Getting started with Governance, Risk, and Compliance (GRC)

Date

June 20th, 2025

Category

Article, Risk


Organisations have varying levels of maturity for governance, risk, and compliance (GRC) usually by nature of the industry they operate in. Highly regulated industries often have very mature GRC obligations imposed on them by regulators.

Other organisations may just be starting out on their governance journey. It can seem daunting but we have compiled some essential information to help these organisations to realise their governance ambitions.

What are you trying to govern?

The quickest response is: everything! But that is a monumental task, particularly if you have no foundations to start from.

Our advice: pick one area. This should be something that is critical for your organisation. Finance and health and safety are always high up on the list. Compliance with the Companies Act is also a good place to start.

We specialise in Data Protection and AI GRC. These are areas that are very important to organisations that hold lots of personal data and have complex uses of AI – but not every organisation. You may have different standards you want to align with – and that is fine!

Pick something you can actually achieve. This might mean picking a limited scope and trying to get the core foundations of good governance in from there.

What standard should we use?

We like the COSO Enterprise Risk Management standard.

There are many to pick from but in our view this provides a very accessible overview of what you need to do.

Whichever standard you use you should be confident that you cover the three core concepts:

Governance:

  • Your GRC initiative fits with the strategic objectives of the organisation
  • You have oversight at the highest level of management and representation from relevant departments
  • You have a committee and accountable persons that have the power to enact change
  • You record meeting minutes and actions
  • You present relevant metrics in meetings

Risk

  • You have mechanisms to identify and record risks
  • You assess the likelihood and severity of the risk
  • You record and implement actions to mitigate risk
  • You define your appetite for risk
  • You have accountable persons responsible for mitigating risks

Compliance

  • You understand and map the applicable regulations and internal policies
  • You have appropriate training so that staff understand concepts, policies and procedures
  • You have a process for managing non-compliance and incidents
  • You have metrics to evaluate performance which are fed into your governance committees

These are the very basics to get going but are the foundations of most GRC standards.

Three Lines of Defence Model (3LoD)

The three lines of defence model is commonly used as a way to translate GRC requirements into your operational structure. The lines are interpreted as:

First Line: the people who will be actioning an operation day-to-day.

Second Line: your GRC specialists who will set policy, provide guidance on compliance and risk, and monitor metrics to assess performance.

Third Line: independent Internal Audit teams that validate the controls are working effectively against a particular standard.

This common phraseology is a good starting point for operationalising your conceptual GRC model. Identify your first line key stakeholders and get them bought into your programme. Provide the first line with all of the tools and training they need to be successful. Identify your GRC specialists; if you have done the first steps, this should be straightforward. Make sure they have a library of materials and metrics that demonstrate good governance, risk management, and compliance.

Finally, get an independent auditor. If you are lucky enough to have an Internal Audit team, that is a great start. External auditors require you to spend money but do a similar job. The key thing is that your auditor needs to be INDEPENDENT from your core activities.

Textbook GRC vs. Culture

When you start to read about governance you might see rafts of compliance standards and best practices and think that implementing governance is a daunting task.

The theory of governance is the easy part; the hard part is implementing good governance and making it stick. If you try to implement every standard in the governance frameworks at once, you will probably spend lots of time and have no results to show for it.

Consider your organisation’s culture. How do they currently view governance and risk management? What areas currently show good governance, risk and compliance standards?

Culture will play a major part in the success of your GRC initiative. You will need to win the hearts and minds of people to get them on board with your GRC programme. We can’t stress this enough: if you have nothing, start small. If you are trying to change a culture, it is even more important to get buy-in from the very top of your organisation – such as your Board of Directors.


For help with Governance, Risk, and Compliance – get in touch!
