Governance, Risk And Compliance Solution

Abstract

An Australian Cultural Institution (the institution) serves as an artistic hub for visitors from around the world, showcasing its vast collection of art pieces. As a public Commonwealth Government entity, this institution is also subject to a range of governance, risk, and compliance (GRC) requirements, including regulatory mandates and internal policies.

In 2018, the institution recognised the need to update its approach to GRC management to ensure compliance with evolving regulations, requirements and industry standards. To achieve this goal, the institution turned to LighthouseGRC to solve this business problem.

LighthouseGRC has now been used by the institution for over four years. It provides a centralised platform for managing all aspects of the institution's GRC program, allowing it to track and monitor risks, ensure compliance with regulatory requirements, and streamline its overall GRC processes.

Business Problem

The institution faced several business problems related to its GRC processes that led it to invest in LighthouseGRC.

Firstly, the institution's existing GRC processes were largely manual, relying on spreadsheets and paper-based documentation, which made it difficult to track and manage risks and compliance obligations. The institution's GRC program was also fragmented, with different business units using different tools and processes, so it was hard to get a comprehensive view of the organisation's risk and compliance position.

The institution also faced the challenge of keeping pace with evolving regulatory requirements and industry best practices. Compliance obligations were becoming increasingly complex, with new regulations being introduced regularly, and the institution needed a more robust and agile GRC approach to ensure that it could adapt to these changes.

Additionally, the institution is overseen by a Council and has a Foundation Board made up of eminent Australians. The institution needed a way to ensure that the compliance obligations of the members of these key governing bodies, as well as those of its own staff, were tracked and managed appropriately, ideally in one location.

Finally, the institution recognised the need to improve its overall risk management posture. The organisation held a vast collection of valuable art pieces and, as a public venue, had hundreds to thousands of people on the premises or attending events at any one time. This made it even more critical to have effective risk management processes in place, structured so that risks could be easily tracked by the relevant stakeholders and reviewed and updated on an ongoing basis.

The Solution

After consultations with the team at LighthouseGRC, the institution decided to invest in its software (LighthouseGRC) to manage its GRC requirements. LighthouseGRC provided a centralised platform for managing all aspects of the institution's GRC program. The platform allows the institution to track and monitor compliance activities, document compliance, identify risks, hold governance-related data and evidence, generate reports on compliance status, and more. By consolidating all compliance-related activities in one place, LighthouseGRC helped the institution achieve greater visibility and control over its GRC posture.

The LighthouseGRC team was also able to leverage LighthouseGRC to develop a customised compliance framework that incorporated the institution’s unique compliance requirements, including key management personnel (KMP), conflict of interest, and management assurance. This framework was tailored to meet the institution’s specific needs and regulatory mandates.

All staff members at the institution received access to LighthouseGRC, which is accessed using single sign-on (SSO). The system also offers a separate password-based login option, so people without an institution email address, such as Foundation Board members, could be granted access to the system. This was a welcome change that allowed Council and Foundation Board members to access the system directly to complete their annual disclosures and conflict of interest declarations. As a result, all GRC activities relating to staff and other key stakeholders could be tracked, managed and reported on by the Governance Team from a single source of truth, LighthouseGRC, providing organisation-wide assurance.

Since implementing LighthouseGRC to manage compliance requirements, the institution has continued to evolve and build out new GRC processes in the system. As part of this ongoing evolution, a custom-built risk manager module was configured for the institution in 2022. This module acts as a hub for collating, managing and reporting on agency-wide risks. LighthouseGRC's configurable nature allowed the institution's risk framework, including its risk matrix and risk scoring, to be embedded in the system, and based on the assessed level of risk the appropriate delegate workflows are triggered. The module adds a further layer of assurance, ensuring that risks are not only reviewed by the appropriate delegate(s) but also handled in line with the institution's internal risk policy. Overall, LighthouseGRC's risk management solution gave the institution a streamlined and efficient way to manage risk and ensure compliance with its risk policy.

GRC-related reports on enterprise risk are generated directly from LighthouseGRC, and each member of the Council and Foundation Board can be given access to this information on either a scheduled or an ad hoc basis. By streamlining its GRC efforts in LighthouseGRC, the institution was able to save the many hours previously spent collating and preparing reports of entity-wide GRC information. Instead, that time could be applied to building a structured GRC program using LighthouseGRC functionality, including the implementation of board action items, applying risk mitigation strategies and forward planning. It also meant the institution had access to data and insights that helped it stay ahead of emerging risk challenges and maintain a positive GRC stance.

Thanks to LighthouseGRC, the institution's management team now has access to real-time GRC data and insights that allow it to make more informed decisions. It now has confidence in the completeness of its compliance information, because all staff members and business areas have access to the system and can record instances of non-compliance as they occur. Regular assurance is also gained from staff and business areas using the assurance tools available within LighthouseGRC, including compliance assessments, health checks, conflict of interest declarations, gifts and benefits declarations, assurance surveys, and management certification.

Overall, the institution's partnership with LighthouseGRC has enabled it to manage its GRC requirements more effectively, ensuring compliance with regulatory mandates and industry best practices. Through ongoing collaboration and support, LighthouseGRC continues to help the institution stay ahead of emerging GRC challenges and maintain its position as a leading cultural institution.