As a GRC software provider we assist many organisations to implement compliance processes effectively. We have noted that quite a few organisations "estimate" the residual risk rating of their regulatory universe items by applying an average control effectiveness to each act, regulation etc., a practice that could ultimately result in a loss of licence, penalties or much worse. Let us explain our concern.
The First Step
The first step in the compliance process is identifying the regulatory universe for the organisation. The regulatory universe is a list of all legislation, subordinate legislation, permits, licences, policies etc. that are applicable to the organisation.
The regulatory universe is therefore the total scope of all legislative and other compliance-related items that an organisation needs to comply with. The output of this step is a list of acts, regulations, permits etc. that the organisation must comply with.
The Second Step
As an organisation has a vast number of legislative requirements to comply with and limited resources, a risk assessment can be performed to rate each item in the regulatory universe in terms of its risk. The inherent risk of a regulatory universe item is calculated from the impact of non-compliance and the likelihood of non-compliance:
INHERENT RISK = IMPACT X LIKELIHOOD
Typically, penalties, fines and other statutory measures such as imprisonment or loss of licence are stipulated within an act. Using impact scales, the impact value can then be calculated. Likelihood values are determined by factors such as the effectiveness and rate of activity of the regulators.
After completing step 2, the organisation should have a risk-rated regulatory universe. From a software perspective the results look like this:
The Third Step
The third step is to compile a Control Risk Management Plan (CRMP) for each act, regulation, permit etc. This entails analysing the act to identify the legal requirements applicable to the organisation and then identifying controls to ensure compliance with these requirements.
Different sections of an act or regulation might have different risk ratings. For example, non-compliance with Section 43 of the Basic Conditions of Employment Act, 1997 would result in imprisonment of 6 years, while other sections have only small monetary implications. The risk for each section is further influenced by the effectiveness of the controls for that section.
It is therefore clear that an average residual risk rating for an act or regulation is not possible unless every requirement and control has been assessed, calculated and reported on individually.
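To illustrate this point, the following Python example (added here; it is not the provider's software) models one act with several sections and compares the per-section residual risk against the act-level shortcut that applies an average control effectiveness. It assumes a residual risk formula of inherent risk multiplied by (1 minus control effectiveness), 1 to 5 impact and likelihood scales, and an act-level inherent risk taken as the highest section inherent risk; the section values are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Section:
    """One requirement (section) of an act with its own risk inputs."""
    name: str
    impact: int                   # 1-5 from the impact scale (imprisonment = 5)
    likelihood: int               # 1-5, driven by regulator activity
    control_effectiveness: float  # 0.0 = no control, 1.0 = fully effective

    @property
    def inherent(self) -> int:
        # INHERENT RISK = IMPACT X LIKELIHOOD, as in the post
        return self.impact * self.likelihood

    @property
    def residual(self) -> float:
        # Assumed formula: inherent risk reduced by control effectiveness
        return self.inherent * (1.0 - self.control_effectiveness)

def averaged_residual(sections):
    """The shortcut the post warns against: one act-level inherent risk
    (assumed here to be the highest section inherent risk) reduced by the
    average control effectiveness across all sections."""
    act_inherent = max(s.inherent for s in sections)
    avg_ce = sum(s.control_effectiveness for s in sections) / len(sections)
    return act_inherent * (1.0 - avg_ce)

def per_section_residual(sections):
    """The detailed view: residual risk reported for every section."""
    return {s.name: s.residual for s in sections}

def sections_masked_by_average(sections):
    """Sections whose own residual risk exceeds the act-level average
    figure, i.e. exposures the shortcut would hide from the board."""
    avg = averaged_residual(sections)
    return [s.name for s in sections if s.residual > avg]

# Constructed sample data for one act (illustrative values only)
ACT_SECTIONS = [
    Section("s43 (imprisonment)", impact=5, likelihood=3, control_effectiveness=0.2),
    Section("other A (small fine)", impact=1, likelihood=4, control_effectiveness=0.9),
    Section("other B (small fine)", impact=1, likelihood=3, control_effectiveness=0.9),
    Section("other C (small fine)", impact=2, likelihood=2, control_effectiveness=0.8),
]

if __name__ == "__main__":
    print("averaged act-level residual:", round(averaged_residual(ACT_SECTIONS), 2))
    print("per section:", per_section_residual(ACT_SECTIONS))
    print("masked by the average:", sections_masked_by_average(ACT_SECTIONS))
```

With these inputs the averaged figure comes out at 4.5, while Section 43 on its own carries a residual risk of 12.0, which is exactly the exposure a board would never see in an averaged rating.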
Summary
As a board member or a member of an audit and risk committee, it is therefore of critical importance not to accept an average residual risk rating presented on a regulatory universe unless the detailed analysis behind that calculation has also been presented.
Feel free to contact us should you require any input from us in this regard.