Achieving Principled Performance through GRC Management
Mature organizations develop a portfolio management capability for GRC, including the management oversight functions that bring necessary skills, tools and information together to coordinate compliance and risk activities across the organization and its obligations.
Under Principled Performance ®, all business functions, skills and information resources contribute to the objectives pursued through GRC management.
Principled Performance ®
Principled Performance ® is what an organization achieves by implementing a comprehensive and integrated discipline across its GRC processes that:
- Focuses the organization on specific values, goal identification, and achievement
- Addresses the full range of risks facing the organization that could affect its strategy and operations
- Optimizes performance, conscientiously, within the boundaries of voluntary and mandated obligations
- Manages the complement of processes designed to both grow and protect value
OCEG's GRC Capability Model™
OCEG's mission is to help organizations achieve Principled Performance by providing a community and authoritative GRC resources for integrating the governance, assurance and management of performance, risk, compliance and ethics.
The landscape of governance, risk management, and compliance initiatives is broad and littered with a variety of specific standards and frameworks. Each of these frameworks may be good at what it focuses on, but they fail to link GRC together and put everything in context with each other. Risk management, security, corporate governance, control, compliance, audit, quality, project management, EH&S, sustainability: each has its own island of standards.
Key Elements of the Model
There is only one framework that brings this universe of GRC into a common language, process, and architecture: the OCEG Red Book and its GRC Capability Model™. Although various standards and guidance frameworks exist to address discrete portions of governance, risk management and compliance issues, the OCEG GRC Capability Model™ is the only one that provides comprehensive and detailed practices for an integrated and collaborative approach to GRC. These practices address the many elements that make up a complete GRC business architecture. Applying the elements of the GRC Capability Model™ and the practices within them enables an organization to:
- Achieve business objectives
- Enhance organizational culture
- Increase stakeholder confidence
- Prepare and protect the organization
- Prevent, detect and reduce adversity
- Motivate and inspire desired conduct
- Improve responsiveness and efficiency
- Optimize economic and social value
The GRC Capability Model™ describes key elements of an effective GRC architecture that integrate the principles of good corporate governance, risk management, compliance, ethics and internal control. It provides a comprehensive guide for anyone implementing and managing a GRC system or some aspect of that system. The OCEG GRC Capability Model™ is organized in eight components:
- CULTURE & CONTEXT – Understand the current culture and the internal and external business contexts in which the organization operates, so that the GRC system can address current realities – and identify opportunities to affect the context to be more congruent with desired organizational outcomes.
- ORGANIZE & OVERSEE – Organize and oversee the GRC system so that it is integrated with, and when appropriate modifies, the existing operating model of the business, and assign specific responsibility, decision-making authority, and accountability to management to achieve system goals.
- ASSESS & ALIGN – Assess risks and optimize the organizational risk profile with a portfolio of initiatives, tactics, and activities.
- PREVENT & PROMOTE – Promote and motivate desirable conduct, and prevent undesirable events and activities, using a mix of controls and incentives.
- DETECT & DISCERN – Detect actual and potential undesirable conduct, events, GRC system weaknesses, and stakeholder concerns using a broad network of information gathering and analysis techniques.
- RESPOND & RESOLVE – Respond to and recover from noncompliance and unethical conduct events, or GRC system failures, so that the organization resolves each immediate issue and prevents or resolves similar issues more effectively and efficiently in the future.
- MONITOR & MEASURE – Monitor, measure and modify the GRC system on a periodic and ongoing basis to ensure it contributes to business objectives while being effective, efficient and responsive to the changing environment.
- INFORM & INTEGRATE – Capture, document and manage GRC information so that it efficiently and accurately flows up, down and across the extended enterprise, and to external stakeholders.
OCEG’s GRC Capability Model™ brings a holistic enterprise view of GRC together. It works from the board of directors down into the management and process of an organization. Its goal is not to replace other frameworks and standards but to give them a common language and context to operate within and thus provide enterprise collaboration and communication across governance, risk, and compliance.