The ORC model

ORC model icon

Published as a whitepaper by the Institute of Internal Auditors (IIA), Australia in June 2021.

This article provides organisations with a model from which to build a comprehensive obligations register.

The Issue/Problem

Type ‘obligations register’ into an internet browser and most of the results focus on legal obligations, ignoring all the other obligations in the obligations hierarchy yet according to Deloitte, complying with public sector rules is only 38% of the total picture.

The Solution

An extensive analysis of over 20,000 documents across multiple industries and all sizes of organisation revealed patterns in operational obligations and compliance documents. This has been developed into a simple 3D model that characterises obligations, risk and compliance as equal and orthogonal issues.

The ORC model provides organisations with a framework from which they can build a comprehensive obligations register, a vital GORC (governance, obligational awareness, risk management and compliance administration) tool.


  • AICD – Australian Institute of Company Directors
  • FinGORC – Financial governance, obligational awareness, risk management and compliance administration
  • GORC – Governance, obligational awareness, risk management and compliance administration
  • NFP – Not for profit
  • OpGORC – Operational governance, obligational awareness, risk management and compliance administration
  • SDS – Safety datasheets, previously known as Material Safety Datasheets (MSDS)
  • WHS – Workplace Health and Safety


Every organisation must comply with the mandatory governmental statutory and regulatory obligations imposed by federal, state and local government. Each organisation should also meet the voluntary obligations imposed by

the best practices and self-regulation of the industry they are operating in, stakeholder expectations, shareholder expectations, ethical considerations, and asset maintenance obligations.

An organisation’s obligations start at the top, with corporate governance and the risk appetite statement. This cascades down to risk management, requiring the application of a range of tools and models, the result being a library of procedures (controls) and forms.

FinGORC has evolved standards and models to deal with  all the financial obligations. OpGORC does not have these centuries-old structures in place and compared to FinGORC, is relatively immature. OpGORC can, however, learn from FinGORC and develop similar standards and models like ISO 37301 Compliance management systems.

Until now, OpGORC has been missing the first step, a practical model, without which the rest of the structure is unstable.

FinGORC has its chart of accounts, ‘a digestible breakdown of all the financial transactions that a company conducted during a specific accounting period, broken down into subcategories.’ OpGORC needs a similar digestible breakdown

The Problem

A 2014 Deloitte report shows that administering and complying with rules consumes 16% of a company’s resources. A 2020 report by the Competitive Enterprise Institute states that federal regulation is estimated to cost the US economy over $1.9 trillion or just under 9% of total GDP, excluding the costs of state and local regulation.

What’s worse is that, according to Deloitte, 62% of red tape is self-inflicted through generations of internal policies and procedures implemented to manage risk. Yet, even after spending large amounts of money, almost no business actually knows how compliant they really are.

Trying to deal with operational risks in one simple list creates confusion and frustration. WHS and other operational risks include both regulatory and non-regulatory requirements and the regulatory bias means organisations lose sight of non-regulatory risks that can also lead to death and injury.

Right down the organisation, managers are struggling with operational compliance. It is a vast and messy subject covering every risk from WHS, product safety and food safety to fire safety in the properties that house employees, customers, contractors and visitors. The operational risks of failure are significant. They include death and injury, criminal convictions, fines, business disruption and reputational damage, all leading to a loss of customer trust, lost productivity, and lost revenue, right through to the complete failure of a business. In the US finance sector alone, non-compliant firms were subject to $3.945 billion in penalties and another $794 million in judgements related to SEC investigations and complaints, while FINRA imposed $61 million in fines. The effect on business disruption, lost productivity, loss of trust is even higher. On a global scale, the numbers are truly staggering.

In 2010, over 227 senior managers globally were surveyed, asking them if they felt they were fully aware of all their legal and regulatory responsibilities; 64.2% responded that they were unsure or only partially aware of such obligations.

The real problem is that executives and managers do not have a model to help them work out what they are supposed to be doing. As a result, there are no reliable reports to state if a business is compliant or non-compliant.

The ORC Model

Managing thousands of compliance documents has given me a unique perspective on OpGORC. Patterns emerged, leading to the realisation that operational obligations, risk and compliance are equal and orthogonal to each other.

The term GORC comes from governance, operational awareness, risk management and compliance administration – four equal, co-dependant, but separate disciplines.

AICD defines corporate governance as ‘a broad-ranging term which, amongst other things, encompasses the rules, relationships, policies, systems and processes whereby authority within organisations is exercised and maintained.’

This model focus on the three other dimensions of GORC that sit under corporate governance.

GORC Cube version 2
The Z-axis: the six plus six classes of compliance

Every single internal compliance document, irrespective of industry or subject matter, falls into one of six classes where each class describes an entity:

Classification Documetns that: For example
have someone’s name on it
training records, trade qualifications
refer to a whole property
ISO certificates, food safety certificates, annual fire safety certificates
refer to an asset within a property
maintenance records, installation and commissioning records, repairs
relate to a product manufactured by the company
homologation certificates, product safety certificates, test results
are contract or project specific
contract specific insurance, contract terms
refer to the whole company and cover everything else
liability insurance, policies, procedures

This categorisation of compliance into six classes provides the first axis of the model.

Even when looking externally at the compliance administration of suppliers, contractors and the organisation’s supply chain, the same classes apply.

From a practical perspective, it is best to maintain the split between internal and external compliance administration, resulting in twelve classes of compliance documents;
six classes for internal compliance administration of the organisation and six classes for external compliance administration of the organisation’s supply network.

An additional benefit of this approach is that it can be used for all levels in the supply chain and network, not just direct suppliers. The same approach can be used for sub-sub- contractors or sub-sub-sub-suppliers, e.g. Modern Slavery obligations, paddock to plate tracking requirements and chain of responsibility legislation.

My organisation and.. My supply network and..
my staff
their staff
my properties
their properties
my assets
their assets
my products
their products
my contracts
their contracts (with their suppliers in my supply chain)
my company
their company
The Y-axis: the obligations hierarchy

Analysis of over 20,000 compliance documents and their root causes exposed an obligation hierarchy based on the potential impact on an organisation. This hierarchy is summarised below and is discussed in more detail in the ‘The Obligation Hierarchy

Obligation hierarchy in full
Hierarchy Description
Governmental obligations include all international, federal, state and local government statutory and regulatory obligations where non-compliance with legal obligations can result in fines, penalties and even prison terms.
Obligations an organisation imposes on itself to ensure continuity of its business or those events that would have a critical impact on the business and impair its ability to continue operating.
Obligations driven by best practice and international, national or industry standards (most of which are not legal obligations) and contractual obligations
Driven by changing societal pressures, organisations may also impose ethical obligations on themselves such as equal pay for all genders, ethical sourcing policies, gender and race board diversity, etc.
Mainly driven by economic or brand issues
Obligations that fall into the ‘we’ve always done it this way’ basket or red tape.
The X-axis: risk topics

As compliance is a whole-of-business problem, the same risk topics are discussed by different managers, but from slightly different perspectives. Contractor WHS for the WHS manager means something different to contractor WHS for the procurement manager and again for the facility manager, but the same compliance documents are required by each.

There is a similarity of risk topics by job title. Facility managers in mining have the same risk concerns as facility managers in hotels. The fine details are different, but the underlying GORC issues are the same, i.e. maintenance schedules, fire safety, contractors WHS safety, SDSs, contractual conditions, etc. The major differences become obvious when looking at regulatory compliance: industry-specific regulations for mining, agriculture, aged care, education etc. and regulatory exemptions or different regulations for NFPs and small businesses.

FinGORC has solved this problem through the use of the company-wide chart of accounts. Within broad headings, each organisation creates its own charts to provide a hierarchy that allows an organisation to drill down to the fine financial detail. This financial drill-down capability is exactly what is required for risk topics like WHS, which have multiple sub-topics.

The AICD Company Directors Course splits risk into three main topics: financial risk, strategic risk and operational risk. The ORC model has been developed for operational risk, and from this perspective, risk topics fall into three broad themes:

  • By size and type of business. Small businesses may be exempt from some regulatory requirements or have low usage assets that don’t need to be maintained as often. Not for Profits have different reporting requirements as well.
  • By industry. Some risks are specific to an industry, especially highly regulated industries such as education.
  • By subject matter. Many operational risks are present in every organisation, e.g. workplace health and safety, while others are unique to a particular sector, e.g. food safety. To make things more complicated, each operational risk has multiple sub-topics.

Crafting the risk axis profile is best done department by department, each adding to the collective risk profile of the organisation.

How to use the ORC model to build an obligations matrix

If we expand the model to expose the details, we have twelve classes of compliance down the Z-axis, six levels of obligation along the Y-axis and n risk topics along the X-axis.

ORC model grid

Each cell in the model now represents the question

What are our [y] obligations under the risk topic [x] for compliance class [z]

Looking at the top sheet of the model, the governmental obligations, the cells represent internal obligation questions like:

  • What are our statutory and regulatory obligations under the risk topic of food safety for compliance class my properties?
  • What are our statutory and regulatory obligations under the risk topic of WHS for compliance class my staff?

and for external obligations the questions related to suppliers would be:

  • What are our statutory and regulatory obligations under the risk topic of fire safety for compliance class their products

and going back through the obligations axis, the cells pose questions like:

  • What are our discretionary (asset maintenance) obligations under the risk topic of fire safety for compliance class my properties?
  • What are our ethical obligations under the risk topic of bribery and corruption for compliance class my staff?

Some cells will provide true negatives. An organisation may not have any critical obligations under the risk topic of child safety for compliance class my properties. These true negatives remove a lot of guesswork and provide positive proof that there are no obligations in this area.

Recommendations and Conclusion


Recommendation 1: That in the same way directors are expected to be financial literate, directors ensure they are operationally literate by making use of the ORC model, become aware of all the risk topics, discuss obligations in terms of the obligation hierarchy and measure compliance in terms of the compliance classes.

Recommendation 2: That internal auditors collaborate with risk and compliance managers to use the ORC model and the recommended questions to build a comprehensive obligations register that covers all of an organisation’s obligations, not just the legal obligations.


By applying the ORC model, Internal Audit will have a foundational structure similar to a financial chart of accounts; that is, a digestible breakdown of all of the organisation’s obligations broken down into subcategories. This foundation will provide the basis for further tools and standardised reporting.


AICD Company Directors Course Day 3 Risk and Strategy

Get out of your own way: unleashing productivity’, Deloitte, (Nov. 2014)

Great tips to reduce risk of the unknown-True Negative statements’, Strytex, (8 Feb. 2017), 

Dalton-Brown, ‘GORC – the new and improved model, with added O’, April 2021

Dalton-Brown, The Obligation Hierarchy,  April 2021

Role of the Board’, Australian Institute of Company Directors, accessed 22 April 2021

Supplier Compliance Management Survey’, Strytex, (May 2010), accessed 22 April 2021

Ten Thousand Commandments 2020, An Annual Snapshot of the Federal Regulatory State’, Competitive Enterprise Institute (CEI), (May 2020) 

‘Chart of Accounts’, Investopedia, 


My thanks to Andrew Cox and Michael Parkinson of the IIA who helped edit the IIA Whitepaper.

Table of Contents

Nigel Dalton-Brown, GAICD, AMIIA, MBA

Managing Director, Chair, Speaker, Lecturer, Author

Nigel is the Founder of Strytex and has been presenting and writing on Goverence, Obligational Awarenss, Risk Management and Compliance administration (GORC) since 2010.

Leave a Comment