford.

As a governance, risk and compliance leader, it’s not your role to be involved with every decision and new innovation. Nor is it your role to fix everything when it goes wrong.

Your role is to make governance, risk and compliance everyone’s role. It’s about empowerment, culture and sustainability – so everyone can be informed and manage the new.

The following are three steps to make governance, risk and compliance the responsibility of everyone in the organization.

1. Understand the health of your business.

First, you can’t manage change without understanding the health of your business. What are your strengths and weaknesses? This is why an integrated management system has become as essential for modern businesses as email and accounting systems. A GRC management system provides your entire organisation with visibility, traceability and collaboration.

There are lots of amazing GRC management system solution providers, Qualsys being one. Our solution has a flexible API, which integrates with applications such as Salesforce, SAP and Adobe Sign. This means you can bring all your processes and data and manage activity seamlessly from a single system.

2. Engage everyone with the system.

Guess what? If your employees find GRC boring, you’re doing it wrong.

You need to start with the “why,” not the “what.” Work with leadership and the best person in your organisation at communications to coin an effective “why” message.

Once you’ve got your “why,” you’ll be spending your time mentoring, advising and acting as a consultant. You won’t be micromanaging every single policy, change and CAPA and chasing everyone for data. Employees will naturally begin to understand how they can contribute and won’t think your role is to manage ISO clauses. All the business data is there, exactly how you want it. Your employees feel more confident to contribute, and there’s a system in place to help them do so.

Good governance, risk and compliance becomes part of the business DNA.

3. Interrogate the data.

Once everyone is recording risks and opportunities and collaborating in a single system, you’ll have access to better data. Now it’s your role to interrogate this data. Use this data to influence the business strategy and get to the real root cause. For example:

  • Your training matrix will inform you where there are competency gaps.
  • Automated supplier reports enable you to monitor performance of external providers.
  • Risk and opportunity treatment strategies are managed as a team based on audit, document and other employee data.

Everyone understands the business because there is visibility, transparency and ownership, so data – not inklings – is driving the business.


Kate Armitage

Kate Armitage is Head of Quality at governance, risk and compliance software vendor Qualsys. Kate works with brands such as BT, Diageo, Honeywell and Sodexo to enhance the solutions, consult on best practices and ensure the management system works to maximum effectiveness.

Kate travels across the globe to speak at industry events and runs a series of monthly training sessions to promote quality leadership. Courses include: GDPR, Implementing ISO 9001:2015, Transitioning to ISO 9001:2015, Risk for High-Growth Businesses, ISO 45001:2018 for Beginners, Culture of Quality and more.
