
Info Sharing Session: The Integrated Governance, Risk and Compliance (iGRC) Framework

22 February, 2018

BarnOwl Info Sharing session: 22 February 2018

The Integrated Governance, Risk and Compliance (iGRC) Framework

Presented by Gary Khan, Risk Advisory, EOH

Thank you very much Gary Khan (Risk Advisory) and Justin Clarke (Business Unit Head) for your enlightening presentation at our BarnOwl info sharing event held at the BarnOwl offices in Bryanston on the 22nd February 2018. The event was well attended and very well received. Thank you Gary and Justin.


There are many variations of frameworks out there. Advisory practices are famous for coming up with new ideas and creating impressive / pretty infographics. What I really like about the EOH iGRC (Integrated GRC) framework is its simplicity and its practicality. Not only did Gary present the theory of the iGRC framework, but he also shared with us practical examples of how it has been implemented, including the challenges in general when it comes to getting buy-in for GRC and embedding GRC at all levels of an organisation.

Gary spoke about the traditional pillars of GRC:

Traditionally, organisations have treated governance, risk and compliance as a compliance exercise. Organisations have put in place some policies (e.g. an Enterprise-wide Risk Management Policy) that govern a process (e.g. the ERM process), and the governing body has created committees and groups to regulate and monitor these processes (e.g. the Risk sub-committee of the board, the Chief Risk Officer position, and Risk Champions throughout the organisation). Together these pillars were documented in the GRC framework. The goal was a static document to be updated every two to three years. On the other hand, organisations spent a sizeable portion of their newly allocated GRC budgets on acquiring systems they didn’t quite understand, or which they were not yet mature enough to adopt. These systems were to demonstrate to the audit function that some progress had been made on implementing GRC in the organisation.


Unfortunately, in the traditional model of GRC implemented at most organisations, these pillars still operate in silos. For example, when the shiny new GRC system is implemented, the policies, frameworks and processes are typically not updated to incorporate the rules of use for the new system.


The purpose of GRC is to reliably ensure that the strategic objectives are met, and yet organisations have built their GRC programs on shaky foundations. Some have pillars missing, some have the pillars in place, but very few have built a framework to have these pillars talk to one another in a way that makes sense for their business. As we know it takes more than a theoretical GRC framework to make things work. It takes the people, starting from the leaders of the organisation and moving all the way down to every employee and stakeholder, changing their perspective about GRC. People have been the most difficult and unpredictable pillar to get right. People are the most crucial success factor in any business. The goal is to get an organisation’s people not to see GRC as a compliance activity or a hindrance but a way of generating value that equips the business to more ethically and sustainably achieve its objectives.

So how do we move from the theory to the practical implementation of GRC?

iGRC Framework:

Step 1: Horizontal Integration (Cross Functional)

  1. Let’s start by getting all the assurance providers (strategy, risk, audit, compliance etc.) to work more closely together and start singing off the same page. As an example, Gary shared with us an experience where the audit committee presented a totally different ‘top 10’ risk outlook compared with the ‘top 10’ risk outlook presented by the risk committee. As assurance providers we need to start communicating more closely whilst maintaining independence.

  2. Gary mentioned that a good idea may be to have a coordination function to integrate assurance more effectively (e.g. combined assurance). Combined Assurance is still just a buzz word in many instances and requires active intervention and the correct reporting and coordination structures.

Step 2: Vertical Integration (Aggregation)

  1. We need a top down and bottom up approach. How often do I hear from senior execs: ‘We know what our top 10 risks are and can track these in Excel. We don’t need a system’. Again, Gary mentioned a classic example whereby many risks at the operational levels in the organisation are yellow and red but ‘miraculously’ the risks at the exco and board level are all green (with perhaps a tinge of yellow here and there). These top risks bear no resemblance to the top risks at the operational levels. In many organisations, risks are managed informally in silos. A measure of how in touch the leaders of the organisation are with what is happening in the business is how aligned their risk profile is in comparison to that of the operational levels. Gary mentioned how several organisations are looking at incorporating a comparative risk assessment of the Board and Executive Committee with that of the operations in their integrated reports to provide stakeholders with assurance that the governing body is well-aware of the true state of affairs in their organisation.

  2. For the management of risk to be effective, risks should not only be linked to objectives but should also be linked to the other risks they have an impact on, in the same area or in other areas of the business (cross functional as well as upwards and downwards). An example of this could be the risk of ‘Cash-flow exposure’ (parent risk) at a Business Unit level monitored by an exec. Operational risks (child risks) such as ‘Sales targets not being achieved’, ‘Cost of sales over budget’, ‘Outstanding debtors’, ‘Bad debts’, ‘Credit notes’ etc. managed by the respective department heads should be linked to the parent risk ‘Cash-flow exposure’. When any operational (child) risk is re-rated, the owner of the ‘Cash-flow exposure’ risk should be warned that a ‘child’ risk linked to his / her risk has changed, and how it has changed. This enables the exec to re-rate his / her ‘Cash-flow exposure’ risk more accurately and timeously, which in turn triggers the re-assessment of any linked risks higher up the value chain. Linking KRIs (key risk indicators) to risks and updating these regularly (either manually or from live systems) also triggers the re-assessment of risks. In this way, risk management becomes an integrated early-warning system facilitating informed decision making based on accurate and up-to-date information.
  3. Risk appetite statements (traditionally quantitative) should not only be determined at the group level (as they often are) but should be cascaded down to every level of the organisation. For example, what is the point of applying the group financial appetite of R50 million (value at risk) to a small business unit which doesn’t even have a turnover of R500,000? Risk appetite statements need to be relevant at every level of the organisation and need to be aggregated upwards to the group level, where the value at risk (financial risk appetite) is much higher. Please see related article: https://barnowl.co.za/insights/a-3-step-approach-to-implementing-risk-appetite-and-tolerance/
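The linked-risk early-warning mechanism and the per-level appetite described in the two points above can be modelled in a few dozen lines. The code below is an added illustration written for this write-up; it is not BarnOwl's, EOH's or Gary's code, and it makes its own assumptions: ratings and appetites sit on a constructed 1 (low) to 5 (high) scale, a KRI reading above its threshold flags the owning risk for re-assessment, the "suggested rating" for a parent is simply never lower than its worst-rated child, and the cash-flow register it builds is constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Risk:
    """One register entry. Rating and appetite use a constructed 1 (low) to 5 (high) scale."""
    name: str
    owner: str
    rating: int
    appetite: int                 # highest rating this level is willing to carry (assumption)
    parent: Optional[str] = None
    children: List[str] = field(default_factory=list)
    kris: Dict[str, float] = field(default_factory=dict)   # KRI name -> latest reading
    needs_review: bool = False    # set when a linked child or a KRI moved since the last re-rate


class RiskRegister:
    def __init__(self) -> None:
        self.risks: Dict[str, Risk] = {}
        self.notifications: List[str] = []   # messages that would be sent to risk owners

    def add(self, risk: Risk) -> None:
        self.risks[risk.name] = risk

    def link(self, child: str, parent: str) -> None:
        """Link an operational (child) risk to the parent risk it feeds into."""
        self.risks[child].parent = parent
        self.risks[parent].children.append(child)

    def rerate(self, name: str, new_rating: int, reason: str = "manual re-rate") -> None:
        """Re-rate a risk; if it moved, warn the parent's owner what changed and flag the parent for review."""
        risk = self.risks[name]
        old, risk.rating = risk.rating, new_rating
        risk.needs_review = False          # the owner has just looked at it
        if old == new_rating or risk.parent is None:
            return
        parent = self.risks[risk.parent]
        parent.needs_review = True
        self.notifications.append(
            f"to {parent.owner}: child risk '{name}' linked to '{parent.name}' "
            f"moved {old} -> {new_rating} ({reason})"
        )

    def update_kri(self, name: str, kri: str, value: float, threshold: float) -> None:
        """Record a KRI reading; a reading above its threshold flags the risk for re-assessment (assumption)."""
        risk = self.risks[name]
        risk.kris[kri] = value
        if value > threshold:
            risk.needs_review = True
            self.notifications.append(
                f"to {risk.owner}: KRI '{kri}' on '{name}' is {value} (threshold {threshold}); re-assess"
            )

    def suggested_rating(self, name: str) -> int:
        """Aggregation hint for the owner: a parent is never rated below its worst child (assumption)."""
        risk = self.risks[name]
        return max([risk.rating] + [self.risks[c].rating for c in risk.children])

    def pending_review(self) -> List[str]:
        """Risks whose owners still owe a re-assessment."""
        return sorted(n for n, r in self.risks.items() if r.needs_review)

    def appetite_breaches(self) -> List[str]:
        """Risks rated above the appetite set for their own level of the organisation."""
        return sorted(n for n, r in self.risks.items() if r.rating > r.appetite)


def build_example_register() -> RiskRegister:
    """Constructed data mirroring the article's cash-flow example; not taken from any real register."""
    reg = RiskRegister()
    reg.add(Risk("Cash-flow exposure", "BU exec", rating=2, appetite=3))
    reg.add(Risk("Sales targets not achieved", "Sales head", rating=2, appetite=3))
    reg.add(Risk("Outstanding debtors", "Credit head", rating=2, appetite=3))
    reg.add(Risk("Bad debts", "Credit head", rating=2, appetite=2))
    for child in ("Sales targets not achieved", "Outstanding debtors", "Bad debts"):
        reg.link(child, "Cash-flow exposure")
    return reg


def run_scenario() -> RiskRegister:
    """A child risk worsens and a KRI breaches; the parent owner is warned but has not yet re-rated."""
    reg = build_example_register()
    reg.rerate("Bad debts", 4, reason="quarter-end debtor review")
    reg.update_kri("Outstanding debtors", "debtor days", 75.0, threshold=60.0)
    return reg


if __name__ == "__main__":
    register = run_scenario()
    for line in register.notifications:
        print(line)
    print("pending review:", register.pending_review())
    print("appetite breaches:", register.appetite_breaches())
    print("suggested parent rating:", register.suggested_rating("Cash-flow exposure"))
```

Running the scenario produces two notifications (one to the BU exec about ‘Bad debts’, one to the credit head about the KRI), leaves ‘Cash-flow exposure’ and ‘Outstanding debtors’ awaiting review, and reports ‘Bad debts’ as the only appetite breach until the exec re-rates the parent, at which point the parent itself breaches its own appetite of 3.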

Step 3: Dimensional Integration (Cultural)

The need for cultural integration.

The ‘tone at the top’ (culture) should be about ‘doing the right thing’ and should be inculcated throughout the organisation. Corporate governance which is well-articulated in King IV is defined as the exercise of ethical and effective leadership by the governing body towards the achievement of the following governance outcomes:

  • Ethical culture
  • Good performance
  • Effective control
  • Legitimacy

No GRC framework will prevent the leadership of an organisation, especially senior executives and board members, from choosing to pay lip service to corporate governance and risk management or, worse still, choosing to run the company unethically (e.g. fraud and corruption). Just take a look at the long list of corporate scandals, including recent ones such as Volkswagen, Bell Pottinger, KPMG and now Steinhoff, which have destroyed value and the lives of those affected. One often gets asked ‘where was risk management or where was internal audit?’ Well, they were there and probably reported that things were not right but got shut down based on a culture of fear and cover-ups. The good news is that no one can cover up for too long, and no one can ignore the power of social media and the innate nature of humans to want things to be fair. Michael Judin, partner in the Johannesburg based law firm JUDIN COMBRINCK INC, speaking on ‘Why King IV is not another layer of regulation but creates add-on value’, spoke about business (and country) leaders’ misconception that the power lies within the board room. The power really lies with the new millennials and the power of social media and the smart phone.

Please see related article: https://barnowl.co.za/insights/good-corporate-governance-alive-and-kicking/

In summary, the iGRC framework is refreshing and provides a simple yet practical approach to embedding effective GRC within any organisation. Once again thank you Gary and Justin for your time and for sharing with us your iGRC framework and extensive experience. You can download Gary’s presentation here and view a video recording of the info sharing session here.

Written by: Jonathan Crisp

Director – BarnOwl GRC and Audit software

About Gary Khan:

At university, Gary found his passion for risk management, completing a Bachelor of Commerce with a double major in both Risk and Insurance Management, and Human Resource Management. Soon after completing his degree, he began his career at PricewaterhouseCoopers (PwC) as a risk management consultant, and quickly became a specialist in the field. In this capacity, he worked on various large clients in the Mining, Manufacturing, Medical, Financial, Entertainment and Governmental industries, gaining extensive insight into risk management practices across each of these domains, both from a strategic and an operational risk management perspective.

In addition, Gary was provided with the opportunity to gain experience in the following Governance, Risk and Compliance (GRC) domains: Internal Audit, Combined (Integrated) Assurance, Governance Audits, Maturity Assessments, Compliance, and GRC Framework development. By the end of his tenure at PwC, Gary was leading his own advisory engagements, and was working with several software partners at the time including SAP and BarnOwl.

The next challenge for Gary, was to join CQS GRC Solution (Pty) Ltd (CQS), where he became a SAP functional consultant with a speciality in SAP Process Control and SAP Risk Management. After a short while at the company Gary became a Solution Architect, leading implementation projects at several large mining houses.

A few years later, EOH Mthombo (Pty) Ltd, the SAP subsidiary of EOH Holdings Limited (EOH), acquired the SAP team from CQS. Gary joined EOH as a Lead Solution Architect, where he led and mentored other Solution Architects on large scale projects including international projects in Africa and the Middle East. Now Gary heads up a team of Governance, Risk and Compliance consultants and has been charged with building an advisory team under the EOH GRC Solutions Business Unit.

About BarnOwl:

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 200 organisations in Africa, Australasia, Europe and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.
