Risk and Compliance in Small Organisations

Gordon Tan | August 9, 2017

Photo by Stuart Miles via The Stocks

In smaller organisations, there is less focus placed on risk, compliance and security in general. When it comes to IT, there is usually a desire to keep IT-related costs low, and as a result, little emphasis is placed on setting up appropriate controls.

In this post, R&G Technologies Managing Director Gordon Tan shares his thoughts on problems faced by small organisations in managing risk and compliance.

Why do small organisations struggle with managing risk and compliance?

Small organisations commonly start out with basic and limited controls around IT. As the organisation grows, they often try to improve the robustness and resilience of those controls, with varying degrees of success.

In our experience, these organisations are relatively immature when it comes to risk and compliance in IT compared with more traditional areas of the business. Typically, organisations have a better understanding of appropriate risk and compliance strategies for those areas, and execute them better.

Coupled with this, the government is increasing the amount of regulation, and new standards are being introduced right across the sector. For example, with more people moving to the Cloud, the government is putting more regulatory effort into mandating what the Cloud Computing Standards are.

Another example of increasing regulation and standards is that the Department of Employment recently insisted that all organisations working with that department must now be IRAP compliant. That, in itself, creates a whole host of complications and complexity around security, controls and compliance. The Department has said that if organisations are not yet IRAP compliant it will not award them any further funding, nor will they be able to win any more contracts.

As part of the IRAP compliance process, there are accreditations that third-party IT providers need to hold. This would stop an organisation from dealing with an IT services provider unless that provider has the accreditation.

Most risk stems from not having appropriate, quality-assured processes, and the same premise applies in IT. Often IT processes, or the way IT service delivery happens within the organisation, are fairly fluid. Without appropriate IT processes, your ability to manage risk around change and security is extremely limited compared with what you might do in other areas of the business.

How can small organisations overcome these challenges?

It is best to start by engaging at the departmental level with the government. Engage with the departments that fund the organisation, or that the organisation is looking to win contracts from. There are people in those positions whose role is to provide this information and who can point you in the right direction.

Secondly, there are external firms that now specialise in auditing against those requirements, presenting findings and consulting on them. Typically the government will point you to a specific firm if required. Alternatively, firms like R&G Technologies have relationships with most of the auditors and will consult with them and bring them in as needed to assist. Because of the ongoing change within the industry, it often makes sense to go with an IT provider that is aligned with the not-for-profit sector. The organisation benefits from the fact that the IT provider deals with these challenges day in, day out. IT providers like R&G Technologies keep abreast of all of these changes because they have 10, 20, even 50 customers that are experiencing the same challenges.

R&G Technologies is currently working on nine or ten IRAP audits, at varying stages, with different clients, because of the nature of our business and the fact that we specialise in the not-for-profit sector.

In terms of managing risk and compliance in relation to IT processes, it is important that, regardless of whether you use an outsourcer or have an internal IT team, they adhere to some sort of service delivery standard. The most prevalent standard within the IT industry is what's known as ITIL or ITSM.

These processes are designed to reduce the amount of risk associated with IT and to ensure that the IT environment is also compliant. Adopting and following these processes, or ensuring your IT provider follows them, is extremely important. This will ensure that your IT is kept in a reliable state.
