In the previous part I explained the Do and Check steps. In this third part, I continue with the Act step and conclude with a summary.
The Act phase completes the cycle. Here, the power of a living ecosystem, where all components are interconnected, comes to the fore.
Every deficiency warrants an action, complete with an owner, deadline, and priority. Even the decision to accept without remediation. Through the many-to-many structure, you not only see what needs to be done but also the impact of inaction. Essential for prioritisation, commitment, and risk acceptance if necessary.
New legislation or a new client? Map the requirements to your existing risks and controls. There’s no need for a new project. You integrate the new requirements into the existing ecosystem.
Monitoring and reviews provide management with key insights: trends, the status of risks and controls, dependencies and vulnerabilities, adjustments based on lessons learned, external developments, and decisions on priorities, governance, and resource allocation.
This is essential for management to gain insight into strategy execution and to make well-informed decisions. It also builds trust through demonstrable compliance with stakeholders such as shareholders, the supervisory board, and regulators.
Sustainable compliance doesn’t have to become a bureaucratic monster:
Smart frequencies: determine, based on risk, what requires attention and how often.
Proportional governance: tailor the approach to your organisation’s size, ensuring adequate capacity distributed across Plan, Do, Check, and Act.
Integrated methods: embed compliance activities within your existing processes rather than layering them on top.
Recognition of dependencies: manage fluctuating inputs such as legislation, internal processes, systems, products, personnel (including recruitment, training, and culture), technology, supply chains, and the wider external environment.
The goal remains: a framework that provides management with comfort and insight, truly mitigates risks, convinces auditors and clients, and does not paralyse the organisation.
The difference between organisations that see compliance as a burden and those that recognise its value does not lie in the number of controls or the thickness of policy documentation, but in the rhythm and the symbiosis. A framework that is continuously nurtured only gets better. Insights lead to improvements, improvements reduce risks, and lower risks allow for a greater focus on what truly matters. The ecosystem evolves and becomes more resilient.
In conclusion, sustainable compliance comprises an ecosystem that sustains its own balance, fuelled by a PDCA cycle, supported by an integrated assurance framework, and driven by people who understand their roles and strive for symbiosis. Its key characteristics are:
An established risk appetite as a compass for setting priorities
A consistent risk methodology for comparability
A clear division of roles via the three lines model
An integrated assurance framework with three well-aligned lines
Training and awareness as integral to execution
Monitoring that evaluates effectiveness, not just presence
Visible dependencies between controls and risks
Evidence that can be retrieved within five minutes
Actions that are genuinely followed up
Management reviews that ensure coherence
A continuous cycle, not an annual audit-driven scramble
You have now got a foundation (Part 1) and a cycle to keep it alive (Part 2). But how do you operationalise this? Many organisations grapple with the question: which GRC solution is best suited for us?
To answer these questions, a blog will be published soon. In this blog, we will also address the following question: how do you choose the right GRC solution without getting mired in spreadsheets, complexity, or vendor lock-in? We explore the trade-offs, pitfalls, and spoiler alert: the role that AI can play in operationalising your ecosystem.
Would you like to know how healthy your compliance ecosystem is? ICTRecht offers the Digital Decade Roadmap (currently available in Dutch) to help you understand the applicability of legislation and the effectiveness of your current approach, so you know exactly where adjustments are needed before the auditor steps in.
Questions or thoughts? Let's talk. We're always happy to have a no-obligation conversation.