Practice 02 · Govern

Governance, Risk, Compliance
& Assurance.

For boards, CROs, CCOs, CAEs and CFOs who need four disciplines to work as one system:
governance that clarifies accountability, risk that informs choices, compliance that stays current,
and assurance that proves the system works.

Strong institutions need more than a GRC framework. They need governance that sets direction and accountability, risk intelligence that anticipates exposure, compliance that turns obligations into action, and assurance that independently validates performance.

Four Connected Capabilities

Turn oversight into an operating system.

Each capability has a distinct mandate. Together they create a connected operating model across the board, executive management and the three lines.

Governance

Board effectiveness, decision rights, delegation, policy governance, ethics and AI governance.

Risk

ERM, risk appetite, operational risk, third-party risk, fraud risk and emerging-risk intelligence.

Compliance

Obligations, regulatory change, compliance risk assessment, monitoring, testing and remediation.

Assurance

Internal audit, ICFR, combined assurance, continuous assurance, quality and issue closure.

Governance

Direction, Accountability & Oversight

We help boards and executive teams clarify who decides, who owns, who challenges and how information reaches the right forum at the right time.

Board Governance

Board & committee effectiveness

Board architecture, committee mandates, charters, reserved matters, information flows and annual effectiveness improvement.

Decision Rights

Delegation of authority & accountability

Decision-rights design, delegation matrices, approval thresholds, escalation routes and accountable ownership.

Governance Operating Model

Enterprise governance architecture

Connect boards, executive committees, business units and control functions through clear forums, mandates and reporting cadence.

Policy Governance

Policy lifecycle & attestation

Policy hierarchy, ownership, review cycles, approvals, exceptions, acknowledgements and evidence of compliance.

Ethics & Culture

Conduct, culture & speak-up governance

Governance of ethics, conflicts, conduct risk, whistleblowing, investigations and culture indicators.

AI Governance

Responsible AI operating model

AI inventory, ownership, policy, risk classification, lifecycle controls, oversight forums and monitoring aligned to responsible-AI principles.

Risk

Enterprise Risk Intelligence

Move from periodic risk registers to a decision-relevant view of exposures, dependencies, appetite and management action.

Enterprise Risk

ERM operating model

Risk policy, taxonomy, ownership, assessment methodology, treatment, KRIs, reporting and integration with planning and performance.

Risk Appetite

Risk appetite & limits

Board-level appetite statements translated into thresholds, indicators, limits, escalation and management action.

Operational Risk

Operational risk & loss-event management

Process and event risk, control self-assessment, incidents, root causes, action tracking and trend reporting.

Third-Party Risk

Third-party & outsourcing risk

Due diligence, risk tiering, criticality, concentration, contract obligations, ongoing monitoring and exit readiness.

Fraud Risk

Fraud risk management programme

Fraud-risk assessment, scenario library, preventive and detective controls, investigation governance and management reporting.

Emerging Risk

Emerging risk, scenarios & KRI intelligence

Horizon scanning, scenario analysis, indicators and executive sensing to identify material shifts before they become events.

Compliance

Obligations to Evidence

Turn regulatory obligations into owned requirements, mapped controls, evidence, monitoring and management action — across multiple jurisdictions and regulators.

Obligations

Regulatory obligations register

Structured obligations, applicability, accountable owners, linked controls, evidence requirements and review dates.

Regulatory Change

Regulatory change management

Intake, impact assessment, ownership, implementation tracking and evidence of response to regulatory change.

Compliance Risk

Compliance risk assessment

Inherent exposure, control environment, residual risk, prioritisation and risk-based compliance planning.

Controls & Evidence

Requirement-to-control mapping

Map obligations to policies, controls, owners, testing, exceptions and reusable evidence across frameworks.

Monitoring & Testing

Compliance monitoring programme

Monitoring plans, control testing, attestations, issue identification, escalation and management reporting.

Breaches & Investigations

Breach, case & remediation governance

Record incidents and breaches, manage investigations, assign remediation and maintain closure evidence and audit trails.

Assurance

Independent Validation & Confidence

Modernise internal audit and controls assurance so boards receive clearer coverage, stronger evidence and faster remediation insight.

IA Digital Office

Internal Audit Digital Office

Audit universe, planning, execution, workpapers, findings, actions and Audit Committee dashboards in one connected model.

Risk-Based Planning

Dynamic audit planning

Risk assessment, assurance mapping, prioritisation and rolling plans that respond to changing exposure.

Delivery Models

Co-source, outsource & specialist audit

Flexible delivery capacity for core plans, technology, cyber, data, transformation and specialist assurance.

ICFR

ICFR & controls automation

Process documentation, control design, testing, evidence, deficiencies, certification and management reporting.

Continuous Assurance

Combined & continuous assurance

Connect assurance providers, control indicators, testing results, incidents and findings to identify gaps and duplication.

Quality & Remediation

QAIP, findings & closure discipline

Quality reviews, issue ageing, root-cause themes, closure evidence and independent validation of remediation.

Flagship Offers

Focused entry points for governance, risk and assurance leaders.

Start with a defined priority. Build the operating capability. Expand across the wider GRC estate only where value is proven.

GRC

GRC Transformation in 90 Days

Operating model, taxonomy, priority workflows, technology enablement, executive dashboards and a sequenced roadmap — designed to move GRC from fragmented registers to live operating capability.

Governance + ERM

Governance & ERM Operating Model

Governance structure, decision rights, risk appetite, ERM, KRIs, committee cadence and board visibility in one coherent management model.

Internal Audit

Internal Audit Digital Office

Audit universe, dynamic planning, execution, workpapers, findings, remediation and Audit Committee reporting supported by a connected digital operating model.

Controls

ICFR & Controls Automation

Process documentation, control design, testing, evidence, deficiencies, certification, remediation and management reporting with stronger traceability and ownership.

How We Deliver This Capability

One capability. Four ways to engage.

Govern can be delivered as a focused governance, risk, compliance or assurance engagement — or as a connected operating model supported by technology, recurring managed services and role-based capability development.

01 · Consulting

Design the Governance & GRC Model

Strengthen board and committee governance, ERM, risk appetite, third-party risk, fraud risk, compliance operating models, internal audit, ICFR, controls assurance and AI governance. We design the model around accountability, decisions and regulatory reality.

02 · Platform

Operationalise through the platform

Bring policies, risks, KRIs, obligations, controls, assessments, evidence, audit work, findings and remediation into one connected environment with role-based workflows, dashboards and traceable accountability.

03 · Managed Services

Run the GRC & Assurance Cadence

Use a Managed GRC Office, compliance monitoring, control testing, Internal Audit co-source or outsource support, remediation follow-up and virtual risk or compliance leadership to keep the model working between major projects.

04 · Academy

Build Governance, Risk & Assurance Capability

Develop boards, risk owners, compliance teams, internal auditors and control owners through governance briefings, ERM academies, compliance training, controls and assurance pathways, fraud-risk awareness and responsible-AI governance programmes.

The capability is modular. A client can start with one priority — governance, ERM, compliance, Internal Audit or controls — and progressively connect the wider GRC estate as value is proven.

Explore the other practices

Practice 01

Transform

Strategy, uncertainty, programme assurance, decision intelligence, digital transformation and AI.

Practice 03

Protect

Cyber, privacy, technology risk, resilience, BCM, crisis and critical-service continuity.

Practice 04

Sustain

People and organisational performance, ESG, sustainability and long-term value.

Engage

Give the board a clearer line of sight and regulators stronger evidence.

Speak with the senior team about your governance and assurance agenda.