GRC Maturity Self-Assessment
Score your organisation across governance, risk, compliance, data privacy, cyber and business continuity. Choose Quick (3-tier, 15 questions) or Deep (CMMI 5-level, 25 questions).
Governance
Does your board (or risk committee) receive a structured risk report at least quarterly?
Are roles & responsibilities for GRC documented in a current accountability matrix?
Is there a documented risk appetite statement endorsed by the board?
Risk
Is there a single risk register that consolidates risks across business units?
Are key risks tied to identified treatments with named owners and target dates?
Are emerging risks (geopolitical, AI, climate) actively scanned and added to the register?
Compliance
Is there a current obligations register mapping every regulator to internal owners?
Are regulatory changes monitored proactively (horizon scanning)?
Are control breaches/issues centrally tracked to closure?
Cyber
Has your organisation completed a vulnerability assessment and penetration test (VAPT) within the last 12 months?
Is there a documented incident response plan tested at least annually?
Are vendor cybersecurity assessments performed before onboarding and repeated annually thereafter?
BCM
Does a Business Impact Analysis exist for all critical processes?
Have business continuity / disaster recovery (BC/DR) plans been tested in the last 12 months?
Are recovery objectives (RTO/RPO) defined for critical systems?