GRC Capability Model

The GRC Capability Model version 3.5 serves as a comprehensive guide for Governance, Risk, and Compliance (GRC) professionals, emphasizing the importance of integrating capabilities to achieve Principled Performance. It addresses the challenges posed by volatility, uncertainty, complexity, and ambiguity (VUCA) in organizations and provides a structured approach to overcome disconnection among departments and individuals. The document outlines key concepts, capabilities, and a glossary to support GRC professionals in their roles as 'Protectors' who help organizations navigate risks and achieve their objectives.

GRC Capability Model™
version 3.5

Licensed for noncommercial personal use by Ihyth Ananthapalli ([email protected]) on 4/11/2024, 11:38:17 AM
GRC Capability Model version 3.5 revision 2024-01-22

GRC Capability Model™
(OCEG Red Book)
The Essential Body of Knowledge for GRC Professionals (GRCP)

Version 3.5 - PUBLIC DRAFT
revision 2023-09-28

© 2002 - 2024 OCEG. All Rights Reserved. feedback to [email protected]


This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0
International License.

For commercial purposes, no part of this publication may be reproduced, distributed, or
transmitted in any form or by any means, including photocopying, recording, or other electronic or
mechanical methods, without the prior written permission of the publisher. Advanced Licensing is
available at https://www.oceg.org/terms-of-use/advanced-license-permissions/

For commercial use requests, contact [email protected]

OCEG, Principled Performance, Driving Principled Performance, Putting Principles Into Practice,
GRC360°, and LeanGRC are registered trademarks of OCEG.

Protector Skillset, Protector Mindset, Protector Code, Lines of Accountability, GRC Capability
Model, GRC Professional, GRCP, GRC Fundamentals, GRC Audit, GRCA, GRC Audit Fundamentals,
Data Privacy Fundamentals, Integrated Data Privacy Professional, IDPP, Policy Management
Fundamentals, Integrated Policy Management Professional, IPMP are trademarks of OCEG.

This guide offers reliable information about GRC, but the author and publisher aren't providing
professional services like legal, investment, or accounting advice. Despite striving for accuracy,
they disclaim warranties regarding the content's completeness or its suitability for specific
purposes. No warranties can be formed through sales interactions or materials. The strategies and
advice presented may not fit your situation, necessitating professional consultation. The
publisher and author deny liability for any commercial losses or damages incurred, whether they
are special, incidental, consequential, personal, or other.

Front cover image and illustrations by Sarah Hart & Scott Mitchell; other images and illustrations
by Scott Mitchell.

version 3.5 revision 2024-01-22

ISBN: 979-8-9881268-0-5

OCEG
4144 N. 44th Street, Suite 6
Phoenix, AZ 85018
www.oceg.org


Foreword (June 2023)

20 years ago, the OCEG Community created GRC and Principled Performance®. These ideas were
formalized into a structured model called the GRC Capability Model (“Model”). This model is
periodically updated with the help of hundreds of members and experts in the GRC ecosystem. For
this update to version 3.5, the objectives were to:

● Simplify - Make The GRC Capability Model easier to understand, navigate and use.

● Clarify - Untangle and elaborate key concepts and definitions.

● Augment - Include new concepts, models, and practices that are commonly used.

We achieved these objectives by adding, editing, and removing content throughout The GRC
Capability Model and using new technologies to capture and publish this document.

This document is organized into several sections:

★ Introduction: Details about the drivers of Principled Performance and GRC.

★ Using this Guide: Conventions used in the document and tips for starting.

★ The GRC Capability Model

○ Part I - GRC Concepts: Pervasive ideas and models that underlie all aspects of GRC.

○ Part II - GRC Capabilities: Structured expression of high-performing GRC.

○ Part III - GRC Glossary: Alphabetic listing of consistent terms and definitions.

★ Tools & Techniques: Collected tools & techniques referenced in this document.

You may read this document in any way and in any order. I find it helpful to:

● Read the Introduction to understand the big picture and context.

● Read the GRC Concepts because it outlines pervasive ideas used throughout.

● Read the GRC Glossary because it helps to untangle and harmonize vocabulary.

● Read the GRC Capabilities because it provides structure for high-performing GRC.

● Read the other sections.


Warm Regards & Enjoy!

Scott Mitchell, Founder, OCEG


Table of Contents

Introduction 1

Executive Summary 1
The Problem: VUCA & Disconnection 2
The Solution: Principled Performance® & GRC 2
Protectors 10
Using this Document 18
Design Drivers 18
Anatomy of GRC Capabilities 21
Measuring GRC and Principled Performance 22
Applying the GRC Capability Model 26
Getting There 30
Part I - GRC Concepts 33
“Big Picture” Perspective 33
“Reliably” 37
“Achieve Objectives” 44
“Address Uncertainty” 58
“Act with Integrity” 65
Integrated Action & Control Model™ (IACM™) 71
Part II.A - GRC Outcomes & Capabilities 76
U - Universal Outcomes 77
Part II.B - GRC Capabilities 78
L – LEARN 79
A – ALIGN 89
P – PERFORM 101
R – REVIEW 119
Part III - GRC Glossary 127
Acknowledgments 216
OCEG Team 216
OCEG Community 216
Appendix - Tools & Techniques 219


Introduction

Executive Summary
Over $1 trillion (USD) is destroyed every year because of unprincipled misconduct, mistakes, and
miscalculations. Organizations, individuals, and the public count on GRC Professionals to lead the
way and solve this trillion-dollar problem.

GRC Professionals are called “Protectors” because of the work that they do. They produce and
preserve value to achieve Principled Performance® – and to reliably achieve objectives, address
uncertainty, and act with integrity.

Protectors are skilled GRC Professionals who advise and work in departments such as the board,
strategy, risk, compliance, ethics, human resources, legal, security, quality, internal control, and
audit. What they have in common is a Protector Mindset™ and an interdisciplinary Protector
Skillset™.

But it can be difficult to be a Protector and address this massive trillion-dollar problem because of
volatility, uncertainty, complexity, and ambiguity (VUCA) – and the disconnection between
departments (silos), people, values, and skills.

Therefore, the OCEG community created Principled Performance and GRC over 20 years ago – to
help solve problems using an interdisciplinary approach. The continuously improving knowledge in
this document codifies this approach in GRC Concepts, GRC Capabilities, and the GRC Glossary.


The Problem: VUCA & Disconnection


More than ever before, organizations of all shapes and sizes operate in the context of volatile,
uncertain, complex, and ambiguous (VUCA) conditions. And, despite innovations designed to
connect, organizations experience substantial disconnection:

● Disconnected departments that operate in silos and at cross-purposes

● Disconnected people with strained relationships that cause conflict and loneliness

● Disconnected purpose and culture that cause misalignment with stakeholders

● Disconnected and myopic skillsets that see and solve problems from a single discipline

VUCA and disconnection are substantial “destabilizing forces” that make it challenging to produce
and preserve value. Protectors are the stabilizing forces to face this instability and to help
organizations gain, maintain, and sustain Principled Performance.

The Solution: Principled Performance® & GRC


The OCEG community created Principled Performance and GRC to overcome VUCA and
disconnection – and to provide Protectors a framework for stabilizing and connecting in the face of
so much instability and disconnection.

This connected and integrated approach is the essence of GRC – the pathway to Principled
Performance.

By adopting Principled Performance and GRC, an organization moves from disconnected
departments to integrated capabilities; from disconnected people to interconnected relationships
and coworkers; from disconnected purpose to intentional culture; and from disconnected and
myopic skills to an interdisciplinary approach.

The first peer-reviewed paper on the topic laid a foundation for this solution by providing clear
definitions and guidance for Principled Performance and GRC.


Principled Performance®
Principled Performance is a noble goal for every organization to “reliably achieve objectives,
address uncertainty, and act with integrity.” The major parts of the definition are:

● Reliably (thoughtfully, consistently, dependably, and transparently)

● Achieve objectives (achieve mission, vision, and balanced objectives)

● Address uncertainty (address opportunities and obstacles that balance risk and reward)

● Act with integrity (live out values and stay within mandatory and voluntary boundaries)

Principled Performance is NOT synonymous with “Good” or “Good Intentions.” An organization
must measure up to the Principled Performance definition to be a “principled performer.”


To elaborate on the other side, just because an organization pursues objectives that someone
might perceive as “Bad” or as “Bad Intentions” does not mean that the organization is NOT a
Principled Performer. If this organization reliably achieves objectives, addresses uncertainty, and
acts with integrity, then it qualifies as a Principled Performer.

What matters most is that the organization measures up to the key parts of the Principled
Performance definition to:

● reliably

● achieve objectives,

● address uncertainty, and

● act with integrity.

And to accomplish this, the organization must integrate and orchestrate several Critical
Disciplines and capabilities.


“Big Picture” Perspective


Taking a step back, consider the big picture of what it means to “do” business. Every business,
every organization, is designed to achieve objectives. As the organization drives toward
objectives, it faces uncertainty – there are opportunities and obstacles along the way. And the
organization must establish a business model to address obligations and stay within mandatory
and voluntary boundaries.

● Opportunities are generally associated with reward (performance), a measure of the
positive, favorable effect of uncertainty on objectives. Reward is addressed using
performance management systems and key performance indicators (KPIs).

● Obstacles are generally associated with risk, a measure of the negative, unfavorable effect
of uncertainty on objectives. Risk is addressed using risk management systems and key risk
indicators (KRIs).

● Obligations are generally associated with compliance, a measure of the degree to which
obligations and requirements are addressed. Compliance is addressed using compliance
management systems and key compliance indicators (KCIs).


An organization must do more than manage the aspects of performance, risk, and compliance. An
organization must also govern and provide assurance around performance (reward), risk, and
compliance. Thus a complete picture of this approach is the governance, management, and
assurance of performance, risk, and compliance.

● Management - directly guiding, controlling, and evaluating an entity by arranging and
operating resources.

● Governance - indirectly guiding, controlling, and evaluating an entity by constraining and
conscribing resources.

● Assurance - objectively and competently evaluating subject matter to provide justified
conclusions and confidence that statements and beliefs about the subject matter are
justified and true.


GRC & Critical Disciplines


GRC and the GRC Capability Model provide governance, management, and assurance of
performance (reward), risk, and compliance.

GRC is an initialism that denotes Governance, Risk, and Compliance, but the reality is much more.
GRC is the “integrated collection of capabilities that enable an organization to reliably achieve
objectives, address uncertainty, and act with integrity.”

Thus, GRC is the “pathway” to Principled Performance representing a broad portfolio of
departments and capabilities. GRC is sometimes misconstrued as “something the board does,” “a
piece of software,” “a compliance program,” or even “IT security” or some other topical area.

In fact, GRC is an integration and orchestration of capabilities. It is an umbrella over several Critical
Disciplines that share similarities but also have their distinct advantages.

● Governance & Oversight provides methods to guide, constrain and conscribe the
organization to achieve its purpose, mission, vision, and values.

● Strategy & Performance provides methods to guide, arrange and operate resources to
achieve objectives and monitor performance.

● Risk & Decision-Support provides methods to identify and address the effect of uncertainty
on objectives, including ways to support decisions under uncertainty.

● Compliance & Ethics provides methods to identify and address mandatory and voluntary
obligations and the underlying ethical principles and values.


● Security & Continuity provides methods to identify and address threats to critical physical
and digital assets and infrastructure.

● Audit & Assurance provides methods to enhance confidence that the organization is
reliably achieving objectives, addressing uncertainty, and acting with integrity.

By integrating these disciplines, the unique strengths of each can be used to support the others.
For example, the Compliance & Ethics discipline can add strength in dealing with policies and
procedures to the other disciplines. The Strategy & Performance discipline can add strength in
setting objectives, mapping strategies, etc.


GRC Capabilities
The GRC Capability Model codifies the continuously improving body of knowledge about how GRC
works in an organization. It comprises four (4) components and twenty (20) elements that help an
organization ask and answer key questions such as:

● LEARN - Who are we? Where are we? What might affect us? Who do we serve? How will they
judge us? What is our business model?

● ALIGN - Where are we going? How will we get there? How will we address the opportunities,
obstacles, and obligations along the way?

● PERFORM - How proactive are we? How do we detect problems and progress? How do we
respond to favorable and unfavorable events?

● REVIEW - Are we making progress? How confident are we? How can we improve?

High-performing GRC Professionals and Protectors use The GRC Capability Model in many
different jobs, roles, and departments and in organizations of all types, shapes, and sizes. The GRC
Capability Model provides a sound foundation and versatile toolkit for diverse problems in diverse
departments.


Protectors
Organizations, coworkers, and the public count on GRC Professionals to solve the $1 trillion
problem. GRC Professionals are called Protectors because of the work that they do in departments
across the organization. A high-performing Protector is a versatile professional who takes an
interdisciplinary approach to their job.

Whether they're implementing a compliance program, a risk management program, a security
program, or conducting an audit, using a GRC approach means they are leveraging the best
strengths and techniques from all of the Critical Disciplines.

Produce & Preserve Value


One misconception is that a Protector only "plays defense" while the rest of the organization
"plays offense" – and that "playing defense" and "playing offense" are mutually exclusive.

The truth is that every organization must play both offense and defense because both add
significant value. High-performing Protectors know how to DO both and BE both.


Protectors are typically not in functions that harness the forces of VUCA and instability (such as
sales, marketing, and product innovation). More typically, Protectors are in departments that
serve as a stabilizing force (such as the board, risk, compliance, security, finance, HR, IT,
internal controls, or audit).

Wherever they work, the organization and the public count on Protectors to be skilled at balancing
value production and value preservation – to be the ones who serve as stabilizing forces and help
the entire organization navigate VUCA and instability.

Using an analogy of a mountain climber – as climbers progress toward a summit, they "produce
value" toward that goal. Along the way, there are ups and downs. Things can go wrong, and
progress can be stopped or reversed. Things can go very wrong, and the climber may fall into deep
crevasses, permanently destroying value.


But high-performing Protectors lock in the progress and close gaps with tools and techniques to
"preserve value" along the way.

Preserving value not only reduces the “downs,” but it also helps to prevent fatal problems that
permanently destroy value. This helps organizations to reliably achieve objectives, address
uncertainty, and act with integrity – and achieve Principled Performance.

In the context of mountain climbing, this might include tools such as ropes and clamps. It might
mean techniques like tapping into the side of the mountain to secure safety gear.

In organizations, these tools include how Protectors use the Protector Mindset™ and Protector
Skillset™ to implement GRC and achieve Principled Performance. These tools are the
unmistakable “fingerprint” of a high-performing Protector:

● The Protector Mindset is the toolkit of ways that a high-performing Protector makes
decisions and appraises problems, solutions, and people. It is the way that they “think”
about their job.

● The Protector Skillset is the toolkit of versatile disciplines that a high-performing Protector
uses to solve problems, make progress, and lead. It is the way that they “do” their job.


The Protector Mindset™


The Protector Mindset™ consists of traits that together strengthen the way that a
high-performing Protector makes decisions and appraises problems, solutions, people, and reality.

The high-performing Protector is Collaborative, Accountable, Stable, Proactive, Visionary, and
Versatile. Importantly, a Protector strives for the Golden Mean between the overuse and underuse
of these traits.

Collaborative
Producing and preserving value requires relationships and teamwork with others, and a Protector
is collaborative. Protectors know that relationships are everything and that through teamwork,
more can be accomplished. Protectors avoid the underuse of collaboration, where they might be
isolated, antagonistic, and hoard information. Protectors avoid the overuse of collaboration,
where work becomes a social club, and nobody owns outcomes.

Stable
VUCA and Disconnection are fundamentally “destabilizing” forces, and a Protector brings stability
to the organization. Protectors strive to bring stability against the volatile, uncertain, complex, and
ambiguous (VUCA) realities. Protectors strive to be conscientious and careful. Protectors strive to
be calm and detached from turmoil. Protectors avoid the underuse of stability, where they might
be neurotic, chaotic, and “caught up” in drama. Protectors avoid the overuse of stability, where
they might appear not to care.
they might appear not to care.

Accountable
Too many people blame others and pass the buck because “it’s not my job,” and a Protector brings
accountability. Protectors know that they can always be more accountable and take ownership of
more. Protectors avoid the underuse of accountability, where they might blame others, wait for
others, and say, "It's not my job!" Protectors avoid the overuse of accountability, where they might
step on toes, micromanage, and potentially move beyond their scope.

Visionary
Dealing with obstacles and obligations can distract from the big picture, so a Protector brings
vision to the organization. Protectors know that being purposeful, optimistic, and focusing on the
long game is critical. Protectors avoid underuse where they might become myopic and pessimistic
(even cynical!), and focus on the short game. Protectors avoid overuse where they might become
too abstract, too naive, and without an end in sight.

Versatile
Wicked problems require an interdisciplinary approach, and a Protector Mindset brings a versatile
skillset to the solution. Protectors strive to integrate Critical Disciplines to approach their work
from multiple dimensions using the Protector Skillset. Protectors avoid the underuse of versatility,
where they might myopically have a "hammer, and everything looks like a nail." Protectors avoid
the overuse of versatility, where they might create overly complicated solutions that never get
implemented.

Proactive
The modern economy moves fast, and the Protector knows that being proactive helps win the day.
Protectors know that being proactive reduces the risk of being caught off guard, helps to correct
errors and be more courageous. Protectors avoid the underuse of proactivity, where they might
become “clueless,” paralyzed, or cowardly. Protectors avoid the overuse of proactivity, where they
might leap without looking or, too frequently, change without ever reaching a steady state.


The Protector Skillset™


GRC Professionals integrate the Critical Disciplines into their Protector Skillset™ to leverage the
strengths of each discipline to fill gaps and accelerate success.

Governance & Oversight


Governance & Oversight skills include ways to constrain and conscribe activities. These skills help
the organization to:

● Set direction (mission, vision, values)

● Identify and set boundaries

● Allocate authority and decision rights

● Authorize performance, risk, and compliance systems

● Shape a culture of integrity

Strategy & Performance


Strategy & Performance skills set objectives and results; and map strategies and tactics to
address opportunities, obstacles, and obligations. These skills help the organization to:


● Set direction (mission, vision, values)

● Set objectives and indicators

● Identify opportunities, obstacles, and obligations

● Align strategies and tactics

● Manage performance, risk, and compliance systems

Risk & Decision Support

Risk & Decision Support skills include ways to address uncertainty and make sound decisions.
These skills help the organization to:

● Plan for risks

● Identify risks

● Assess risks

● Address risks

● Measure and monitor risks

● Use decision science and support techniques

Compliance & Ethics


Compliance & Ethics skills include ways to address obligations and the risks associated with both
mandatory and voluntary boundaries. These skills help the organization to:

● Identify mandatory obligations

● Identify and formalize voluntary obligations

● Assess compliance and ethics risk

● Set policy and procedures

● Educate and communicate with the workforce

● Inspire and shape an ethical culture


Security & Continuity


Security & Continuity skills include ways to address significant risks and crises, especially those
areas of the organization prone to attack or existential consequences. These skills help the
organization to:

● Identify critical physical and digital assets

● Assess, address, measure, and monitor related risks

● Use scenario planning and simulation to practice response

● Identify technology recovery and business resumption strategies

● Perform crisis response when appropriate

Audit & Assurance


Audit & Assurance skills include ways to enhance the confidence of internal and external
stakeholders that the organization is designed and operating effectively to reliably achieve
objectives, address uncertainty, and act with integrity. These skills help the organization to:

● Prioritize assurance based on objectives, opportunities, obstacles and obligations

● Plan, perform, report, and monitor assurance assessments

● Use design and substantive testing techniques

● Communicate with stakeholders and management to enhance confidence


Using this Document


This document introduces the GRC Capability Model (the “Model”). The GRC Capability Model
helps organizations reliably achieve objectives, address uncertainty, and act with integrity to
produce and preserve value – to achieve Principled Performance. The GRC Capability Model
describes components and elements that comprise high-performing GRC that are measured for
Maturity and Total Performance.

The GRC Capability Model integrates several Critical Disciplines and presents concepts familiar to
professionals skilled in Governance & Oversight, Strategy & Performance, Risk & Decision Support,
Compliance & Ethics, Security & Continuity, and Audit & Assurance.

The GRC Capability Model aims to unify, harmonize and integrate these disciplines with an
internally consistent vocabulary, models, and “meta-process” that can be applied in various
departments and functions.

The GRC Capability Model aims to “guide” rather than dictate. GRC Professionals should use this
Model like a cookbook rather than a chemistry set. In other words, the specific context and
idiosyncrasies of each organization will necessitate adding more or less emphasis on components,
elements, practices, considerations, and so forth.

Design Drivers
Several fundamental realities and drivers influence the design of the GRC Capability Model.


People
People are at the center of the most vexing aspects of the trillion-dollar problem.

People are the ones who commit misconduct and make mistakes and miscalculations. Even when
technology is at “fault” for miscalculating, a person is behind the design and implementation of
the technology.

And people are messy. People have free will (or something that looks and feels a lot like it). People
are free to choose this or that or otherwise. People are free to make choices that may result in
positive or negative outcomes.

People rarely respond to top-down dictates and coercion (and if they do respond, they don’t
respond for very long). Addressing this “human element” requires bottom-up, inside-out
techniques.

Wicked Problems
The trillion-dollar problem of misconduct, miscalculations, and mistakes is a Wicked Problem.

A "wicked problem" is a term used in design, policy-making, and social sciences to describe a
complex, dynamic, and multifaceted problem that is difficult or even impossible to solve
completely. These problems are characterized by high levels of uncertainty, multiple and
conflicting goals, and many interrelated and changing factors. With wicked problems, it is difficult
to identify the boundaries of their impact, or recognize all the variables that are in play for a
particular problem. It can even be difficult to tell if a wicked problem has been solved until many
years later because it may address long-term opportunities, obstacles, and obligations.

Unlike "tame" problems that have clear solutions and can be addressed using a straightforward
and linear approach, wicked problems are often characterized by a lack of clear definition,
incomplete or contradictory information, and the need for ongoing adaptation and
experimentation.

Solving wicked problems often requires collaboration, creativity, and innovation across multiple
disciplines and stakeholders. Rather than seeking a definitive solution, the aim is to develop
adaptive and flexible approaches that can respond to changing circumstances and evolving
priorities.


Complex Adaptive System of Systems


Organizations, teams, and even individuals are Complex Adaptive Systems of Systems.

A "complex adaptive system of systems" (CASoS) is a type of system that is made up of many
interacting subsystems, each with its own behavior, rules, and feedback loops. A CASoS is
characterized by its complexity, adaptivity, and emergence, meaning that it is capable of
self-organization and can exhibit emergent behaviors that are not predictable from the behavior
of its individual components.

Understanding and managing CASoS requires a systems thinking approach, which considers the
behavior of the system as a whole rather than just its individual components. It also requires an
understanding of the interactions and feedback loops between different sub-systems, as well as
an ability to anticipate and respond to emergent behaviors.

A complex adaptive system of systems is more like a flock and less like a clock. It would be ideal if
all problems could be solved as easily as fixing a clock, where a solution can be immediately
verified by the clock's ability to tell time again. However, the reality is that problems in CASoS
cannot be solved in such a straightforward manner. The nature of such problems is dynamic and
multifaceted, and solutions are not always predictable or immediately verifiable.

Fractality
Organizations comprise multiple levels and units of self-similar patterns and structures.

Fractality refers to the property of self-similarity or the repetition of patterns at different scales in
a system or structure. In fractal geometry, a fractal is a mathematical set that exhibits
self-similarity and has a structure that is similar at every scale. Fractals are often found in nature,
such as in the branching patterns of trees, the veins of leaves, or the shapes of clouds.

In organizations, fractality is used to describe the self-similar patterns and structures of social
networks and interactions, as well as in the study of collective behavior and decision-making.

Fractality means that problems and solutions can replicate and scale to multiple levels of the
organization.


Anatomy of GRC Capabilities


The GRC Capability Model describes components and elements that comprise a high-performing
GRC Capability – any part of which is measured for Maturity and Total Performance.

Components
The GRC Capability Model consists of four Components: (L) LEARN, (A) ALIGN, (P) PERFORM, and
(R) REVIEW. Each Component includes its own:

● Descriptive summary,

● Considerations to be taken into account, and

● Elements that are required under each Component.


Elements
There are 20 elements in the GRC Capability Model distributed among the four components: (4)
Elements under the LEARN Component, (5) Elements under the ALIGN Component, (8) Elements
under the PERFORM Component, and (3) Elements under the REVIEW Component. Each Element
includes its own:

● Descriptive summary,

● Practices that describe critical activities,

● Considerations that impact decisions, design, and operation, and

● Tools & Techniques that may optionally be used.

Measuring GRC and Principled Performance

Maturity Model
A Maturity Model provides a theoretical continuum, often expressed in “levels,” along which
maturity can be developed incrementally from one level to the next. Maturity levels may be used to
assess how capable (prepared) the organization is to perform practices:

● Level 1 - Initial. Practices are improvised, ad hoc, and often chaotic.

● Level 2 - Managed. Practices are defined and managed, though sometimes informally.

● Level 3 - Consistent. Practices are formally documented and consistently managed.

● Level 4 - Measured. Practices are measured and managed with data-driven evidence.

● Level 5 - Optimizing. Practices are consistently improved over time.

In some maturity models, the highest Level 5 is called “Optimized.” However, GRC Professionals
recognize that an area is never “optimized” but rather in the process of “optimizing” over time.

GRC Professionals apply the concept of maturity at all levels of The GRC Capability Model as
needed. For example, the Education Element could be assessed for Maturity:

● Level 1 - Initial. Education practices are improvised and often chaotic.


● Level 2 - Managed. Education Practices are defined and managed, though sometimes
informally. This means the team knows how to define, develop and deliver education, but
nothing is documented. And, when workers are educated, records are not always created or
stored.

● Level 3 - Consistent. Education Practices are formally documented and consistently
managed. This means the team follows documented practices to define, develop and
deliver education. Learner records are created and maintained.

● Level 4 - Measured. Education Practices are measured and managed with data-driven
evidence. This means that the documented process generates enough data and indicators
to judge the effectiveness, efficiency, agility, and resilience of Education.

● Level 5 - Optimizing. Education Practices are consistently improved over time. This means
that the indicators are not only captured and judged but that the team can demonstrate
continuous improvement.


Total Performance Model™


For each element, the GRC Capability Model describes Total Performance across four dimensions:
Effectiveness, Efficiency, Agility, and Resilience. These dimensions should be considered across
all components, elements, and practices.


For example, the Education Element could be assessed for Total Performance:

● Effective (“Sound”). Is the design of the education program logical? Does it follow best
practices? Are all topical areas covered? Are the workers we intend to educate actually
getting educated? Are they retaining the knowledge/skills they need? Is the education
program impacting the intended business objectives?

● Efficient (“Lean”). What does it cost to educate the workforce? Is the cost per Worker going
up/down? How does this cost compare to organizations of similar size?

● Agile (“Responsive”). How long does it take to educate a department? How long does it take
to identify an education need and 100% coverage of the intended audience? When an error
is found in the education program, how long does it take to be detected and corrected?

● Resilient (“Antifragile”). What will we do if the online education system fails? What kind of
slack do we have in education timelines in case of unplanned distractions? What kind of
backup staff do we have in case someone gets sick?


Applying the GRC Capability Model


The GRC Capability Model can be applied at any level within the organization.

● Organization (also Organization in Scope): The organizational unit in scope for applying the
GRC Capability Model. This may be the enterprise, a business unit, a department, or a team.

Organizations may be large or small, simple or complex. The organization in scope may be an entire
legal entity (enterprise) or some smaller subordinate unit (business unit, department, team).
While not every organization in scope has a complex hierarchy of levels, units, or layers, virtually all
have some structure for reporting, accountability, and approval.

The GRC Capability Model uses these terms and concepts when referring to the Organization in
Scope and its related units, levels, and layers.

Organizational Units
Organizational Unit (also Unit): A specific subdivision of an organization that is formed for the
purpose of achieving particular objectives.

● Enterprise: The most superior unit that encompasses the entirety of the organization. The
term “enterprise” may be used even when the organization is a government agency, a
nonprofit organization, or a small organization.

● Business Unit: A business unit is subordinate to the enterprise and often responsible for
specific products, customers, or geography. The term “business unit” may be used even
when the organization is not a “business” (e.g., a government agency or a nonprofit
organization).

● Department: A department is subordinate to the enterprise and often cuts across multiple
business units providing shared services such as human resources, information
technology (IT), compliance, risk management, and other services.

● Team: A team is the smallest organizational unit. Teams may be part of a department or may
be cross-functional. Teams may be permanent or temporary.


Organizational Levels
Organizational Level (also Organizational Layer): A description of the accountability relationship
between units.

● Superior Level (also Superior Unit, Superior Layer, and Superior): refers to other
organizational units to which the organization in scope is accountable.

● Subordinate Level (also Subordinate Unit, Subordinate Layer, and Subordinate): refers to
other organizational units accountable to the organization in scope.

● Peer Level (also Peer Unit, Peer Layer, and Peer): refers to organizational units that are
lateral to the organization and often report to or are accountable to the same superior unit.


Special Units and People


The GRC Capability Model refers to specialized units and people that have specific
responsibilities.

● Governing Authority (also Board): Refers to the most superior level of accountability and
authority. The governing authority is often responsible for balancing the competing needs
of stakeholders so that it can guide, constrain, and conscribe the organization to reliably
achieve objectives, address uncertainty, and act with integrity to meet these needs. The
governing authority is often a board of directors if the organization is an enterprise. (The
governing authority may be an oversight committee if the organization is a business unit or
department.)

● Workforce (also Personnel): Refers to the collection of individuals the organization
employs, including:

○ Executives (also Executive Team or Executive Management or Executive Management
Team): Senior-most managers with broad responsibilities over the entire organization or
some significant part of the organization (e.g., all technology, all sales and marketing,
all administration, all finance).

○ Managers (also Management or Management Team) refer to personnel who manage
others. Qualifiers such as “senior managers” refer to managers with more
responsibility in scale or scope, while “junior managers” have less responsibility.

○ Staff (also Team Members) refer to more junior-level personnel who typically do not
manage others.

○ Leaders (also Leadership) are individuals at any level of the organization who have
the de facto attention and respect of the workforce regardless of their title or
position.

● Third Party (or member of the Extended Enterprise): Refers to a partner that conducts
substantial actions & controls on behalf of the organization. Organizations often
“outsource” actions & controls to third parties to benefit from their competence while
focusing the organization's efforts on its core competencies. Even when an organization
outsources actions & controls, it is crucial to recognize that the organization often retains
legal or reputational responsibility for any problems in the extended enterprise.

Processes & Resources


The GRC Capability Model details the capabilities that arrange processes and resources to
achieve Principled Performance. These terms are used:

● Integrated Plan details processes and resources allocated to reliably achieve objectives,
address uncertainty, and act with integrity.

● Process (also Ways) is a series of actions or steps to achieve an objective.

● Resources (also Means) include people, technology, facilities, information, financial
capital, and other assets used to achieve objectives.

○ Human Capital - Individual capabilities and relationships.

○ Technology Capital - Hardware, software, and technology.

○ Physical Capital - Manufactured goods and facilities.

○ Information Capital - Data, communications, and intelligence.

○ Financial Capital - Liquidity, budgets, and other economic resources.


Getting There
An organization must implement and operate a collection of integrated capabilities (elements)
that drive cooperation, coordination, and collaboration. Some organizations achieve this by
keeping existing capabilities and improving integration. Other organizations may choose to
develop all or many new capabilities.

In every case, the organization must commit to the concept of Principled Performance and the
allocation of resources necessary to support integrated GRC.

Key Steps
1. Commit. Obtain commitment to Principled Performance and GRC.

2. Plan. Use the GRC Capability Model to guide the design of your capabilities.

3. Do. Assign accountability and implement the GRC Capability.

4. Check. Evaluate the execution of the GRC Capability.

5. Act. Use the results of the evaluation to fine-tune and improve the GRC Capability.


Starting Points
Getting somewhere requires both a destination and a starting point. For GRC Professionals and
the GRC Capability Model, the destination is the same – namely, Principled Performance.

But to navigate, the starting point tends to be different depending on the organizational type,
scale, scope, purpose, and current challenges. Moreover, even starting points may change over
time. It is possible to start with a Blank Canvas and then encounter a problem that can redirect you
to a Crisis starting point. Some of the starting points appear as an organization grows and
matures.

Thus, while every organization is unique and requires a unique starting point, most organizations
fall into one of these categories:

● SP0. Blank Canvas Starting Point

● SP1. Topical Starting Point

● SP2. Discipline Starting Point

● SP3. Element Starting Point

● SP4. Crisis Starting Point

SP0. Blank Canvas Starting Point


A blank canvas starting point is atypical because most organizations already have one or more
elements of the GRC Capability Model. However, some organizations work “as if” there is a blank
canvas so that the organization can take a step back to formalize and integrate its approach.

SP1. Topical Starting Point


A topical starting point is a project to address a category of opportunities, obstacles, or
obligations. For example, you may be assigned to:

● Implement an information security system,

● Implement internal control over financial reporting, or

● Implement an anti-corruption program.


SP2. Discipline Starting Point


A discipline starting point is a project to address one or more of the background disciplines to
establish a framework or program for the organization:

● Governance & Oversight Framework

● Strategy & Performance Framework

● Risk Management Framework

● Decision-Making Framework

● Compliance & Ethics Framework

● Security Framework

● Business Continuity Framework

● Audit & Assurance Framework

SP3. Element Starting Point


An element starting point is a project to address an element in the GRC Capability, such as:

● Implement a training system,

● Implement a policy management system,

● Implement a risk analysis process, or

● Implement an insurance program.

SP4. Crisis Starting Point


A crisis starting point is a project to address a situation that caused significant harm to the
organization, such as:

● Address a major financial scandal,

● Address a major workplace scandal,

● Address major breaches in security,

● Address a major sanction, or


● Address a major human rights scandal.

Regardless of the starting point, the GRC Capability Model will help an organization ensure that an
integrated system of components and elements works together to reliably achieve objectives,
address uncertainty, and act with integrity – to achieve Principled Performance.


Part I - GRC Concepts


GRC is a pathway to Principled Performance – a noble goal for every organization to “reliably
achieve objectives, address uncertainty, and act with integrity.” This definition can be broken
down into its major parts.

● Reliably (consistently, dependably, and transparently)

● Achieve objectives (mission, vision, values, and balanced objectives)

● Address uncertainty (address opportunities and obstacles that balance risk and reward)

● Act with integrity (stay within boundaries to address voluntary and mandatory obligations)

These parts are used to explain the Key GRC Concepts. But before stepping into the parts,
consider the big picture of what it means to “do” business.

“Big Picture” Perspective


Every business, every organization, is designed to achieve objectives. As an organization drives
toward objectives, it faces uncertain opportunities, uncertain obstacles, and mandatory and
voluntary obligations.

● Objective – a measurable outcome to achieve.

● Opportunity – an uncertain event that may, on balance, positively affect objectives.

● Obstacle – an uncertain event that may, on balance, negatively affect objectives.

● Obligation (also Boundary) – a requirement that an organization must or should address.


Managing Opportunities, Obstacles & Obligations


Addressing opportunities, obstacles, and obligations requires focus. By understanding each, a
balanced approach can be used to manage these perspectives.

Opportunities
Opportunities are generally associated with Reward, a measure of the positive, favorable effect of
uncertainty on objectives. Reward is often managed using Performance Management systems and
Key Performance Indicators (KPIs).

● Reward (also Performance) - A measure of the positive, favorable effect of uncertainty on
objectives.

● Performance Management - The act of managing processes and resources to pursue
reward while addressing risk.

● Key Performance Indicator (KPI) - Indicators designed to help govern, manage, and provide
assurance about performance.


Obstacles
Obstacles are generally associated with Risk, a measure of the negative, unfavorable effect of
uncertainty on objectives. Risk is often managed using Risk Management systems and Key Risk
Indicators (KRIs).

● Risk - A measure of the negative, unfavorable effect of uncertainty on objectives.

● Risk Management - The act of managing processes and resources to address risk while
pursuing reward.

● Key Risk Indicator (KRI) - Indicators designed to help govern, manage, and provide
assurance about risk.

Obligations
Obligations are generally associated with Compliance, a measure of the degree to which
obligations and requirements are addressed. Compliance is often managed using Compliance
Management systems and Key Compliance Indicators (KCIs).

● Compliance - a measure of the degree to which obligations are proven to be addressed.

● Compliance Management - the act of managing processes and resources to achieve the
desired level of compliance.

● Key Compliance Indicator (KCI) - Indicators designed to help govern, manage, and provide
assurance about compliance.

USAGE NOTE: Performance Management and KPIs are typically used to address opportunities and
reward. That said, KPIs may also be used more generally to address opportunities, obstacles and
obligations. In other words, Performance Management and the label “KPI” are sometimes used more
generally for “all types of performance” and “all types of indicators.”

This is consistent with the GRC notion of Total Performance and Principled Performance. Thus,
one might imagine using Key Total Performance Indicators (KTPIs) or Key Principled Performance
Indicators (KPPIs) to encompass ALL types of indicators, including “classic” performance
indicators and performance management systems.

Regardless of which approach is used to label indicators and management systems, it can be
helpful to understand these three perspectives of opportunities, obstacles, and obligations.


Governance, Management & Assurance


Beyond managing these perspectives, an organization must also govern and provide assurance
around performance (reward), risk, and compliance. Thus a complete picture of this approach is
the governance, management, and assurance of performance, risk, and compliance.

GRC and the GRC Capability Model guide the governance, management, and assurance of
performance (reward), risk, and compliance to reliably achieve objectives, address uncertainty,
and act with integrity.

Decisions & Error Correction


The GRC Capability Model is fundamentally about making better decisions. In several areas,
decision-making criteria are used so that decisions are more consistent and aligned with the
organization’s purpose.

● Decision-Making Criteria - the principles, values, rules, variables, conditions, targets,
tolerances, and other thresholds used to select an option or make a decision.

● Direction-Setting Criteria - criteria used to set the direction for the organization and its
objectives based on external/internal context, culture, and stakeholder needs.

● Objective-Setting Criteria - criteria used to set objectives and key results in accordance
with the organization’s direction.

● Identification Criteria - criteria used to identify opportunities, obstacles, and obligations
that stand in front of the organization and its objectives.


● Analysis Criteria - criteria used to analyze, quantify and select ways to address risk, reward,
and compliance.

● Design Criteria - criteria used to select actions & controls that address risk, reward, and
compliance.

“Reliably”
Principled Performance® requires an organization to reliably achieve objectives, address
uncertainty, and act with integrity.

Reliability applies to all other parts of the Principled Performance definition and means to:

● Reliably achieve objectives

● Reliably address uncertainty

● Reliably act with integrity

Reliability is all about being consistent, dependable, and transparent. And to be all these things,
GRC integrates the governance, management, and assurance of performance, risk, and
compliance.

Management & Governance Provide Reliability


Management and governance are economic functions that support each other. The difference
between the two is the relationship between the person doing the management/governance and
the thing being managed/governed.

● Management is the act of directly guiding, controlling, and evaluating an entity, process, or
resource by arranging and operating resources.

● Governance is the act of indirectly guiding, controlling, and evaluating an entity, process, or
resource by constraining and conscribing resources.

Management has direct contact with the thing being managed. Thus, managing something
involves direct actions & controls that arrange and operate resources. For example, a CIO has
direct contact with and control over the IT department. The CIO “manages” the IT department by
establishing policies and arranging resources to achieve departmental (and enterprise)
objectives.


Governance has an indirect influence over the thing being managed. Thus, governing something
involves indirect actions & controls that constrain and conscribe resources. For example, the
Board has indirect influence and control over the IT department. The Board may “govern” IT
resources by establishing policies and limits constraining what the CIO may do.

Sometimes, these economic functions overlap; and sometimes, it is unclear if an action or control
primarily serves a governance or management purpose. In fact, some actions & controls serve
both. Despite this ambiguity and potential overlap, it is helpful to distinguish between these two
economic functions so that both governance and management needs are addressed.

Assurance Provides Reliability


Those managing and governing the organization need to have confidence that what they BELIEVE
is happening, actually IS happening, and that it is working. Assurance provides this confidence to
management, the governing authority, and other stakeholders.

● Assurance - the act of objectively and competently evaluating subject matter to provide
justified conclusions and confidence that statements and beliefs about the subject matter
are true.

● Evaluate - the act of judging subject matter by comparing evidence against suitable
criteria.

● Subject Matter - identifiable statements, conditions, events, or activities for which there is
evidence.

● Suitable Criteria - benchmarks used to evaluate subject matter that yield consistent and
meaningful results.

● Information Consumer (also Information User) - an individual, group, or any entity that
receives information sent from any source within the organization. Information is utilized as
evidence to evaluate and compare against given criteria to provide a certain level of
assurance.

● Information Producer - an individual, group, or any entity that produces data/information to
send to another individual, group, or entity that requests such information for the purpose
of providing assurance.


Assurance is never absolute. It is common for GRC Professionals to specify a desired “level of
assurance” about some subject matter. The Level of Assurance about something is a function of
the Assurance Objectivity and Assurance Competence of the Assurance Provider.

● Assurance Provider - someone who conducts assurance activities.

● Objectivity - the degree to which an Assurance Provider can be impartial, disinterested,
independent, and free to conduct necessary activities and to form an opinion about the
subject matter.

● Competence - the degree to which an Assurance Provider can use sophisticated,
professional, and structured techniques to evaluate the subject matter.

A greater degree of Assurance Objectivity and a greater degree of Assurance Competence
generally result in a higher Level of Assurance.

● Level of Assurance - a measure of the degree of confidence that an assurance provider can
deliver to an information consumer about statements an information provider makes about
the subject matter.


Not everything requires a high level of assurance. For example, a manager in the sales department
may want “some” assurance that the way they conduct sales calls is sound. For this lower level of
assurance, they might call five colleagues in other companies and ask about their process, and
then use that information with the sales team to identify gaps.

The VP of sales, on the other hand, might want a “higher” level of assurance that all sales teams
are using best practices to conduct sales calls. This might entail hiring an outside expert, using a
vetted sales call maturity model, to conduct design and operational testing of controls used in the
sales process.

● Absolute Assurance - a level of assurance that is impossible to achieve.

● Reasonable Assurance - a special type of assurance, provided by external auditors as part
of a financial audit or examination, that subject matter conforms to suitable criteria and is
free from material error.

● Limited Assurance - a level of assurance resulting from reviews, compilations, and other
activities performed by competent personnel who are sufficiently objective about the
subject matter.

● Lower Assurance - a more limited level of assurance resulting from activities such as
self-assessments and benchmarking performed by the personnel responsible for the
subject matter.

The terms "independent" or "independence" are occasionally used in reference to assurance to
emphasize the importance of the structural or reporting relationship between the assurance
provider, the information producer, and the information consumer. The notion is that the
assurance provider should have a structurally independent status to enhance objectivity. This
means that the assurance provider must not report to the information producer, or must at least
have a “dual reporting” relationship to an organizational unit outside of the information producer,
to reduce conflict.

However, independence alone does not guarantee objectivity; it is simply a means to achieve it.
Therefore, a GRC Professional must recognize that independence is a tool to achieve objectivity.
Independence is not synonymous with objectivity, and may not be recommended given a target
level of assurance.


For example, when a high level of assurance is desired (e.g., evaluating internal control over
financial reporting), it may be beneficial for the assurance provider to be fully independent of the
information producer. When a lower level of assurance is desired (e.g., benchmarking one’s own
work), independence may not be required or recommended.

Hence, it is important to note that independence should not be confused with objectivity. While
they are related concepts, independence alone does not guarantee objectivity and is not always
recommended.


Lines of Accountability™ (LoA™) Provide Reliability


The Lines of Accountability Model™ helps organizations identify structures and processes that
facilitate the governance, management, and assurance of performance, risk, and compliance by
focusing on the contribution each “line” makes to producing value and preserving value.

● First Line - Individuals and Teams that own and manage performance, risk, and compliance
associated with day-to-day operational activities.

● Second Line - Individuals and Teams that establish performance, risk, and compliance
programs for the First Line. The Second Line may include an organizational service center or
staff within risk, compliance, HR, internal audit, and technology departments. The Second
Line provides oversight through frameworks, standards, policies, tools, and techniques to
support the First Line. The Second Line often manages its own portfolio of objectives and
associated performance, risk, and compliance. The Second Line may provide limited
assurance over First Line activities, depending on the objectivity and competence related
to the subject matter.

● Third Line - Individuals and Teams that provide a high level of assurance on activities
performed by the First Line and Second Line. The Third Line may include internal audit,
external audit, or outside experts who are sufficiently objective and competent. The level
of assurance possible depends on the objectivity and competence related to the subject
matter.

● Fourth Line - The Executive Team is accountable and responsible for the organization-wide
performance, risk, and compliance. The Fourth Line gains information from the First Line
and the Second Line and assurance from the Third Line to make decisions about managing
performance, risk, and compliance.

● Fifth Line - The Governing Authority (Board) is ultimately accountable and responsible for
the governance, management, and assurance of performance, risk, and compliance. While
the governing authority may choose to delegate, this plenary accountability means that
the governing authority must use due care to ensure that the right systems are in place to
learn about and address important issues – especially those that present “red flags.”

The lines of accountability are not static and should be used according to the unique needs of an
organization.

For example, the Third Line isn’t the only line of accountability that can provide assurance.

Assurance on First Line activities may be provided by the Second Line so long as the activities
under examination were not designed or performed by the Second Line. This depends on the
degree of Assurance Objectivity and Assurance Competence the Second Line personnel have
relative to the subject matter and the desired Level of Assurance.

Likewise, the First Line may conduct assurance activities over a third party (vendor) it engages to
perform day-to-day operational activities.

Also, recall that many concepts in the GRC Capability Model are fractal. While the Lines of
Accountability Model is presented using five lines, the reality is that organizations comprise
unique and idiosyncratic arrangements of people, processes, information, and technology.


A sole proprietor may “physically” have just one “line” in their organization – namely, themselves.
Despite this arrangement, the Lines of Accountability Model may be applied by thoughtfully
segregating activities in time and space by just one person.

For example, the sole proprietor may perform daily bookkeeping with an aim toward efficiency and
accuracy (first line). Then, once a month, and though not completely objective, this same person
may perform “desk checking” and review of their own work (second line). Quarterly, they may
conduct some strategic planning and review (fourth line). A meticulous sole proprietor may even
take a weekend at the end of the year to trace transactions to perform assurance activities (third
line) before preparing materials for an external auditor. And being a board member (fifth line), this
same person may perform some “ultimate accountability” activities by filing the annual report to
keep the organization in good standing with the tax authority.

Contrast this with a global enterprise with many business units and dozens of lines of
accountability with varying degrees of scope and scale. Each business unit may have multiple lines
of accountability, providing varying degrees of service to other departments and business units.

Hence, every organization will have a unique arrangement of the Lines of Accountability based on
the size, scope, and preferences of the board and executive management. What is critical is that
the arrangement helps the organization be reliable.


“Achieve Objectives”
Principled Performance® requires an organization to reliably achieve objectives, address
uncertainty, and act with integrity.

Everything in GRC flows from objectives – and objectives flow from the expectations of
stakeholders.

Objectives should be clearly defined at multiple levels and timescales, linked with one another,
and cascaded throughout the organization. Objectives must be intentional. Accidental
achievement does not count toward Principled Performance.

Objectives work with Indicators to be specific, measurable, achievable (yet aspirational), relevant,
and timebound (SMART Criteria).

Stakeholder Needs & Wants


There are several categories of stakeholders which have various needs and wants that drive
stakeholder expectations. These expectations inform the mission, vision, and objectives of the
organization.

● Stakeholder - a self-legitimizing person, group, or other entity with a direct or indirect
stake in the organization's actions because of actual or perceived impact.

● External stakeholders - stakeholders with an external influence on the organization:

○ Customers (the most important external stakeholder),

○ Shareholders (fractional owners who are not involved in the organization),

○ Creditors and lenders,

○ Suppliers,

○ Underwriters,

○ Government,

○ Non-governmental organizations,

○ Media, and


○ Society.

● Internal stakeholders - stakeholders with an internal influence from within the
organization:

○ Personnel (and unions that represent the workforce),

○ Managers,

○ Executives,

○ Board members, and

○ Owners (owners who are involved in the organization).

● Customer - A special type of external stakeholder. Every organization exists to serve a
customer, and it is the customer who judges value. For commercial enterprises, a customer
is an individual or entity that purchases products or services. For departments or teams,
the customer may include a superior, subordinate, or peer organizational unit. For
governmental entities, the customer is a constituent or regulated entity. In any case, the
customer judges whether the organization is producing, protecting, or destroying value.

An organization must balance the expectations of these diverse stakeholders – especially when
stakeholder expectations are in conflict.

● Stakeholder Expectation - a general term that refers to what a stakeholder requests,
wants, needs, or expects from the organization.

Objectives & Objective-Setting


An organization sets objectives to address stakeholder needs and wants.

In the most general sense, an objective is simply something to achieve. And this “something” may
be at any timescale, may apply to any level of the organization, or may apply to a topic or theme.

● Objective - a measurable outcome to achieve (“something to achieve”)

● Indicator - a measure of progress toward or status of an objective


Objectives should be memorable, qualitative descriptions of what the organization wants to
achieve. Objectives should be short, inspirational, and engaging. Indicators measure progress
toward or status of an objective.

Sometimes, modifiers indicate a specific department or topic for the objective, such as
Compliance Objective or Reporting Objective. Sometimes, modifiers indicate a specific timescale
for the objective, such as Annual, Quarterly, Monthly, or Daily objectives.

Sometimes, modifiers are added to an objective to indicate superior or subordinate importance,
such as Strategic Objective versus Tactical Objective or Operational Objective.

Note that one organizational unit’s “strategic objective” may be another unit’s “tactical objective.”
For example, a compliance department might have a strategic objective called “Improve
Compliance Program Coverage” to make sure that all relevant compliance areas have been
addressed. While a compliance program and its coverage are incredibly important for the
enterprise, this objective might be just one of many tactics the organization uses to meet an
Enterprise Objective called “Enhance Integrity.”

Sometimes, modifiers indicate a specific level of the organization:

● Enterprise Objective

● Department Objective

● Team Objective

● Individual Objective

Often, though not always, objectives at superior levels of the organization are associated with a
longer timescale. Thus, Enterprise Objectives are often Enterprise Long-Term Strategic
Objectives, and Department Objectives are often Department Near-Term Tactical Objectives.

The use of modifiers doesn’t change the fundamental nature of an objective – namely, “something
to achieve.”


Writing Objectives
Well-written objectives comprise a specific verb and a noun (object of the verb). Using simple and
direct language facilitates understanding and alignment.

Often, objectives are written to inspire progress using verbs such as “increase,” “decrease,” or
“improve,” or “enhance.” Achieving these objectives will “Change the Organization (CTO)” in some
way – and produce new value.

● Increase Revenue

● Grow Customer Base

● Increase Recurring Revenue

● Increase Scale of System Performance

● Increase Efficiency of XYZ

● Increase Effectiveness of XYZ

● Increase Responsiveness of XYZ

● Increase Resilience of XYZ

Sometimes, objectives are written to “maintain” or “Run the Organization (RTO).” RTOs allow an
organization to maintain what it has achieved – and preserve existing value.


Though seemingly boring or less inspirational, understand that RTOs are critical to managing the
organization and keeping the trust of stakeholders (especially customers). Think of RTOs as the
objectives related to service-level agreements or promises to stakeholders.

● Maintain High Customer Satisfaction

● Manage Debt Covenant Requirements

● Maintain Sales Lead Volume

● Maintain Conversion Rate

RTOs are often the source of future “Change the Organization” objectives. For example, a
customer service department may begin with a Run the Organization (RTO) objective of “Maintain
High Customer Satisfaction” and use Net Promoter Score as an indicator. If the indicator falls
outside the target, appetite, tolerance, or capacity, then “Change the Organization” objectives
may be defined in a subsequent period to resolve issues and elevate performance, such as:

● Improve Customer Satisfaction

● Improve Customer Loyalty

● Reduce Customer Support Hold Time

Change the Organization and Run the Organization objectives work together to align the
workforce with the Mission, Vision, Values, and Strategic Goals that:

● Produce New Value

● Preserve Existing Value

● Increase Accountability & Transparency

Ownership
Each objective must have a clear accountability structure. A single, ultimate owner should be
assigned to each objective, and provided with the necessary resources and authority to ensure its
successful achievement.

Allocating ownership to multiple people may result in ambiguity and should be avoided.


For example, the Maintain Customer Satisfaction objective could belong to both the customer
service department and the Executive Team. However, regardless of where that
objective appears, a single, ultimate owner should be assigned to the success and status of the
objective. In this instance, the Executive Team may monitor the indicators associated with
“Maintain Customer Satisfaction,” but the customer service department would likely have
ownership and resources to meet the objective.


Mission & Vision


Mission & Vision are special objectives that apply to all levels of the organization, and represent
the longest-term view of what the organization strives to achieve. Mission & Vision are part of the
organization’s overall Direction and purpose.

● Mission: An objective that states who the organization serves, what it does, and what it
hopes to achieve today and in the long term. The mission statement is often used to guide
decision-making and priority-setting within the organization, and serves as a clear and
consistent statement of its overall purpose and direction.

● Vision: An aspirational objective that states what the organization aspires to be and why it
matters. The vision is often used to inspire and motivate employees, stakeholders, and
customers and serves as a guidepost for long-term strategic planning.


Strategic Goals
Strategic Goals are long-term objectives that reflect the strategic themes and priorities of the
organization. Strategic Goals are part of the organization’s overall Direction and are used by
executive management and the board to guide the overall enterprise.

Strategic Goals should balance different perspectives or areas of focus. One popular framework,
the Balanced Scorecard, typically includes four strategic perspectives: financial, customer,
internal processes, and learning and growth.

Regardless of which framework or model is used, it is important to balance short-term and
long-term timescales, financial and non-financial goals, and goals related to stakeholders,
customers, internal processes, and learning and growth.

Alignment
It is important for objectives to align throughout the organization. Superior-level objectives
should “cascade” to subordinate units to ensure that subordinate units contribute to the most
important objectives and priorities of the organization. Changes in superior-level objectives
should trigger changes in subordinate-level objectives.

That said, this is bi-directional.

Daily progress and feedback gathered on subordinate-level objectives bubbles up and updates
superior-level objectives. For example, progress that is slower or quicker at a subordinate level
might indicate that the superior-level objective is in jeopardy or not being achieved or that the
objective is in error.


Mapping
Besides cascading down and bubbling up objectives, it is helpful to map objectives to one another.
Mapping shows how (or at least if) objectives impact one another. This means mapping not only
UP to superior units and DOWN to subordinate units but also ACROSS the organization to peer
units and DIAGONALLY to superior and subordinate units in other areas of the organization.

Sophisticated mapping quantifies how objectives influence one another. For example, an
enterprise objective may cascade to objectives in separate subordinate units (Unit A and Unit B).
The mapping may conclude that Unit A influences the enterprise objective by 75% and Unit B by
25%. Understanding this relative influence helps to allocate resources to achieve enterprise
objectives.


Visibility
Superior units do not need visibility over all of the objectives of subordinate units and vice versa.
Sometimes, objectives can and should be localized to a single organizational unit.

For example, a strategic goal (enterprise objective) E1 may map to several other Enterprise
objectives E2, E3, and E4. Suppose that E2 cascades to Department A’s objective DA1. Within the
department, DA1 is mapped to DA2, DA3, and DA4. In this way, the Executive Team at the Enterprise
Level has visibility into department objective DA1 but doesn’t necessarily need to (or want to) have
visibility into the other department objectives.

Further, suppose that E4 cascades to Department A and Department B, linking to DA4 and DB1. In
this instance, DA4 and DB1 are visible at the enterprise level. And, because these departments
contribute to the same superior-level objective, their activities are coordinated to deliver value to
the organization.

In this situation, the enterprise level would only have visibility into DA1, DA4, and DB1. The other
subordinate-level objectives are things that do not directly map to the enterprise level.


Indicators
Indicators measure progress toward or status of objectives. Indicators must be linked to at least
one and potentially multiple objectives.

● Indicator - a measure of progress toward or status of an objective.

● Leading Indicator - an indicator that provides information about future events or
conditions.

● Lagging Indicator - an indicator that provides information about past events or conditions.

Writing Indicators
A well-written indicator includes:

● Title - Descriptive name for the indicator

● Metric - Quantitative measure or standard

● Current Value

● Target Value for this period

● Starting Value at the beginning of this period

Using a Customer Satisfaction example, an objective and its indicator might be elaborated as:

● OBJECTIVE: Enhance Customer Satisfaction

○ Title: Customer Satisfaction Rating (NPS)

■ Metric: Net Promoter Score (NPS)

■ Current Value: 82

■ Target Value (this month): 85

■ Starting Value (this month): 79

Types of Indicators
Indicators measure several aspects of progress or status associated with an objective:


● Key Performance Indicator (KPI) - Indicators that help govern, manage, and provide
assurance about performance related to an objective.

● Key Risk Indicator (KRI) - Indicators that help govern, manage, and provide assurance about
risk related to an objective.

● Key Compliance Indicator (KCI) - Indicators that help govern, manage, and provide
assurance about compliance related to an objective.

Not every objective needs performance, risk, and compliance indicators. Some objectives and
areas of the organization may only require KPIs.

For example, an organization that has a strategic goal to “Create Loyal Customers” will formulate
objectives and indicators such as:

● STRATEGIC GOAL: Create Loyal Customers

○ OBJECTIVE: Enhance Customer Satisfaction

■ KPI: Net Promoter Score (NPS) provides a lagging indicator of customer
satisfaction and loyalty.

■ KRI: Number of Customer Complaints provides a leading indicator that might
result in a reduction of NPS or other problems, especially if this value is high
or increasing.

○ OBJECTIVE: Increase Long-Term Contracts

■ KPI: Customers on Long Term Contracts provides a lagging indicator of how
many customers are on the new long-term contracts.

■ KCI: % Customers on Long Term Contracts Consent is a lagging indicator that
tracks whether or not the customer consented to enter into a new long term
contract.

○ OBJECTIVE: Meet & Maintain Service Levels

■ KCI: Website Uptime Score

■ KCI: Website Speed Score


In this last part of the example, note that Website Uptime and Website Speed Score are classified
as Key Compliance Indicators because, in this instance, the objective is to Meet & Maintain Service
Levels. The Indicators are NOT being used for improving performance or to Change the
Organization (CTO). Rather, they are being used to Run the Organization (RTO) and to meet the
service level agreements.

But remember, well-written Indicators also include target and timescale. Some objectives and
indicators require additional sophistication and use ranges for appetite, tolerance, and capacity.


Targets, Appetite, Tolerance & Capacity


All indicators should detail a target value and timescale within which the target is expected to be
met. Sometimes, it is helpful to define the acceptable upper and lower range of appetite,
tolerance, and capacity related to the target.

● Target - An expected or planned value for an indicator.

● Timescale - The expected or planned time frame to meet a target.

● Appetite - A range that defines a preferred level of variation around a target.

● Tolerance - A range that defines an acceptable, though not preferred, level of variation
around a target the organization is willing and able to address.

● Capacity - A range that defines the absolute level of variation around a target that the
organization is unwilling and unable to address, and which may result in jeopardy or ruin.

Appetite is a narrow range of variation around the target that defines limits to what the
organization prefers as it drives toward objectives. Tolerance is a wider range around the target
that defines limits to what the organization is willing and able to address. Capacity is the most
extreme range, defining limits beyond which the organization is unable to respond, and which may
result in jeopardy or ruin.


Values within the appetite typically don’t trigger a response from the organization. They represent
“business as usual.” Values beyond the appetite but within the tolerance typically trigger planned
responses to bring the organization back within the appetite. Values beyond the tolerance often
trigger significant responses either to bring the organization back within tolerance (ideally back
within appetite) or to cease operations. The most important purpose of this response is to avoid
reaching the limits of capacity – and to avoid jeopardy or ruin.

One-Sided Indicators
Not all indicators require this sophistication. And some indicators are practically “one-sided,”
having only an upper or only a lower limit for appetite, tolerance, and capacity.

For example, there is typically no upper limit for Customer Satisfaction. The higher, the better. So,
in this case, there might only be lower limits set for appetite, tolerance, and capacity. That said,
having 100% of customers rating 100% customer satisfaction should raise suspicions – so even
this example suggests that certain limits may help identify potential problems.

Take the indicator of Customer Complaints. For this, there is no real lower limit. Ideally, this number
will be as low as possible, so upper limits may be the only ones defined. And a total lack of
customer complaints may indicate problems with the people, process or technology designed to
identify and address customer complaints.


When an indicator is “one-sided,” consider thinking about targets and limits as:

● Committed Value: a value that is likely to be achieved given current assumptions and
planned execution. When used, this is synonymous with Target.

● Best Possible Value: a value that is likely to be achieved under the best possible
assumptions and best possible execution.

● Stretch Value: a value that is unlikely to be achieved but still possible.

In the example of Customer Service:

● OBJECTIVE: Enhance Customer Satisfaction

○ INDICATOR: Customer Satisfaction Rating (NPS), Monthly

■ COMMITTED TARGET (this month): 80

■ TARGET RANGE: 78 - 82

■ BEST POSSIBLE: 85

■ STRETCH VALUE: 90

■ TOLERANCE: <78 thru 60 triggers response

■ CAPACITY: <60 triggers jeopardy and extreme response
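The Customer Satisfaction example above, worked as an evaluator for one-sided indicators. This is an added example, not OCEG's code: the NPS limits are the ones listed above, while the Customer Complaints limits, the monthly readings, and the zone names are constructed for illustration. It also generalizes to "lower is better" indicators and to the "too good to be true" check the text mentions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class OneSidedIndicator:
    """Limits for a one-sided indicator: only one direction is unfavorable.

    higher_is_better=True  -> limits are floors (e.g. a satisfaction score)
    higher_is_better=False -> limits are ceilings (e.g. a complaint count)
    target_range is the appetite band; its edge on the unfavorable side is
    where tolerance begins, and capacity_limit is where jeopardy begins.
    """
    name: str
    higher_is_better: bool
    target: float                       # committed value
    target_range: Tuple[float, float]   # appetite band (low, high)
    capacity_limit: float               # beyond this: jeopardy, extreme response
    best_possible: Optional[float] = None
    stretch: Optional[float] = None
    suspicious_value: Optional[float] = None  # "too good", e.g. 100% or zero

    def _worse_than(self, value: float, limit: float) -> bool:
        # Below a floor, or above a ceiling, depending on orientation.
        return value < limit if self.higher_is_better else value > limit

    def classify(self, value: float) -> dict:
        low, high = self.target_range
        appetite_edge = low if self.higher_is_better else high
        if self._worse_than(value, self.capacity_limit):
            zone, response = "capacity_breach", "jeopardy: extreme response"
        elif self._worse_than(value, appetite_edge):
            zone, response = "tolerance", "trigger response to return within appetite"
        elif low <= value <= high:
            zone, response = "target", "none"
        else:
            zone, response = "better_than_target", "none"

        milestones: List[str] = []
        for label, limit in (("best_possible", self.best_possible), ("stretch", self.stretch)):
            if limit is not None and not self._worse_than(value, limit):
                milestones.append(label)

        flags: List[str] = []
        if self.suspicious_value is not None and value == self.suspicious_value:
            flags.append("suspicious: verify the measurement and the process that produces it")
        return {"indicator": self.name, "value": value, "zone": zone,
                "response": response, "milestones": milestones, "flags": flags}


# The NPS limits are those of the example above; the complaint limits and the
# monthly series are constructed for illustration.
NPS = OneSidedIndicator("Customer Satisfaction Rating (NPS)", True, target=80,
                        target_range=(78, 82), capacity_limit=60,
                        best_possible=85, stretch=90, suspicious_value=100)
COMPLAINTS = OneSidedIndicator("Customer Complaints", False, target=20,
                               target_range=(15, 25), capacity_limit=60,
                               suspicious_value=0)


def review_series(indicator: OneSidedIndicator, values: List[float]) -> List[dict]:
    """Classify each periodic reading and keep only those needing attention."""
    results = [indicator.classify(v) for v in values]
    return [r for r in results if r["response"] != "none" or r["flags"]]


if __name__ == "__main__":
    for r in review_series(NPS, [81, 79, 72, 58, 91, 100]):
        print(r)
    for r in review_series(COMPLAINTS, [18, 27, 0]):
        print(r)
```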

“Address Uncertainty”
Principled Performance requires an organization to reliably achieve objectives, address
uncertainty, and act with integrity.

Uncertainty can arise from various sources, including incomplete data, conflicting information,
unpredictable circumstances, and unknown future developments. It is an inherent part of
everyday life. Addressing uncertainty involves making decisions based on incomplete or imperfect
information, weighing the risk and reward of different options, and adapting to changing
circumstances as new information becomes available.

Addressing uncertainty is about making decisions about potential opportunities and obstacles
that may arise while pursuing objectives. Decisions under uncertainty involve both upside and
downside – both favorable and unfavorable effects on objectives.

GRC Capability Model uses terms and definitions consistent with decision science and
quantitative methods. These disciplines use clear language to describe the upside and downside
of uncertainty.

● Uncertainty: A state of being unsure about something due to incomplete knowledge or
underlying randomness, making it difficult to understand with complete confidence.

● Opportunity (Prospect): an uncertain future event that may, on balance, have a positive
effect on objectives.

● Obstacle (Threat): an uncertain future event that may, on balance, have a negative effect
on objectives.

Cause & Consequence
Taking a step back, uncertainty can be illustrated simply by considering causes, events, and
consequences. A future, uncertain event (or condition) might have many causes. And, once the
event occurs, many consequences might follow.

The likelihood is a measure of the chance of an event occurring. The impact measures the
economic and non-economic consequences of the event. Taken together, the effect of
uncertainty on objectives is a function of the likelihood and impact of an event.

● Condition - a state of reality.

● Event - something that happens, including a behavior or change in condition.

● Cause (Source) - the trigger or potential trigger of events that lead to a consequence.

● Consequence - the outcome or potential outcome of an event.

● Effect - a measure that estimates the likelihood and impact of an event.

○ Likelihood - a measure that estimates the occurrence of an event.

○ Impact - a measure that estimates the consequence of an event.

In reality, this model of cause → event → consequence is more complex and fractal, involving
repeating events that cause other events and other events and so on.

Likelihood and impact are rarely (if ever) single values. When considering causes and
consequences, there are often distributions that are useful when using quantitative methods.
Distributions more realistically model situations such as, “It is more likely that a $1 problem will
occur but less likely that a $100 problem will occur.”

Not all distributions are the same, and each situation should consider using distributions that suit
situations: discrete versus continuous; bounded versus unbounded; parametric versus
nonparametric; and univariate versus multivariate.

Classifying the Effect of Uncertainty
Classifying the effect of uncertainty on objectives, and the underlying event, as either positive or
negative, is dependent on the objectives. Classification isn’t always easy or even possible. Events
may be ambiguous, with BOTH positive and negative consequences relative to objectives.

Positive
The positive, favorable effect of uncertainty on objectives is called reward. And the causes that
have the potential to eventually result in benefits are called prospects.

● Prospect - a cause that has the potential to eventually result in benefit.

● Opportunity - an event that may, on balance, have a positive effect on objectives.

● Benefit - a measure of the positive impact on the organization.

● Performance (Reward) - a measure of the positive, favorable effect of uncertainty on
objectives.

● Performance (Reward) Management - the act of managing processes and resources to
pursue reward while addressing risk.

Negative
The negative, unfavorable effect of uncertainty on objectives is called risk. And the causes that
have the potential to eventually result in harm/damage are called hazards or threats.

● Hazard - a cause that has the potential to eventually result in harm.

● Obstacle (Threat) - an event that may, on balance, have a negative effect on objectives.

● Harm (Damage) - a measure of the negative impact on the organization.

● Risk - a measure of the negative, unfavorable effect of uncertainty on objectives.

● Risk Management - the act of managing processes and resources to address risk while
pursuing reward.

Note that for both positive and negative circumstances, neutral language may be used to describe
causes, events, and consequences. But at times, it can be helpful to be more specific by using
specialized terminology.

Addressing the Situation
Addressing uncertainty means confronting reality and doing something about it. There are several
broad design options that an organization can use to address an opportunity, obstacle, or
obligation:

● Avoid Design Option - cease all activity or terminate sources that give rise to the
opportunity, obstacle, or obligation.

● Accept Design Option - embrace or concede to the situation with minor modifications and
awareness about the nature and level of risk/reward and compliance associated with the
opportunity, obstacle, or obligation.

● Share Design Option - outsource, joint venture, partner, buy insurance, or use other
financial instruments to address the opportunity, obstacle, or obligation (NOTE: TRANSFER
is a special case of SHARING where an attempt is made to give close to 100% of
consequence to another party such as an insurance company).

● Control Design Option - implement actions and controls that govern and manage the
opportunity, obstacle, or obligation according to its nature:

○ Opportunities
■ Promote the occurrence of the event or event causes
■ Detect the event as soon as possible
■ Compound consequences to accelerate the positive impact and benefit
○ Obstacles
■ Prevent the occurrence of the event or event causes
■ Detect the event as soon as possible and accelerate correction and recovery
■ Correct the event and reduce the negative impact
■ Recover from negative impact and harm
○ Obligations
■ Cover each requirement with at least one action and control
■ Layer multiple actions & controls to get appropriate depth
■ Detect adherence or violations (noncompliance) as soon as possible to
accelerate remediation

Controlling the Situation
An organization implements actions & controls to modify the inherent effect of uncertainty, to
realize a residual effect that is acceptable.

● Inherent Effect - the effect of uncertainty in the absence of actions & controls.

● Residual Effect - the effect of uncertainty in the presence of actions & controls.

The causes and consequences of risk and reward are addressed differently. In the case of reward,
the organization tries to promote favorable causes and compound benefits as soon as possible. In
the case of risk, the organization tries to deter and prevent causes and correct and recover from
harm as soon as possible.

Note that the binomial “actions and controls” is used because not everything is a control.
Sometimes a single action or decision is used to address a situation.

● Actions & Controls - Specific arrangements of people, processes, technology, or
information intended to modify risk, reward or compliance.

○ Proactive Actions & Controls promote favorable events and deter and prevent
unfavorable events.

○ Detective Actions & Controls detect the occurrence of favorable events and
unfavorable events.

○ Responsive Actions & Controls compound the effect of favorable events, and
correct and recover from unfavorable events.

And, while true for both risk and reward, it is most common to use inherent and residual
terminology when talking about risk.

● Inherent Risk - the level of risk in the absence of actions & controls.

● Residual Risk - the level of risk in the presence of actions & controls.
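The inherent/residual distinction and the likelihood-and-impact-distribution view described above, worked as a small quantitative model. This is an added example, not OCEG's code: the event, its annual probability, the lognormal impact distribution, and the control reduction percentages are all constructed; proactive actions & controls are modelled as reducing likelihood and responsive ones as reducing impact, which is the split the text draws.

```python
import math
import random
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class EventModel:
    """Likelihood and impact of one uncertain event (all values constructed).

    Likelihood: probability the event occurs at least once in a year.
    Impact: lognormal loss given occurrence, so small losses are more
    likely than large ones, as the text describes.
    """
    annual_probability: float
    impact_median: float   # dollars lost in a "typical" occurrence
    impact_sigma: float    # spread of the lognormal impact distribution

    def expected_loss(self) -> float:
        # Mean of a lognormal with mu = ln(median) is exp(mu + sigma^2 / 2).
        mean_impact = math.exp(math.log(self.impact_median) + self.impact_sigma ** 2 / 2)
        return self.annual_probability * mean_impact

    def simulate(self, years: int, seed: int) -> List[float]:
        """Annual loss for each simulated year; 0.0 when the event does not occur."""
        rng = random.Random(seed)
        mu = math.log(self.impact_median)
        losses = []
        for _ in range(years):
            if rng.random() < self.annual_probability:
                losses.append(rng.lognormvariate(mu, self.impact_sigma))
            else:
                losses.append(0.0)
        return losses


def apply_controls(inherent: EventModel, proactive_reduction: float,
                   responsive_reduction: float) -> EventModel:
    """Residual model: proactive A&C lower likelihood (prevent/deter), responsive A&C
    lower impact (correct/recover). Detective A&C are what makes the responsive
    reduction achievable and are not modelled separately here."""
    for r in (proactive_reduction, responsive_reduction):
        if not 0.0 <= r <= 1.0:
            raise ValueError("reductions are fractions in [0, 1]")
    return EventModel(inherent.annual_probability * (1.0 - proactive_reduction),
                      inherent.impact_median * (1.0 - responsive_reduction),
                      inherent.impact_sigma)


def exceedance(losses: List[float], threshold: float) -> float:
    """Fraction of simulated years whose loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


# Constructed example: a data-loss event that occurs in half of all years with a
# median impact of $10,000; controls cut likelihood by 60% and impact by 50%.
INHERENT = EventModel(annual_probability=0.5, impact_median=10_000.0, impact_sigma=1.0)
RESIDUAL = apply_controls(INHERENT, proactive_reduction=0.6, responsive_reduction=0.5)


def compare(years: int = 20_000, seed: int = 7) -> dict:
    inh = INHERENT.simulate(years, seed)
    res = RESIDUAL.simulate(years, seed)
    return {
        "inherent_expected": INHERENT.expected_loss(),
        "residual_expected": RESIDUAL.expected_loss(),
        "inherent_mean_sim": sum(inh) / years,
        "residual_mean_sim": sum(res) / years,
        # "$1 problem likely, $100 problem less likely": exceedance falls with threshold
        "inherent_p_over_100": exceedance(inh, 100.0),
        "inherent_p_over_10k": exceedance(inh, 10_000.0),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:>22}: {v:,.2f}")
```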

“Act with Integrity”
Principled Performance® requires an organization to reliably achieve objectives, address
uncertainty, and act with integrity.

Reliably achieving objectives and addressing uncertainty is pointless unless the organization acts
with integrity – addressing its obligations to operate within mandatory and voluntary boundaries.

One way to think about integrity is to consider it as a ratio of Promises Kept divided by Promises
Made. The more Promises Kept, the closer this ratio is to 1 or 100%.

● Integrity - The state of being whole and complete by fulfilling obligations, honoring
promises, and cleaning up the mess if a promise is broken.

● Obligation (also Boundary) - a requirement that an organization must or should address
because of a promise, whether mandatory or voluntary.

○ Mandatory Obligation (Mandatory Requirement, Mandatory Boundary) - obligations
that an organization must address because of some legitimate authority (e.g., laws,
rules, regulations).

○ Voluntary Obligation (Voluntary Requirement, Voluntary Boundary) - obligations
that an organization chooses to address because of voluntary decisions (e.g.,
contracts, agreements, and values).

● Compliance - a measure of the degree to which obligations are proven to be addressed.

● Compliance Management - the act of managing processes and resources to achieve the
desired level of compliance.

Measuring compliance in a particular area must start with:

● Requirements

● Actions & controls to address requirements

● Evidence that actions & controls are effectively designed and operating.

Since compliance is a measure, there can be both lower and higher levels of compliance. A low
level of compliance means that a requirement is EITHER or BOTH:

● Not in fact, addressed by effective actions & controls

● Not in evidence, addressed by effective actions & controls

High level of compliance, on the other hand, means that a requirement is BOTH:

● In fact, addressed by effective actions & controls

● In evidence, addressed by effective actions & controls

Put more simply, high compliance requires that the requirement is not only addressed by effective
actions & controls, but that this fact has evidence to be true (documentation, records, etc.).
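The "in fact" and "in evidence" test above, worked as a compliance assessment over requirements, their actions & controls, and the evidence behind them. This is an added example, not OCEG's code: the three requirements are those of the anti-discrimination example in the Duality of Obligations section below, while the controls, their status and their evidence records are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    """One action or control, with its category and the evidence behind it."""
    name: str
    category: str                      # policy, people, process, technology, ...
    designed_effectively: bool         # design has been evaluated and found adequate
    operating_effectively: bool        # it actually runs as designed
    evidence: List[str] = field(default_factory=list)   # records, documentation

    def effective(self) -> bool:
        return self.designed_effectively and self.operating_effectively


@dataclass
class Requirement:
    text: str
    controls: List[Control] = field(default_factory=list)


def assess_requirement(req: Requirement) -> Dict:
    """'In fact' needs at least one effective control; 'in evidence' needs that
    control to be backed by records. High compliance requires both."""
    effective = [c for c in req.controls if c.effective()]
    in_fact = bool(effective)
    in_evidence = any(c.evidence for c in effective)
    gaps = []
    if not in_fact:
        gaps.append("not in fact addressed by effective actions & controls")
    if not in_evidence:
        gaps.append("not in evidence: no records prove the controls are effective")
    return {"requirement": req.text, "in_fact": in_fact, "in_evidence": in_evidence,
            "level": "high" if in_fact and in_evidence else "low", "gaps": gaps}


def compliance_measure(requirements: List[Requirement]) -> float:
    """Share of requirements at a high level of compliance, 0.0 to 1.0."""
    if not requirements:
        raise ValueError("an obligation needs at least one requirement to measure")
    return sum(assess_requirement(r)["level"] == "high" for r in requirements) / len(requirements)


# The requirements are those of the anti-discrimination example; the controls,
# their status and their evidence are constructed for illustration.
ANTI_DISCRIMINATION = [
    Requirement("Post anti-discrimination policy in a public location", [
        Control("Anti-harassment policy published on intranet and break-room board",
                "policy", True, True, evidence=["policy v3 PDF", "dated photo of posting"]),
    ]),
    Requirement("Train all hiring managers for two hours every two years", [
        # Training runs, but attendance is not recorded: in fact, not in evidence.
        Control("Biennial manager training", "people", True, True, evidence=[]),
    ]),
    Requirement("Train all employees for one hour every two years", [
        # Course exists in the LMS but has not been assigned yet: not in fact.
        Control("Workforce e-learning module", "technology", True, False,
                evidence=["LMS course record"]),
    ]),
]

if __name__ == "__main__":
    for r in ANTI_DISCRIMINATION:
        print(assess_requirement(r))
    print(f"compliance measure: {compliance_measure(ANTI_DISCRIMINATION):.2f}")
```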

Duality of Obligations
Obligations present a duality – one involving risk and the other involving compliance.

For example, take a mandatory obligation that a government imposes to “implement an
anti-discrimination policy and training program.” This obligation is rooted in the ethical principle of
“treat people fairly.” The obligation may have several requirements:

● Post anti-discrimination policy in a public location

● Train all hiring managers for two hours every two years

● Train all employees for one hour every two years

Complying with these requirements might involve actions & controls such as:

● Policy – Anti-harassment policy. Additions to the Code of Conduct.

● People – Schedule and conduct manager and workforce training.

● Technology - Implement policy management and education management systems.

But beyond compliance, there are also related “compliance-related risks” that must be addressed
– that is, the risk that someone in the organization will be mistreated or discriminated against.

This risk may be higher or lower than other organizations based on the unique features of the
organization. If the risk of discrimination is assessed as low, the organization may decide that
mere “compliance” with the mandatory obligations is adequate. If the risk of discrimination is
higher, the organization may decide to enact additional actions & controls such as:

● Policy – Remove all names and dates from resumes to reduce inferences about race,
biological sex, and age.

● People – Enhance training with scenarios and reminders throughout the year.

● Process - Process hiring and promotion decisions through a centralized team to conduct
diligence on the hiring and promotion decision.

● Information – Make anti-discrimination one of the themes addressed in organizational
communications, including top executive communications.

● Financial - Purchase employment practices insurance.

Values in Action
Mandatory and voluntary boundaries are both important. But Values are an organization's most
important voluntary obligations. And putting values in action is key.

In some instances, acting contrary to organizational values may negatively impact the
organization much more than acting contrary to even mandated obligations. Stakeholders may
agree or disagree with any one particular mandate. And it is always possible that an organization
doesn’t know 100% of the mandatory obligations at a point in time.

However, unlike mandatory obligations, the organization voluntarily offers and expresses a
“promise” to stakeholders. The organization knows 100% of the values it expresses. Breaking this
voluntary commitment is sometimes more economically and reputationally damaging than missing
the mark on other commitments.

An effective organizational values statement can help to create a shared sense of purpose and
direction among the workforce, and can help to align the organization's actions and decisions with
its broader mission and goals.

In this way, Values work with Mission and Vision to describe the highest purpose of the
organization:

● Mission - A statement that describes who the organization serves, what it does, and what it
hopes to achieve today and in the long term.

● Vision - A statement that describes what the organization aspires to be and why it matters.

● Values - A statement about what the organization believes and stands for.

An organizational values statement typically reflects the shared beliefs and expectations of the
organization's leadership, employees, and stakeholders. It serves as a guide for establishing a
positive and productive organizational culture.

Organizational values statements can take many different forms, depending on the size, structure,
and mission of the organization. Some values statements may be short and simple, while others
may be more detailed and elaborate.

Examples of organizational values that may be included in a values statement could include
accountability, collaboration, innovation, respect, and customer service. These values may be
expressed through specific behaviors or actions.

Culture
Culture is important across all aspects of Principled Performance. But it plays a special role to help
the organization “act with integrity.” Various aspects make up the Culture, Climate, and Mindsets.
These aspects are defined for consideration when analyzing culture from different perspectives:

● Culture - is an emergent property of a group expressed in observable norms resulting from
the interaction of individual beliefs, values, and behaviors. (NEW: Culture is an emergent
property of a group of people caused by the interaction of individual beliefs, values,
mindsets, and behaviors and demonstrated by observable norms and articulated opinions
that shape beliefs, values, mindsets, and behaviors in wide-ranging and durable ways.)

● Mindsets - are individual perceptions about self, surroundings, and others – including
perceptions about culture, some aspect of culture, or some topical area.

● Climate - is the collective perception about self, surroundings, and others – including
perceptions about culture, some aspect of culture, or some topical area.

● Norms - are customs, rules, or expectations that a group socially reinforces. There are two
types of norms:

○ Prescriptive Norms encourage behavior the group deems positive (e.g., “be honest”)

○ Proscriptive Norms discourage behavior the group deems negative (e.g., “do not
cheat”)

● Beliefs - are unobservable ideas and assumptions of a person or group, often caused by
experience, perception, and personality.

● Values - are principles that a person or group deems important, usually because of beliefs.

● Behaviors - are observable actions of a person or group of people, informed by beliefs and
values. There are three types of behaviors:

○ Voluntary Behaviors are intentional human actions informed by beliefs and values
and governed by free will and discipline.

○ Habitual Behaviors are semi-automatic human actions informed by beliefs and
values and governed by free will and discipline.

○ Involuntary Behaviors are automatic, often instinctual human actions informed by
beliefs and values and governed by nature.

Integrated Action & Control Model™ (IACM™)
The Integrated Action & Control Model™ (IACM™) provides a structure to consider the purpose
and types of actions & controls used for the governance, management, and assurance of
performance, risk, and compliance.

The IACM uses a simple construct of “before, during, and after” and “favorable and unfavorable
events” that apply across opportunities, obstacles, and obligations to:

● Decrease the effect (likelihood and impact) of unfavorable events and behaviors.

● Increase the effect (likelihood and impact) of favorable events and behaviors.

Favorable and unfavorable events relate to opportunities, obstacles, and obligations. For example:

● Opportunities

○ Favorable events: increase the ultimate likelihood and impact of benefit.

○ Unfavorable events: decrease the ultimate likelihood and impact of benefit.

● Obstacles

○ Favorable events: decrease the ultimate likelihood and impact of harm.

○ Unfavorable events: increase the ultimate likelihood and impact of harm.

● Obligations

○ Favorable events: decrease the ultimate likelihood and impact of violations.

○ Unfavorable events: increase the ultimate likelihood and impact of violations.

The use of “ultimate” in these definitions indicates that there may be a complex chain of events
that results in ultimate benefit/harm/violations.

For example, take an ambiguous event called “Senior Executive Quits.” On the surface, this event
may be construed as an obstacle that would result in harm of “Lost knowledge, relationships and
the potential to cascade worry into the team.” Digging into the many causes reveals hazards that
are unfavorable such as “Non-competitive compensation.” Things that ought to be prevented.

However, further analysis may indicate that “Senior Executive Quits” may also provide benefits.
Hiring a new person for the job from the outside provides “New ideas and relationships.” Promoting
an existing team member provides career advancement opportunities and hope for others.

What appeared to be a simple and straightforward example of something to be avoided turns into
a more robust picture:

Before

● Promote/Enable

○ Promote executive careers beyond the organization with “job search” programs

○ Promote a culture where “moving on” is viewed as graduating instead of leaving

● Prevent/Deter

○ Deter quitting by ensuring compensation plans are always within benchmarks

○ Deter quitting by implementing feedback systems to learn about shortcomings
before they escalate

After

● Compound/Amplify

○ Recognize executives and employees who recently became “alumni”

○ Recognize alumni for many months and years with periodic communications

○ Accelerate “New Ideas” by pausing existing work for 2 weeks to adjust to new
situation

● Correct/Recover

○ Attempt to retain senior executive with lateral or other opportunities

○ Allow team left behind to pause existing work one week to adjust to new situation

○ Recover from relationship loss by connecting with former executive’s key accounts

Action & Control Types
Action and control types aim to be proactive, detective and responsive to address opportunities,
obstacles and obligations.

● Proactive Actions & Controls prevent unfavorable events before they happen and promote
favorable events. Proactive actions & controls include:

○ Prevent/Deter Actions & Controls decrease the likelihood of unfavorable events.

○ Promote/Enable Actions & Controls increase the likelihood of favorable events.

● Detective Actions & Controls detect the occurrence of favorable and unfavorable events.

● Responsive Actions & Controls compound/accelerate the benefits of favorable events and
correct/recover from the harm of unfavorable events. Responsive actions & controls
include:

○ Compound/Accelerate Actions & Controls accelerate and compound the impact of
favorable events to increase benefits and promote future occurrence.

○ Correct/Recover Actions & Controls slow down or decrease the impact of
unfavorable events, and return the organization to its original state, stable state, or
superior state after harm has occurred to minimize harm and prevent future
occurrences.

Action & Control Categories
Policy, people, process, physical, informational, technological, and financial actions & controls
represent the full range of action & control categories.

● Policy – formal statements and rules about organizational intentions and expectations.

● People – human factors, including structure, accountability, education, and enablement.

● Process - how/when to perform activities and where/who to assign accountability.

● Physical – infrastructures such as facilities and other structures.

● Information – communications up, down, and across the organization.

● Technology - hardware and software systems that facilitate other categories.

● Financial - insurance, captives, hedging, reserves, or other financial instruments.

Action & Control Techniques
Action and control techniques are within and may span multiple categories.

For example, “segregation of duties” is a technique that spans multiple categories (and may be
considered multiple controls). Segregation of duties:

● structures “people” in a way that specifies who can / cannot perform certain tasks;

● is often articulated in a “policy” outlining roles and responsibilities; and

● is embodied in “technology” access controls.
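The segregation of duties technique above, worked as the “technology” embodiment that enforces a “policy” of conflicting duties over a “people” structure of roles. This is an added example, not OCEG's code: the conflicting duty pairs, the roles, and the user assignments are constructed for illustration. It shows both a detective use (auditing existing assignments) and a preventive use (refusing a grant that would create a conflict).

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Policy layer (constructed): pairs of duties that one person must never hold together.
CONFLICTING_DUTIES: Set[FrozenSet[str]] = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"request_access", "approve_access"}),
    frozenset({"deploy_to_production", "approve_change"}),
}

# People layer (constructed): what each role is allowed to do.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "developer": {"write_code", "request_access"},
    "release_manager": {"deploy_to_production"},
    "change_board": {"approve_change"},
    "iam_admin": {"approve_access"},
}


def duties_for(roles: Set[str]) -> Set[str]:
    """Union of duties granted by a set of roles; unknown roles grant nothing."""
    duties: Set[str] = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def conflicts_in(duties: Set[str]) -> List[Tuple[str, str]]:
    """Conflicting duty pairs present in one person's effective duties, sorted."""
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_DUTIES if pair <= duties)


def audit(assignments: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Detective control: review all current user-role assignments for SoD violations."""
    found: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in assignments.items():
        c = conflicts_in(duties_for(roles))
        if c:
            found[user] = c
    return found


def can_grant(current_roles: Set[str], new_role: str) -> Tuple[bool, List[Tuple[str, str]]]:
    """Preventive control: refuse a role grant that would introduce a new conflict."""
    before = conflicts_in(duties_for(current_roles))
    after = conflicts_in(duties_for(current_roles | {new_role}))
    introduced = [pair for pair in after if pair not in before]
    return (not introduced, introduced)


# Constructed assignments: alice accumulated both sides of the vendor/payment duty.
ASSIGNMENTS = {
    "alice": {"ap_clerk", "ap_manager"},
    "bob": {"ap_clerk"},
    "carol": {"developer", "release_manager"},
}

if __name__ == "__main__":
    print(audit(ASSIGNMENTS))
    print(can_grant(ASSIGNMENTS["carol"], "change_board"))
```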

Action & Control Orientation
When designing actions & controls, an organization should consider the governance,
management, and assurance orientations.

Management actions & controls should be the primary focus when designing an approach. If, and
only if, management actions & controls are insufficient for governance and assurance purposes
should additional actions & controls be considered.

● Management Actions & Controls are required for management to address opportunities,
obstacles, and obligations. Management actions & controls comprise most of the work
performed by the organization. Whenever possible, management actions & controls should
be used by both the governing authority and assurance personnel to avoid unnecessary
complexity and duplication.

● Governance Actions & Controls are additional controls beyond management controls that
assist the governing authority in constraining and conscribing the organization. Additional
governance actions & controls are added when management actions & controls do not
provide enough information or guidance to constrain and conscribe the organization.

● Assurance Actions & Controls are additional controls beyond management and governance
controls that assist assurance personnel to provide assurance services. Additional
assurance controls are added when management and governance actions & controls do
not provide sufficient information to assurance providers.

Part II - GRC Outcomes & Capabilities
The GRC Capability Model codifies the continuously improving body of knowledge about how GRC
works in an organization. It comprises four (4) components and twenty (20) elements that help an
organization ask and answer key questions such as:

● LEARN - Who are we? Where are we? What might affect us? Who do we serve? How will they
judge us? What is our business model?

● ALIGN - Where are we going? How will we get there? How will we address the opportunities,
obstacles, and obligations along the way?

● PERFORM - How proactive are we? How do we detect problems and progress? How do we
respond to favorable events and unfavorable events?

● REVIEW - Are we making progress? How confident are we? How can we improve?

U - Universal Outcomes
While every organization has a unique mission, vision, and values, every GRC Capability should
strive to help organizations realize these Universal Outcomes.

● U1. Achieve Objectives that Produce and Preserve Value: Ensure that strategy and
execution prioritize objectives to simultaneously produce value and preserve value.

● U2. Balance Risk and Reward: Ensure that opportunities and obstacles are adequately
addressed so that levels of performance and risk are acceptable.

● U3. Improve Culture: Establish a culture of total performance, accountability, integrity,
trust, and communication in all aspects of the organization.

● U4. Enhance Stakeholder Confidence: Provide assurance to stakeholders to continually
increase confidence in the organization’s mission, vision, values, and total performance.

● U5. Integrate and Improve Decision-Making: Integrate the governance, management, and
assurance of performance, risk, compliance, and decision-making.

● U6. Prevent, Detect, and Correct Undesired Conduct and Weaknesses: Establish actions &
controls to prevent, detect, recover from, and reduce the negative effect of events.

● U7. Promote, Detect, and Reward Desired Conduct and Strengths: Establish actions &
controls to promote, detect, increase, and compound the positive effect of events.

● U8. Sense and Respond to Context: Proactively make sense of, predict, and address
changes in the internal and external context to adjust strategy and tactics.

● U9. Improve Total Performance: Improve effectiveness, efficiency, agility, and resilience
with proactive, detective, and responsive actions & controls.

● U10. Honor and Express Values: Balance how the organization pursues total performance
while expressing and staying true to values, without sacrificing one for the other.

L – LEARN

Examine and understand stakeholders, the external context, the internal
context, and the culture of the organization to make sense of reality and
changes as they unfold.

Principled Performance® requires that an organization learn about and make sense of internal and
external realities as it strives to meet the needs of stakeholders.

The internal context and culture describe the capabilities and resources that the organization
uses to meet stakeholder needs. The external context represents the reality in which the
organization operates.

By making sense of internal realities, external realities, culture, and stakeholders, the organization
can shape the most appropriate direction, objectives, and approach to achieve Principled
Performance.

LEARN Component - Elements

Figure - LEARN Component Overview Diagram

LEARN Component Considerations

A. Learning about internal and external realities is a “sensemaking” process that aims to
understand reality so the organization can act.

B. External context, internal context, culture, and stakeholders are interrelated elements
without clear boundaries. The most important outcome is an understanding of the internal
and external factors and how these realities impact the organization.

C. External context and stakeholder needs are outside the organization’s direct control. Strive
to influence and shape these external realities over time.

D. Internal context and culture are, at least theoretically, under an organization's direct
control. Still, these internal realities require long-term planning to influence and shape.

E. Context, culture, and stakeholders are defined relative to the organization in scope. For
example, if the organization in scope is a single team, then the “external context” would
include all aspects outside of the team.

F. Even if the organization in scope is a subordinate unit (business units, departments, and
teams), it is important to understand the realities at the highest organizational unit (the
enterprise) as these realities cascade to subordinate organizational units.

G. Changes in context should be sensed and analyzed to determine why, what, when, and how
to change the organization.

H. It is crucial to understand what changes are important and which are mere distractions.

LEARN Component Measurement

● Effective. Do we have the capability to LEARN? Do we have the capability to understand
internal and external contexts? Do we have the capability to understand culture? Do we
have the capability to understand stakeholders? Do these capabilities operate as
designed?

● Efficient. How efficient is our use of capital to LEARN? How efficient is our use of financial
capital? Physical capital? Human capital? Information capital?

● Agile. When things change, how quickly do we RE-LEARN the context and culture?

● Resilient. Do we have appropriate depth and coverage to withstand stress? After stress, are
we more capable or less capable to LEARN?

L1 External Context

Examine and understand the external context in which the organization
operates.

Practices
1. Analyze External Context. Consider industry, market, political, economic, societal,
technology, legal, environmental, demographic, geopolitical, and other external factors
that may affect the organization.

2. Influence External Context. Identify external factors that the organization may attempt to
influence.

3. Assign External Factors. Assign accountability to individuals with authority and resources
to successfully analyze, influence, and sense external factors.

4. Sense External Context. Continually watch for and make sense of changes in the external
context that have a direct, indirect, or cumulative effect on the organization and notify
appropriate personnel and systems.

5. Reconsider External Context. Define the events and timescale that trigger reconsideration
of external factors.

Considerations
a. The external context is outside of the direct control of most organizations. Strive to
influence and shape these external realities over time.

b. Categories of sources and forces that originate outside of the organization include:

○ Industry factors include new entrants, competitors, suppliers, customers,
substitutes, and industry norms.

○ Market factors include customer trends, demographics, and economic conditions.

○ Economic factors include growth, exchange, inflation, and interest rates.

○ Technology factors include technological aspects like R&D activity, automation,
storage, computation, technology incentives, innovations in materials, mechanical
efficiency, and the rate of technological change.

○ Societal factors include cultural aspects, attitudes, customs, and norms.

○ Legal and regulatory factors include laws, rules, regulations, litigation, and judicial or
administrative opinions.

○ Political factors relate to how the government intervenes in the economy, including
laws, rules, regulations, tax policy, and political stability.

○ Environmental factors include ecological and environmental aspects such as
climate and natural resources.

○ Demographic factors include gender, age, ethnicity, knowledge of languages,
disabilities, mobility, home ownership, employment status, religious belief or
practice, culture and tradition, living standards, and income level.

○ Geopolitical forces include sanctions, export controls, and potential military
conflicts.

Tools & Techniques

● Sensemaking, SWOT Analysis, PESTLE Analysis, Porter’s Five Forces Framework, Scenario
Planning, STEEPLE Analysis

L2 Internal Context

Examine and understand the internal context, including how the
organization is structured and operating.

Practices
1. Analyze the Internal Context - Consider internal strengths and weaknesses, strategic
plans, operating plans, organizational structures, policies, people, processes, technology,
resources, information, and other internal factors that define the organization's operations.

2. Influence Internal Context - Identify internal factors that the organization may choose to
influence.

3. Assign Internal Factors - Assign accountability to individuals with authority and resources
to successfully analyze, influence and sense internal factors.

4. Sense the Internal Context - Continually watch for and make sense of changes in the
internal context that have a direct, indirect, or cumulative effect on the organization and
notify appropriate personnel and systems.

5. Reconsider Internal Context - Define the events and timescale that trigger reconsideration
of internal factors.

Considerations
a. Mission and vision clarify why the organization exists and what it aims to achieve and
become.

b. Values set voluntary boundaries for how the organization operates and often explain
design decisions about the operating model.

c. Value propositions and operating models clarify how the organization serves its
customers/stakeholders.

d. Organizational charts and operating model mapping provide insight into how departments
and functions relate to each other, especially key people, processes, technology, and
information.

e. Understanding key department scope and purpose helps to clarify their “line of
accountability” and areas where there are inappropriate gaps or overlaps.

f. Organizational structures, policies, and other internal items may present perverse
incentives that require immediate attention.

Tools & Techniques

● Sensemaking, SWOT Analysis, Business Model Canvas, Enterprise Architecture,
Resource-Based View, Value Chain Analysis, Balanced Scorecard

L3 Culture

Understand the existing culture, climate, and mindsets about the governance,
assurance, and management of performance, risk, and compliance.

Practices
1. Analyze Governance Culture – Analyze the climate and mindsets about constraining and
conscribing the organization, including how the governing authority and executive team
are engaged and whether leadership models behavior in words and deeds.

2. Analyze Management Culture – Analyze the climate and mindsets about arranging
resources and operating the organization, including how the organization is inspired to
achieve effective, efficient, agile, and resilient performance.

3. Analyze Assurance Culture – Analyze the climate and mindsets about how the organization
objectively examines and judges the effectiveness, efficiency, agility, and resilience of
critical activities and outcomes.

4. Analyze Performance Culture – Analyze the climate and mindsets about how the workforce
perceives performance, especially the associated trade-offs.

5. Analyze Risk Culture – Analyze the climate and mindsets about how the workforce
perceives risk, its impact on work, and its integration with decision-making.

6. Analyze Compliance Culture – Analyze the climate and mindsets about how the workforce
fulfills its mandatory and voluntary obligations.

7. Analyze Ethical Culture – Analyze the climate and mindsets about how the workforce
generally demonstrates integrity.

8. Analyze Workforce Culture – Analyze the climate and mindsets about workforce
satisfaction, loyalty, turnover rates, skill development, and engagement.

9. Assign Culture Factors – Assign accountability to individuals with authority and resources
to successfully analyze and sense factors associated with culture.

10. Influence Culture – Identify aspects of culture that the organization may attempt to
influence.

11. Sense the Culture – Continually watch for and make sense of changes in culture that may
have a direct, indirect, or cumulative effect on objectives or strategies.

12. Reconsider Culture – Define the events and timescale that trigger reconsideration of
culture.

Considerations
a. Culture is difficult or even impossible to “design” because it is an emergent property of a
group of people that results from the interaction of individual values, beliefs, and behaviors,
which is difficult to predict or plan.

b. Culture change requires long-term commitment, consistent modeling in both words and
deeds, and reinforcement by leaders and the workforce.

c. Some aspects of culture will change despite the organization's best efforts to maintain the
status quo.

d. Multiple “subcultures” often exist in different geographic locations or functional areas.

e. Culture is idiosyncratic, so comparing culture and subcultures to internal baselines is
better than attempting to “benchmark” or compare to external indicators.

Tools & Techniques

● Survey Software to “pull” information, Ethnography, Culture Map, Competing Values
Framework, Denison Organizational Culture Model, Schein Model of Organizational Culture

L4 Stakeholders

Interact with stakeholders to understand expectations, requirements,
and perspectives that impact the organization.

Practices

1. Identify Stakeholders – Identify and understand both the organizations and specific
individuals within organizations to understand the concerns and needs of stakeholders.

2. Prioritize Stakeholder Needs – Analyze and prioritize key stakeholder concerns and needs
based on relative interest and power, highlighting needs that compete with or conflict with
each other.

3. Develop Relationships & Influence Stakeholders - Develop plans and accountability to
develop relationships with and influence each stakeholder and effectively communicate
how to address concerns and needs.

4. Assign Stakeholders - Assign accountability to individuals with authority and resources to
successfully analyze and sense stakeholders.

5. Sense Stakeholders - Continually watch for and make sense of changes in stakeholders
that have a direct, indirect, or cumulative effect on the organization and notify appropriate
personnel and systems.

6. Reconsider Stakeholders - Define the events and timescale that trigger reconsideration of
stakeholders.

Considerations
a. Key external stakeholders include Customers (the most important stakeholder),
Shareholders (fractional owners who are not involved in the organization), Creditors and
Lenders, Suppliers, Underwriters, Government, Non-governmental organizations, Media,
and Society.

b. Key internal stakeholders include Personnel (and unions that represent the workforce),
Managers, Executives, Board members, and Owners (major owners involved in the
organization).

c. Stakeholders are self-legitimizing (those who judge themselves as stakeholders are
stakeholders), and organizations must prioritize how to address needs.

d. Not every stakeholder should have the same influence over the organization, mainly
because stakeholder needs may conflict.

e. Develop relationships with key individuals and champions with power and influence in each
stakeholder group.

f. Communicate early, often, and sufficiently with stakeholders to maintain trust and
confidence.

Tools & Techniques

● Sensemaking, Stakeholder Analysis, Stakeholder Interest and Power Analysis, Network
Analysis, Ethnography, Surveys and Focus Groups, Social Media Monitoring

A – ALIGN

Define direction and objectives, and an approach to address
opportunities, obstacles, and obligations.

Principled Performance® requires that organizations define the direction of the organization,
set objectives, and design an approach that addresses the opportunities, obstacles, and
obligations along the way.

Mission, vision, and values establish long-term direction, while objectives and indicators measure
progress. Identify and analyze opportunities, obstacles, and obligations so the organization can
design actions & controls to reliably achieve objectives, address uncertainty, and act with integrity.

ALIGN Component - Elements

Figure - ALIGN Component Overview Diagram

ALIGN Component Considerations

A. Alignment is a process that requires several stages of divergent and convergent thinking,
iteration, and elaboration to ensure that the organization sets the appropriate direction,
defines appropriate objectives, and designs an appropriate approach to address
opportunities, obstacles, and obligations.

B. Decision-making criteria should be established and applied at every stage of the alignment
process to ensure that the organization stays on track and achieves its objectives.

C. Mission, vision, and values play a critical role in providing a clear direction and ubiquitous
decision-making criteria for the organization. These guiding principles should be
well-defined and consistently communicated throughout the organization.

D. Objectives drive all other identification and analysis of opportunities, obstacles, and
obligations.

E. The end result of alignment is an integrated plan of action.

ALIGN Component Measurement

● Effective. Do we have the capability to ALIGN? Do we have the capability to define direction
and objectives? Do we have the capability to identify and analyze opportunities, obstacles,
and obligations? Do we have the capability to design our organization? Do these
capabilities operate as designed?

● Efficient. How efficient is our use of capital for ALIGN? How efficient is our use of financial
capital? Physical capital? Human capital? Information capital?

● Agile. When things change, how quickly do we RE-ALIGN? How quickly do we change or
refine direction and objectives? How quickly do we respond to new opportunities,
obstacles, and obligations?

● Resilient. Do we have appropriate depth and coverage to withstand stress? After stress, are
we more capable or less capable to ALIGN?

A1 Direction

Direct the organization with a clear mission, vision, and values that guide
overall goals and strategies.

Practices
1. Define Direction-Setting Criteria - Guide, constrain, and conscribe how to set direction,
including how the internal and external context, culture, and stakeholders factor into
decisions about the direction and which organizational level/unit should be accountable.

2. Define Mission, Vision & Values - Create formal statements about core values, what the
organization aims to do, what it aims to be, and why it exists, including the key stakeholders
it serves.

3. Select Stakeholders - Select and prioritize stakeholders, especially customers, and
understand their wants, needs, and associated functional, social, and emotional
requirements.

4. Explore Goals & Strategies - Use direction-setting criteria to explore a balanced set of goals
and strategies that link to mission, vision and values.

5. Select Goals & Strategies - Use direction-setting criteria to select, prioritize and link goals
and strategies with each other and with the direction of other organizational levels/units.

6. Validate Direction - Communicate, negotiate, and finalize direction with other
organizational levels/units.

7. Reconsider Direction - Define the events or timescale to reconsider direction.

Considerations
a. Formally documenting the direction-setting criteria helps communicate, coordinate, and
monitor with other units, especially subordinate units.

b. It is typical for the governing authority and executives to set the direction for the
enterprise. Subordinate unit direction should provide input and align with the enterprise.

c. It is essential to gain subordinate buy-in so that subordinate units understand and define
ways to contribute to success.

d. Making the mission, vision, and values explicit helps the workforce understand and make
decisions at all levels and in every unit. Absent a clearly articulated mission, vision, and
values, the organization will operate on ad hoc beliefs and interests.

e. Strategic Goals should balance perspectives such as economic, customer, stakeholder,
operational, talent, enabling, and learning and growth; and timescales such as long and
short term.

f. Value statements will vary for every organization, but all should call for adherence to
mandatory obligations and common principles of integrity and ethical conduct.

g. Values should “do work” for the organization and shape decision-making criteria.

h. Leadership at all levels must serve as role models and should not act contrary to the stated
values without consequence.

i. Continuously communicate how all levels participate in the direction to reduce the risk of
strategic misalignment and engagement decay.

Tools & Techniques

● Scenario Planning, Balanced Scorecard & Strategy Mapping, Business Model Canvas &
Value Proposition Canvas, Jobs-to-be-Done Framework, Objectives & Key Results, Mind
Mapping, Design Thinking

A2 Objectives

Define a balanced set of measurable objectives, results, and indicators.

Practices
1. Define Objective-Setting Criteria - Guide, constrain, and conscribe how to set objectives,
including how the direction factors into decisions about objectives and which
organizational unit should be accountable.

2. Explore Objectives - Define initial, tentative objectives and work with other units to explore
how objectives may link to other units and how opportunities, obstacles, and obligations
may shape the selection of final objectives.

3. Select Objectives - Use objective-setting criteria to select, prioritize, and finalize
objectives and link them with the objectives of other organizational units.

4. Define Indicators & Results – Define measurable results, including a mix of leading and
lagging indicators of progress and status.

5. Assign Objectives - Assign objectives, results, and indicators to an accountable individual
with authority and resources to succeed.

6. Validate Objectives – Communicate, negotiate, and finalize objectives with other
organizational units.

7. Reconsider Objectives - Define the events or timescale to reconsider objectives.

Considerations
a. Understanding and aligning with superior-level (especially enterprise-level) objectives is
essential to ensure organizational alignment.

b. Gaining subordinate-level buy-in is essential to ensure everyone can contribute to
success, especially when objectives cascade to subordinate-level units.

c. Objectives should consider perspectives such as economic, customer, stakeholder,
operational, talent, enabling, and learning and growth; and timescales such as long and
short term.

d. Objective-setting criteria may include categorical preferences such as “buy versus build,”
“acquire versus organically grow,” or “maintain team size versus hire.”

e. Objectives should link to both subordinate-levels (often called “cascading down”) and to
superior-levels (often called “laddering up”).

f. Objectives should address the “what” and “why” and should not be numeric. Results and
indicators address the numeric aspects of “how much.”

g. Results and indicators that “run the organization” should use the SMART model: Specific,
Measurable, Achievable, Relevant, and Time-Bound.

h. Results and indicators that “transform the organization” should be milestone or progress
based.

i. When setting targets for results and indicators, use a consistent philosophy to avoid
confusion (e.g., “commitments” versus “aspirational”).

j. When cascading objectives and results, localize how the objectives apply to specific
organizational units so that they understand the “what” and “why” in their functional or
departmental language.

Tools & Techniques

● Balanced Scorecard & Strategy Mapping, Objectives & Key Results (OKRs), Management By
Objectives (MBO), SMART framework

A3 Identification

Imagine, identify, and describe the opportunities, obstacles, and
obligations that might impact objectives.

Practices
1. Define Identification Criteria - Guide, constrain, and conscribe how opportunities,
obstacles, and obligations are identified, categorized, and prioritized, including targets,
appetites, tolerances, and capacities.

2. Understand Existing Approach – Review and map the existing context, direction,
objectives, strategies, tactics, actions, and controls to understand gaps, overlaps, and
other factors that introduce opportunities, obstacles, and obligations.

3. Identify Opportunities & Reward - Identify opportunities and levels of reward associated
with existing and proposed strategies.

4. Identify Obstacles & Risk - Identify obstacles and levels of risk associated with existing and
proposed strategies.

5. Identify Obligations & Compliance - Identify mandatory and voluntary obligations and levels
of compliance associated with existing and proposed strategies.

6. Identify Interrelatedness & Trends - Identify how opportunities, obstacles, and obligations
are linked and influenced by each other.

7. Validate Identification - Communicate, negotiate, and finalize the identified opportunities,
obstacles, and obligations with other organizational units.

8. Prioritize Analysis - Prioritize opportunities, obstacles, and obligations for further analysis
based on identification criteria and the priority of associated objectives.

9. Modify Objectives - Consider modifying objectives and results based on opportunities,
obstacles, and obligations.

10. Reconsider Identification - Define the events or timescale to reconsider identification.

Considerations
a. Given limited resources, identification criteria should be used to focus on priority
objectives and results.

b. Categorize opportunities, obstacles, and obligations to structure the identification
process and ensure uniformity of response where sensible.

c. Use both top-down and bottom-up techniques to identify a full range of opportunities,
obstacles, and obligations.

d. As forces, events, and conditions evolve, monitoring and identification must be a
continuous process.

Tools & Techniques

● Literature Reviews, Historical Data Analysis, Scenario Testing, Modeling and Analysis,
Perception Surveys, Decomposition (e.g., HAZOP, FMEA, and SWIFT analysis),
Brainstorming, Risk Libraries

A4 Analysis

Analyze the current and planned approach to quantify and address risk,
reward, and compliance.

Practices

1. Define Analysis Criteria - Guide, constrain, and conscribe how opportunities, obstacles,
and obligations are analyzed and prioritized using quantitative and qualitative techniques
to estimate risk, reward, and compliance; and compare them to targets, tolerances, and
capacities.

2. Analyze Risk/Reward – Consider the sources, likelihood, and consequences of
opportunities and obstacles to determine the levels of inherent and residual risk/reward
based on the adequacy of actions & controls.

3. Analyze Compliance – Consider mandatory and voluntary obligations/requirements to
determine the level of compliance based on the adequacy of actions & controls.

4. Evaluate Adequacy – Use analysis criteria to evaluate the adequacy of current levels of
residual risk/reward and levels of compliance to determine if additional analysis is required.

5. Validate Analysis - Communicate, negotiate, and finalize the analysis of risk/reward and
compliance with other organizational units.

6. Prioritize Design – Use analysis criteria to prioritize areas where modifications are
necessary to address opportunities, obstacles, and obligations so that levels of residual
risk/reward and compliance are acceptable.

7. Reconsider Analysis - Define the events or timescale to reconsider analysis.

Considerations
a. Priority objectives deserve priority, quantitative analysis.

b. Areas with high inherent risk, and areas with low likelihood but very high possible impact,
deserve priority, quantitative analysis.

c. Analysis criteria associated with performance (e.g., ROI, margins, budget, and objectives
coverage) are used to determine if the current levels of reward are in line with performance
objectives.

d. Analysis criteria associated with risk (e.g., risk appetite, tolerance, and capacity) are used
to determine if the level of residual risk is acceptable and whether the established targets
are commensurate with the acceptable risk levels.

e. Analysis criteria associated with compliance (e.g., coverage, depth relative to the ranking
of risk, and compliance to both mandatory and voluntary requirements) are used to
determine if the level of compliance is sufficient.

f. Analyzing costs associated with how opportunities, threats, and requirements are
currently addressed enables management to allocate resources based on the current and
planned approaches and ensure that they are not over-managed or under-managed.

g. No further action is required if residual risk/reward or compliance status is acceptable. If
unacceptable, consider design changes, further analysis to understand the situation
better, or reconsider objectives.

Tools & Techniques

● Ishikawa (Fishbone) Diagram
● Business Impact Analysis (BIA)
● Bowtie Diagram
● Event Tree Analysis (ETA) & Fault Tree Analysis (FTA)
● Hazard analysis and critical control points (HACCP)
● Failure Modes and Effects Analysis (FMEA)
● Layers of Protection Analysis (LOPA)
● Markov Analysis
● Bayesian Analysis
● Monte Carlo Simulation
● Causal Mapping & Cross Impact Analysis
● Minimax, ALARP, SFAIRP decision framework
● Value at Risk (VaR)
● Factor Analysis of Information Risk (FAIR)

A5 Design

Develop an integrated plan to reliably achieve objectives within
acceptable levels of risk, reward, and compliance.

Practices
1. Define Design Criteria - Guide, constrain, and conscribe how actions & controls are
prioritized to achieve acceptable levels of risk, reward, and compliance.

2. Explore Design Options & Details – Explore design options to avoid, accept, share or control
with more awareness by making design decisions about policies, people, processes,
technology, and information.

3. Design Management Actions & Controls - Select a mix of proactive, detective, and
responsive controls to manage acceptable levels of risk/reward and compliance.

4. Design Governance Actions & Controls - Select additional actions & controls for the
governing authority to guide, constrain and conscribe the organization.

5. Design Assurance Actions & Controls - Select additional actions & controls for the
assurance providers to evaluate priority areas and subject matter.

6. Evaluate Costs & Benefits - Consider the costs and benefits associated with design
options.

7. Allocate Actions & Controls - Allocate actions & controls across multiple lines of
accountability and organizational units to gain depth and coverage, while segregating
duties to prevent conflicts of interest.

8. Refine Key Indicators – Refine key indicators to monitor performance, risk, and compliance.

9. Validate Design - Communicate, negotiate, and finalize design decisions with other
organizational units.


10. Develop Integrated Plan – Develop a plan and acquire resources to govern, assure and
manage organizational changes.

11. Reconsider Design - Define the events or timescale to reconsider the design.


Considerations
a. An integrated plan will ensure that all key opportunities, obstacles, and obligations are
addressed and that performance, risk, and compliance are at acceptable levels.

b. High-level design options to accept, avoid, and share may obviate the need for detailed
design. The choice to control tends to require more detailed planning.

c. Use a mix of action & control types and action & control categories to address all
action & control orientations.

d. Use consistent definitions and terms whenever possible, or invest in a method to translate
meaning across departments and disciplines to avoid misunderstandings.

e. Not every cost and not every benefit can be quantified with precision – when using
quantitative methods, choose a degree of confidence (e.g., 50%, 75%, 90%, 95%, 99%) as
appropriate.

f. Avoid selecting technologies in advance of thoroughly assessing needs and taking
inventory of current approaches. Use existing investments whenever possible and
adequate.

g. When allocating actions & controls across lines of accountability, ensure that the right
levels of objectivity and competence are available.

h. Identify actions & controls that specifically address areas with high levels of inherent risk
that, should the actions & controls cease to perform effectively, would expose the
organization to unacceptable, existential consequences.

Tools & Techniques

● Cost-Benefit Analysis (CBA), Enterprise Architecture Frameworks, Information
Architecture Frameworks, Process Design Frameworks, Organizational Design &
Development Frameworks, Project Management Frameworks, Design Thinking


P – PERFORM

Address opportunities, obstacles, and obligations by performing
proactive, detective, and responsive actions & controls to serve
governance, management, and assurance needs.

Principled Performance requires that organizations address opportunities, obstacles, and
obligations using a mix of actions & controls. Actions & controls are organized by type, category,
and orientation.

Action & control types include proactive, detective, and responsive controls. These types use
techniques from categories such as policy, people, process, physical, technology, and information.
Regardless of type or technique, every action & control aims to serve a management, governance,
or assurance orientation.

PERFORM Component - Elements

Figure - PERFORM Component Overview Diagram


PERFORM Component Considerations

A. Action & Control types include proactive, detective, and responsive actions & controls.
Proactive actions & controls promote favorable events and prevent unfavorable events.
Detective actions & controls detect favorable and unfavorable events as soon as possible.
Responsive controls compound the effect of favorable events and correct/recover from
unfavorable events.

B. Action & Control orientation includes management, governance, and assurance actions &
controls. Management actions & controls comprise the majority of work performed by the
organization. Additional governance actions & controls are added when management
actions & controls do not provide enough information or guidance to constrain and
conscribe the organization. Additional assurance controls are added when management
and governance actions & controls do not provide sufficient value to assurance providers.

C. Action & Control categories include policy, people, process, physical, technology, and
information. Some techniques may span categories. For example, “segregation of duties” is
a “people-oriented control” that is often articulated in a “policy” and embodied in
“technology-oriented access controls.”

PERFORM Component Measurement

● Effective. Do we have the capability to PERFORM? Do we have the capability to proactively
address objectives? Do we detect the right things? Do we respond appropriately? Do our
actions & controls operate as designed?

● Efficient. How efficient is our use of capital to PERFORM? How efficient is our use of
financial capital? Physical capital? Human capital? Information capital?

● Agile. When things change, how quickly do we change direction in PERFORM?

● Resilient. Do we have appropriate depth and coverage to withstand stress? After stress, are
we more capable or less capable to PERFORM?


P1 Controls

Implement a mix of action & control types, categories, and techniques to
serve the governance, management, and assurance of opportunities,
obstacles, and obligations.

Practices
1. Establish & Perform Proactive actions & controls – Encourage favorable events and prevent
unfavorable ones.

2. Establish & Perform Detective actions & controls – Determine progress toward objectives
and identify the actual or potential occurrence of favorable and unfavorable conduct,
conditions, and events.

3. Establish & Perform Responsive actions & controls – Recover from unfavorable conduct,
events, and conditions; correct identified weaknesses; execute necessary discipline;
recognize and reinforce favorable conduct and deter future undesired conduct or
conditions.


Considerations
a. Proactive Actions & Controls prevent unfavorable events before they happen and promote
favorable events.

○ Prevent/Deter Actions & Controls decrease the likelihood of unfavorable events.

○ Promote/Enable Actions & Controls increase the likelihood of favorable events.

b. Detective Actions & Controls detect the occurrence of favorable and unfavorable events.

c. Responsive Actions & Controls compound/accelerate the benefits of favorable events and
correct/recover from the harm of unfavorable events.

○ Compound/Accelerate Actions & Controls accelerate and compound the impact of
favorable events to increase benefits and promote future occurrence.

○ Correct/Recover Actions & Controls slow down or decrease the impact of
unfavorable events, and return the organization to its original state, stable state, or
superior state after harm has occurred to minimize harm and prevent future
occurrences.

d. Actions & controls may address more than one opportunity, obstacle, or obligation.

e. Actions & controls should neither "under-control" nor "over-control."

f. A depth of actions & controls across multiple organizational units and lines of
accountability (without unplanned or unnecessary overlap) helps ensure a single point of
failure does not exist for high-risk areas.

g. Stress testing actions & controls will identify weaknesses, opportunities for manipulation
or circumvention, and areas for improvement.

h. Correcting both the immediate adverse effect, as well as the root cause reduces the
likelihood of future adverse events and conditions.

i. Documenting changes to established actions & controls and decisions on discipline
provides an audit trail that personnel can use to demonstrate consideration, resolution,
and consistency of action.


Tools & Techniques

● Integrated Action & Control Model, Internal controls, COSO Internal Control - Integrated
Framework

P2 Policies

Implement policies to address opportunities, obstacles, and obligations
and set clear expectations of conduct for the key internal stakeholders
and the extended enterprise.

Practices
1. Develop Codes of Conduct – Work with stakeholders to develop codes of conduct that
address the mission, vision, values, and expected business conduct.

2. Establish Policy Framework – Establish a framework for identifying, creating, approving,
enforcing, and updating policies and related procedures.

3. Develop Policies and Procedures – Use a mix of preventative and directive policies, related
procedures, and standards to address opportunities, obstacles, and obligations.

4. Manage Policies – Implement, communicate, manage, enforce, and audit policies, related
procedures, and standards to ensure that they operate as intended and remain relevant.

5. Champion Policies – Demonstrate support for policies, procedures, and standards to
ensure stakeholders and personnel understand the organization’s commitment.

6. Establish Ethical Decision-Making Guidelines – Establish and champion decision-making
guidelines on choosing a course of action when the circumstances are not explicitly
covered by the code of conduct or other policies.


Considerations
a. The Code of Conduct is not legally mandated for all organizations. However, it can serve as
an effective guidepost for organizations of all sizes and in all industries.

b. Use a balance of prescriptive policies (what to do) and proscriptive policies (what NOT to
do).

c. Leadership must demonstrate commitment to the policies and act as champions because
the workforce will pursue what it believes matters and not necessarily what is
published/stated.

d. Using the policy development process helps to secure champions, commitment, and
buy-in; and can help to drive acceptance.

e. Policies are most effective when adapted to the audience, local culture, language, norms,
legal requirements, and needs while staying true to the core decision-making criteria.

f. Ethical decision guidelines help people decide what to do without an explicit policy or
procedure.

g. The organization should identify the need to apply policies in the extended enterprise.

h. Training on policies should be prioritized based on role and applicability to the role – to be
clear, not every policy requires formal training.

Tools & Techniques

● OCEG Policy Management Capability Model, Electronic Document Management software,
Enterprise Content Management (ECM) software.

P3 Communication

Implement communications to address opportunities, obstacles, and
obligations by interacting with the right audiences at the right time with
the right information and intelligence.

Practices
1. Establish Communication Framework - Establish a framework to identify, create, approve,
deliver, enforce, and update communications, including how to select the appropriate
sender, recipient/audience, intention, message, cadence, and channel.

2. Develop Stakeholder Reporting - Establish formal communications, reports, and filings
required by mandatory obligations; and those voluntarily agreed to in contracts and
promises made to other stakeholders.

3. Develop Internal Reporting – Establish formal communications, reports, and dashboards
that enable the board, senior management, and other personnel to govern and manage the
organization.

4. Develop Informal Communications – Establish informal communications that enable the
workforce, and allow personnel to share information.

5. Develop Communications Channels – Develop a range of channels for external, internal,
and informal communications, including a way to solicit feedback from
recipients/audiences.


Considerations
a. Not all communication occurs through formal methods, and informal communications may
have more impact.

b. Maintaining a complete and accurate record of how communication was managed provides
evidence for use in assurance and mandatory compliance efforts.

c. Ensure that every communication encourages feedback.

d. Multiple “layers” of communication that summarize subordinate unit information (e.g.,
reports that summarize other reports) may compress, suppress, or distort signals from
subordinate units. As a result, information may not flow to superior units.

e. Information overload may occur if communication is delivered too rapidly or voluminously.

Tools & Techniques

● Communication Strategy Framework, Stakeholder Analysis, Feedback Surveys

P4 Education

Implement education and support for the workforce and extended
enterprise to develop job-specific awareness and skills that address
opportunities, obstacles, and obligations.

Practices
1. Define an Education Plan – Develop a job-specific plan to inform, educate, and support the
workforce and extended enterprise by linking learning outcomes, learning objectives, and
learning activities to close the gap between the current level and desired level of skill and
knowledge based on the desired level of performance, risk, and compliance.

2. Develop or Acquire Content – Develop, acquire, and tailor content to address learning
objectives and the appropriate skill level.

3. Provide Education – Implement and manage the education program to ensure that the
target audience achieves learning objectives and can use knowledge and skills in their jobs.

4. Provide Integrated Performance Support – Implement and manage ways for the workforce
to get integrated performance support within their work environment so that education
and assistance are available at the point of need.

5. Provide Helpline – Implement and manage ways for the workforce and other stakeholders to
seek guidance about future conduct and ask general questions, including the option for
anonymity in locations where that is required or allowed.

6. Measure Learning Outcomes - Establish periodic and ongoing measures to ensure that
learning outcomes and learning objectives are achieved.


Considerations
a. Education includes activities that aim to transfer/increase knowledge (what someone
knows) and skill (what someone can do). Educational Models may also be used to
implement educational plans. Learning activities between instructors and students are
based on structured learning content that aims at achieving learning objectives and
learning outcomes; mainly to fill the skill gap between the current skill level and the target
skill level.

b. Implementing integrated support or a helpline post-education is highly advised, as it allows
learners to seek professional advice, receive it in a timely manner, and ultimately
increase their level of performance.

c. Education and support should address all levels of the organization.

d. Awareness, education, and ongoing support enable individuals to:

○ Know what is expected,

○ Reduce the likelihood of misconduct, mistakes, and miscalculations,

○ Increase the likelihood of favorable conduct,

○ Be comfortable about asking for help, and

○ Be comfortable reporting unusual activities.

e. Education and support should match the significance of the underlying objective.

f. Education and support are most effective in the context of actually performing the job at
hand, and at the point of need.

g. Learning assessments provide evidence that knowledge is transferred.

h. Tracking attendance and assessments provide evidence of “best efforts.”

i. Tracking usage and access provide evidence of need and identify potential trends.

Tools & Techniques

● ADDIE (Analysis, Design, Development, Implementation, Evaluation), Bloom’s Taxonomies
(Cognitive, Affective, and Psychomotor), Anderson and Krathwohl Taxonomy Update (2002 update of
Bloom), Kirkpatrick Model of Training Evaluation, Learning Management Systems,
Microlearning platforms

P5 Incentives

Implement incentives to address opportunities, obstacles, and
obligations by encouraging the right proactive, detective, and responsive
conduct in the workforce and extended enterprise.

Practices
1. Define Desired Conduct – Determine the types of desired conduct, including definitions,
classifications, and procedures necessary to identify those who exhibit the right proactive,
detective, and responsive conduct.

2. Hire and Promote Based on Conduct Expectations – Articulate desired conduct when
defining jobs, career paths, and performance review criteria of employees and business
partners, using the same criteria for promoting individuals.

3. Implement Economic Incentives – Establish compensation, reward, and recognition
programs for the workforce and extended enterprise.

4. Implement Non-Economic Incentives - Establish appreciation, status, professional
development, career opportunities, and other non-economic incentive programs for the
workforce and extended enterprise.


Considerations
a. Incentives include financial and non-financial things that encourage favorable conduct.

○ Economic (monetary compensation, bonuses, profit-sharing, gain-sharing)

○ Appreciation (gratitude, acknowledgment)

○ Status (esteemed roles, promotion, visible achievement)

○ Professional Development (access to training, tuition reimbursement)

○ Career Opportunities (access to career path opportunities)

b. Use a full range of incentives throughout the personnel lifecycle, from hiring through
compensation and promotion.

c. Incentives should balance prescriptive norms and proscriptive norms.

d. Ensure that incentives are not “perverse incentives” that encourage adverse conduct.

e. Inconsistent incentives can lead to perceptions of favoritism and mistrust.

f. Economic incentives attached to “moral sentiments” can backfire because they remove the
“goodwill” benefit for the individual.

g. Hiring criteria can be a powerful incentive to attract the right candidates and repel the
wrong candidates.

h. Different people prefer different financial and non-financial incentives.

i. Recognition should occur as close as possible to the favored conduct in both timescale and
location.

Tools & Techniques

● Behavioral economics, Behavioral psychology, Society of HR Management (SHRM)
Incentive Compensation Guidelines, Total Rewards Framework (TRF)

P6 Notification

Implement multiple pathways for people and systems to report progress
toward objectives and the actual or potential occurrence of unfavorable
and favorable conduct, conditions, and events.

Practices
1. Capture Favorable Events - Implement pathways to capture and alert the organization
about favorable performance, risk, and compliance successes, especially emerging
opportunities, high performance, and events that exemplify the organizational mission,
vision, and values.

2. Capture Unfavorable Events - Implement pathways to capture and alert the organization
about unfavorable performance, risk, and compliance incidents, especially emerging
threats, low performance, suspicions of noncompliance, violations of company policies,
and concerns about unethical conduct.

3. Filter and Route Notifications – Prioritize, substantiate, validate, and route notifications to
be handled by the right organizational units based on topic, type, and severity.

4. Protect Notification Information – Protect information associated with notifications and
ensure pathways comply with mandatory requirements in the locale where the notification
originates and the organization operates.


Considerations
a. Notifications can be conceptualized as a “pushing” mechanism for both people and
systems to push information to appropriate individuals for analysis and follow-up.

b. For both unfavorable and favorable events:

○ Technology-based notifications alert the organization sooner than other methods,
especially when human methods fail or are delayed.

○ Train management on how to handle and record informal notifications to reduce
uncertainty and inconsistency in management response.

○ Establish pathways that are easy to use, and conform to the culture.

c. For unfavorable events:

○ Design pathways such as hotlines so stakeholders can trust, without fear of reprisal,
that concerns are taken seriously and are promptly and objectively addressed.

○ Encourage stakeholders to raise issues directly with the organization, rather than
using external pathways, to afford more flexibility in corrective action.

○ Afford anonymity where legally permitted or required.

d. Both formal and informal mechanisms are helpful to ensure a “big funnel” is available to
capture notifications.

Tools & Techniques

● People

○ Whistleblower Hotlines / Helplines

○ Open Door Policy

○ Case Management Systems / Incident Management Systems

○ Communication and collaboration tools

○ Social Listening Tools

● Systems

○ Continuous Control Monitoring

○ Log Management (automated alerts)

○ Application Performance Monitoring (automated alerts)

○ Management Dashboards and Business Intelligence (automated alerts)

P7 Inquiry

Implement multiple pathways to discover information from people and
systems about progress toward objectives and the actual or potential
occurrence of unfavorable and favorable conduct, conditions, and
events.

Practices
1. Discover Favorable Events - Implement pathways to discover information and alert the
organization about favorable performance, risk, and compliance successes, especially
emerging opportunities, high performance, and events that exemplify the organizational
mission, vision, and values.

2. Discover Unfavorable Events - Implement pathways to discover information and alert the
organization about unfavorable performance, risk, and compliance incidents, especially
emerging threats, low performance, suspicions of noncompliance, violations of company
policies, and concerns about unethical conduct.

3. Establish an Approach to Surveys and Information Requests – Establish an
organization-wide approach to surveys, self-assessments, and other information requests
that reduces the burden on survey subjects and improves information quality.

4. Gather Information Through Observations and Conversations – Establish informal
pathways through observations, meetings, focus groups, and individual conversations.

5. Analyze Information and Findings – Analyze information and findings from all pathways to
identify, prioritize, and route findings to management and stakeholders.

6. Protect Inquiry Information – Protect information associated with inquiry and ensure
pathways comply with mandatory requirements in the locale where the inquiry originates
and the organization operates.


Considerations
a. Inquiry can be conceptualized as a “pulling” mechanism where individuals pull information
from people and systems for follow-up and action.

b. For both unfavorable and favorable events:

○ Technology-based inquiry often provides information sooner than other methods,
especially when human inquiry fails or is delayed.

c. For unfavorable events:

○ Design specific inquiry routines and cycles to detect unfavorable events as soon as
possible.

d. Systems that support day-to-day management often provide information that can be used
to discover favorable and unfavorable events.

e. Considering feedback from stakeholder groups, and taking appropriate actions, makes
stakeholders feel their views are valued and encourages future feedback.

f. Avoiding any actual or perceived connection between inquiry responses and individual
performance appraisals is critical to maintaining the integrity of the process.

g. Coordinating survey efforts throughout the organization helps to avoid survey and
self-assessment fatigue.

h. Consolidating, comparing, and reconciling information obtained from various pathways and
stakeholders is essential to developing a total view.

Tools & Techniques

● People

○ Employee Surveys & Focus Groups

○ Ethnography (“Management by Walking Around”)

○ Exit Interviews

● Systems

○ Continuous Control Monitoring

○ Log Management (periodic audits)

○ Application Performance Monitoring (periodic audits)

○ Management Dashboards and Business Intelligence (periodic audits)

○ Data Mining and Analytics

P8 Response

Implement responses that uncover and address root causes to compound
and accelerate favorable events and benefits – and to correct and recover
from unfavorable events and harm.

Practices
1. Correct and Recover - Perform actions & controls to slow down, stop and recover from the
impact of threats after they occur to minimize harm and prevent future occurrence.

2. Recognize, Compound & Accelerate - Deliver incentives and perform actions & controls
that accelerate and compound the impact of favorable events after they occur to maximize
benefit and promote future occurrence.

3. Implement Investigations – Develop and execute internal investigation processes to
address allegations or indications of unfavorable events, and maintain a process for
responding to external inquiries and investigations.

4. Implement Crisis Responses – Develop and execute plans to respond to various crises,
correct unfavorable events, and recover from harm.

5. Conduct After Action Reviews - Uncover root causes of favorable and unfavorable events
and improve proactive, detective, and responsive actions & controls.

6. Discipline and Retrain – Apply consistent discipline to individuals at fault and provide
necessary retraining.

7. Determine Disclosures – Determine if, when, how, and what to disclose, especially those
events that require external disclosures to stakeholders.


8. Improve Actions & Controls – Ensure that root causes and any weaknesses in proactive,
detective, and responsive actions & controls are addressed.


Considerations
a. Quickly responding to favorable events may compound or accelerate benefits.

b. It is important to quickly respond to favorable conduct by personnel so that they associate rewards with the favorable conduct.

c. Establishing a tiered approach for responding to unfavorable events based on different levels of the potential impact on the organization helps to:

○ Capture and validate incidents,

○ Escalate incidents for investigation, and identify them as in-house or external,

○ Ensure confidentiality of the information and determine privilege,

○ Define internal management that is responsible for oversight of the investigation or resolution of the issue,

○ Ensure protection of anonymity and non-retaliation for reporters,

○ Preserve records and other evidence, and

○ Ensure timely and consistent reporting to applicable stakeholders.

d. Ensuring that each issue/incident is resolved is essential to maintain employee and other
stakeholder confidence in the system's effectiveness.

e. Responses should address the immediate issue and the underlying root causes identified,
including changes to actions & controls if necessary.

f. Disciplinary measures that are applied consistently and objectively serve as deterrents.

g. Providing timely disclosures about the resolution of issues to relevant stakeholders meets
requirements and provides confidence in the process.

h. Making changes to actions & controls, processes, or resources that contributed to or allowed the incident or issue to occur reduces the likelihood of future noncompliance or misconduct.


Tools & Techniques
● After Action Reviews (AAR), Internal Investigations Process (OCEG Illustrations), Crisis Management & Business Continuity Planning

R – REVIEW

Continuously improve total performance by monitoring actions & controls – and providing assurance about priority objectives, opportunities, obstacles, and obligations.

Principled Performance® requires that organizations monitor actions & controls, provide
assurance about priority areas, and continuously improve total performance to be effective,
efficient, agile, and resilient in all areas.

Monitoring helps management and the governing authority understand progress toward
objectives and whether opportunities, obstacles, and obligations are addressed. Assurance
activities objectively and competently evaluate the organization to provide justified conclusions
and confidence about total performance.

Both monitoring and assurance activities identify opportunities to improve total performance so
that the capability and organization are more effective, efficient, agile, and resilient.

REVIEW Component - Elements

Figure - REVIEW Component Overview Diagram


REVIEW Component Considerations
A. Monitoring activities help personnel generally manage the total performance of the organization.

B. Assurance activities should be considered when information users want or need more
confidence and justified belief about subject matter provided by information producers.

C. Design effectiveness and operating effectiveness of compliance actions & controls are a critical minimum requirement of every organization.

D. Total Performance should be the goal of every element and process area because it helps to achieve Principled Performance.

E. Improvement may result from Monitoring or Assurance activities and other elements and
activities in the capability.

F. Applying a consistent process to consider, plan, and implement improvement helps prioritize and execute across the organization.

REVIEW Component Measurement
● Effective. Do we have the capability to REVIEW? Do we have the capability to monitor the capability? Do we have the capability to provide assurance? Do we learn from prior mistakes and improve?

● Efficient. How efficient is our use of capital to REVIEW? How efficient is our use of financial
capital? Physical capital? Human capital? Information capital?

● Agile. When things change, how quickly do we change direction in REVIEW?

● Resilient. After stress, are we more capable or less capable to REVIEW?


R1 Monitoring

Implement ongoing and periodic activities to gauge the effectiveness, efficiency, agility, and resilience of actions & controls.

Practices
1. Plan Monitoring Approach – Establish a strategy for ongoing and periodic monitoring of the
effectiveness, efficiency, agility, and resilience of actions & controls.

2. Identify Monitoring Information – Identify information to support monitoring activities.

3. Perform Monitoring Activities – Perform monitoring activities.

4. Analyze and Report Monitoring Results – Analyze the results of monitoring activities to
identify weaknesses and opportunities for improvements.


Considerations
a. Monitoring activities help personnel generally manage the total performance of the
organization.

b. Total Performance includes these aspects:

○ Effective (“Sound”). Is the design of the element or process logical? Does it follow
best practices? Is it operating as designed?

○ Efficient (“Lean”). What does it cost to operate the element or process? Is the cost
worth the benefit? How does this cost compare to organizations of similar size?

○ Agile (“Responsive”). How long does it take to perform the element or process?
When an error is found, how long does it take to be detected and corrected?

○ Resilient (“Antifragile”). What will we do if the element or process fails? What kind of
slack do we have in timelines in case of unplanned distractions? What kind of
backup staff do we have in case someone gets sick? Do we come back stronger?

c. Monitoring requires indicators such as KPIs, KRIs, and KCIs to be established.

d. When indicators hit or miss targets (based on the associated appetite, tolerance, and capacity), management should take appropriate action.

e. Monitoring may generate information for assurance or governance activities.

f. Periodically evaluating the Total Performance capability ensures that the capability
remains relevant in light of changing circumstances – especially changes in the internal
and external context.

Tools & Techniques
● Management By Objectives (MBO), Balanced Scorecard, Objectives and Key Results (OKR), Business Intelligence and Analytics Frameworks, Management Reporting


R2 Assurance

Objectively and competently evaluate priority areas to enhance the confidence of management, the governing authority, and other stakeholders about levels of performance, risk, and compliance.

Practices
1. Formulate Assurance Approach – Formulate a strategy for selecting, assessing, monitoring,
and improving the overall approach to providing periodic and ongoing assurance over
performance, risk, and compliance.

2. Select Assurance Assessment Areas – Select assessment areas based on priority objectives and the related likelihood and impact of meaningful misunderstanding between associated information producers and information users.

3. Conduct Assurance Assessments – Define the desired level of assurance and then plan,
perform, report, and follow up on individual assessments.

4. Monitor Assurance Assessments – Monitor progress, completion, and follow-up for individual assessments and the portfolio of assessments.

5. Improve Assurance Approach – Improve the overall assurance strategy and execution.


Considerations
a. Assurance increases confidence that statements made by information producers are
justified and true so that information consumers can trust what is stated.

b. The governing authority is often obligated to seek assurance about the effectiveness of
the capability, especially those aspects mandated by law.

c. Assurance helps the governing authority to have confidence that delegated activities are
performed and that the organization is constrained and conscribed as intended.

d. Personnel may request assurance about the total performance of the capability, an
element, a topic, a discipline, or some crisis area so that it can be better managed.

e. The level of assurance required will vary depending on the priority of objectives,
opportunities, obstacles, and obligations. Not everything requires a high level of
assurance.

f. Level of assurance possible is dependent on the Assurance Objectivity and the Assurance
Competence of the Assurance Provider.

g. The highest level of assurance is possible when sufficiently objective and competent
personnel conduct assurance activities.

h. Independence is a means to objectivity (not vice versa).

i. Assurance may be provided by any organizational unit and, thus, teams may “check their
own work” with self-assessment to provide lower levels of assurance.

Tools & Techniques
● GRC Assessment Tools (Burgundy Book), OCEG GRC Assurance (GRCA) certification, Internal audit standards, External audit standards, Quality audit standards


R3 Improvement

Review information from monitoring and assurance to identify opportunities for improvement.

Practices
1. Plan Improvement Approach – Develop a strategy and prioritized plan for implementing
improvements to the capability.

2. Conduct Improvement Initiatives – Implement improvement initiatives.

3. Monitor Improvements – Monitor improvement initiative progress, completion, and follow-up.


Considerations
a. Continual improvement is the hallmark of a mature and high-performing capability and
organization.

b. Budgeting for regular improvement activities enables continual capability maturation and
efficiency.

c. Incorporating feedback loops and post-assessment activities (lessons learned, root-cause analysis, after action reviews, etc.) into organizational processes helps identify and address needed improvement areas.

d. Incorporating change management activities in all improvement plans helps make people
aware of and accept changes.

Tools & Techniques
● Continuous Process Improvement, Total Quality Management (TQM), Six Sigma, Lean, Benchmarking


Part III - GRC Glossary

The GRC Glossary provides comprehensive and unified definitions for terms that span governance, strategy, performance, risk, compliance, security, continuity, audit & assurance. For the most recent version, please refer to https://oceg.org/glossary/


Absolute Assurance
A level of assurance that is impossible to achieve.

Usage Notes
Absolute assurance is not attainable because of limitations including the nature of evidence and
the characteristics of misconduct, mistakes and miscalculations (especially intentional fraud).
Thus, even when assurance activities are conducted with the highest levels of objectivity and
competence, it is still impossible to achieve absolute assurance.

Part of: Level of Assurance

Also related to: Assurance, Level of Assurance

ACCEPT (Design Option)
An intentional design decision to embrace, or concede to, the current level of risk, reward, and compliance.

Usage Notes
Sometimes ACCEPT is used when embracing or conceding to a planned level of risk, reward, or
compliance.

Part of: Design Options

Also related to: AVOID (Design Option), CONTROL (Design Option), TRANSFER (Design Option), SHARE (Design Option)

Accountable
The characteristic of an individual who takes responsibility and ownership for tasks and their
outcomes, transcending a narrow job description.

Usage Notes
The quality of an individual who assumes responsibility and ownership, going beyond the idea of "it's not my job".

This involves maintaining a balance between stepping up without overstepping boundaries, avoiding both the lack of accountability that manifests as blame-shifting and excessive accountability that may encroach on others' roles.

Part of: Protector Mindset™


Also related to: Protector Mindset™, Stable, Visionary, Collaborative, Versatile, Proactive

Action & Control
A specific way, usually used in combination, that an organization addresses risk, reward, and compliance.

Action & Control Type
A method to organize actions & controls, based on whether they are proactive, detective, or responsive to risk, reward, or compliance.

Action & Control Category
A method to organize actions & controls, according to the specific resources they involve.

Action & Control Orientation
A method to organize actions & controls, based on whether they primarily support management, governance, or assurance activities.

Also related to: Integrated Action & Control Model™

Action & Control Category
A method to organize actions & controls, according to the specific resources they involve.

Policy Action & Controls
Formal statements and rules about organizational intentions and expectations used to address risk, reward, and compliance.

People Actions & Controls
Human factors, including structure, accountability, education, and enablement used to address risk, reward, and compliance.

Process Action & Controls
Decisions about how and when to perform activities, and where and to whom to assign accountability used to address risk, reward, and compliance.

Physical Actions & Controls
Physical safeguards, barriers, or constraints, such as fences, locks, guards, cameras, or other protective mechanisms, used to address risk, reward, and compliance.


Information Actions & Controls
Communications and reports up, down, and across the organization used to address risk, reward, and compliance.

Technology Action & Controls
Hardware and software systems used to address risk, reward, and compliance.

Financial Action & Controls
Insurance, captives, hedging, reserves, or other financial instruments used to address risk, reward, and compliance.

Part of: Action & Control

Also related to: Integrated Action & Control Model™

Action & Control Orientation
A method to organize actions & controls, based on whether they primarily support management, governance, or assurance activities.

Usage Notes
Some actions & controls may serve management, governance, and assurance orientations. In fact,
it is desirable for actions & controls to serve all three orientations to avoid duplication and
complexity.

Management Actions & Controls
Actions & controls that primarily serve management activities to address opportunities, obstacles, and obligations.

Governance Actions & Controls
Actions & controls that primarily serve governance activities to constrain and conscribe the organization or some aspect of it.

Assurance Actions & Controls
Actions & controls that primarily serve assurance activities.

Part of: Action & Control

Also related to: Integrated Action & Control Model™


Action & Control Type
A method to organize actions & controls, based on whether they are proactive, detective, or responsive to risk, reward, or compliance.

Proactive Actions & Controls
Actions & controls that promote or enable favorable events and prevent or deter unfavorable events.

Detective Actions & Controls
Actions & controls that detect the occurrence of favorable and unfavorable events.

Responsive Actions & Controls
Actions & controls that aim to accelerate or compound the benefit of favorable events, and correct or recover from the harm of unfavorable events.

Part of: Action & Control

Also related to: Event, Integrated Action & Control Model™

Agile
Evidence that the organization can respond quickly and positively to changes and stress.

Usage Notes
Agility is often measured by tracking how long it takes to adapt to a change in circumstances. For
example:

When a new regulation is announced, how long does it take to address it?

When a new customer requirement is uncovered, how long does it take to deliver value?

When a change in organizational structure happens, how long does it take other areas of the
organization to respond?

Part of: Total Performance™

Synonyms: Responsive

Ambiguous
A property that refers to the presence of multiple, unclear, or conflicting interpretations of
conditions, events, or behaviors in a system.


Usage Notes
These questions help to understand if a situation is ambiguous:

1. Is there a prevailing lack of clarity on how to interpret the situation?

2. Are multiple, and often contradictory, interpretations possible for the situation?

3. Is the context or frame of reference for the situation unclear or subject to frequent
changes?

Part of: VUCA

Analysis Criteria
The criteria used to analyze, quantify and select ways to address risk, reward, and compliance.

Part of: Decision-Making Criteria

Antifragile
A property or description of systems that increase in capability to thrive as a result of stressors,
shocks, volatility, noise, mistakes, faults, attacks, or failures.

Usage Notes
The concept was developed by Nassim Nicholas Taleb in his book, Antifragile, and in technical papers.

Many professionals who aim for organizational resilience say that "getting stronger" has always
been an objective of resilience and that "antifragile" may be considered a "maximal form of
resilience."

See canonical synonym: Resilient

Appetite
A range for the value of an indicator that defines a preferred or expected level of variation around a
target.

Usage Notes
Any variation within the appetite would be considered expected and normal. No adjustments to
actions & controls are necessary when a system operates within the appetite.


Part of: Indicator Targets & Ranges (ITR) Model, Indicator

Also related to: Risk Appetite

Appreciation Incentives
Incentives to perform favorable behaviors that provide meaningful gratitude and
acknowledgement to the individual that otherwise would not be available.

Part of: Incentives

Assessment Procedures
See canonical synonym: Review Procedures

Assurance
The act of objectively and competently evaluating subject matter to provide conclusions and
confidence that statements and beliefs about the subject matter are justified and true.

Assurance Provider
Someone who conducts assurance activities.

Objectivity (in Assurance)
The degree to which an Assurance Provider can be impartial, disinterested, independent, and free to conduct necessary activities and to form an opinion about the subject matter.

Competence (in Assurance)
The degree to which an Assurance Provider can use sophisticated, professional, and structured techniques to evaluate subject matter.

Evaluate
The act of judging subject matter by comparing evidence against suitable criteria.

Subject Matter
Identifiable statements, conditions, events, or activities for which there is evidence.

Level of Assurance
A measure of the degree of confidence that an assurance provider can deliver to an information
consumer about statements an information provider makes about the subject matter.


Assurance Assessment
An objective and competent evaluation of subject matter to provide conclusions and confidence
that statements and beliefs about the subject matter are justified and true.

Also related to: Level of Assurance, Information Producer, Information Consumer, Assurance Actions & Controls, Absolute Assurance

Assurance Actions & Controls
Actions & controls that primarily serve assurance activities.

Usage Notes
Assurance actions & controls should only be designed and operated if management or governance
actions & controls are insufficient for assurance activities.

Part of: Action & Control Orientation

Also related to: Assurance, Management Actions & Controls, Governance Actions & Controls

Assurance Assessment
An objective and competent evaluation of subject matter to provide conclusions and confidence
that statements and beliefs about the subject matter are justified and true.

Usage Notes
Providing conclusions and enhancing the confidence of stakeholders are key objectives of any
assurance assessment.

Part of: Assurance

Assurance Provider
Someone who conducts assurance activities.

Part of: Assurance

Also related to: Level of Assurance, Competence (in Assurance), Objectivity (in Assurance), Information Producer, Information Consumer

Assurance Risk
The risk that an assurance assessment provides inaccurate conclusions, especially inaccurate
positive conclusions, that statements about the subject matter are justified and true.


Usage Notes
A meaningful misunderstanding happens when information producers make inaccurate
statements to information consumers about subject matter. Common reasons for inaccurate
statements include:

● Misconduct. The information producer intentionally made inaccurate statements.

● Mistakes. The information producer made statements that turned out to be inaccurate
because of errors in underlying systems, actions, and controls.

Audience
The person or group that is intended to receive a message.

Part of: Channel

Synonyms: Receiver

Also related to: Student, Communicator

Audit & Assurance Discipline
A critical discipline that provides methods to enhance confidence that the organization is reliably achieving objectives, addressing uncertainty, and acting with integrity.

Part of: Critical Disciplines

AVOID (Design Option)
A design option to cease all activity or terminate sources that give rise to the opportunity, obstacle, or obligation.

Part of: Design Options

Also related to: ACCEPT (Design Option)

Behaviors
Observable actions of a person or group of people, informed by beliefs and values.

Also related to: Values, Beliefs

Beliefs


Unobservable ideas and assumptions of a person or group, often caused by experience, perception, and personality.

Part of: Culture

Also related to: Values, Behaviors

Benefit
A measure of the positive impact that an event has on the organization.

Part of: Impact, Reward, Consequence

Also related to: Harm

Best Possible Value
A value of an indicator that is likely to be achieved under the best possible assumptions and best possible execution.

Also related to: Indicator, Committed Value, Stretch Value

See canonical synonym: Target

Board of Directors
A group of individuals elected by shareholders to represent their interests and to manage the
business and affairs of the organization.

Usage Notes
The board of directors often delegates substantial authority to management, provides oversight of management and major corporate decisions, and holds a fiduciary duty to protect shareholders' interests.

Part of: Internal Stakeholders

See canonical synonym: Governing Authority

Boundary

Mandatory Boundary
Obligations that an organization must address because of some legitimate authority (e.g., laws,
rules, regulations).


Voluntary Boundary
Obligations an organization chooses to address because of voluntary decisions (e.g., contracts,
agreements and values).

See canonical synonym: Obligation

Business Model
A model that describes how a company creates, delivers, and captures value for its stakeholders. It
defines the fundamental aspects of a company's operations, such as its target customers, value
proposition, revenue streams, cost structure, and key resources and activities.

Business Unit
An organizational unit that is subordinate to the enterprise and often responsible for specific
products, customers, or geography.

Usage Notes
Business unit may be used even when the organization is not a “business” (e.g., a government agency or a nonprofit organization).

Part of: Organizational Unit

Capacity
A range for an indicator that defines the maximum level of variation around a target that the organization is unwilling, unable, or incapable of addressing, and that may result in jeopardy or ruin.

Part of: Indicator Targets & Ranges (ITR) Model, Indicator

Also related to: Risk Capacity

Career Opportunities Incentives
Incentives to perform favorable behaviors that provide access to career path opportunities that otherwise would not be available.

Part of: Incentives

Cause
The trigger or potential trigger of events that lead to a consequence including agents or forces
that are responsible for bringing something into existence or changing it.


Usage Notes
Causes tend to be narrative, descriptive, or qualitative in nature. When quantifying causes, the
term likelihood is typically used.

Prospect
A cause that has the potential to eventually result in benefit.

Hazard
A cause that has the potential to eventually result in harm.

Part of: Event; Cause, Event, Consequence (CEC) Model

Synonyms: Source

Also related to: Consequence

Cause, Event, Consequence (CEC) Model
An integrated model that illustrates the causes and consequences associated with events.

Cause
The trigger or potential trigger of events that lead to a consequence including agents or forces
that are responsible for bringing something into existence or changing it.

Event
Something that happens, including a change in condition or behavior.

Consequence
The outcome or potential outcome of an event or series of events.

Channel
The medium used to get the message from the communicator to the audience.

Audience
The person or group that is intended to receive a message.

Communicator
The person or group that sends or signals a message.

Also related to: Message


Climate
The collective perception about self, surroundings, and others – including perceptions about
culture, some aspect of culture, or some topical area.

Part of: Culture

Also related to: Mindsets

Code of Conduct
The Code of Conduct sets out the principles, values, standards, or rules of behavior that guide the
organization's decisions, procedures, and systems. The Code of Conduct is, in effect, a set of the
most important core policies.

Usage Notes
The Code of Conduct is, perhaps, the most important policy in an organization.

Synonyms: Code of Ethics

Also related to: Policy

Code of Ethics
See canonical synonym: Code of Conduct

Collaborative
The quality of an individual to engage in productive relationships and teamwork, understanding
their fundamental role in achieving greater outcomes.

Usage Notes
This characteristic necessitates a balance to avoid underuse, which may lead to isolation and
antagonism, and overuse, which may create a social atmosphere without clear accountability.

Part of: Protector Mindset™

Also related to: Accountable

Committed Value
A value of an indicator that is likely to be achieved given current assumptions and planned
execution.


Usage Notes
When used, this can be considered synonymous with Target.

Also related to: Indicator , Best Possible Value , Stretch Value

Communicator
The person or group that sends or signals a message.

Message
The content of what is communicated.

Part of: Channel

Synonyms: Sender

Also related to: Audience

Competence
The ability to do something successfully.

Competence (in Assurance)
The degree to which an Assurance Provider can use sophisticated, professional, and structured
techniques to evaluate subject matter.

Usage Notes
Being “competent” in assurance means being cognitively and physically capable of using
sophisticated, professional, and structured techniques to evaluate subject matter.

Part of: Assurance, Level of Assurance

Also related to: Assurance Provider

Complex
A property that refers to the interconnected, interdependent, and interrelated nature of the parts
of a system that often give rise to nonlinear dynamics, emergent properties and unpredictable
outcomes.

Usage Notes
These questions help to understand if a situation is complex:

1. Are there a multitude of interconnected variables that need to be considered?

2. Does the situation involve navigating through numerous layers of complexity?

3. Are the solutions multifaceted, necessitating a thorough consideration of a wide array of
elements?

Part of: VUCA

Compliance
A measure of the degree to which obligations are proven to be addressed.

Also related to: Obligation , Compliance Management , Key Compliance Indicator (also KCI)

Compliance & Ethics Discipline
A critical discipline that provides methods to identify and address mandatory and voluntary
obligations and the underlying ethical principles and values.

Part of: Critical Disciplines

Compliance Management
The act of managing processes and resources to achieve the desired level of compliance.

Part of: GRC

Also related to: Compliance , Key Compliance Indicator (also KCI)

Compound/Accelerate Actions & Controls
Actions & controls that compound, accelerate, and increase the impact of favorable events to
maximize benefit and promote future occurrence.

Part of: Responsive Actions & Controls

Condition
A state of reality.

Also related to: Event

Consequence
The outcome or potential outcome of an event or series of events.

Usage Notes
Consequences tend to be narrative, descriptive, or qualitative in nature. When quantifying
consequences, the term impact is typically used.

Impact
A measure that estimates the consequence of an event.

Harm
A measure of the negative impact that an event has on the organization.

Benefit
A measure of the positive impact that an event has on the organization.

Part of: Event; Cause, Event, Consequence (CEC) Model

Also related to: Event , Cause

CONTROL (Design Option)
A design option to implement actions that govern and manage the opportunity, obstacle, or
obligation according to its nature.

Usage Notes
The word "control" by itself is sometimes used to mean "action & control".

Part of: Design Options

Synonyms: TREAT (as a Design Option)

Also related to: ACCEPT (Design Option)

Convergent Thinking
Focused on high-likelihood possibilities, most favorable/unfavorable conditions and events,
current and most relevant circumstances, and most rewarding/riskiest outcomes.

Also related to: Divergent Thinking

Correct/Recover Actions & Controls
Actions & controls that slow down or decrease the impact of unfavorable events, and return the
organization to its original state, stable state, or superior state after harm has occurred to
minimize harm and prevent future occurrences.

Usage Notes
Returning the organization to its original state or stable state is a sign of resilience.

Returning the organization to a superior state is a sign of antifragility.

Recovery Actions & Controls
Actions & controls that return the organization to its original state, stable state, or superior state
after harm has occurred.

Corrective Actions & Controls
Actions & controls that safeguard the organization or some asset after an unfavorable event
occurs.

Part of: Responsive Actions & Controls

Corrective Actions & Controls
Actions & controls that safeguard the organization or some asset after an unfavorable event
occurs.

Usage Notes
Corrective actions & controls and recovery actions & controls are related but slightly different.

For example, restoring a server to a clean image is a corrective control because it solves the
immediate problem of a malware intrusion, while restoring the server's data from backup is a
recovery control because it returns the server to a known-good prior state, allowing the business
to resume normal operation. The recovery control only achieves this if the backup predates the
intrusion and is checked for the same malware before it is restored; restoring a backup taken after
the compromise reintroduces the problem the corrective control removed.

Part of: Correct/Recover Actions & Controls

Creditor
An individual, institution, or entity to whom the organization owes money or services.

Part of: External Stakeholders

Critical Disciplines
The background disciplines that comprise the interdisciplinary approach to GRC, including:
Governance & Oversight, Strategy & Performance, Risk & Decision Support, Compliance & Ethics,
Security & Continuity, and Audit & Assurance.

Governance & Oversight Discipline
A critical discipline that provides methods to guide, constrain and conscribe the organization to
achieve its purpose, mission, vision, and values.

Strategy & Performance Discipline
A critical discipline that provides methods to guide, arrange and operate resources to achieve
objectives and monitor performance.

Risk & Decision Support Discipline
A critical discipline that provides methods to identify and address the effect of uncertainty on
objectives, including ways to support decisions under uncertainty.

Compliance & Ethics Discipline
A critical discipline that provides methods to identify and address mandatory and voluntary
obligations and the underlying ethical principles and values.

Security & Continuity Discipline
A critical discipline that provides methods to identify and address threats to critical physical and
digital assets and infrastructure.

Audit & Assurance Discipline
A critical discipline that provides methods to enhance confidence that the organization is reliably
achieving objectives, addressing uncertainty, and acting with integrity.

Also related to: Protector Skillset™

Culture
An emergent property of a group of people caused by the interaction of individual beliefs, values,
mindsets, and behaviors and demonstrated by observable norms and articulated opinions that
shape beliefs, values, mindsets, and behaviors in wide-ranging and durable ways.

Usage Notes
Culture has a bi-directional relationship with individuals. It is both an emergent property of a group
of individual beliefs, as well as something that shapes individual beliefs.

Values
Fundamental beliefs, principles, and ideals that an organization, group, or individual demonstrates
and adheres to when making decisions and acting.

Climate
The collective perception about self, surroundings, and others – including perceptions about
culture, some aspect of culture, or some topical area.

Mindsets
Individual perceptions about self, surroundings, and others – including perceptions about culture,
some topical area, or how to approach work.

Beliefs
Unobservable ideas and assumptions of a person or group, often caused by experience,
perception, and personality.

Norms
Customs, rules, or expectations that a group socially reinforces, usually through informal means.

Current Residual Risk
The level of residual risk under currently operating actions & controls.

Part of: Residual Risk

Current Skill Level
Existing level of skill a person, or “typical” person in a group, possesses.

Part of: Learning Activity

Customer
An individual, institution, or entity that purchases products or services.

Usage Notes
● The customer is sometimes considered the "most important stakeholder" because without
a customer, an organization cannot provide value.

● For departments or teams, the customer may include a superior, subordinate, or peer
organizational unit. For governmental entities, the customer is a constituent or regulated
entity.

Part of: External Stakeholders

Damage
See canonical synonym: Harm

Decision-Making Criteria
The principles, values, rules, variables, conditions, targets, tolerances, and other thresholds used
to select an option or make a decision.

Direction-Setting Criteria
The criteria used to set the direction for the organization and its objectives based on
external/internal context, culture, and stakeholder needs.

Objective-Setting Criteria
The criteria used to set objectives and results in accordance with the organization’s direction.

Identification Criteria
The criteria used to identify opportunities, obstacles, and obligations that stand in front of the
organization and its objectives.

Analysis Criteria
The criteria used to analyze, quantify and select ways to address risk, reward, and compliance.

Design Criteria
The criteria used to select actions & controls that address risk, reward, and compliance.

Demographic Factors
External factors that include gender, age, ethnicity, knowledge of languages, disabilities, mobility,
home ownership, employment status, religious belief or practice, culture and tradition, living
standards, and income level.

Part of: External Factors

Department
A department is subordinate to the enterprise and often cuts across multiple business units
providing shared services such as human resources, information technology (IT), compliance, risk
management, and other services.

Part of: Organizational Unit

Descriptive Norms
Observation of what individuals do, providing information about what is “normal” in a particular
culture.

Part of: Norms

Design Criteria
The criteria used to select actions & controls that address risk, reward, and compliance.

Part of: Decision-Making Criteria

Design Effectiveness
Evidence of logically designed actions & controls relative to objectives, opportunities, obstacles,
and obligations. This is accomplished by evaluating the design actions & controls against suitable
criteria.

Design Options
Broad design decisions to address an opportunity, obstacle, or obligation.

Usage Notes
Design options address both risk and reward. The term Risk Response is sometimes used when
applied only to risks.

ACCEPT (Design Option)
An intentional design decision to embrace, or concede to the current level of risk, reward, and
compliance.

SHARE (Design Option)
A design option to outsource, enter joint ventures or partnerships, buy insurance, or use other
financial instruments to address the opportunity, obstacle, or obligation.

AVOID (Design Option)
A design option to cease all activity or terminate sources that give rise to the opportunity,
obstacle, or obligation.

TRANSFER (Design Option)
A special case of a sharing design option where an attempt is made to give close to 100% of
responsibility and consequence to a third party.

CONTROL (Design Option)
A design option to implement actions that govern and manage the opportunity, obstacle, or
obligation according to its nature.

Synonyms: Response Options

Design Review Procedure
A procedure that compares the documentation of the design of a system against suitable criteria
that defines an acceptable design of that system.

Usage Notes
Suitable criteria are often available in published standards or best practices.

Suitable criteria for assessing the GRC Capability Model (or some aspect of it) is available in the
GRC Assessment Tools.

Part of: Review Procedures

Detective Actions & Controls
Actions & controls that detect the occurrence of favorable and unfavorable events.

Usage Notes
Unfavorable events include incidents of non-compliance.

Part of: Integrated Action & Control Model™, Action & Control Type

Deterrent
A type of action & control that reduces the likelihood that an event occurs.

Usage Notes
Often, a deterrent refers to a specific action, control, or strategy that lowers the likelihood of an
event by instilling fear in, or exposing to risk or negative consequences, whoever would cause it.

Also related to: Prevent/Deter Actions & Controls

Direction-Setting Criteria
The criteria used to set the direction for the organization and its objectives based on
external/internal context, culture, and stakeholder needs.

Part of: Decision-Making Criteria

Directives
Policy, process, and technology that encourage favorable events.

Part of: Promote/Enable Actions & Controls

Divergent Thinking
Considering all possibilities, conditions and events, circumstances, and outcomes.

Also related to: Convergent Thinking

Duration
A measure that estimates how long an event or impact might last.

Economic Factors
External factors that include growth, exchange, inflation, and interest rates.

Part of: External Factors

Economic Incentives
Incentives to perform favorable behaviors that provide monetary compensation, bonuses,
profit-sharing or gain-sharing that otherwise would not be available.

Part of: Incentives

Education Activity
See canonical synonym: Learning Activity

Effect
A measure that estimates the likelihood and impact that an event has on objectives.

Risk
A measure of the negative, unfavorable effect of uncertainty on objectives.

Reward
A measure of the positive, favorable effect of uncertainty on objectives.

Also related to: Event , Objective

Effective
An aspect of Total Performance which demonstrates evidence of logically designed actions &
controls that address appropriate objectives, opportunities, obstacles, and obligations; and
evidence that these actions & controls are operating as designed.

Part of: Total Performance™

Synonyms: Sound

Efficient
An aspect of Total Performance which demonstrates evidence that the organization productively
uses financial, human, and other capital resources without wasted effort or expense.

Part of: Total Performance™

Synonyms: Lean

Enterprise
The most superior unit that encompasses the entirety of the organization.

Usage Notes
Enterprise may be used even when the organization is a government agency, a nonprofit
organization, or a small organization.

Part of: Organizational Unit

Environmental Factors
External factors that include ecological and environmental aspects such as climate and natural
resources.

Part of: External Factors

Ethics
Values that define right and wrong decisions and actions based on the norms of a group.

Usage Notes
Ethics get their authority from external social systems relating to a specific group. Ethics are often
codified in a set of rules that apply to a member of the group (e.g., lawyers, doctors, and
accountants follow the ethical system adopted by those in the field).

Ethics and morals are sometimes used interchangeably, but these words have nuanced meanings.
Much of the confusion between these two words can be traced back to their origins. For example,
the word “ethic” comes from Old French (etique), a set of rules for customs and behaviors,
whereas Late Latin (ethica) and Greek (ethos) referred to customs or moral philosophies. “Morals”
comes from Late Latin’s moralis, which refers to appropriate behavior and manners in society. The
two words originally had very similar meanings.

Also related to: Morals , Values

Evaluate
The act of judging subject matter by comparing evidence against suitable criteria.

Subject Matter
Identifiable statements, conditions, events, or activities for which there is evidence.

Suitable Criteria
Benchmarks used to evaluate subject matter that yield consistent and meaningful results.

Part of: Assurance

Event
Something that happens, including a change in condition or behavior.

Usage Notes
All events have a cause. Most events have a consequence. However, some causes and
consequences may be ambiguous, complex, or uncertain.

Cause
The trigger or potential trigger of events that lead to a consequence including agents or forces
that are responsible for bringing something into existence or changing it.

Consequence
The outcome or potential outcome of an event or series of events.

Part of: Cause, Event, Consequence (CEC) Model

Also related to: Effect , Risk , Condition , Action & Control Type , Reward , Consequence

Executive Management
See canonical synonym: Executive Team

Executive Team
A group of executives, often a group of the senior-most executives in an organization.

Usage Notes
The Executive Team is often referred to as the "C-Suite" because the individuals on the Executive
Team hold titles such as "chief executive officer," "chief financial officer," and "chief legal officer."

Synonyms: Executive Management, Senior Management

Also related to: Executives , Workforce

Executives
Senior-most managers with broad responsibilities over the entire organization or some significant
part of the organization (e.g., all technology, all sales, and marketing, all administration, all
finance).

Usage Notes
Executives often have words such as “chief” in their titles, such as “chief executive officer” or
“chief operating officer.”

Part of: Workforce

Also related to: Executive Team

Extended Enterprise
See canonical synonym: Third Party

External Context
See canonical synonym: External Factors

External Factors
Categories of sources and forces that originate outside of the organization, including industry,
market, economic, technology, societal, legal and regulatory, political, environmental,
demographic, and geopolitical factors.

Industry Factors
External factors that include new entrants, competitors, suppliers, customers, substitutes, and
industry norms.

Market Factors
External factors that include customer trends, demographics, and economic conditions.

Economic Factors
External factors that include growth, exchange, inflation, and interest rates.

Technology Factors
External factors that include technological aspects such as R&D activity, automation, storage,
computation, technology incentives, innovations in materials, mechanical efficiency, and the rate
of technological change.

Societal Factors
External factors that include cultural aspects, attitudes, customs, and norms.

Legal and Regulatory Factors
External factors that include laws, rules, regulations, litigation, and judicial or administrative
opinions.

Political Factors
External factors that relate to how the government intervenes in the economy, including laws,
rules, regulations, tax policy, and political stability.

Environmental Factors
External factors that include ecological and environmental aspects such as climate and natural
resources.

Demographic Factors
External factors that include gender, age, ethnicity, knowledge of languages, disabilities, mobility,
home ownership, employment status, religious belief or practice, culture and tradition, living
standards, and income level.

Geopolitical Factors
External factors that include sanctions, export controls, and potential military conflicts.

Synonyms: External Context

External Stakeholders
An individual, institution, or entity outside of the organization that is affected by, or has an interest
in, the company's decisions and activities.

Usage Notes
These stakeholders do not directly participate in the company's operations but can influence or be
influenced by the company's business outcomes. Examples of external stakeholders include
customers, suppliers, creditors, investors, regulators, the government, competitors, the media,
and the community or society in which the company operates. The company's decisions and
policies often aim to consider and balance the interests of both internal and external
stakeholders.

Customer
An individual, institution, or entity that purchases products or services.

Investor
An individual, institution, or entity that provides capital to the organization either by purchasing
shares (thus becoming shareholders), bonds, or other financial instruments, with the expectation
of receiving a financial return.

Shareholder
An individual, institution, or entity that owns shares or stock (or some functionally comparable
instrument) in the organization.

Creditor
An individual, institution, or entity to whom the organization owes money or services.

Lender
An individual, institution, or entity that provides funds to the organization with the expectation
that the funds will be paid back in full, usually with interest.

Supplier
An individual, institution, or entity that provides goods or services to the organization.

Regulator
Government or independent authorities that oversee and control specific aspects of the
organization's practices. They set standards and rules that the organization must follow and can
impose penalties for non-compliance.

Media
Various channels of communication, like newspapers, television, radio, and online platforms, which
can shape public perception of the organization.

Society
The local, national, or global population affected by the organization's operations.

Part of: Stakeholder

Factor
A category of forces in the internal or external context.

Feedback
The reaction from the audience to a message.

Fifth Line of Accountability
The Governing Authority (Board) is ultimately accountable and responsible for the governance,
management, and assurance of performance, risk, and compliance. While the governing authority
may choose to delegate, this plenary accountability means that the governing authority must use
due care to ensure that the right systems are in place to learn about and address important
performance, risk, and compliance issues – especially those that present “red flags.”

Part of: Lines of Accountability™ Model (also LoA)

Financial Action & Controls
Insurance, captives, hedging, reserves, or other financial instruments used to address risk,
reward, and compliance.

Part of: Action & Control Category

Financial Capital
Liquidity, budgets, and other economic resources.

Part of: Resources

First Line of Accountability
Individuals and teams that own and manage performance, risk, and compliance associated with
day-to-day operational activities.

Part of: Lines of Accountability™ Model (also LoA)

Folkways
Informal norms that govern everyday behaviors and social etiquette that are not strictly enforced,
but where violations may lead to mild disapproval or social awkwardness (e.g., table manners,
punctuality, and appropriate dressing).

Part of: Norms

Force
A cause that is an emergent property of volatility, uncertainty, complexity, or ambiguity in the
internal or external context.

Fourth Line of Accountability
The Executive team is accountable and responsible for the portfolio of organization-wide
performance, risk, and compliance. The Fourth Line gains information from the First Line and the
Second Line and assurance from the Third Line to make decisions about managing performance,
risk, and compliance.

Part of: Lines of Accountability™ Model (also LoA)

Fractal
The property of self-similarity or the repetition of patterns at different scales in a system or
structure.

Usage Notes
In fractal geometry, a fractal is a mathematical set that exhibits self-similarity and has a structure
that is similar at every scale. Fractals are often found in nature, such as in the branching patterns
of trees, the veins of leaves, or the shapes of clouds.

In organizations, fractality is used to describe the self-similar patterns and structures of social
networks and interactions, as well as in the study of collective behavior and decision-making.

Fractality means that problems and solutions can replicate and scale to multiple levels of the
organization.

Frequency
A measure that estimates how often the same event might occur.

Geopolitical Factors
External factors that include sanctions, export controls, and potential military conflicts.

Part of: External Factors

Governance
The act of indirectly guiding, controlling, and evaluating an entity by constraining and conscribing
resources.

Usage Notes
Govern. To govern; governing

Part of: GRC

Governance & Oversight Discipline
A critical discipline that provides methods to guide, constrain and conscribe the organization to
achieve its purpose, mission, vision, and values.

Part of: Critical Disciplines

Governance Actions & Controls
Actions & controls that primarily serve governance activities to constrain and conscribe the
organization or some aspect of it.

Usage Notes
Governance actions & controls are added when management actions & controls do not provide
enough information or guidance to constrain and conscribe the organization.

Part of: Action & Control Orientation

Also related to: Assurance Actions & Controls , Management Actions & Controls

Governing Authority
The most superior level of accountability and authority.

Usage Notes
● The governing authority is often responsible for balancing the competing needs of
stakeholders so that it can guide, constrain, and conscribe the organization to reliably
achieve objectives, address uncertainty, and act with integrity to meet these needs.

● The governing authority is often a board of directors if the organization in scope is an
enterprise.

● The governing authority may be an oversight committee if the organization in scope is a
business unit or department.

Synonyms: Board of Directors

GRC
An initialism that stands for Governance, Risk, and Compliance, and is an interdisciplinary
approach of integrated capabilities, interconnected relationships, and interlinked shared values,
which enable Principled Performance.

Usage Notes
GRC, as an initialism, denotes governance, risk, and compliance — but the full story of GRC is so
much more than those three words.

The acronym GRC was created as a shorthand reference to the critical capabilities that must work
together to achieve Principled Performance — the capabilities that integrate the governance,
management, and assurance of performance, risk, and compliance activities.

This includes work done by departments in governance, strategy, risk, compliance, security, audit,
finance, legal, IT, and HR. But it also includes operators in lines of business, the executive suite,
and the board itself.

While GRC was created by OCEG in 2003, the first peer-reviewed academic paper on the topic was
published in 2007 by OCEG founder Scott Mitchell in the International Journal of Disclosure and
Governance.

This groundbreaking paper influenced the related software and services industry and began
open-source GRC standards.

● GRC is the pathway to Principled Performance.

● GRC is a collection of integrated capabilities to enable Principled Performance.

● GRC is a collection of integrated capabilities that enable an organization to reliably achieve
objectives, address uncertainty, and act with integrity.

● GRC is an interdisciplinary approach of integrated capabilities, interconnected
relationships, and interlinked shared values, which enable Principled Performance.

Governance
The act of indirectly guiding, controlling, and evaluating an entity by constraining and conscribing
resources.

Risk Management
The act of managing processes and resources to address risk while pursuing reward.

Compliance Management
The act of managing processes and resources to achieve the desired level of compliance.

Also related to: Principled Performance

GRC Capability Model™
The collection of capabilities that help an organization reliably achieve objectives, address
uncertainty, and act with integrity formalized and documented in the GRC Capability Model™ from
OCEG.

Usage Notes
The GRC Capability Model is the pathway to Principled Performance and comprises several
capabilities from critical disciplines including:

● Governance & Oversight

● Strategy & Performance

● Risk & Decisions

● Compliance & Ethics

● Security & Continuity

● Audit & Assurance

Habitual Behaviors
Semi-automatic human actions informed by beliefs and values and governed by free will and
discipline.

Harm
A measure of the negative impact that an event has on the organization.

Part of: Impact, Risk, Consequence

Synonyms: Damage

Also related to: Benefit

Hazard
A cause that has the potential to eventually result in harm.

Part of: Risk, Cause

Synonyms: Threat

Also related to: Obstacle

Helpline
A live or on-demand channel for individuals to ask questions before or while they are engaged in a
task.

Also related to: Hotline , Integrated Performance Support

Hotline
A live or on-demand channel for individuals to report problems.

Also related to: Helpline

Human Capital
The collective knowledge, skills, abilities, and experiences of an organization's workforce, along
with the relationships, attitudes, and values that enable them to work together to achieve the
organization's objectives.

Part of: Resources

IACM
See canonical synonym: Integrated Action & Control Model™

Identification Criteria
The criteria used to identify opportunities, obstacles, and obligations that stand in front of the
organization and its objectives.

Part of: Decision-Making Criteria

Impact
A measure that estimates the consequence of an event.

Benefit
A measure of the positive impact that an event has on the organization.

Harm
A measure of the negative impact that an event has on the organization.

Part of: Risk, Reward, Consequence

Incentives
Incentives include financial and non-financial things that encourage favorable conduct.

Usage Notes
There are two parts to an incentive:

● Promise - Incentives must be announced in advance of the expected conduct.

● Payoff - Incentives must be delivered as promised and meet or exceed the expectations of
the individual. Otherwise, news will spread that the incentives aren't what they appear to
be.

Economic Incentives
Incentives to perform favorable behaviors that provide monetary compensation, bonuses,
profit-sharing or gain-sharing that otherwise would not be available.

Appreciation Incentives
Incentives to perform favorable behaviors that provide meaningful gratitude and
acknowledgement to the individual that otherwise would not be available.

Status Incentives
Incentives to perform favorable behaviors that provide access to esteemed roles, promotions or
other visible recognition that otherwise would not be available.

Professional Development Incentives
Incentives to perform favorable behaviors that provide access to professional development
opportunities such as training or tuition reimbursements that otherwise would not be available.

Career Opportunities Incentives
Incentives to perform favorable behaviors that provide access to career path opportunities that
otherwise would not be available.

Part of: Promote/Enable Actions & Controls

Independence
The state of being free from structural or functional conditions that threaten the ability of the
assurance provider to perform assurance activities with objectivity and without any undue
influence. It includes the independence of the assurance provider from those who own, manage,
operate, or support the activity being assured.

Usage Notes
To achieve the degree of independence necessary to deliver the desired Level of Assurance, an
Assurance Provider should have direct and unrestricted access to information producers and
information consumers.

Indicator
A measure of progress toward or status of an objective.

Target
An expected or planned value for an indicator.

Appetite
A range for the value of an indicator that defines a preferred or expected level of variation around a
target.

Tolerance
A range for an indicator that defines an acceptable, though not preferred, level of variation around
a target that the organization is willing and able to address.

Capacity
A range for an indicator that defines the maximum level of variation around a target; variation
beyond this range is one the organization is unwilling, unable, or incapable of addressing and may
result in jeopardy or ruin.

Part of: Indicator Targets & Ranges (ITR) Model

Also related to: Committed Value , Best Possible Value , Stretch Value , Objective

Indicator Targets & Ranges (ITR) Model
A model that describes how indicator targets and ranges such as appetite, tolerance and capacity
relate to one another and can be used to evaluate total performance.

Usage Notes
The Indicator Targets & Ranges (ITR) Model is a robust model that provides a complete
explanation of how to set targets and important ranges of values to evaluate the total
performance of an indicator.

Indicator
A measure of progress toward or status of an objective.

Target
An expected or planned value for an indicator.

Appetite
A range for the value of an indicator that defines a preferred or expected level of variation around a
target.

Tolerance
A range for an indicator that defines an acceptable, though not preferred, level of variation around
a target that the organization is willing and able to address.

Capacity
A range for an indicator that defines the maximum level of variation around a target; variation
beyond this range is one the organization is unwilling, unable, or incapable of addressing and may
result in jeopardy or ruin.
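
The ITR Model above turns one target into nested ranges. The following worked example is added
here and is not part of the GRC Capability Model or any OCEG code; it shows one way to
operationalize the model for a security key risk indicator. The indicator (days to remediate a
critical vulnerability), its ranges and the weekly observations are constructed for illustration,
and the escalation rule (any observation outside tolerance calls for a decision) is an assumption
of the example rather than a rule the model states.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Zone(Enum):
    """Where an observed value sits relative to an indicator's ITR ranges, innermost first."""
    APPETITE = "within appetite"          # preferred or expected variation
    TOLERANCE = "within tolerance"        # acceptable, though not preferred
    CAPACITY = "within capacity"          # the most the organization can absorb
    BEYOND_CAPACITY = "beyond capacity"   # jeopardy or ruin


# Definition order doubles as severity order; used to find the worst observation in a series.
SEVERITY = {zone: rank for rank, zone in enumerate(Zone)}


@dataclass(frozen=True)
class Range:
    low: float
    high: float

    def __post_init__(self) -> None:
        if self.low > self.high:
            raise ValueError(f"range low {self.low} exceeds high {self.high}")

    def contains(self, value: float) -> bool:
        return self.low <= value <= self.high

    def encloses(self, other: "Range") -> bool:
        return self.low <= other.low and other.high <= self.high


@dataclass(frozen=True)
class IndicatorRanges:
    """Target plus nested appetite, tolerance and capacity ranges for one indicator."""
    name: str
    unit: str
    target: float
    appetite: Range
    tolerance: Range
    capacity: Range

    def __post_init__(self) -> None:
        # The ranges only make sense if they nest around the target; reject anything else
        # up front so a mis-keyed threshold cannot silently reclassify every observation.
        if not self.appetite.contains(self.target):
            raise ValueError(f"{self.name}: target {self.target} lies outside appetite")
        if not self.tolerance.encloses(self.appetite):
            raise ValueError(f"{self.name}: appetite is not inside tolerance")
        if not self.capacity.encloses(self.tolerance):
            raise ValueError(f"{self.name}: tolerance is not inside capacity")

    def zone(self, value: float) -> Zone:
        """Classify one observation: the innermost range that contains it wins."""
        if self.appetite.contains(value):
            return Zone.APPETITE
        if self.tolerance.contains(value):
            return Zone.TOLERANCE
        if self.capacity.contains(value):
            return Zone.CAPACITY
        return Zone.BEYOND_CAPACITY

    def evaluate(self, observations: Iterable[float]) -> dict:
        """Score a series of past observations (a lagging view of the indicator)."""
        zones = [self.zone(v) for v in observations]
        worst = max(zones, key=SEVERITY.__getitem__) if zones else None
        return {
            "zones": zones,
            "counts": {z: zones.count(z) for z in Zone},
            "worst": worst,
            # Assumption of this example, not a rule the model states: anything outside
            # tolerance is variation the organization has said it will not live with,
            # so it needs a decision rather than a note in the next report.
            "needs_escalation": worst is not None and SEVERITY[worst] > SEVERITY[Zone.TOLERANCE],
        }


# Constructed example KRI, not taken from the GRC Capability Model: days taken to
# remediate a critical vulnerability. Lower is better, so every range starts at zero.
PATCH_LATENCY_KRI = IndicatorRanges(
    name="critical vulnerability remediation time",
    unit="days",
    target=7,
    appetite=Range(0, 10),
    tolerance=Range(0, 14),
    capacity=Range(0, 30),
)

# Constructed weekly observations: the indicator drifts from appetite out past capacity.
SAMPLE_OBSERVATIONS = [6, 9, 13, 17, 32]


if __name__ == "__main__":
    report = PATCH_LATENCY_KRI.evaluate(SAMPLE_OBSERVATIONS)
    for value, zone in zip(SAMPLE_OBSERVATIONS, report["zones"]):
        print(f"{value:>3} {PATCH_LATENCY_KRI.unit}: {zone.value}")
    print("worst:", report["worst"].value, "| escalate:", report["needs_escalation"])
```

Nesting is validated when the indicator is built, so a mis-keyed threshold fails loudly instead of
quietly moving every observation into a different zone. The same structure serves a two-sided
indicator (a staffing level that can be too high or too low, for instance) by giving each range a
non-zero lower bound around the target.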

Industry Factors
External factors that include new entrants, competitors, suppliers, customers, substitutes, and
industry norms.

Part of: External Factors

Information Actions & Controls
Communications and reports up, down, and across the organization used to address risk, reward,
and compliance.

Part of: Action & Control Category

Information Capital
Data, communications, and intelligence.

Part of: Resources

Information Consumer
An individual, group, or any entity that receives information sent from any source within the
organization. Information is used as evidence to evaluate and compare against given criteria to
provide a certain level of assurance.

Synonyms: Information User

Also related to: Assurance , Assurance Provider

Information Producer
An individual, group, or any entity that produces data/information to send to another individual,
group, or entity that requests such information for the purpose of providing assurance.

Also related to: Assurance , Assurance Provider

Information User
See canonical synonym: Information Consumer

Inherent Effect
The effect of uncertainty in the absence of actions & controls.

Inherent Risk
The level of risk in the absence of actions & controls.

Also related to: Residual Risk

Injunctive Norm
Perceived behavior of what most people approve of, providing information on what one “should”
do.

Part of: Norms

Instructor
Individual who teaches.

Intangible Resources
Resources that refer to non-physical assets, such as knowledge, brand equity, and organizational
culture.

Part of: Resources

Integrated Action & Control Model™
A structure that considers the purpose and types of actions & controls used for the governance,
management, and assurance of performance, risk, and compliance.

Proactive Actions & Controls
Actions & controls that promote or enable favorable events and prevent or deter unfavorable
events.

Detective Actions & Controls
Actions & controls that detect the occurrence of favorable and unfavorable events.

Responsive Actions & Controls
Actions & controls that aim to accelerate or compound the benefit of favorable events, and correct
or recover from the harm of unfavorable events.

Synonyms: IACM

Also related to: Action & Control , Action & Control Orientation , Action & Control Type , Action &
Control Category

Integrated Performance Support
A function that provides the exact information needed to solve a learner’s question at the moment
of need. The goal is to increase performance by empowering individuals with self-help resources in
the flow of work rather than interrupting work with periodic and episodic learning.

Also related to: Helpline

Integrated Plan
An integrated plan details processes and resources allocated to reliably achieve objectives,
address uncertainty, and act with integrity.

Integrity
The state of being whole and complete by fulfilling obligations, honoring promises, and cleaning
up the mess if a promise was broken.

Usage Notes
One way to evaluate integrity is with the formula Integrity = Promises Kept / Promises Made.

Sometimes factors outside of the control of the organization prevent promises from being
honored. For example, an organization makes an implicit promise to every employee that they will
be gainfully employed so long as the employee adds value. However, external factors, such as an
economic downturn, might prevent the organization from honoring the employment promise, even
if the employee is adding value. To maintain integrity, then, an organization must do its best to
help the employee find gainful employment.

Part of: Principled Performance

Intention (Call to Action)
What the communicator wants the audience to believe, value, or do as a consequence of the
message.

Internal Audit
A function inside of the organization that helps the workforce, especially management, reliably
achieve objectives, address uncertainty, and act with integrity by providing assurance that the
right objectives, opportunities, obstacles, and obligations are addressed in the right way, to
increase the total performance.

Usage Notes
Internal audit objectively and competently evaluates subject matter to provide conclusions and
confidence that statements and beliefs about the subject matter are justified and true. This is
especially important for key objectives, opportunities, obstacles, and obligations to make sure
that the organization is operating within acceptable levels of risk/reward and compliance.

Internal Context
See canonical synonym: Internal Factors

Internal Factors
Categories of sources and forces that originate inside of the organization.

Synonyms: Internal Context

Internal Stakeholders
Stakeholders who influence the organization from within: personnel (and the unions that represent
the workforce), managers, executives, board members, and owners who are involved in the
organization.

Workforce
The collection of individuals the organization employs.

Owners
Individuals or entities that possess legal ownership and control of the organization.

Board of Directors
A group of individuals elected by shareholders to represent their interests and to manage the
business and affairs of the organization.

Part of: Stakeholder

Investor
An individual, institution, or entity that provides capital to the organization either by purchasing
shares (thus becoming shareholders), bonds, or other financial instruments, with the expectation
of receiving a financial return.

Part of: External Stakeholders

Involuntary Behaviors
Automatic, often instinctual human actions informed by beliefs and values and governed by
nature.

Key Compliance Indicator (also KCI)
Indicators that help govern, manage, and provide assurance about compliance related to an
objective.

Also related to: Compliance , Compliance Management

Key Milestone Indicator (also KMI)
A Boolean value (yes/no) or a percentage value (% complete) that measures the degree to which a
milestone is met.

Key Performance Indicator (also KPI)
Indicators that help govern, manage, and provide assurance about performance related to an
objective.

Key Risk Indicator (also KRI)
Indicators that help govern, manage, and provide assurance about risk related to an objective.

Key Risks
Highest priority risks that an organization selects, usually based on key objectives.

Usage Notes
An organization is free to voluntarily select its key risks. Key risks should be defined and selected
based on their relationship to key objectives.

Lagging Indicators
Indicators that provide information about past events or conditions.

Leaders
Individuals at any level of the organization who have the de facto attention and respect of the
workforce regardless of their title or position.

Part of: Workforce

Synonyms: Leadership

Leadership
See canonical synonym: Leaders

Leading Indicators
Indicators that provide information about future events or conditions.

Lean
See canonical synonym: Efficient

Learner
See canonical synonym: Student

Learning Activity
A directed collection of learning content that achieves learning objectives by enhancing student
ability from current skill level to target skill level.

Usage Notes
Learning activities may be synchronous or asynchronous and may be in-person or online.

Student
Individual who learns.

Learning Objective
Statements that define an educational activity's expected goal(s). Learning objectives can be
used to structure the content of educational activities.

Learning Outcome
A statement that reflects what the learner will be able to do as a result of participating in the
educational activity.

Current Skill Level
Existing level of skill a person, or “typical” person in a group, possesses.

Target Skill Level
The desired level of skill a person, or “typical” person in a group, is expected to possess.

Learning Content
The content in a learning activity includes text, image, audio, and video and takes the form of
lecture, discussion, debate, and demonstration.

Synonyms: Education Activity

Learning Content
The content in a learning activity includes text, image, audio, and video and takes the form of
lecture, discussion, debate, and demonstration.

Part of: Learning Activity

Learning Objective
Statements that define an educational activity's expected goal(s). Learning objectives can be
used to structure the content of educational activities.

Part of: Learning Activity

Learning Outcome
A statement that reflects what the learner will be able to do as a result of participating in the
educational activity.

Part of: Learning Activity

Legal and Regulatory Factors
External factors that include laws, rules, regulations, litigation, and judicial or administrative
opinions.

Part of: External Factors

Lender
An individual, institution, or entity that provides funds to the organization with the expectation
that the funds will be paid back in full, usually with interest.

Part of: External Stakeholders

Level of Assurance
A measure of the degree of confidence that an assurance provider can deliver to an information
consumer about statements an information producer makes about the subject matter.

Usage Notes
A greater degree of Assurance Objectivity and a greater degree of Assurance Competence
generally result in a higher Level of Assurance.

Objectivity (in Assurance)
The degree to which an Assurance Provider can be impartial, disinterested, independent, and free
to conduct necessary activities and to form an opinion about the subject matter.

Competence (in Assurance)
The degree to which an Assurance Provider can use sophisticated, professional, and structured
techniques to evaluate subject matter.

Absolute Assurance
A level of assurance that is impossible to achieve.

Reasonable Assurance
A special type and level of assurance, provided by external auditors as part of a financial audit or
examination, that subject matter conforms to suitable criteria and is free from material error.

Limited Assurance
A level of assurance resulting from reviews, compilations, and other activities performed by
competent personnel who are sufficiently objective about the subject matter.

Lower Assurance
A more limited level of assurance resulting from activities such as self-assessments and
benchmarking performed by the personnel responsible for the subject matter.

Part of: Assurance

Also related to: Assurance , Assurance Provider , Absolute Assurance

Likelihood
A measure that estimates the occurrence of an event.

Part of: Risk, Reward

Limited Assurance
A level of assurance resulting from reviews, compilations, and other activities performed by
competent personnel who are sufficiently objective about the subject matter.

Part of: Level of Assurance

Lines of Accountability™ Model (also LoA)
A model that helps organizations govern, manage and provide assurance over performance, risk,
and compliance by allocating specific responsibilities to different individuals or groups within the
organization and creating a layered approach to produce and preserve value.

Usage Notes
The Lines of Accountability Model segregates responsibilities so that each “line” or group has the
appropriate objectivity and competence to address the nature of the required work.

This model is "fractal" in nature and may be applied at the organizational level or at some lower
level such as a team. Hence, while the Lines of Accountability Model is presented using five lines,
the reality is that organizations comprise unique and idiosyncratic arrangements of people,
processes, information, and technology.

Importantly, the Lines of Accountability Model recognizes that a single department or function
may perform activities associated with multiple lines of accountability.

For example, an accounting department may function as a "first line" when it records financial
transactions, and as a "second line" when it analyses the performance of a business unit or
reconciles each sale with a receipt of cash.

Further, consider a sole proprietor who may “physically” have just one “line” in their organization –
namely, themselves. Despite this arrangement, the Lines of Accountability Model may be applied
by thoughtfully segregating activities in time and space by just one person.

For example, the sole proprietor may perform daily bookkeeping with an aim toward efficiency and
accuracy (first line). Then, once a month, and though not completely objective, this same person
may perform “desk checking” and review of their own work (second line). Quarterly, they may
conduct some strategic planning and review (fourth line). A meticulous sole proprietor may even
take a weekend at the end of the year to trace transactions to perform assurance activities (third
line) before preparing materials for an external auditor. And being a board member (fifth line),
this same person may perform some “ultimate accountability” activities by filing the annual report
to keep the organization in good standing with the tax authority.

Contrast this with a global enterprise with many business units and dozens of lines of
accountability with varying degrees of scope and scale. Each business unit may have multiple lines
of accountability, providing varying degrees of service to other departments and business units.

Hence, every organization will have a unique arrangement of the Lines of Accountability based on
the size, scope, and preferences of the board and executive management. What is critical is that
the arrangement helps the organization be reliable.

First Line of Accountability
Individuals and teams that own and manage performance, risk, and compliance associated with
day-to-day operational activities.

Second Line of Accountability
Individuals and teams that establish performance, risk, and compliance programs for the First Line.
The Second Line provides oversight through frameworks, standards, policies, tools, and
techniques to support performance, risk, and compliance management. The Second Line often
manages its own portfolio of objectives and associated performance, risk, and compliance. The
Second Line may provide limited assurance over First Line activities.

Third Line of Accountability
Individuals and teams that specialize in and provide a high level of assurance on activities
performed by the First Line and Second Line. The Third Line may include internal audit, external
audit or outside experts who are sufficiently objective and competent.

Fourth Line of Accountability
The Executive team is accountable and responsible for the portfolio of organization-wide
performance, risk, and compliance. The Fourth Line gains information from the First Line and the
Second Line and assurance from the Third Line to make decisions about managing performance,
risk, and compliance.

Fifth Line of Accountability
The Governing Authority (Board) is ultimately accountable and responsible for the governance,
management, and assurance of performance, risk, and compliance. While the governing authority
may choose to delegate, this plenary accountability means that the governing authority must use
due care to ensure that the right systems are in place to learn about and address important
performance, risk, and compliance issues – especially those that present “red flags.”

Lower Assurance
A more limited level of assurance resulting from activities such as self-assessments and
benchmarking performed by the personnel responsible for the subject matter.

Part of: Level of Assurance

Management (as a GRC Concept)
The act of directly guiding, controlling, and evaluating an entity by arranging and operating
resources.

Management Actions & Controls
Actions & controls that primarily serve management activities to address opportunities,
obstacles, and obligations.

Usage Notes
Management actions & controls comprise most of the work performed by the organization.

Whenever possible, management actions & controls should be used by both the governing
authority and assurance providers to avoid unnecessary complexity and duplication.

Part of: Action & Control Orientation

Also related to: Assurance Actions & Controls , Governance Actions & Controls

Management Team
A group of managers who are responsible for an area of the business.

Usage Notes
Often, the Management Team comprises the most senior managers for that particular area. For
example, if the area of the business is the financial operations, then the management team may
comprise the chief financial officer, the lead controller, and the treasurer.

See canonical synonym: Managers

Managers
Personnel who manage others.

Usage Notes
Qualifiers such as “senior managers” refer to managers with more responsibility in scale or scope,
while “junior managers” have less responsibility.

Part of: Workforce

Synonyms: Management Team

Mandatory Boundary
Obligations that an organization must address because of some legitimate authority (e.g., laws,
rules, regulations).

Part of: Obligation, Boundary

Market Factors
External factors that include customer trends, demographics, and economic conditions.

Part of: External Factors

Material Fact
A fact is material if there is a substantial likelihood that a reasonable information user would
consider it important in making a decision, or if it would have been viewed by the reasonable
information user as having significantly altered the 'total mix' of information made available and
used to make the decision.

Usage Notes
This definition is based on the standard of materiality articulated by the U.S. Supreme Court in
TSC Industries v. Northway, 426 U.S. 438, 449 (1976). While the original standard was applied to
financial reporting information in the United States, it is often used as a basis for global financial
reporting, cybersecurity reporting and sustainability reporting.

A more direct quote of the original standard would be "a fact is material if there is a substantial
likelihood that a reasonable shareholder would consider it important in making an investment
decision or if it would have been viewed by the reasonable investor as having significantly altered
the 'total mix' of information made available."

Material Misstatement
A material misstatement refers to a significant error or omission in financial statements that could
potentially influence the decisions of information consumers of those statements. It can be
caused by an error, fraud, or the misapplication of accounting principles. Material misstatements
can affect the accuracy and reliability of financial information and may cause financial statements
to be misleading or incomplete. Materiality is determined based on the size and nature of the
misstatement, as well as its potential impact on the financial statements and the decisions of
users of those statements.

Material Misstatements
A special case of Meaningful Misunderstanding where the information producer makes a
significant error or omission in financial statements that could potentially influence the decisions
of information consumers.

Part of: Meaningful Misunderstanding

Maturity
The level of development, progress, or sophistication of a particular process, function, or
organization.

Maturity Model
A structured framework that is used to assess and measure an organization's maturity or level of
development in a particular area. Maturity models typically define a series of levels, each
representing a higher level of maturity, and identify specific characteristics, practices, or
capabilities that organizations should demonstrate to achieve each level.

Meaningful Misunderstanding
Meaningful misunderstanding occurs when an information producer makes statements that
contain material errors or omissions that could affect the decisions of information users of those
statements.

Usage Notes
The risk of meaningful misunderstanding determines the purpose and nature of assurance and
assessment activities.

Material Misstatements are a special case of Meaningful Misunderstanding where the information
producer makes a significant error or omission in financial statements that could potentially
influence the decisions of information consumers.

Material Misstatements
A special case of Meaningful Misunderstanding where the information producer makes a
significant error or omission in financial statements that could potentially influence the decisions
of information consumers.

Means

Usage Notes
One may talk about the "ways and means" that an organization uses to reliably achieve objectives,
address uncertainty, and act with integrity.

Also related to: Ways

See canonical synonym: Resources

Media
Various channels of communication, like newspapers, television, radio, and online platforms, which
can shape public perception of the organization.

Part of: External Stakeholders

Message
The content of what is communicated.

Part of: Communicator

Also related to: Channel

Message Cadence
The velocity and frequency of sending a message.

Mindsets
Individual perceptions about self, surroundings, and others – including perceptions about culture,
some topical area, or how to approach work.

Part of: Culture

Also related to: Climate

Mission
An objective that states who the organization serves, what it does, and what it hopes to achieve
today and in the long term.

Usage Notes
The mission statement is often used to guide decision-making and priority-setting within the
organization, and serves as a clear and consistent statement of its overall purpose and direction.

Part of: Purpose

Monitoring
Ongoing and periodic activities that observe actions & controls, and the information generated by
these controls, to gauge effectiveness, efficiency, responsiveness, and resilience.

Morals
Values that define good and bad (evil) decisions and actions based on a system of beliefs or
personal intuitions.

Usage Notes
Morals get their authority from personal intuitions, a "higher power," or other systems of beliefs.

When a society, organization, or group fully embodies a specific system of beliefs, the ethics and
morals of that group may be almost synonymous. For example, a religious organization may find its
"ethical code" and "moral code" synonymous. Similarly, a political organization may find its
ethics nearly synonymous with the moral code embodied by the political system of belief.

Even though morals may come from an external system of beliefs (e.g., religious or political),
morals (unlike ethics) are often internalized and expressed in nuanced ways that are specific to
the individual.

Ethics tend to be embodied and expressed in consistent ways across individuals. Morals tend to be
embodied and expressed in nuanced, idiosyncratic ways across individuals.

Also related to: Ethics , Values

Mores
More formalized and serious norms that are deeply ingrained in a culture and have moral
significance. Violating mores can lead to severe social disapproval, ostracism, or even legal
consequences (e.g., honesty, respect for elders, and adherence to religious practices).

Part of: Norms

Noise
Anything that causes difficulties during the communication process.

Norms
Customs, rules, or expectations that a group socially reinforces, usually through informal means.

Descriptive Norms
Observation of what individuals do, providing information about what is “normal” in a particular
culture.

Proscriptive Norms
Customs, rules, or expectations that discourage behavior the group deems negative (e.g., “do not
cheat”).

Prescriptive Norms
Customs, rules, or expectations that encourage behavior the group deems positive (e.g., “be
honest”).

Injunctive Norm
Perceived behavior of what most people approve of, providing information on what one “should”
do.

Folkways
Informal norms that govern everyday behaviors and social etiquette that are not strictly enforced,
but where violations may lead to mild disapproval or social awkwardness (e.g., table manners,
punctuality, and appropriate dressing).

Mores
More formalized and serious norms that are deeply ingrained in a culture and have moral
significance. Violating mores can lead to severe social disapproval, ostracism, or even legal
consequences (e.g., honesty, respect for elders, and adherence to religious practices).

Part of: Culture

Objective
A measurable outcome to achieve.

Part of: Principled Performance

Also related to: Strategic Goals , Indicator , Effect

Objective-Setting Criteria
The criteria used to set objectives and results in accordance with the organization’s direction.

Part of: Decision-Making Criteria

Objectivity (in Assurance)
The degree to which an Assurance Provider can be impartial, disinterested, independent, and free
to conduct necessary activities and to form an opinion about the subject matter.

Part of: Assurance, Level of Assurance

Also related to: Assurance Provider

Obligation
A requirement that an organization must or should address because of a promise, whether
mandatory or voluntary.

Mandatory Boundary
Obligations that an organization must address because of some legitimate authority (e.g., laws,
rules, regulations).

Voluntary Boundary
Obligations an organization chooses to address because of voluntary decisions (e.g., contracts,
agreements and values).

Synonyms: Boundary

Also related to: Obstacle , Compliance

Obstacle
An uncertain future event that may, on balance, have a negative effect on objectives.

Part of: Risk

Synonyms: Threat

Also related to: Hazard , Opportunity , Obligation

Operating Effectiveness
Evidence that actions & controls operate as intended. This is accomplished by substantive testing
of information generated by actions & controls to judge actual results against expected results.

Operating Geographies
Legal jurisdictions where the organization operates.

Operating Review Procedure
A procedure that compares the actual events or transactions performed by a system (including
people, processes and technologies) against the expected events and transactions given the
design of the system.

Part of: Review Procedures

Opportunity
An uncertain future event that may, on balance, have a positive effect on objectives.

Part of: Reward

Also related to: Obstacle

Org Chart
See canonical synonym: Organizational Chart

Organization
See canonical synonym: Organization in Scope

Organization in Scope
The organizational unit in scope for applying the GRC Capability Model.

Usage Notes
The Organization in Scope may be at any level including:

● Enterprise

● Business Unit

● Department

● Team

Some professionals even apply the GRC Capability Model at an individual level, though the
guidance provided is intended for organizations with multiple people.

Organizational Level
A hierarchical tier within an organization that is responsible for specific tasks, functions,
decisions, actions, and controls.

Organizational Layer
A unit within an organization that is responsible for specific tasks, functions, decisions, actions,
and controls and typically referenced in relationship to other layers.

Organizational Unit
A specific subdivision of an organization that is formed for the purpose of achieving particular
objectives.

Synonyms: Organization

Also related to: Organizational Level

Organizational Chart
A diagram that shows the structure of an organization and the relationships and relative ranks of
its parts and positions/jobs.

Synonyms: Org Chart

Organizational Layer
A unit within an organization that is responsible for specific tasks, functions, decisions, actions,
and controls and typically referenced in relationship to other layers.

Usage Notes
When "organizational layer" is used, it typically involves some "layering" of organizational units to
achieve an objective. For example:

● Having multiple layers of protection to address a particular risk

● Having multiple layers so that an important strategic priority isn't forgotten

Part of: Organization in Scope

Also related to: Organizational Level , Organizational Unit

Organizational Level
A hierarchical tier within an organization that is responsible for specific tasks, functions,
decisions, actions, and controls.

Usage Notes

Superior Level
Organizational units to which the organization in scope is accountable.

Peer Level
Organizational units that are lateral to the organization in scope and often report to or are
accountable to the same superior unit.

Subordinate Level
Organizational units that are accountable to the organization in scope.

Part of: Organization in Scope

Also related to: Organizational Layer , Organizational Unit , Organization in Scope , Team

Organizational Unit
A specific subdivision of an organization that is formed for the purpose of achieving particular
objectives.

Enterprise
The most superior unit that encompasses the entirety of the organization.

Business Unit
An organizational unit that is subordinate to the enterprise and often responsible for specific
products, customers, or geography.

Department
A department is subordinate to the enterprise and often cuts across multiple business units
providing shared services such as human resources, information technology (IT), compliance, risk
management, and other services.

Team
The smallest organizational unit. Teams may be part of a department or may be cross-functional.
Teams may be permanent or temporary.

Part of: Organization in Scope

Synonyms: Unit

Also related to: Organizational Layer , Organizational Level

Owners
Individuals or entities that possess legal ownership and control of the organization.

Usage Notes
Owners, unlike external shareholders or investors, tend to have direct operational involvement in
the organization.

Part of: Internal Stakeholders

Paragons
Role models that encourage favorable events.

Part of: Promote/Enable Actions & Controls

Peer Level
Organizational units that are lateral to the organization in scope and often report to or are
accountable to the same superior unit.

Usage Notes
Recall that the Organization in Scope may be an enterprise, business unit, department or team.
Thus the "Peer Level" would be a unit that shares a common Superior Level to which both the
Organization in Scope and the Peer Level report.

Part of: Organizational Level

People Actions & Controls
Human factors, including structure, accountability, education, and enablement used to address
risk, reward, and compliance.

Part of: Action & Control Category

Performance
See canonical synonym: Reward

Performance Management
The act of managing processes and resources to pursue reward while addressing risk.

Personnel
See canonical synonym: Workforce

Physical Actions & Controls
Physical safeguards, barriers, or constraints, such as fences, locks, guards, cameras, or other
protective mechanisms, used to address risk, reward, and compliance.

Part of: Action & Control Category

Physical Capital
The physical assets of an organization, including manufactured goods, buildings, equipment, and
infrastructure.

Part of: Resources

Planned (Simulated) Stress
Scenarios that use historical, hypothetical, or simulated events to test how forces will be
addressed.

Planned Residual Risk
The level of residual risk under planned (or desired) actions & controls.

Part of: Residual Risk

Policy
A broad articulation of what the organization expects on a particular topic, that describes the
“why” or intent, considers context, sets the tone, and changes infrequently.

Prescriptive Policy
A policy that states what to do.

Proscriptive Policy
A policy that says what not to do.

Also related to: Policy Action & Controls , Code of Conduct

Policy Action & Controls
Formal statements and rules about organizational intentions and expectations used to address
risk, reward, and compliance.

Part of: Action & Control Category

Also related to: Policy

Political Factors
External factors that relate to how the government intervenes in the economy, including laws,
rules, regulations, tax policy, and political stability.

Part of: External Factors

Prescriptive Norms
Customs, rules, or expectations that encourage behavior the group deems positive (e.g., “be
honest”).

Part of: Norms

Prescriptive Policy
A policy that states what to do.

Part of: Policy

Prevent/Deter Actions & Controls
Actions & controls that decrease the likelihood of an unfavorable event by preventing or deterring
it from happening.

Part of: Proactive Actions & Controls

Also related to: Deterrent

Principled Performance
To reliably achieve objectives, address uncertainty, and act with integrity.

Usage Notes
Principled Performance is the goal of GRC. Principled Performance is an approach to business (and
life!) that helps organizations reliably achieve objectives, address uncertainty and act with
integrity.

Note that “Reliably” pertains to all other parts of the definition. Thus Principled Performance
means to:

● reliably achieve objectives;

● reliably address uncertainty; and

● reliably act with integrity.

Reliably
To thoughtfully, consistently, dependably, and transparently do something.

Objective
A measurable outcome to achieve.

Uncertainty
A state of being unsure about something due to incomplete knowledge or underlying randomness
making it difficult to understand with complete confidence.

Integrity
The state of being whole and complete by fulfilling obligations, honoring promises, and cleaning
up the mess if a promise was broken.

Also related to: GRC

Proactive
The quality of an individual to anticipate and act on situations, reducing the risk of unforeseen
problems.

Usage Notes
This trait requires a balance, preventing both an underuse that can result in inaction or timidity
and an overuse that might lead to rash decisions or a state of constant flux without stability.

Part of: Protector Mindset™

Also related to: Accountable

Proactive Actions & Controls
Actions & controls that promote or enable favorable events and prevent or deter unfavorable
events.

Prevent/Deter Actions & Controls
Actions & controls that decrease the likelihood of an unfavorable event by preventing or deterring
it from happening.

Promote/Enable Actions & Controls
Actions & controls that increase the likelihood of a favorable event by promoting, enabling and
incentivizing it to happen.

Part of: Integrated Action & Control Model™, Action & Control Type

Procedure
A detailed articulation of what the organization expects on a particular topic, that describes the
“how to” or instructions, guides implementation, and is audience-specific.

Process
A series of actions or steps to achieve an objective.

Synonyms: Ways

Process Action & Controls
Decisions about how and when to perform activities, and where and to whom to assign
accountability used to address risk, reward, and compliance.

Part of: Action & Control Category

Professional Development Incentives
Incentives to perform favorable behaviors that provide access to professional development
opportunities such as training or tuition reimbursements that otherwise would not be available.

Part of: Incentives

Promote/Enable Actions & Controls
Actions & controls that increase the likelihood of a favorable event by promoting, enabling and
incentivizing it to happen.

Directives
Policy, process, and technology that encourage favorable events.

Paragons
Role models that encourage favorable events.

Incentives
Incentives include financial and non-financial things that encourage favorable conduct.

Part of: Proactive Actions & Controls

Proscriptive Norms
Customs, rules, or expectations that discourage behavior the group deems negative (e.g., “do not
cheat”).

Part of: Norms

Proscriptive Policy
A policy that says what not to do.

Part of: Policy

Prospect
A cause that has the potential to eventually result in benefit.

Part of: Reward, Cause

Protector
A GRC Professional who spends substantial time producing and preserving value and serving as a
stabilizing force in their organization.

Protector Mindset™
Traits that strengthen the way that a high-performing Protector makes decisions and appraises
problems, solutions, people, and reality. These traits include being: Collaborative, Accountable,
Stable, Proactive, Visionary, and Versatile.

Protector Skillset™
Interdisciplinary skills that strengthen the way that a high-performing Protector does their job
including the critical disciplines.

Protector Mindset™
Traits that strengthen the way that a high-performing Protector makes decisions and appraises
problems, solutions, people, and reality. These traits include being: Collaborative, Accountable,
Stable, Proactive, Visionary, and Versatile.

Stable
The quality of an individual to consistently provide calm, composed and orderly influence within
volatile, uncertain, complex and ambiguous environments.

Versatile
The quality of an individual to employ a multi-disciplinary approach and a wide range of skills to
address complex issues.

Accountable
The characteristic of an individual who takes responsibility and ownership for tasks and their
outcomes, transcending a narrow job description.

Collaborative
The quality of an individual to engage in productive relationships and teamwork, understanding
their fundamental role in achieving greater outcomes.

Proactive
The quality of an individual to anticipate and act on situations, reducing the risk of unforeseen
problems.

Visionary
The quality of an individual to maintain a long-term, optimistic perspective and remain
purpose-driven, even amidst distractions.

Part of: Protector

Also related to: Accountable

Protector Skillset™
Interdisciplinary skills that strengthen the way that a high-performing Protector does their job
including the critical disciplines.

Part of: Protector

Also related to: Critical Disciplines

Purpose
The purpose states who the organization serves, what it does, what it believes, what it stands for,
what it hopes to achieve in the near term and long term, and why all of this matters; usually
through its Mission, Vision and Values statements.

Mission
An objective that states who the organization serves, what it does, and what it hopes to achieve
today and in the long term.

Vision
An objective that describes what the organization aspires to be and why it matters.

Values
Fundamental beliefs, principles, and ideals that an organization, group, or individual demonstrates
and adheres to when making decisions and acting.

RACI Matrix
A chart that describes the participation of various roles in completing tasks or deliverables for a
project or business process.

Usage Notes
RACI is an acronym derived from the four key responsibilities most typically used: responsible,
accountable, consulted, and informed.

● R = Responsible (also recommender)
Those who do the work to complete the task. At least one role is assigned this responsibility,
although others can be delegated to assist in the work required.

● A = Accountable (also approver or final approving authority)
Those who are ultimately answerable for the correct and thorough completion of the
deliverable or task, ensure the prerequisites of the task are met, and delegate the work to
those responsible. In other words, an accountable must sign off (approve) work that the
responsible person provides. There must be only one person or entity accountable for each
task or deliverable.

● C = Consulted (sometimes consultant or counsel)
Those whose opinions are sought, typically subject-matter experts, and with whom there is
two-way communication.

● I = Informed (also informee)
Those who are kept up-to-date on progress, often only on completion of the task or
deliverable, and with whom there is just one-way communication.
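
The two structural rules in the usage notes (at least one Responsible role per task, exactly one Accountable role per task) can be checked mechanically before a RACI chart is adopted for a control process. The following Python is an added illustration, not OCEG's code; the access-review tasks, role names and assignments are constructed for the example, and the accountability_load check (how many sign-offs land on one role) goes slightly beyond the text as a concentration check a reviewer would also want.

```python
"""Consistency checks for a RACI matrix (constructed example, not OCEG's code).

A matrix maps each task to the roles that are Responsible (R), Accountable (A),
Consulted (C) or Informed (I) for it. validate_raci enforces the two rules from
the usage notes: at least one R per task and exactly one A per task.
"""
from collections import Counter

VALID_CODES = {"R", "A", "C", "I"}

# Constructed sample: tasks from a hypothetical quarterly access-review process.
# Three of the five tasks deliberately violate a rule so the checks have work to do.
SAMPLE_MATRIX = {
    "Compile user access list": {"IAM Engineer": "R", "IAM Manager": "A", "HR": "C", "CISO": "I"},
    "Review privileged accounts": {"System Owner": "R", "IAM Manager": "R", "CISO": "I"},  # no A
    "Approve revocations": {"IAM Manager": "A", "System Owner": "A", "IAM Engineer": "R"},  # two A
    "Revoke access": {"IAM Engineer": "R", "IAM Manager": "A", "Service Desk": "I"},
    "Report completion to audit": {"IAM Manager": "A", "Internal Audit": "I"},  # no R
}


def validate_raci(matrix):
    """Return a list of (task, problem) findings; an empty list means the matrix is consistent."""
    findings = []
    for task, assignments in matrix.items():
        counts = Counter()
        for role, code in assignments.items():
            if code not in VALID_CODES:
                findings.append((task, f"unknown code {code!r} for role {role!r}"))
                continue
            counts[code] += 1
        if counts["R"] == 0:
            findings.append((task, "no Responsible role: nobody is assigned to do the work"))
        if counts["A"] == 0:
            findings.append((task, "no Accountable role: nobody can sign off the deliverable"))
        elif counts["A"] > 1:
            findings.append((task, f"{counts['A']} Accountable roles: exactly one must own sign-off"))
    return findings


def accountability_load(matrix):
    """Count how many tasks each role is Accountable for, to spot concentration of sign-off."""
    load = Counter()
    for assignments in matrix.values():
        for role, code in assignments.items():
            if code == "A":
                load[role] += 1
    return dict(load)


if __name__ == "__main__":
    for task, problem in validate_raci(SAMPLE_MATRIX):
        print(f"{task}: {problem}")
    print(accountability_load(SAMPLE_MATRIX))
```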

Reasonable Assurance
A special type and level of assurance, provided by external auditors as part of a financial audit or
examination, that subject matter conforms to suitable criteria and is free from material error.

Part of: Level of Assurance

Receiver
See canonical synonym: Audience

Recovery Actions & Controls
Actions & controls that return the organization to its original state, stable state, or superior state
after harm has occurred.

Usage Notes
Corrective actions & controls and Recovery actions & controls are related but slightly different.

For example, restoring a server to a clean image is a corrective control because it solves the
immediate problem of a malware intrusion, while recovering the server data from backup is a
recovery control because it returns the server to a known previous good state allowing the
business to resume normal operation.

Part of: Correct/Recover Actions & Controls

Regulator
Government or independent authorities that oversee and control specific aspects of the
organization's practices. They set standards and rules that the organization must follow and can
impose penalties for non-compliance.

Part of: External Stakeholders

Reliably
To thoughtfully, consistently, dependably, and transparently do something.

Part of: Principled Performance

Residual Effect
The effect of uncertainty in the presence of actions & controls.

Residual Risk
The level of risk in the presence of actions & controls.

Current Residual Risk
The level of residual risk under currently operating actions & controls.

Planned Residual Risk
The level of residual risk under planned (or desired) actions & controls.

Also related to: Inherent Risk

Resilient
Evidence that the organization can withstand or recover quickly from difficult conditions and even
become stronger after stress.

Part of: Total Performance™

Synonyms: Antifragile

Resources
A general term referring to Capital Resources that include tangible and intangible assets and
capabilities that an organization may use to achieve objectives.

Tangible Resources
Resources that refer to physical assets, such as land, buildings, and equipment.

Intangible Resources
Resources that refer to non-physical assets, such as knowledge, brand equity, and organizational
culture.

Financial Capital
Liquidity, budgets, and other economic resources.

Human Capital
The collective knowledge, skills, abilities, and experiences of an organization's workforce, along
with the relationships, attitudes, and values that enable them to work together to achieve the
organization's objectives.

Physical Capital
The physical assets of an organization, including manufactured goods, buildings, equipment, and
infrastructure.

Information Capital
Data, communications, and intelligence.

Technology Capital
Hardware, software, and related technological resources that an organization may use to achieve
its objectives.

Synonyms: Means

Response Options
See canonical synonym: Design Options

Responsive
See canonical synonym: Agile

Responsive Actions & Controls
Actions & controls that aim to accelerate or compound the benefit of favorable events, and correct
or recover from the harm of unfavorable events.

Correct/Recover Actions & Controls
Actions & controls that slow down or decrease the impact of unfavorable events, and return the
organization to its original state, stable state, or superior state after harm has occurred to
minimize harm and prevent future occurrences.

Compound/Accelerate Actions & Controls
Actions & controls that compound, accelerate, and increase the impact of favorable events to
maximize benefit and promote future occurrence.

Part of: Integrated Action & Control Model™, Action & Control Type

Review Procedures
Procedures performed by an assurance provider to review or assess subject matter.

Design Review Procedure
A procedure that compares the documentation of the design of a system against suitable criteria
that defines an acceptable design of that system.

Operating Review Procedure
A procedure that compares the actual events or transactions performed by a system (including
people, processes and technologies) against the expected events and transactions given the
design of the system.

Synonyms: Assessment Procedures

Reward
A measure of the positive, favorable effect of uncertainty on objectives.

Usage Notes

Likelihood
A measure that estimates the occurrence of an event.

Impact
A measure that estimates the consequence of an event.

Prospect
A cause that has the potential to eventually result in benefit.

Benefit
A measure of the positive impact that an event has on the organization.

Opportunity
An uncertain future event that may, on balance, have a positive effect on objectives.

Part of: Effect

Synonyms: Performance

Also related to: Event , Risk

Risk
A measure of the negative, unfavorable effect of uncertainty on objectives.

Usage Notes

Likelihood
A measure that estimates the occurrence of an event.

Impact
A measure that estimates the consequence of an event.

Harm
A measure of the negative impact that an event has on the organization.

Hazard
A cause that has the potential to eventually result in harm.

Obstacle
An uncertain future event that may, on balance, have a negative effect on objectives.

Part of: Effect

Also related to: Event , Reward

Risk & Decision Support Discipline
A critical discipline that provides methods to identify and address the effect of uncertainty on
objectives, including ways to support decisions under uncertainty.

Part of: Critical Disciplines

Risk Appetite
The level and type of risk the organization is WILLING to address given the level and type of reward
it pursues.

Also related to: Appetite

Risk Capacity
The MAXIMUM cumulative level and type of risk that the organization can address. Anything over
the risk capacity may affect the organization’s survival.

Also related to: Capacity

Risk Management
The act of managing processes and resources to address risk while pursuing reward.

Part of: GRC

Risk Target
The level and type of risk the organization EXPECTS to address given the level and type of reward it
pursues.

Risk Tolerance
The level and type of risk the organization is UNWILLING to exceed given the level and type of
reward it pursues.

Also related to: Tolerance

Scope
The boundaries, limitations, and extent where the GRC Capability Model is applied. The scope is
often expressed in terms of organizational unit, geographic area, or functional department.

Second Line of Accountability
Individuals and teams that establish performance, risk, and compliance programs for the First Line.
The Second Line provides oversight through frameworks, standards, policies, tools, and
techniques to support performance, risk, and compliance management. The Second Line often
manages its own portfolio of objectives and associated performance, risk, and compliance. The
Second Line may provide limited assurance over First Line activities.

Part of: Lines of Accountability™ Model (also LoA)

Security & Continuity Discipline
A critical discipline that provides methods to identify and address threats to critical physical and
digital assets and infrastructure.

Part of: Critical Disciplines

Sender
See canonical synonym: Communicator

Senior Management
See canonical synonym: Executive Team

SHARE (Design Option)
To outsource, form joint ventures or partnerships, buy insurance, or use other financial instruments
to address the opportunity, obstacle, or obligation.

Usage Notes
TRANSFER is a special case of SHARING where an attempt is made to give close to 100% of
consequence to another party such as an insurance company.

Part of: Design Options

Also related to: TRANSFER (Design Option) , ACCEPT (Design Option)

Shareholder
An individual, institution, or entity that owns shares or stock (or some functionally comparable
instrument) in the organization.

Part of: External Stakeholders

Skill Gap
The difference between the current skill level and the target skill level.

SMART Criteria
Criteria used to design/set Objectives to work with Indicators; to be specific, measurable,
achievable (yet aspirational), relevant, and time-bound.

Societal Factors
External factors that include cultural aspects, attitudes, customs, and norms.

Part of: External Factors

Society
The local, national, or global population affected by the organization's operations.

Part of: External Stakeholders

Sound
See canonical synonym: Effective

Source
See canonical synonym: Cause

Stable
The quality of an individual to consistently provide calm, composed and orderly influence within
volatile, uncertain, complex and ambiguous environments.

Usage Notes
This trait includes an avoidance of neurotic or chaotic behavior and an ability to distance oneself
from emotional turmoil, while at the same time steering clear from an overuse of stability that may
come across as indifferent or uncaring.

Part of: Protector Mindset™

Also related to: Accountable

Staff
Junior-level personnel who typically do not manage others.

Part of: Workforce

Synonyms: Team Members

Stakeholder
A self-legitimizing person, group, or other entity with a direct or indirect stake in the organization's
actions because of actual or perceived impact.

Internal Stakeholders
Stakeholders who influence the organization from within: Personnel (and unions that represent
the workforce), Managers, Executives, Board members, and Owners (who are involved in the
organization).

External Stakeholders
An individual, institution, or entity outside of the organization that is affected by, or has an interest
in, the organization's decisions and activities.

Stakeholder Expectation
(also Stakeholder Want, Stakeholder Need)
A general term that refers to what a stakeholder requests, wants, or expects from the
organization.

Synonyms: Stakeholder Want, Stakeholder Need

Stakeholder Need
See canonical synonym: Stakeholder Expectation

Stakeholder Want
See canonical synonym: Stakeholder Expectation

Status Incentives
Incentives to perform favorable behaviors that provide access to esteemed roles, promotions or
other visible recognition that otherwise would not be available.

Part of: Incentives

Strategic Goals
Long-term objectives typically at higher levels of the organization.

Also related to: Objective

Strategy & Performance Discipline

A critical discipline that provides methods to guide, arrange and operate resources to achieve
objectives and monitor performance.

Part of: Critical Disciplines

Stress
A significant magnitude of force applied to the organization.

Stretch Value
A value that is unlikely to be achieved, but still possible.

Also related to: Indicator, Committed Value, Best Possible Value

Student
An individual who learns.

Usage Notes
"Student" is a specialized term for the target audience of communications and learning
activities.

Part of: Learning Activity

Synonyms: Learner

Also related to: Audience

Subject Matter
Identifiable statements, conditions, events, or activities for which there is evidence.

Part of: Assurance, Evaluate

Also related to: Suitable Criteria

Subordinate Level
Organizational units that are accountable to the organization in scope.

Usage Notes
Recall that the Organization in Scope may be an enterprise, business unit, department or team.
Thus the "Subordinate Level" would be any unit that reports to the Organization in Scope.

Part of: Organizational Level

Suitable Criteria
Benchmarks used to evaluate subject matter that yield consistent and meaningful results.

Part of: Evaluate

Also related to: Subject Matter

Superior Level
Organizational units to which the organization in scope is accountable.

Usage Notes
Recall that the Organization in Scope may be an enterprise, business unit, department or team.
Thus the "Superior Level" would be the unit to which the Organization in Scope reports.

Part of: Organizational Level

Supplier
An individual, institution, or entity that provides goods or services to the organization.

Part of: External Stakeholders

System
A collection of interconnected, interdependent, and interrelated parts that interact with each
other to form a coherent whole. In the context of organizations, these parts may be people,
processes, information, physical assets, digital assets, financial capital, and other resources.

Tangible Resources
Physical assets, such as land, buildings, and equipment.

Part of: Resources

Target
An expected or planned value for an indicator.

Part of: Indicator Targets & Ranges (ITR) Model, Indicator

Synonyms: Best Possible Value

Target Skill Level

The desired level of skill a person, or “typical” person in a group, is expected to possess.

Part of: Learning Activity

Team
The smallest organizational unit. Teams may be part of a department or may be cross-functional.
Teams may be permanent or temporary.

Part of: Organizational Unit

Also related to: Organizational Level

Team Members
See canonical synonym: Staff

Technology Action & Controls

Hardware and software systems used to address risk, reward, and compliance.

Part of: Action & Control Category

Technology Capital

Hardware, software, and related technological resources that an organization may use to achieve
its objectives.

Part of: Resources

Technology Factors
External factors that include technological aspects such as R&D activity, automation, storage,
computation, technology incentives, innovations in materials, mechanical efficiency, and the rate
of technological change.

Part of: External Factors

Third Line of Accountability

Individuals and teams that specialize in and provide a high level of assurance on activities
performed by the First Line and Second Line. The Third Line may include internal audit, external
audit or outside experts who are sufficiently objective and competent.

Part of: Lines of Accountability™ Model (also LoA)

Third Party
A partner that conducts substantial actions & controls on behalf of the organization.

Usage Notes
Organizations often “outsource” actions & controls to third parties to benefit from their
competence while focusing the organization's efforts on its core competencies. Even when an
organization outsources actions & controls, it is crucial to recognize that the organization often
retains legal or reputational responsibility for any problems in the extended enterprise.

Synonyms: Extended Enterprise

Threat
See canonical synonym: Obstacle, Hazard

Timescale
The expected or planned time frame to achieve an objective or meet a target.

Timing
A measure that estimates when an event or impact might occur.

Tolerance
A range around an indicator's target that defines an acceptable, though not preferred, level of
variation that the organization is willing and able to address.

Part of: Indicator Targets & Ranges (ITR) Model, Indicator

Also related to: Risk Tolerance

Total Performance™
A model of balanced performance that includes effectiveness (soundness), efficiency (leanness),
agility (responsiveness), and resiliency (antifragility).

Effective
An aspect of Total Performance which demonstrates evidence of logically designed actions &
controls that address appropriate objectives, opportunities, obstacles, and obligations; and
evidence that these actions & controls are operating as designed.

Efficient
An aspect of Total Performance which demonstrates evidence that the organization productively
uses financial, human, and other capital resources without wasted effort or expense.

Agile
Evidence that the organization can respond quickly and positively to changes and stress.

Resilient
Evidence that the organization can withstand or recover quickly from difficult conditions and even
become stronger after stress.

TRANSFER (Design Option)

A special case of a sharing design option where an attempt is made to give close to 100% of
responsibility and consequence to a third party.

Usage Notes
Examples of transfer include:

● Purchasing insurance for particular eventualities

● Transferring responsibility for processes to a third party / vendor

● Outsourcing sales and marketing activities

Even when a process is transferred to a third party, ultimate accountability is often retained by
the organization.

Part of: Design Options

Also related to: SHARE (Design Option), ACCEPT (Design Option)

TREAT (as a Design Option)

See canonical synonym: CONTROL (Design Option)

Uncertain
A property that refers to the lack of predictability or clarity regarding the future behavior or
outcomes of a system due to limited information, intricate interactions between system parts, the
influence of internal and external factors, or the physical nature of the system.

Usage Notes
These questions help to understand if a situation is uncertain:

1. Is predicting future outcomes based on past trends proving difficult?

2. Is there a pervasive lack of clarity about what the future holds in this situation?

3. Is it difficult to determine how external factors may affect the outcome due to a high degree
of unpredictability?

Part of: VUCA

Uncertainty
A state of being unsure about something due to incomplete knowledge or underlying randomness,
making it difficult to understand with complete confidence.

Part of: Principled Performance

Unit
See canonical synonym: Organizational Unit

Values

Fundamental beliefs, principles, and ideals that an organization, group, or individual demonstrates
and adheres to when making decisions and acting.

Usage Notes
Values are often expressed and codified as a list of attributes with associated definitions or
descriptions of what they mean.

Values often highlight those ethics and morals that are most important to an organization, group,
or individual.

Part of: Culture, Purpose

Also related to: Ethics, Morals, Beliefs, Behaviors

Velocity
A measure that estimates how quickly an event or impact might occur.

Versatile
The quality of an individual to employ a multi-disciplinary approach and a wide range of skills to
address complex issues.

Usage Notes
This attribute involves a balance, avoiding the underuse that can lead to a narrow
problem-solving approach and the overuse that may result in overly complicated and impractical
solutions.

Part of: Protector Mindset™

Also related to: Accountable

Vision
An objective that describes what the organization aspires to be and why it matters.

Usage Notes
The vision is often used to inspire and motivate employees, stakeholders, and customers and
serves as a guidepost for long-term strategic planning.

Part of: Purpose

Visionary
The quality of an individual to maintain a long-term, optimistic perspective and remain
purpose-driven, even amidst distractions.

Usage Notes
This attribute involves a delicate balance, warding off the underuse that can lead to a narrow and
pessimistic outlook and the overuse that can result in overly abstract and unrealistic goals.

Part of: Protector Mindset™

Also related to: Accountable

Volatile
A property that refers to the susceptibility of a system and its parts to experience rapid, significant
and often unpredictable changes.

Usage Notes
These questions help identify if a situation is volatile:

1. How rapidly are conditions changing in the situation?

2. Are there recurrent and drastic fluctuations in the activities or circumstances?

3. Are sudden and significant changes the norm in this context?

Part of: VUCA

Voluntary Behaviors
Intentional human actions informed by beliefs and values and governed by free will and discipline.

Voluntary Boundary
Obligations an organization chooses to address because of voluntary decisions (e.g., contracts,
agreements and values).

Part of: Obligation, Boundary

VUCA
A reality that an organization must face that is volatile, uncertain, complex, and ambiguous.

Volatile
A property that refers to the susceptibility of a system and its parts to experience rapid, significant
and often unpredictable changes.

Uncertain
A property that refers to the lack of predictability or clarity regarding the future behavior or
outcomes of a system due to limited information, intricate interactions between system parts, the
influence of internal and external factors, or physical nature of the system.

Complex
A property that refers to the interconnected, interdependent, and interrelated nature of the parts
of a system that often give rise to nonlinear dynamics, emergent properties and unpredictable
outcomes.

Ambiguous
A property that refers to the presence of multiple, unclear, or conflicting interpretations of
conditions, events, or behaviors in a system.

Ways
See canonical synonym: Process

Usage Notes
One may talk about the "ways and means" that an organization uses to reliably achieve objectives,
address uncertainty, and act with integrity.

Also related to: Means

Workforce
The collection of individuals the organization employs.

Executives
Senior-most managers with broad responsibilities over the entire organization or some significant
part of the organization (e.g., all technology, all sales and marketing, all administration, all
finance).

Managers
Personnel who manage others.

Staff
Junior-level personnel who typically do not manage others.

Leaders
Individuals at any level of the organization who have the de facto attention and respect of the
workforce regardless of their title or position.

Part of: Internal Stakeholders

Synonyms: Personnel

Also related to: Executive Team

Acknowledgments
Special thanks to all of the individuals who have contributed to the development of the GRC
Capability Model over the years. This body of work would not have been possible without their
feedback and support.

OCEG Team
● Scott Mitchell

● Carole Switzer

OCEG Community
Clark Abrahams, Daoud Abu-Joudom, John Adamsons, Shahid Ahmed, Mani Akella,
Abdulaziz M. Aldomaiji, Ahmed Alfaddaghi, Ferry Alfian, Mona Alhawsawi, Julia Allen,
Ali A. Almalki, Sanjay Anand, Sam Apps, Michael Atmore, Toks Azeez, Vani Badhya,
Goutama Bachtiar, Timour Baiazitov, Ted Banks, Dinesh O. Bareja, Brian Barnier,
Stephen Baruch, Mashael M. Basakran, Carole Basri, Bob Bassetti, Mark S. Beasley,
Indarduth Beejah, Ronald Berenbeim, Hadi Beski, Matthew Blake, Jose A. R. Blanco,
Ronald De Boer, Robert Bordynuik, Oleg Boyko, Wayne Brody, Earnie Broughton,
Bruce Buckley, French Caldwell, Joseph V. Carcello, Mark Carey, Glenn Carleton,
Anthony Chalker, Robert Chastain, Graham Chee, Anthony Cheng, Derek Cherneski,
Brian Chevlin, David Childers, Mandar Chitre, Nick Ciancio, Tom Cleary, Paul Cogswell,
Richard Cohan, Marco Colonna, Norman Comstock, Brian Conrey, Laura Cote, Doug Cotton,
David B. Crawford, Kevin Crimmins, John Cross, Brett Curran, Andrew Dahle, Deb Davis,
Yo Delmar, Joe DeVita, Andrea Dias, Rochelle C. Dichaves, Lee Dittmar, Stephen Donovan,
Patrick Donovan, Rory Douglas, Christine Doyle, Mary Doyle, Robert Drolet, Rocky Dwyer,
Kip Ebel, Kathleen Edmond, M. Mert Ekin, Mahmoud Elbagoury, Rabih ElKhatib, Tim Elliott,
Pete Fahrenthold, Dave Ferguson, Sheila Fields, Cyndi Fleming, Carlo Di Florio, John Fons,
Christopher Fox, Raymond Frangie, Eugene Fredriksen, Arnold Galit, Jason Garelli,
Russ Gates, Trent Gazzaway, David Gebler, Richard G. Gid'Agui, Leon Goldman,
Allan Goldstein, Stephen Gonc, Royd Graham, Joe Grettenberger, Luis Guadarrama,
Parveen Gupta, Miguel Gutierrez, Kurnia Hadi, Assem H. Hamam, Abdel K. Hamou-Lhadj,
Larry Harrington, Rodrigo Hayvard, David Heller, Michael Helmantoler, Anita Helpert,
Steven Helwig, Catherine F. Henry, Eric Hespenheide, David Hess, Arnold Hill, Peter Hillier,
David Hoberg, Eric Hong, Michael Horowitz, Matthew Hourin, Pieter Van Hout, Hisham Ibrahim,
Jawaid Iqbal, Dennis Irwin, Bob Jacobson, Jörgen Jarleman, Shaheen Javadizadeh,
Stephanie Jenkins, Anil Jhumkhawala, Angela Johnson, Jim Jolley, Christiane Jourdain,
Rodriguez Julio, Gaurav Kapoor, Daniel Karrer, Marion Keraudren, Piala Kinabo, Cary Klafter,
David Koenig, Sam Koh, Alon Kohalny, Rick Kulevich, Melissa Lea, Ismael R. Leal, Tim Leech,
Stephane Legay, Richard Levy, Adlinna Liang, Paul Liebman, Sara A. Liftman, Jimmy Lin,
Peter Liria, Khamsavath K. Liu, Mogamad Louw, Anna Luszpinska, Colleen Lyons,
Pedro M. N. O. Machado, Andre Macieira, John MacKessy, Worth MacMurray, Nikolai Magnaye,
Eamonn Maguire, Marjorie A. Maguire-Krupp, Muhammad M. B. Majeed, Dimitrios Maketas,
Norman Marks, Jorge S. Marques, Jay Martin, Gabriel Moreno M., Gabe Mazzarolo,
Amelia McCarty, Bruce McCuaig, Andrea McElroy, Paul McGreal, Ashish Mehta,
Robert N. Merrill, Colette Meyer, Jeffrey Miller, Bruce R. Millman, Bob Miromonte,
Monika R. Mladenov, Tlhabano Mmusi, Mohammad Z. A. M. Mooraby, Eric Moorehead,
Paul Moxey, Florie Munroe, Joe Nadivi, Andrew Neblett, George E. Neizer, Warren Nelson,
Randy Nornes, Xunlez Nunez, Brin Odell, Gaston O. Odhiambo, Bunmi Ogundeji,
James O'Keeffe, Haydee Olinger, Alnahdi Omar, Paul C. Palmes, Xenia L. Parker,
Peter Parmenter, Marie Patterson, Tian Peng, Deborah Penza, Alice Peterson, Diane Pettie,
Barbara S. Phair, Wael G. Philops, Summer M. Pistorius, Judy Pokorny, Tobin Pospisil,
Richard Poworski, Varunee Pridanonda, Mary Pruitt, Patrick Quinlan, Jennifer Racer,
Lisa C. Ragsdale, Bala Ramanan, Javvadi H. Rao, Michael Rasmussen, Kelly Ray,
Peter Reichard, F. Richard Ricketts, Azwar Ritonga, Kim Rivera, David M. Roberts,
Roy Robinson, Katherine Robinson, Joel Rogers, Johanna Rogers, Lori Rogers,
Gabriel Piedra Romero, Scott Roney, Peter Rosenzweig, Stefano Rossi, Mike Rost,
Mary Roth, Paul Russo, Karen Rutledge, Sayed Sadjady, Sanghamitra Saha,
Suvendu Samantaray, Nicole Sandford, Richard Sanzin, Ram Sastry, James Sehloff,
Bob Semple, Roshan N. Sequeira, John Serrano, Jerry Shafran, Ken Shaurette, Janet Sheiner,
William Shenkir, Monica Shilling, Jay Shinde, Elizabeth Siemens, Samir Singh,
Fandhy H. Siregar, Mark Snyderman, Ratan Sonti, Billy Spears, Andrea Spudich,
Faye Stallings, Darla Stanley, Richard Steinberg, Allen Stewart, C. Karen Stopford,
Geoffrey Storms, Nan Stout, Martijn Van Stratum, P. J. Sullivan, Dan Swanson,
Celia Szelwach, Jose Tabuena, Heidi Teresi, Tim Tesluk, Calvin Thompson, Kendall Tieck,
Lou Tinto, Kevin Tisdel, Boy M. Tjahyono, Marshall Toburen, Terry Todd, Patricia Towers,
Dan Twing, George Tziaros, Surya Vangara, Ricardo Vasquez, Kishore Vekaria, Nitish Verma,
Dean Wagers, Tom Wardell, Kathy Washenberger, David Wassel, Ian L. Webster, Chip Weiant,
Hartian S. Widhanto, Michael M. Wilkinson, Mary K. Wills, ChunHua Yang, Jie Yang,
Ibrahim Yeku, Shirley Yoshida, Chet Young, Juven Zeng, Gunter Zimm, Dan Zitting.

Appendix - Tools & Techniques

50+ pages of tools and techniques are available to OCEG members who hold an All Access Pass.
Learn more about the All Access Pass on the OCEG website.
