Compliance Management Process

The following flowchart outlines the Drova GRC Compliance Management process.

The TriLine GRC Compliance Management Process

1. Identify and enter Compliance Process and Controls

Individuals appropriately trained and experienced in Compliance should identify and record all requirements for Compliance within your organisation. This can include compliance with:

  • Regulatory controls,

  • Government Acts,

  • Industry standards, and

  • Codes of Practice.

If your organisation is moving from another Compliance Management System to Drova GRC, a lot of this work has probably already been done and it’s just a matter of getting the information into Drova GRC.

Tip:
Consider a plan to transfer existing Compliance Records and Process Controls into Drova GRC as they become due for action. This will avoid you having to try and get everything into Drova GRC in one go.

2. Schedule and allocate Process Control Tasks to Positions

For each identified Compliance Process:

  • determine the appropriate schedule for performing the Process Controls, and

  • identify the most suitable people to perform the Process Controls.

Tip:
Process Controls should include a requirement to submit documentation to support any assertion of Compliance. These records can then be quickly recalled within Drova GRC for evidence at any time. You can set a Process Control so that it cannot be completed without documentary evidence being attached to the Record.

3. Drova GRC generates Tasks and sends email Reminders

On the appropriate date (determined by the Schedule and Reminder settings for each Process Control), Drova GRC generates Process Controls and emails the person recorded in the Process Control Record as responsible for Actioning the Task (the ‘Actioned By’ Position).

The generated Process Controls are displayed in each ‘Actioned By’ Position’s ‘My Summary’ page 'Current Task' tab.

4. Position records completion of Task in Drova GRC

Once the actions in the Process Control have been performed and any documentary evidence prepared, the ‘Actioned By’ Position reports completion of the Process Control in Drova GRC. Where required, documentary evidence can be attached to the Process Control Record during completion, forming a permanent record of the actions taken and results obtained.

5. Task not completed—Task is escalated to Position’s Manager

If a Process Control is not completed on time, or won’t be completed at all for some reason, then Drova GRC provides a way to ensure that this is managed.

You can set a Position to be the ‘Escalate To’ Position for each Process Control. If the Process Control is not completed by the due date, Drova GRC sends a notification email:

  • Every day beyond the due date, to the ‘Actioned By’ Position, until the task is done.

  • Once to the ‘Escalate To’ Position, so they can act on this information as required.

This ensures that your Compliance Tasks are not missed, thus helping to avoid possible Compliance breaches.

Note: The escalation process does not move tasks from the Actioned By Position to the Escalation Position. The responsibility to complete the task remains with the Actioned By Position. The escalation process allows the Escalation Position to know when tasks are not completed by the due date so that they may choose to act.

6. Compliance Reports outlining Task completion and non-completion

Drova GRC retains data recorded for each Compliance Process and Process Control. The ability to include attachments, links to other Records and resources makes Drova GRC a valuable tool for building an accurate and detailed history of your organisation’s Compliance performance.

The more Compliance data Drova GRC collects, the more information you have to improve organisational compliance, performance and reputation within your industry.
