Governance is about setting the company’s strategy and controlling the organization. Governance, Risk and Compliance (GRC) constitutes a key component of the former. GRC refers to defining the playground within which an organization wants to operate in order to achieve its objectives. The borders of this playground are defined by an organization’s risk appetite, the regulatory landscape, the desired culture and behavior, as well as the policies and procedures defined by the organization. In addition, GRC aspires to ensure that actions taken by the organization or its representatives respect these borders that enclose its playground. This results in the entire organization being involved in GRC, starting from the board up to the 3 lines of defense, including business continuity, enterprise risk,  compliance, internal control, HSE, internal audit, among others.

Relevance today

Although Family Owned Businesses don’t always have a very extensive or mature GRC-framework in place, stakeholders do expect – from a corporate governance perspective – that the organization adopts a structured and professional approach towards GRC, including Business Resilience, Internal Audit, Internal Control and Enterprise Risk Management.

As a root cause, we see that FOB’s are fully focused on running the business and often have a fear that GRC will limit their entrepreneurship, and naturally also want to limit to overhead costs as much as possible.

On the other hand, the disadvantages are that these companies often don’t have a good view of their global risk landscape, are not comfortable that gaps and overlaps in risk management activities are avoided, and cannot provide integrated risk insights to those charged with risk oversight and other key stakeholders.

The need

Based on our experience, FOBs require a balanced approach towards Governance, Risk & Compliance that:

  • Is in proportion to the size of the organization and takes into account the costs versus the benefits;
  • Does not work against driving entrepreneurship and intrapreneurship;
  • Provides comfort to the management team and those charged with risk oversight, such as the Board of Directors and other stakeholders;
  • Grants access to expertise on specific risks in a flexible way;
  • Allows the organization to quickly respond to a rapidly changing context.

What we can offer

Risk as a Service is a flexible and tailored solution for FOBs of all sizes who want to pursue a cost-efficient and pragmatic, value-adding approach towards GRC. We help you to get the basics right, irrespective of the maturity or position of risk management activities in your organization, and contribute to implementing key activities and best practices of risk management, internal control, compliance, business resilience and internal audit development.

Our ‘Risk as a Service’ offering allows you to access our global network, expertise and best practices in GRC, while simultaneously leveraging our technology and empowering your organization to streamline risk management activities while benefiting from KPMG’s wide and diverse range of areas of expertise.

We tailor our costing options to meet your needs and focus on a pragmatic, value-adding approach. You can flexibly request services as and when needed (i.e. for specific tasks, projects, processes) over the duration of the agreement. We can perform regular GRC activities within a set limit of hours for the agreed period, for example: quarterly inputs for the audit committee meeting.

A flexible and tailored solution for Family Owned Businesses who want a cost-efficient and pragmatic approach towards Governance, Risk & Compliance.

KPMG Risk as a Service offering covers the following topics: Enterprise Risk Management, Internal Control, Business Resilience, Project Risk Management, Internal Audit and Compliance.

This can include:

  • Ad hoc advice on specific risks and controls
  • Set-up of Risk and Internal Audit functions, frameworks and processes
  • Sharing of better practice on various risk domains in a flexible manner
  • Assessment and design of your operating model on Governance, Risk & Compliance (GRC)
  • Technology support and advice
Risk as a service

What can we do for you?

We offer assistance with small and large, basic or complex projects, including:

Enterprise Risk Management

  • Implementation of an Enterprise Risk Management process, organization and tools such as drafting of a risk management framework.
  • Coordination and facilitation of the recurring ERM exercises such as facilitation of a strategic or operational risk workshop.
  • Ad hoc advice on specific risks and signals of change.
  • Advice on risk control measures

Internal Control

  • Implementation or transformation of Internal Control programs.
  • Specific Internal Control requests: e.g. process review, policy reviews, consultation & advice.
  • Control testing: providing support to test predefined controls, evaluating risk mitigation, preparation for external compliance reviews.

Project Risk Management

  • Implementation / improvement of Project Risk Management: Staying in control for planned/ongoing projects.
  • Independent project risk assurance: we follow up on your strategic projects and provide reassurance that these are under control.


  • Implementation or transformation of compliance programs
  • Assessing a GRC model/ setting up a GRC model to identify the risks and compliance requirements
  • Support in executing the compliance function
  • Compliance testing

Internal Audit

  • Set-up or transformation of the Internal Audit function:
    Establishing the Internal Audit charter, methodology, process, organization, sourcing strategy, tools and templates
  • Internal Audit co- and out-sourcing: Also to support with workload, or execution of testing.
  • Internal Audit Quality Assurance Review

Business Resilience & Continuity

  •  Evaluate the organization’s overall business continuity plan, including policies governance, risk assessments, business impact analysis, vendor/third-party assessment.
  • Re-assessment of risk appetite based on changes in business environment
  • Developing standard operating procedures and responses to the pre-defined disruption triggers

GRC Target Operating Model

  • Assessment of the organization's current GRC model.
  • Definition of the GRC Target Operating Model
  • GRC Target Operating Model implementation

Connect with us