GRC (Governance, Risk and Compliance) isn’t just corporate bureaucracy – it’s your company’s shield against costly surprises. Too many organizations scramble during audits, struggle with scattered risk registers, and face regulatory nightmares that could be avoided.
Watch the full video above to see exactly how to implement GRC and how a pharmaceutical manufacturer did it using Jira and SoftComply tools.
What GRC Actually Means (And Why You Should Care)
GRC is a top-down strategic framework that ensures organizations manage risks effectively while aligning them with business objectives and regulatory requirements. Think of it as protecting your business while enabling growth.
Without proper GRC, companies face siloed decision-making, hidden risks, and costly surprises like failed audits, data breaches or product recalls.
Regulators today aren’t just recommending GRC – they’re expecting it. The consequences of not having it can be severe: warning letters, hefty fines or losing your customers’ trust.
Seven Warning Signs You Need GRC
If you are wondering whether your organization needs GRC (or needs to improve the one it already has), here are the seven most common red flags:
1. Spreadsheets Everywhere
If risk registers, compliance checklists and audit logs are scattered across endless Excel sheets or SharePoint folders, that’s a clear sign of inefficiency and lack of oversight. You can’t track ownership of risks, updates get lost and audits turn into fire drills.
2. Last-Minute Audit Panic
If your team scrambles to collect evidence right before an audit or inspection, it means compliance isn’t integrated into daily workflows. GRC should be proactive, not reactive.
3. Policy Blind Spots
Employees aren’t sure which version of a policy is current or which training records are incomplete. This usually signals weak governance and creates real compliance risks.
4. Siloed Risk Management
Does IT manage cyber security risks in one system, QA track quality risks elsewhere and operations keep its own risk list, while management has no consolidated view? This fragmentation leaves the company blind to cross-functional risks.
5. Repeated Incidents or Near-Misses
If the same types of issue keep recurring (security breaches, quality defects, missed deadlines), it is often a sign that your risks aren’t being systematically identified, tracked or mitigated.
6. “Compliance Theatre”
When compliance feels like a box-ticking exercise instead of a meaningful process (for example, documents are signed but never read, or risk controls exist only on paper), that is a warning that GRC is being treated as an afterthought rather than as a framework.
7. No Leadership Visibility
If management asks: “What are our top 5 risks right now?” and it takes days (or weeks) to pull together an answer, that’s a strong signal GRC isn’t functioning as it should.
In short, if your company feels like it’s constantly firefighting and struggling to connect governance, risk and compliance into one view, it’s time to either implement GRC or strengthen the one that you have.
How to Implement GRC in Jira and Confluence
Most companies still manage GRC through spreadsheets or siloed tools. This approach creates blind spots and slows down teams. Instead, you should bring GRC into the same environment where your teams already collaborate every day, like Jira. With the SoftComply Risk Manager Plus app, you can embed risk assessments, compliance tracking and governance activities directly into your workflows. No more disconnected spreadsheets or scrambling before audits.
The following is a classical 7-step GRC framework, grouped by stage, together with the Atlassian tools and apps (shown above the steps) that support its implementation:
Planning & Documentation Stages (Steps 1-3):
- Confluence Cloud for documentation and policy descriptions
- SoftComply Document Manager to track approved documents and identify outdated ones
Project & Risk Management Stages (Steps 4-6):
- Jira for project management
- Jira Goals for aligning risks to goals
- SoftComply Risk Manager Plus for strategic and operational risk management
Performance Evaluation & Improvement Stages (Steps 6-7):
- Jira and Confluence Cloud with SoftComply apps for reporting
- SoftComply Static Snapshots for baselining
A Real-World GRC Implementation in Jira
Let’s walk through a practical use-case of setting up and implementing a GRC program in Jira.
A large pharmaceutical company, Pharma Global, with multiple factories across 4 countries, was struggling with disconnected risk registers and no consolidated visibility into operational, IT and compliance risks. Regulatory complexity was rising alongside an increasing rate of inspections and growing cyber threats.
Their objective was to improve quality and cybersecurity and to lower regulatory risk across their various sites, while maintaining site-level accountability and enabling real-time risk oversight at the executive level. In other words, they aimed to establish a centralized Governance, Risk, and Compliance (GRC) framework to get there.
Step 1: Define Your GRC Scope
Pharma Global started by clarifying the scope of their GRC initiative: an enterprise-wide initiative, rather than one limited to a specific business unit or set of key processes, because they wanted to harmonize operations across the whole organisation.
They also established the boundaries from the beginning, i.e. they introduced the compliance goals and organizational policies that would apply across the organization.
Their goal was to introduce an enterprise-wide risk taxonomy covering their supply chain, data integrity, product quality and regulatory compliance. To that end, they specified that GxP, GDPR, ISO 22301, NIS2 and ISO 27001 requirements, as well as internal policies, needed to be harmonized across their factories.
Step 2: Appoint GRC Stewards
Pharma Global assembled a cross-functional GRC steering committee including people from compliance, IT, operations, quality and executive leadership. Each member had decision-making authority together with the necessary resources to manage risks in their area.
Additionally, each factory had its own GRC lead who coordinated local risk programs and reported to the steering committee. The committee conducted periodic audits and maintained organization-level risk dashboards.
Step 3: Map Governance Objectives and Compliance Requirements
In this step, they identified all relevant compliance requirements: GxP, GDPR, ISO 22301, NIS2 and ISO 27001.
They moved all document control and training processes to a Confluence-based QMS to standardize operational quality management across regions.
They established an integrated audit calendar covering GMP, cyber security, business continuity, and health and safety reviews.
Each factory was to regularly perform business impact analysis and risk assessment aligned to ISO 22301.
Risk scores and mitigation plans were tracked in Jira using the SoftComply Risk Manager Plus and each deviation or CAPA was linked to a global compliance dashboard in Jira.
Audit logs were to be continuously tracked and compliance metrics regularly reviewed (e.g. audit findings resolved), and all relevant information was to be maintained in real-time oversight dashboards in Jira.
Step 4: Conduct Risk Identification Across Domains
Pharma Global implemented GRC in Jira using the SoftComply Risk Manager Plus to conduct comprehensive risk identification. They started by identifying risks of various types: strategic, operational, financial, legal, security, third-party and reputational risks.
They built a comprehensive risk catalogue using sources like audit findings, self-assessments, incident history, stakeholder interviews and regulatory updates.
They used custom fields in Risk Manager Plus on Jira Cloud, including select lists for their different risk categories and risk sources across their various sites. This later allowed them to sort and filter their results easily.
Step 5: Assess Risk Impact and Align to Strategic Objectives
Pharma Global conducted risk assessment first assuming no controls were in place to get their inherent risk values. They evaluated inherent impact and likelihood of each risk to get the inherent risk score.
Using Risk Manager Plus, they also defined risk iterations, i.e. the successive assessments of each risk. After each annual review, they added the next review date directly into the risk table view, with columns for the next annual review date, risk impact, risk likelihood and risk score for that review.
Step 6: Analyze Root Causes
Once the risks were assessed at Pharma Global, the underlying cause for each high-impact risk was analysed. Gap analysis was conducted to determine where governance and compliance frameworks were deficient.
In Jira, custom fields were created for entering the root causes. At Pharma Global, they set up a predefined list of root cause categories as a select list. These predefined categories helped harmonize data across the entire organization.
Step 7: Prioritize Risks Using Heat Maps
Based on the risk impact and likelihood, risk scores were generated automatically and mapped against the organization’s risk appetite as defined in their heat map.
In the Risk Manager Plus, Pharma Global customized their risk model to be a 5×5 risk matrix. They provided clear descriptions for each risk characteristic (both impact and likelihood) and defined specific actions for risks in each category. This gave their teams clear guidance on exactly what to do once a risk was classified at a certain level.
Step 8: Develop and Implement Mitigation and Governance Actions
For all high risks, the teams at Pharma Global designed robust interventions to:
- Strengthen internal controls (e.g., segregation of duties, policy enforcement);
- Roll out governance mechanisms (e.g., governance committees, oversight reporting);
- Update policies, procedures and training materials;
- Automate risk monitoring through GRC technologies.
The team made sure there was clear accountability and a timeline for each action that helps mitigate a risk.
In Jira, they used a free-text custom field for the Mitigation Summary and created Tasks in the relevant Jira projects, assigning an owner and a due date to each risk control. Tasks were linked to Risks using Jira issue links.
Step 9: Monitor Residual Risk and Compliance Effectiveness
After implementing risk controls, residual risk levels and compliance status were reassessed.
Metrics about control effectiveness, audit findings, incident trends and regulatory updates were tracked to validate progress. In case of any inefficiency, governance and risk approaches were adjusted.
In Jira, Pharma Global teams defined the frequency of reviewing their risks inside the Risk Manager Plus. To plan in advance, they added a Review Date (custom Date picker field in Jira) and also added an appropriate name for the next Risk Iteration to their Risk Model (iteration name was updated to the next risk review time).
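The scoring and review logic of Steps 5, 7 and 9, written out as an added Python example (not SoftComply’s code and not Pharma Global’s actual model): a 5×5 matrix, appetite bands with a defined action per band, inherent versus residual scoring, and a cross-site filter for risks that remain critical. The band thresholds, actions, issue keys and site names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed 5x5 model: (upper score bound, band, action); illustrative values only.
RISK_BANDS = [
    (4, "Low", "Accept and re-check at the next review iteration"),
    (9, "Medium", "Owner creates a mitigation task with a due date"),
    (15, "High", "Steering committee review; mitigate before the next iteration"),
    (25, "Critical", "Executive escalation and immediate containment plan"),
]

def risk_score(impact: int, likelihood: int) -> int:
    # Impact x likelihood on 1-5 scales; the 5x5 matrix yields 1..25.
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must each be between 1 and 5")
    return impact * likelihood

def classify(score: int) -> tuple:
    """Map a score to its appetite band and the action defined for that band."""
    for upper, name, action in RISK_BANDS:
        if score <= upper:
            return name, action
    raise ValueError(f"score {score} is outside the 5x5 matrix")

@dataclass
class Risk:
    key: str            # hypothetical Jira issue key
    site: str
    category: str       # select-list value, e.g. "security"
    impact: int         # inherent impact, assessed with no controls in place
    likelihood: int     # inherent likelihood
    residual_impact: Optional[int] = None      # set only once controls are reassessed
    residual_likelihood: Optional[int] = None
    def inherent(self) -> int:
        return risk_score(self.impact, self.likelihood)
    def residual(self) -> int:
        # Until controls are reassessed, residual equals inherent: a control that
        # exists only on paper must not lower the score.
        if self.residual_impact is None or self.residual_likelihood is None:
            return self.inherent()
        return risk_score(self.residual_impact, self.residual_likelihood)

def critical_risks(register: list) -> list:
    """Cross-site filter for risks whose residual score is still Critical."""
    return [r.key for r in register if classify(r.residual())[0] == "Critical"]

REGISTER = [  # constructed sample register spanning two sites
    Risk("RISK-1", "Site A", "security", 5, 4),                # not yet reassessed
    Risk("RISK-2", "Site B", "quality", 4, 4, 2, 2),
    Risk("RISK-3", "Site B", "supply chain", 5, 5, 5, 4),
]
```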
Step 10: Document and Maintain the GRC Framework
Finally, since one of Pharma Global’s goals was to keep detailed records of governance policies, risk registers, compliance matrices and audit logs available to everyone in the organisation, they decided to use Confluence across their different sites and to control documents using the SoftComply Document Manager app.
With the help of SoftComply Document Manager in Confluence, they are now keeping their policies and records of activities close to Jira, and have automated document approval workflows, version control and electronic signatures available within Confluence.
With the help of Quick Filters built in the SoftComply Risk Manager Plus, they can now also stay on top of any critical risks across their various sites at any given time.
Real-World Results That Matter
One year after implementation, Pharma Global reported impressive outcomes:
- Audit readiness doubled across all sites,
- Closing CAPAs took days instead of weeks,
- Cross-site collaboration improved significantly, especially for sharing mitigation strategies and audit preparation.
The key to their success? Management engagement and integration of GRC into tools their teams already used daily.
Start Your GRC Journey Today
The difference between reactive compliance and proactive GRC can mean the difference between scrambling during audits and confidently demonstrating your risk and compliance management maturity.
Ready to transform your compliance from burden to competitive advantage?
Try SoftComply Risk Manager Plus free for a month on Jira Cloud or schedule an intro call with our team.