Governance, Risk and Compliance (GRC) Solutions


We serve businesses, business owners, board members, investors and lenders.

Businesses

At McAlan our attention is most often focused on businesses. Many companies, especially smaller companies, treat risk management as an afterthought, to be handled by an in-house functionary as part of an annual insurance review. However, as shown in this website, risk management is much more than that.

Risks come in many sizes and flavors, including well-understood risks, like premises and product liability, and more esoteric risks, such as cyber risk. We will not list all the kinds of risks a company may face — a tall if not impossible order — but here are two especially worth remembering:

  1. Mission failure. All businesses are created with a mission in mind, so there are always risks of mission failure.
  2. Inadequate risk management. Those in charge, from the board down through lower middle management, are graded in part by how they manage risk.

Investors

Investors want the companies they invest in to be valuable and increase in value over time, and they certainly don’t want to be seen as having made a foolish investment. Assessing the downside is equally if not more important than perceiving the upside.

Business Owners

Business owners want their companies to be healthy and profitable. Business owners often also want their companies to be saleable to potential buyers for a good price, pursuant to a carefully prepared exit plan, or even in a forced sale. A risky business is a less-valuable business, and it can be unsaleable at any price. Accordingly, GRC management deserves high-level attention from business owners.

Acquirors of Businesses

Acquirors want a good “acquisition experience”. Experienced professional investors typically expend considerable effort in due diligence to help form their baseline expectations, the amounts they are willing to pay, and the terms and conditions of buy-sell agreements, including reps and warranties insurance. However, due diligence often misses risks, and rarely takes account of a company’s risk management program or competencies, or the adequacy of the target’s business insurance.

Risk management is equally or more important post acquisition, to uncover previously unrecognized risks, to make systematic improvements, and to enhance the value of the acquired company.

Board Members

Boards of directors should be actively involved in their companies’ management of GRC (governance, risk and compliance). Governance is a board’s fundamental role, and most directors know that. They may not be as aware of a board’s duties with respect to risk management, which requires, initially, getting a basic awareness of the company’s risk profile, and then creating a legal and practical framework for eliminating or mitigating risks. That requires allocation of responsibilities and lines of communication, monitoring and periodic top-down review. The policy should provide guidance on board involvement in the event of a crisis.

Board members also need to be informed of their legal and reputational risks. Surprisingly, most board members are not aware of the ins and outs of directors and officers insurance policies, or that the coverage may be less protective than they thought.

Lenders

All lenders know that poorly governed, high-risk and/or non-compliant borrowers can be problematic.

We can help lenders on all matters pertaining to risks, including assessments of potential customers’ GRC programs.

What We Provide

GRC (Governance, Risk, Compliance)

Governance, risk and compliance are three sides of a triangle, equally important. We keep that in mind at all times, and our services are conceived and tailored accordingly.

Assessments of vulnerabilities and solutions

The beginning point of risk management is a survey of all aspects of a company to identify risks and assess their significance. We have a unique tool to help C-suite executives and board members make an initial assessment of risks. If the company is ready to proceed, we work with management to dig deeper to find all the material risks and rank them in terms of impact and probability.

With a risk assessment in hand, the company is ready to develop strategies to deal with specific risks and to work with management to create policy and an overall risk management program.

Our solutions include:

    • Legal solutions
    • Insurance
    • People solutions
    • Creative risk transfer arrangements

Board-level assistance

Risk management is increasingly recognized as a matter for boards of directors and trustees. We can assist your board in establishing policies, committees and procedures, and in connection with periodic risk management reviews.

We also provide advice and solutions regarding Board Member Liability for all matters, including the failure of the board to discharge risk management duties.

Risk management processes and systems

We have procedures and systems for overall risk management, and we can assist in selecting systems to deal with particular matters.

Risk management advice

We stand ready to advise you on your risk management concerns.

Ask yourself: How good is my company’s risk management program or department?

Due Diligence Services

We are available to be your risk advisor, including helping you find the right resources to meet your specific needs.

Crisis management services

Crises are often outside of anyone’s control. “Crisis management” therefore can be as much about crisis response as it is about management. We draw upon all our resources to get crises resolved as well as possible.

Our Approach

Our services and systems are based on (i) the GRC (governance, risk, compliance) model of OCEG and (ii) our belief that GRC should be driven by ultimate decision makers — those who bear ultimate responsibility.

Our approach is comprehensive. We look at the vertical, horizontal and contextual aspects of an organization. We see how governance, risk and compliance considerations interact and how purported solutions can create their own problems.


[Diagram] Multiple perspectives and related competencies are needed for effective risk and crisis management.

Each of the element-boxes in the diagram is discussed below.

Legal

McAlan brings legal expertise and experience to assess a client’s legal needs and counsel a client accordingly. The basic requirement here is legal education and training, supplemented by experience, handling compliance with laws and regulations, and managing disputes.

Every contract creates risks. McAlan can be helpful in connection with Contract Lifecycle Management (CLM), which covers the various stages in the life of a contract, beginning with negotiation, through performance, and post-performance/termination matters. CLM can be the domain of the legal department or some other department and/or shared.

Insurance and risk transfer

Insurance is the industry most closely associated with risk management. We have dedicated resources to find the best insurance solutions.

Risk Transfer means contractual shifting of risk from one party to another, most often seen in financial and commodities hedging operations.

Human Resources

Management of human resources is important but too often overlooked in risk and crisis management. An organization is well-served if its people have the psychological and wellness attributes that make them strong and effective in their jobs. We call this “resilience”. We have information and resources available to help your people become resilient. Because resilience is built up over time, long-term programs are helpful. We can help your HR department in that regard.

Education, Training and Engagement

Successful risk management requires education, training, and buy-in/engagement on the part of everyone in an enterprise — as appropriate to their levels of responsibility. McAlan can provide education, training and engagement resources, and can design and/or oversee programs for its clients.


IT and Systems

IT and systems are at the heart of virtually every business. System integrity is essential.

We live in a world of extreme cyber risk. There is simply no excuse for neglecting cyber risk.

Business Owner/Manager and Generalist Work Experience

High-level business experience is invaluable. What is ideal will vary from company to company. Based on what we learn – what the company has and does not have – it may be best to bring in industry or functional expertise or general experience/skills.

Communications, Public/Investor Relations

It is important to have effective communications to manage risk and even more so to respond effectively to a crisis. These communications can be inward-facing or outward-facing – directed to suppliers or customers, or to “the court of public opinion”.


Financial Resources

Financial resources are of course essential. Cash flow is what keeps a business going.

Our founder worked on Wall Street as an investment banker and ran the corporate finance department of a regional investment banking firm.

Our analysis often includes an assessment of a company’s financial needs and resources. Although a company may have solid financial management, in a crisis, new perspectives and resources may be required, and we can help arrange for that.

C-Suite/Board “People Solutions” Expertise

An organization needs to know what needs to be done and have the right people in charge of all functions. Those people can be in-house, full-time or fractional, part-time, outsourced, or employed in other creative ways.

Many companies do not have a risk management department or even a risk management program. Finding and/or arranging for the right people is important.

We have dedicated resources to deliver “people solutions” for your risk management program or department.

Just as resilience is desirable in a company’s workforce, in a time of crisis it can be essential in the C-suite – or for a company’s owner(s). We can arrange for individual counseling and coaching.