Governance & Operations
Now let's look at your governance framework - policies, risk management, audit scheduling, and how findings become actions.
Your audit calendar—real or "we'll get to it"?
Do you have a clear schedule for internal reviews and external audits (e.g., privacy in March, WHS/site checks in Dec, quarterly reviews of incidents/CI/risk), and do you follow it?
What 3/3 looks like: One calendar with owners/dates, reminders, and proof-of-completion for each review/audit.
Policies you can trust (and prove)
Are your policies catalogued with owners, review dates, and mapped to the right Standards & Indicators—and kept current?
What 3/3 looks like: One catalogue, mapped to indicators, on-time reviews, versioned links for sharing with auditors.
Risks that move from register → action
Is your risk framework aligned to ISO 31000, reviewed quarterly, and tied to actual actions and insurance currency?
What 3/3 looks like: ISO-aligned framework; quarterly reviews logged; top risks feed one action list with owners/dates/escalations; insurance checks recorded.
Note: BCP/E&D referenced as part of risk governance.
CI that closes the loop
Do findings (from complaints, incidents, WHS, audits) land on a CI plan with owners/dates—and does leadership review the trend each quarter?
What 3/3 looks like: One CI plan fed by your sources, quarterly review, closures with proof, time-to-close improves.
Know what's the "system of record"
Do you have a clear system-of-record for governance artifacts (where things live, who can access what, retention/disposal rules)?
What 3/3 looks like: One place of truth with role access, an audit trail, and retention/disposal rules you can show an assessor.
From "we saw it" to "we fixed it"
When audits/reviews spot something, does it reliably become an action with an owner/date—and close with proof?
What 3/3 looks like: Finding → action → auto-reminder → escalate (if needed) → evidence-verified closure.