QC3 or QC Three product logo

Enterprise Risk Management solution, digitally integrated across all three lines of defence

QC3 digital enterprise risk management vs business delay
Risk is only a “trusted advisor” to an organisation, when it is supported with comprehensive, digitally integrated assurance tools

Audit functions can be more efficient and deliver richer insights with greater depth when your organisation is Audit Ready and Regulator Ready every day

Red Flags are opportunities to shape and improve risk and control environments when organisations are supported with integrated improvement frameworks and tools




Device Agnostic
Assurance Schedules
Centralised Management
Data Visualisation



Risk and Control Library
Issues and Incidents
End to end Assurance
On Demand Analytics



Microsoft Azure Infrastructure
Secure SQL Servers
Australian Designed
Australian Developed
Global deployment capability



GRC Integrated
Organisational insight
Automated control testing
API Integration

Configurable Assurance

Across industries, different investment in people, process and technology ultimately lead to similar but very different assurance layers from business to business.

Processes and technology vary as does the depth and coverage of assurance.

To meet the needs of this complex landscape, QC3 employees a centralised highly configurable assurance platform which enables organisations to configure, control and manage assurance centrally across an entire organisation.

Assurance & Scheduling

Frontline assurance resources are limited and are not available to monitor every transaction, every interaction or every event, subsequently assurance resources can be guided and directed by a centrally managed assurance schedule.

The QC3 Assurance schedule instructs frontline assurance resource what they should be auditing, where and how many samples may ne required of them.

QC3 automatically push notifies assurance resources when their schedule starts, ends and summarises results to schedule owners.

Assurance Performance, Results and Risk

When data is received by QC3 from frontline assurance, a rich dataset is extrapolated from the submission, this includes;

  • Performance - weighted responses calculating the % of assurance success
  • Results - granular response level analytics enabling heat mapping and detailed analysis
  • Risk Indication - Positive, Negative, Neutral indications of risk are derived from submitted data bridging multiple standards or key material risks


Data extrapolation is executed instantly with a rich assistance and risk data set available immediately to the organisation.

Risk Scenario and Control Library

In QC3, risk has been simplified to enable organisation wide understanding, adoption and penetration.

Risk scenarios are lead with a simplified structure which are linked to various key material risks and elements.

Risk scenarios can be raised by the organisation and work flowed to become an accepted library entry driving engagement and understanding of the enterprise risk discipline.

Controls can be raised and contributed to each risk formulating a standardised definition of risk and expected controls.

Owned Risks and automated control testing

Owned Risks are allocated risks from the library which are placed in a position through the organisational structure. Owned risks are also allocated a designated responsible party within the organisation. This unique linkage allows QC3 to drive accountability and responsibility for risks appropriate for different areas of the organisation with clarity to appropriate nominated risk owners.

Using the advanced features of QC3, Risk Owners can define automated control tests which are executed on each frontline assurance data payload submitted to the organisation either by the QC3 Assurance User Interface or via the QC3 API processing endpoint.

Issues and Actions Management

QC3 includes a small work order management system to trace the progress and resolution of manually created issues or automatically created issued from failed key control tests.

When risk acceptance thresholds are breached, an issue is raised on the risk owner which is centrally managed in the small work order Issues Management feature until rejection or completion of the issue.

the digitisation of control testing and immediate push notification of failed controls leapfrogs organisations risk culture and risk accountability ahead light years from the rudimentary spreadsheet solutions laboriously employed by many organisations.

Plan Do Study Act Improvement

QC3 applies a PDSA (or Demming cycle) Improvement methodology and framework which enables a team to determine why an improvement is necessary, for example improvement is required as a result of an Issue, Incident, Inherent & Residual risk assessment, Indication of Risk, etc.

the PDSA framework applies a project work breakdown structure to targeted objectives, tasks and the qualitative and quantitative assessment of improvement impact to the organisation and the defined objectives.

uniquely, Improvements can be daisy chained together to demonstrate progressive and continual improvement efforts to resolve systemic issues or incidents impacting an organization.

Microsoft Power BI Data Visualisation

QC3 has partnered with Microsoft to provide world leading data visualisation dashboards addressing the many aspects of holistic organisational assurance and risk performance.

Inter-rater Assurance Assessment

To ensure consistency and to drive a commonly high standard of assurance, QC3 applies an interrater or 'audit the audit' capability to data mine the submitted assurance data for re-processing in and against separate audits.

Inter-rater assurance assessments enable QC3 to uniquely extract seemingly un-related assurance data sets, determine if prescribed results are achieved and re-executed against configured risks and controls.

Inter-rater enables organisations to drive consistency and understanding of assurance via this automated processing.