GRC Capability Model 3.5-EN Study Notes

GRC Capability Model Version 3.5-EN Revision 2024 01 22

General Information

  • Title: GRC Capability Model™
  • Version: 3.5-EN
  • Revision Date: 2024 01 22
  • Organization: OCEG
  • Copyright: © 2002 - 2024 OCEG. All Rights Reserved.

Licensing and Use of the Document

  • This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
  • For commercial purposes, prior written permission from OCEG is required for reproduction or distribution.
  • The GRC Assessment Framework is available for download by any individual holding an active OCEG All Access Pass.

Foreword

  • Date: June 2023
  • Legacy: OCEG Community created GRC and Principled Performance over 20 years ago.
  • Model Purpose: Codifies the approach using GRC Concepts, GRC Capabilities, and the GRC Glossary.
  • Update Objectives:
    • Simplify the GRC Capability Model.
    • Clarify key concepts and definitions.
    • Augment with new concepts, models, and practices.

Document Organization

  • Sections:
    1. Introduction
    2. Using this Guide
    3. The GRC Capability Model
       • Part I: GRC Concepts
       • Part II: GRC Capabilities
       • Part III: GRC Glossary
    4. Appendix: Tools & Techniques

Suggested Reading Order

  1. Read the Introduction for context.
  2. Study GRC Concepts for foundational ideas.
  3. Review the GRC Glossary for vocabulary.
  4. Analyze GRC Capabilities for high-performance frameworks.
  5. Explore other sections as needed.

Table of Contents

  1. Introduction
  2. Executive Summary
  3. The Problem: VUCA & Disconnection
  4. The Solution: Principled Performance® & GRC
  5. Protectors
  6. Using this Document
  7. Design Drivers
  8. Anatomy of GRC Capabilities
  9. Measuring GRC and Principled Performance
  10. Applying the GRC Capability Model
  11. Getting There
  12. Part I: GRC Concepts
  13. Part II.A: GRC Outcomes
  14. Part II.B: GRC Capabilities
  15. Part III: GRC Glossary
  16. Acknowledgments
  17. Appendix - Tools & Techniques

Executive Summary

  • Financial Impact: Over $1 trillion USD lost annually due to misconduct, errors, and miscalculations.
  • Role of GRC Professionals:
    • Protectors: Professionals who guide the organization's protective functions (board, strategy, compliance, risk, audit, etc.) and work to achieve Principled Performance®.
    • Responsibilities include aligning strategies and practices across these disciplines and ensuring ethical behavior.

VUCA Environment

  • Challenges: Organizations face Volatility, Uncertainty, Complexity, and Ambiguity, which result in departmental disconnections.
  • Disconnects:
    • Departments working in isolation.
    • Misalignment between people, cultures, and systems.
    • Lack of interdisciplinary approaches to problem-solving.

Solutions Provided

  • Principled Performance & GRC:
    • Helps unify departments under a structured framework for governance, risk, and compliance.
    • Encourages integrated capabilities and insights that leverage common practices across departments.
    • Provides action and adjustment pathways to assure trustworthy performance.

Definitions and Core Concepts

Principled Performance®

  • Definition: To "reliably achieve objectives, address uncertainty, and act with integrity."
  • Key Elements:
    • Reliability: Achieving outcomes consistently and transparently, not by chance.
    • Objectives: Aligned with the organization's mission, vision, and values.
    • Integrity: Honoring both mandatory obligations (laws, regulations, contracts) and voluntary obligations (values, commitments, policies).
  • Misconceptions: Good intentions do not equate to principled performance; performance must be measured against defined expectations.

Integrated Action & Control Model™ (IACM™)

  • Purpose: Provides a framework for considering actions & controls before, during, and after events.
  • Helps manage both risks and rewards effectively within organizational operations.

Core Components & Questions of GRC Capability Model

  • Components:
    • LEARN: Understand contexts and stakeholders.
    • ALIGN: Define objectives, strategies, and approaches.
    • PERFORM: Execute actions & controls for improvement.
    • REVIEW: Monitor and enhance performance based on feedback.

Measuring GRC and Principled Performance

Maturity Model

  • Levels of organizational development:
    • Level 1: Initial Practices
    • Level 2: Managed Practices
    • Level 3: Consistent Practices
    • Level 4: Measured Practices
    • Level 5: Optimizing Practices
  • Continuous Improvement: No capability is ever "finished"; even at Level 5 the practices are continually refined over time.

GRC Capabilities Structure

  • Encompasses four components:
    1. LEARN (4 Elements)
    2. ALIGN (5 Elements)
    3. PERFORM (8 Elements)
    4. REVIEW (3 Elements)
  • Each element poses structured questions that organizations use to evaluate their current practices and track progress within that element.

Roles and Skills of Protectors

  • High-performing Protector Professionals leverage interdisciplinary approaches to integrate capabilities across departments.
  • Misconceptions about the role:
    • Protectors are not solely defensive but play crucial roles in promoting and preserving value.

Tools and Techniques Overview

  • The Appendix collects the tools referenced throughout the document that can be used to achieve the described outcomes.
  • Techniques include SWOT, PESTLE, Value Chain Analysis, and various performance frameworks.

Review and Updates

  • Regular updates provide new insights to the GRC community.
  • Encourage collaboration within the GRC ecosystem for feedback and improvement.
  • Acknowledges team members who contributed efforts to enhance the GRC Capability Model.

Conclusion

  • GRC is a comprehensive pathway to Principled Performance: by integrating governance, risk, and compliance practices across disciplines, it enables organizations to reliably achieve objectives, address uncertainty, and act with integrity while both protecting and creating value.