GRC is not a document. It is a posture. Take the 10-question assessment below to find out where your organisation's real exposure is right now.


GRC Cannot Just Be a Tick Box: Is Your Organisation Actually Protected?

Governance, Risk, and Compliance exists in two forms in Australian organisations. The first is a living framework — actively maintained, externally validated, genuinely embedded in how decisions are made and how risk is managed. The second is a document. A policy written two years ago, a framework diagram on an intranet page, a checklist completed at audit time and filed until next year. Most Australian organisations have the second. Most believe they have the first.

The gap between those two things is where incidents happen. It is where regulators find their cases. It is where insurers decline claims. And it is almost always invisible to the organisation until something forces it into the open.

The Distinction That Matters

  • GRC as a document provides the appearance of compliance. GRC as a posture provides actual protection.
  • The OAIC, ACSC, and ASIC have all increased enforcement activity against organisations whose GRC frameworks existed on paper but not in practice.
  • Cyber insurers are declining claims at higher rates where organisations cannot demonstrate that documented controls were actually implemented.
  • Self-assessed GRC maturity consistently overstates actual maturity when independently tested — the gap is typically one to two maturity levels.
  • The 2024 Privacy Act amendments and the Essential Eight 2023 updates have created new obligations that most existing GRC frameworks do not address.

Why Tick-Box GRC Fails When It Matters Most

The appeal of tick-box GRC is understandable. Compliance frameworks are complex, the language is technical, and the practical demands on smaller teams are significant. A checklist that can be completed once a year and filed satisfies the immediate pressure of an audit or a client questionnaire. The problem is that it satisfies nothing else.

When a breach occurs, the questions asked are not "did you have a policy?" They are "was the policy current?", "was it implemented?", "was it tested?", and "who was responsible for it?" An organisation that can answer yes to the first question and no to the remaining three is in a significantly worse position than one that had no policy at all — because the existence of the policy demonstrates awareness of the obligation. The inability to demonstrate implementation demonstrates that the awareness was not acted on.

The Australian Signals Directorate's research on the Essential Eight consistently finds that organisations self-assessing at Maturity Level 2 are independently assessed at Maturity Level 0 or 1 at rates that would surprise most Boards (source: ASD Essential Eight Maturity Model, 2023 update). The same pattern applies to privacy compliance, incident response readiness, and access control. Intention and implementation are not the same thing, and the gap between them is typically wider than leadership believes.

The 10-Question GRC Reality Check

The assessment below is not a comprehensive GRC audit. It is a structured set of questions designed to surface the specific gaps that most commonly exist between documented GRC and actual GRC. Answer honestly. The result will tell you more about your real exposure than most annual compliance reviews.

GRC Reality Check

10 questions. Answer Yes or No based on what is actually true right now — not what you intend to do, not what is written in a policy document. When all questions are answered, your result will appear below.

  1. Does your organisation have a dedicated internal cyber security function or team — not just an IT manager with cyber responsibilities?
  2. Have critical security patches been applied across all systems within the timeframes required by the ASD Essential Eight — within 48 hours for internet-facing services with critical vulnerabilities?
  3. Has your organisation's privacy policy been reviewed and updated in the last 12 months — including against the obligations introduced by the Privacy and Other Legislation Amendment Act 2024?
  4. Do you know — with documented evidence — which third-party tools, trackers and integrations are actively collecting personal information on your website and mobile apps, and where that data is being sent?
  5. Has your incident response plan been tested in the last 12 months through a tabletop exercise or simulation — not just written and filed?
  6. Have the mobile applications your organisation uses — including staff-installed apps on BYOD devices — been assessed for embedded trackers, excessive permissions and cross-border data transfers?
  7. Has your organisation checked whether any of its domains appear in public breach databases — and confirmed that exposed credentials are no longer in active use?
  8. Is Multi-Factor Authentication enforced across all systems that require it — not just email, but remote access, privileged accounts, and critical data repositories?
  9. Has someone outside your internal team assessed your organisation's external security posture in the last 12 months — not a self-assessment, but an independent external review?
  10. Can your Board answer the following three questions right now: What is our current cyber risk rating? What are our top three unmitigated risks? When was our last independent assessment?
Strong Posture

Your GRC posture is considered. Here is what independent validation adds.

A strong set of self-assessed answers is a good starting point. The distinction that matters — to insurers, regulators, and procurement teams — is whether that posture has been independently verified. Self-assessed GRC maturity and externally validated GRC maturity are two different things. BlackFlag Advisory's passive GRC assessment gives your Board an evidence-based external view that no internal review can replicate.

Meaningful Gaps Identified

Your organisation has gaps that create real exposure. Here is what that means.

A mixed result is the most common outcome for Australian organisations that answer honestly. The gaps identified by your No answers are not theoretical — they are the specific areas where incidents occur, where regulators find their cases, and where insurers decline claims. A BlackFlag Advisory assessment will identify and evidence exactly where your exposure is, and give your Board a prioritised roadmap to address it.

Material Unaddressed Risk

Your organisation has material, unaddressed GRC exposure. This needs to be addressed now.

The answers you have provided indicate significant gaps across multiple areas of your GRC posture. These gaps are the kind that create regulatory exposure, insurance non-payment, and reputational harm following an incident. The good news is that they are identifiable, documentable, and fixable. BlackFlag Advisory can surface the full scope of your external exposure in a structured report delivered within seven business days — giving your Board what it needs to act.

What Genuine GRC Looks Like in Practice

Genuine GRC has three characteristics that distinguish it from the tick-box version. First, it is current. Every policy, every framework, every documented control reflects what the organisation is actually doing right now — not what it was doing when the document was written. Second, it is evidenced. For every claimed control, there is documentation, testing records, or observable implementation that can be shown to a regulator, an insurer, or a procurement team. Third, it is externally validated. Someone outside the team responsible for implementation has confirmed that the controls work as described.

Most Australian organisations have none of these three characteristics across their full GRC framework. Many have one. Few have all three. The organisations that do are in a fundamentally different position when scrutiny arrives — and in the current Australian regulatory environment, scrutiny is arriving more frequently and with more consequence than it has at any previous point.

The Internal Cyber Team Problem

Having an internal cyber security function is a genuine asset. It creates ongoing operational security capability, faster incident response, and day-to-day risk management that external advisors cannot replicate. What an internal team cannot do is provide an independent external view of the organisation's own posture. Internal teams assess from the inside out. They know what was built, know what was intended, and are subject to the same blind spots as the rest of the organisation. An external passive assessment of what the organisation looks like from the outside — what a threat actor, a regulator, or a competitor can see — is a different exercise entirely, and one that internal teams are structurally unable to perform on themselves.

This is not a criticism of internal cyber capability. It is a structural reality. The most sophisticated internal security functions in Australian enterprise still commission external assessments, because the value of an external perspective is not in question. For smaller organisations without enterprise-level internal capability, the case is even stronger.

The Honest Question for Your Board

The question every Board should be able to answer is not "do we have a GRC framework?" It is "when was our GRC posture last independently assessed, and what did that assessment find?" If the answer to the second question is "never" or "more than 12 months ago", the first question is largely irrelevant. A framework that has not been tested is an assumption, not a control.

GRC Is Not a Document. It Is a Posture.

A BlackFlag Advisory assessment tells you what your organisation's GRC posture actually looks like from the outside — with evidence your Board can act on and your insurer will accept.

What the Assessment Delivers

Every BlackFlag Advisory GRC assessment maps findings to the ASD Essential Eight, NIST CSF 2.0, ISO 27001, CIS Controls v8, and the Australian Privacy Principles. Your Board receives a structured risk register, framework mapping, and a prioritised remediation roadmap in a single Board-ready report. Fixed price. Delivered within five to seven business days. No systems accessed.