Governance, Risk & Compliance (GRC)

Today’s rapidly changing business and regulatory environment requires thinking about risk in new ways.

Organisations face a range of pressures brought on by the need to balance transformation and creating value with compliance and changing regulation, a fast-moving and unpredictable risk landscape, and growing competition.

Taking an innovative approach to managing and enhancing your governance, risk and compliance activities can help you seize opportunities, stay ahead of uncertainty, and meet stakeholder expectations.

Our Services

Enterprise Risk Management (ERM) 

Enterprise Risk Management remains a complex undertaking for many organisations, and deriving real value from investment in this area continues to be a challenge. Organisations should therefore treat ERM as a core management discipline: one that helps them navigate the evolving landscape in which they operate while enabling meaningful discussion of how to address their overall exposure to risk across the enterprise.

At PwC, we aim to simplify and demystify this process for our clients, with a focus on helping to achieve a principles-driven view of ERM and its practical application, ensuring that organisational activities and decisions reflect risk appetite.

Our services draw upon decades of experience of partnering with organisations of all shapes and sizes. This allows us to bring key insights and benchmarks to bear, so that the ERM systems we deliver are fully bespoke and work in practice while reflecting common good practice and leading approaches.

PwC’s Global Risk Survey 2023

From threat to opportunity: How a tech tipping point is fuelling reinvention, resilience and growth

PwC's Global risk survey 2023 reveals how leading organisations are changing the way they see risk by embracing the transformative power of technology and data in pursuit of opportunity and value creation.

How we can help

ERM establishment and implementation

No matter where you are in your risk management journey, we can support you in setting up or improving your ERM function (in accordance with COSO ERM or ISO 31000) to meet your aspirations for risk management.

As co-authors of the COSO ERM framework, we understand how to adapt ERM principles to suit your unique operating model and objectives. This entails the development of your ERM framework, including the ERM policy, procedures, governance, strategy and risk appetite.

ERM program maturity assessment

We conduct maturity assessments and audits of your current risk management capability, providing you with tailored recommendations in a defined implementation roadmap for taking your ERM function to the next level.

Our PwC methodology assesses your capability in line with leading standards and practices, including ISO 31000 and COSO ERM.


Enterprise risk assessment

Our professionals are highly experienced in the risk management process, so we can implement your framework to help you identify, assess, analyse, treat and monitor your most important strategic risks across the enterprise.

This typically involves the preparation of departmental and corporate risk registers (or risk profiles), in addition to risk reporting and dashboards for Management and Boards.

Risk mitigation analysis

We will support you in identifying your existing mitigation capabilities and opportunities to enhance them. This allows you to understand how effective your current controls are and, where needed, to implement additional controls so that risk is managed in line with your risk appetite and strategy.

Risk appetite development

We support organisations in developing their risk appetite for all categories of risk and in quantifying risk appetite thresholds and risk tolerances. We then help operationalise the risk appetite by developing risk assessment criteria (impact and likelihood criteria) so that it can inform operational decisions.

Key risk indicator development and monitoring

We will assist you in developing a policy for key risk indicators (KRIs) and key control indicators (KCIs), and facilitate the identification and implementation of these indicators.

Awareness and training

We will help you to upskill your current risk management staff or risk champions through formal workshops, digital training modules and on-the-job training to ensure the smooth running of the risk management function.

Risk culture assessment

We will assist you in evaluating your current risk culture through a risk culture survey, desktop research on the organisation's key internal documents relating to risk management in its broader sense, and/or a series of targeted interviews with key risk culture stakeholders across the organisation, covering representatives of all three lines.

We then identify improvement opportunities and recommendations and feed them into a master roadmap: a collection of projects grouped by focus area (or risk category), taking into account your organisation's priorities, capacity and the interdependencies between the projects.

Crisis and Business Continuity Management (BCM)

A crisis can strike at an inopportune moment, when you least expect it. Given the speed of today's business and technology, even a short disruption can have a catastrophic impact on the organisation. While you may not be able to predict a crisis, you can certainly be prepared for one.

BCM is an investment that enables your organisation to turn a crisis into a competitive advantage.

PwC’s Global Crisis and Resilience Survey 2023

The Resilience Revolution is Here: How organisations are adapting to constant disruption by transforming their approach to building resilience

PwC’s Global Crisis and Resilience Survey 2023 is focused on understanding today’s threats and how organisations focus their resources, efforts and investments to become more resilient.

How we can help

BCM framework development and implementation

We offer end-to-end BCM implementation covering the BCM lifecycle in the following phases:

  • BCM framework to govern your organisation's BCM programme
  • Risk assessment and business impact analysis to understand and identify the potential threats and your organisation's critical business activities
  • Business continuity strategy to enable the organisation to resume business operations with the most practical and cost-effective solutions
  • Business continuity procedure to document workable processes to be performed by employees during a crisis. Aside from Crisis Management Plan and Business Continuity Management Plans, we can also assist to develop other contingency plans catered to specific situations to further support your company's BCM programme, such as IT Disaster Recovery Plan, Pandemic Plan, Contingency Funding Plan, Recovery and Resolution Plan and more.
  • Exercising and testing to ensure that the plans and strategies developed are effective and reliable

We can also implement selected phases only, scoped to fit your organisation's objectives and needs.

Incident and crisis management exercises

Putting the procedures and strategies to test not only helps to identify gaps and opportunities in your BCM programme, but also creates awareness among your employees. We offer the following types of exercises and tests:

  • Notification tree exercise
    An exercise to evaluate the effectiveness of the layered hierarchical communication structure practised in your company for crisis communication purposes.
  • Desktop walkthrough exercise
    A facilitated tabletop discussion for participants to walk through the response and recovery actions based on realistic scenarios crafted.
  • Crisis simulation exercise
    An engaging "live" exercise that involves participants in role-playing and interacting with one another to address scenarios crafted for the simulation.

Aside from testing the Crisis Management Plan and Business Continuity Plans, we are experienced in conducting exercises that test various contingency plans, such as the Emergency Evacuation Plan, Crisis Communication Plan, IT Disaster Recovery Plan, Cyber Incident Response Plan and Contingency Funding Plan. We tailor scenarios and materials to help you achieve your exercise objectives and requirements.

BCM maturity assessment

Already have a BCM programme in your organisation but unsure how relevant and robust it is? We offer the following solutions to address these concerns:

  • BCM effectiveness review
    An independent assessment of your organisation's BCM documentation against best practices or relevant standards and guidelines to identify gaps and improvement points. This review can also form part of your organisation's internal audit plan.
  • BCM maturity assessment
    An evaluation to study the maturity of your organisation's existing BCM capabilities against best practices and relevant standards and guidelines.

Awareness and training

While plans and infrastructure are important, the success of your BCM programme depends on your most valuable asset: your people. It is important that your employees are aware of your company's BCM programme and of their respective roles and responsibilities. To help you achieve this, we can conduct customised training workshops or refresher courses based on your objectives and target audience.

Corporate governance

Establish robust governance practices to proactively manage risks and navigate uncertainty.

Good corporate governance is a foundation attribute for a healthy organisation. Not only does it set the tone as to how the organisation operates and behaves both internally and to the market generally, it also defines the relationship between the Board of Directors, Senior Management and the rest of the organisation.

Key corporate governance issues can range from highly strategic topics like corporate strategy, IT oversight and innovation, Board composition and risk oversight to more real-time topics like crisis management and shareholder activism. We support you with the governance knowledge to answer tough questions and tackle complex challenges.

PwC’s 2023 Annual Corporate Directors Survey

Today’s boardroom: confronting the change imperative

PwC’s Annual Corporate Directors Survey has gauged the views of public company directors from across the United States on a variety of corporate governance matters for more than 15 years.

How we can help

Corporate governance assessment for IPO readiness purposes

We will assess the readiness of your current corporate governance practices for an IPO by benchmarking them against leading practices (such as the OECD Principles of Corporate Governance or other relevant international CG standards) and the local regulations applicable to publicly listed companies.

Our opportunities for improvements and recommendations will be tailored to the organisation's business context considering cost-benefit matters.

We also provide IPO services, supporting your IPO journey from end to end.

Audit Committee

We have extensive experience in assisting Audit Committees in different industries. We understand the legislation, know the classic pitfalls and provide bespoke advice on how leading practice should be applied in each organisation. 

We can help you with:

  • The committee's mandate, role and annual plan
  • Scope and content of Management's reporting to the Committee
  • Competence building in accounting rules and financial reporting
  • Competence building in internal audit, risk management and internal control

Evaluation of the Board

We help you conduct reviews of your Board to determine its effectiveness in performing its duties. We tailor our review approach to your specific circumstances and work with you to plan a review that takes into account your business, its environment, and more.

Our review of the board goes beyond the boardroom to include other stakeholders’ perspectives in understanding the true impact of the board’s activities.

Board induction and development

An effective induction supports new directors by providing them with the information about the organisation they need to become effective in their role as quickly as possible.

It is also important that the directors continue to be informed of their duties and relevant regulatory changes in order to sufficiently discharge their fiduciary duties.

We can design and deliver an induction and training programme tailored to your organisation's culture and informed by leading practices.

Regulatory and corporate compliance

We understand the broad and complex nature of the changing compliance climate and the resources required to effectively manage these regulatory and corporate compliance obligations. We are cognisant of global practices while applying a localised lens to how compliance management should be operationalised.

We help our clients review their compliance set-up and ecosystem, from identification and assessment through monitoring and response to reporting, ensuring that it is aligned with the accountability structures in the organisation.

Compliance. Transformed.

Shifting compliance activities away from imposing high costs on customer experience, finances and culture, and towards building trust, enhancing resilience with technology and supporting competitive advantage.

How we can help

Compliance function review/operating model

The compliance function, as the second line of defence, needs to be equipped with the right mandate and resources to undertake its role effectively. Often the expectations or mandate are unclear and misaligned with the organisation's business strategy. We help clients assess the compliance function set-up and the wider compliance operating model, customised to the needs of the organisation. This covers, amongst others, the assessment of:

  • Compliance strategy and how it relates to the business
  • Structure of compliance ownership across the three lines of defence
  • Level of compliance processes institutionalised and understanding interdependencies
  • Enablement of technology and digitisation in the compliance value chain
  • Competency requirements and measures to inculcate desired behaviours

Regulatory gap assessment review

We help our clients undertake specific regulatory and compliance reviews on domain subject matters (e.g. AML/CFT, ISO standards, MACC Adequate Procedures) and design remediation programmes to address the gaps identified.

Compliance risk assessment model

Organisations need to understand and appreciate their regulatory and compliance obligations to facilitate business practices. They dictate the planning and execution required to ensure compliance with the relevant standards.

We help our clients define the mechanism and process in identifying the compliance universe, applying it in the context of the organisation, monitoring and reporting of these requirements. Our compliance risk assessment model has been designed to:

  • Scan the compliance and regulatory universe
  • Function as a centralised repository and the core source of compliance information
  • Apply a risk-based approach to prioritise the regulations that matter most to the organisation and where resources should be focused
  • Translate regulatory and compliance requirements into reporting dashboards to monitor compliance risk

Sarbanes-Oxley compliance

Opportunities to reduce costs and improve compliance

Given the current market situation and the continuously changing regulatory environment, a company that intends to go public, or has recently done so, should consider the latest trends in investors' attitudes. Beyond business and financial performance, other aspects of Sarbanes-Oxley (SOX) compliance, such as the company's governance, risk and compliance (GRC) approach, underpin its public image and may inform the decisions of potential investors.

The first challenge to overcome when complying with SOX or related regulations (J-SOX, K-SOX, C-SOX) requirements, is the transition from the informal control environment of a private entity to a standardised and well controlled environment. SOX, J-SOX, K-SOX or C-SOX are not just bureaucratic requirements, but also an important tool for Management to formalise processes and establish adequate mechanisms that will enhance operational efficiency.

PwC assists and supports clients by:

  • Delivering customised, interactive training programs and workshops focused on the familiarisation of employees with SOX requirements
  • Delivering Risk Assessment /Scoping exercises
  • Assessing the degree of readiness and the level of maturity of company controls in meeting SOX requirements
  • Documenting key business processes (through narratives / flowcharts / risk matrices), identifying key controls, performing walkthroughs and assessing the design effectiveness of controls, based on PCAOB standards and the COSO framework
  • Testing the operating effectiveness of company controls
  • Evaluating identified deficiencies and providing recommendations for improvement


PwC's Digital SOX

The compliance program of tomorrow, today

In many organizations today, most SOX activities are performed manually, and for many the process is significantly inefficient and resource intense. PwC continues to invest in building the tools, methodologies, and digital assets to digitize SOX, from scoping through reporting, supported by our Acceleration Centers. Save yourself time and resources by leveraging our ready-made investments in delivering SOX.

Policies and Procedures

Policies and procedures are a fundamental and essential part of any organisation. Together, they provide a roadmap for day-to-day operations by setting out control activities, expected standards and key staff responsibilities. Robust policies and procedures help keep your organisation compliant with laws and regulations, support profitability and enable sound decision making.

At PwC, we build tailored solutions to help our clients achieve their strategic ambitions, reflecting their uniqueness but also grounded in rigorous analysis and data-driven insight, to create lasting, differentiated value.

How we can help

  • Develop a governance framework to enhance internal controls and ensure alignment with the business strategy.
  • Formulate departmental and functional policies that define the standards, rules and conditions for conducting key business activities.
  • Recommend 'best-fit' process management tools and technology platforms in line with the organisation's needs, and support their implementation.
  • Develop business process maps and operating procedures to define activity workflows and responsibilities.
  • Develop assessment reports which outline opportunities for improvement.
  • Drive a culture of continuous improvement by setting up the organisation's process management function and training relevant stakeholders.

Governance, Risk and Compliance (GRC) Enablement Solutions

Implementing a suitable Governance, Risk and Compliance (GRC) framework enables organisations to identify approaches that contribute to process efficiency, improved risk management and stronger internal controls.

Contact us

Xavier Potier

Partner, Risk Assurance Services Leader, PwC Vietnam

Tel: +84 28 3823 0796

Pham Hai Au

Director, Risk Assurance Services, PwC Vietnam

Tel: +84 24 3946 2246