Five things to keep in mind when working with governance, risk and compliance (GRC)

Organizations have in recent years dedicated an increasing amount of resources to managing governance, risk and compliance (GRC), and with good reason. GRC management receives a lot of attention these days, especially from executive management and other key stakeholders.

Governance, risk and compliance initiatives should be assessed and updated continuously, because risk scenarios change, because some risks cannot be controlled, and because many different factors affect whether a given risk is still relevant. We have listed five things to keep in mind when working with GRC.

  1. Use the same taxonomy across the organization

Make sure that the same taxonomy is used across the organization to ensure alignment and consistency in all processes. For example, write guidelines for how 'Impact' and 'Likelihood' are to be interpreted and scored, so that risks assessed by different teams can be compared and the aggregated overview of risks is true and accurate.

  2. Embed risk management in your organization

Everybody should be aware of the risks and assess them continuously, so that they are flagged and dealt with in due time. There is no point in risk management being something that is only addressed at quarterly board meetings. Be open to input from outsiders as well: which risks do your peers see in the industry or within your geographical area? And what do the auditors and other subject matter experts think?

  3. Focus on materiality

Focus your efforts on the risks that are the most significant and the most likely to happen. Those are the risks you want to bring under control, and where possible reduce in either impact or likelihood, so that no risk remains both significant and likely.

  4. Ensure that your mitigation efforts are functioning

If a risk is recorded as reduced in impact or likelihood, that reduction rests on the mitigating controls actually working. Verify that they do: a control that is documented but not performed, or performed but not effective, leaves the risk at its original level while the risk overview says otherwise.

  5. Are you already in control?

Most functions in the organization already have the goal of being in control. Supply chain management, for example, has always aimed at being in control of the different supply chain processes, long before GRC management was a thing. When you are searching for risk-minimising initiatives, check whether equivalent controls are already in place; redundant initiatives take up resources unnecessarily.

Check out: Governance, Risk and Compliance (GRC) – What you need to know


Impero is a cloud-based GRC (governance, risk management and compliance) solution that is used in various areas to achieve compliance. Impero can support compliance by documenting both the implementation and the performance of the controls in place. Impero is intuitive and can easily provide an overview of how processes are performing. Controls can be reused, which is a valuable feature when dealing with recurring controls, as is the case when managing GRC.
