• Compliance

  OCEG’s GRC Capability Model – A Pioneering Approach Towards Integrity of Organiz

  Posted by Garry Jones on October 25, 2022 at 1:27 pm

  What is OCEG?

  OCEG is a nonprofit think tank that is dedicated to achieving a world where every organization and every person strives to achieve objectives, address uncertainty and act with integrity. OCEG invented GRC (integration of governance, risk management and compliance) and the GRC Capability Model as the means to achieve Principled Performance and that promotes the attainment of Principled Performance the ability to reliably achieve objectives while addressing uncertainty and acting with integrity. OCEG informs and empowers a community of more than 65,000 members worldwide, helping to advance knowledge of how to integrate and mature governance, risk management, and compliance.

  Independent of specific professions and domains of risk, we provide content, best practices, education, and certifications to drive leadership and business strategy through the application of the OCEG GRC Capability Model. OCEG’s GRC Professional (GRCP) and GRC Audit (GRCA) certifications are the only credentials that evidence an individual’s capability to apply the GRC Capability Model and assist organizations in improving GRC.

  OCEG’s GRC Capability Model (also known as the OCEG Red Book) provides open source standards, available for free. Founded in 2002, OCEG is headquartered in Phoenix, Arizona. To access the OCEG Red Book and for more information, visit http://www.oceg.org.

  At the turn of the century, in the early 2000s, scandals rocked the global economy evaporating millions of jobs and trillions of dollars of wealth. At the root of these scandals were siloed, misguided, and ineffective systems intended to address governance, risk, compliance and ethics. For example, strategic systems were separate from performance management systems, which were separate from risk management systems, which were separate from compliance management systems, and so on. Unfortunately, this “siloed approach” was all too common and the seeds of future problems continued to grow in this deficient current state.

  OCEG wanted to create a future state that was more effective, more efficient and able to address modern challenges. The ideas behind Principled Performance and GRC to break down silos between governance, strategy, performance management, risk management, compliance management, internal audit and other departments. Published open source standards so that everyone could have access. What this means is that people from diverse backgrounds and professions can get on the same page and be more principled performers:

  • Governance and strategy
  • Risk management
  • Audit and internal audit
  • Compliance and legal
  • Ethics and culture
  • IT

  Governance, risk management, and compliance (GRC) represents a coordinated approach to achieve efficiencies in an organization’s activities of corporate governance, risk management, and compliance with regulations. While “big data” is being harnessed to free the human mind from number crunching to perform higher-level analysis, GRC is an area that is benefitting from the availability of not only more data, but also the ability to assimilate data from different areas of an organization’s activities.

  The GRC Capability model contains 8 integrated components, and each are embodying a number of related Practices:

  1. C: ContextUnderstand the current culture and business context so that the organisation can address, and proactively influence conditions to support objectives.
     C1-External Context
     C2-Internal Context
     C3-Culture
     C4-Objectives
  2. O. OrganiseOrganise and oversee an integrated capability that enables the organisation to reliably achieve objectives while addressing uncertainty and acting with integrity.
     O1-Commitment
     O2-Roles
     O3-Accountability
  3. A. AssessIdentify threats, opportunities and requirements; assess the level of risk, rewand and conformance; and align an approach to reliably achieve objectives while addressing uncertainty and acting with integrity.
     A1-Identification
     A2-Analysis
     A3- Planning
  4. P. ProactIncent desirable conditions and events; and prevent undesirable conditions and events with management actions and control;
     P1-Proactive Actions and Controls
     P2-Codes of Conduct
     P3-Policies
     P4-Education
     P5-Incentives
     P6-Stakeholder relations
     P7-Risk Financing
  5. D. DetectDetect ongoing progress toward objectives as well as actual and potential undesirable conditions and events using management actions and controls;
     D1-Detective Actions and Controls
     D2-Notification
     D3- Inquiry
  6. R. RespondRespond to desirable conditions and events with rewards; and correct undesirable conditions and events so that the organisation recovers from and resolves each immediate issue and improves future performance;
     R1-Responsive Action and Controls
     R2-Internal Investigation
     R3-3rd Party Investigation
     R4-Crisis Response
     R5-Remediation
     R6-Rewards
  7. M. MeasureMonitor, measure and modify the GRC capability on a periodic and ongoing basis to ensure it contributes to business objectives, while being effective, efficient and responsive to the changing environment.
     M1-Context Monitoring
     M2-Performance Monitoring
     M3-Systemic Improvement
     M4-Assurance
  8. I. InteractCapture, document and manage GRC information so that it efficiently and accurately flows up, down and across the extended enterprise, and to external stakeholders.
     I1-Info Management
     I2-Communication
     I3-Technology

  Ensuring 8 Universal Outcomes :

  1. Achieve Business Objectives:
     Every CGR capability must contribute to attaining the desired business objectives;
  2. Enhance Organisational Culture:
     Inspire and promote a culture of performance, accountability, integrity, trust and communication;
  3. Increase Stakeholder Confidence:
     Increase stakeholder confidence and trust in the organisation;
  4. Prepare and Protect the Organisation:
     Prepare the organisation to address risks and requirements; and protect the organisation from negative consequences of adverse events, noncompliance and unethical behaviour.
  5. Prevent, Detect and Reduce Adversity:
     Discourage, prevent and provide consequences of misconduct; reduce the tangible and intangible damage caused by adverse events; noncompliance and unethical behaviour and the likelihood of similar events happening in the future;
  6. Motivate and Inspire Desired Conduct:
     Provide incentives and awards for desirable conduct, especially in the face of challenging circumstances;
  7. Improve Responsiveness & Efficiency:
     Continuously improve the responsiveness (timeliness and agility) and efficiency (speed and quality) of all GRC Capabilities activities while improving effectiveness (ability to meet objectives and requirements)
  8. Optimise Economic & Social Value:
     Optimise the allocation of human and financial capital to GRC capability activities to maximise the value generated, benefitting the organisation and the society in which it operates.

  Garry Jones replied 1 year, 6 months ago 1 Member · 0 Replies
• 0 Replies

Log In to Reply