GRC Capability Model 3.0 (Red Book) full version

The GRC Capability Model 3.0 (Red Book) helps GRC professionals plan, assess, and improve their GRC capabilities in order to achieve Principled Performance.

Principled Performance is the healthy and vigorous state of being that enables organizational success. It can only be achieved by integrating and aligning information and core functions, and supporting them with strong communication, effective technology, and development of the desired culture.

It’s not enough to aggressively move toward established objectives. For success, we must consider the boundaries of laws, social mores, and uncertainties that arise with regard to potential risks and rewards.

Nor can the management of risk, compliance, and ethical conduct be separated from the objective-seeking activity. Everything must be brought into alignment and operate through fully integrated governance, risk management, and compliance capabilities. The GRC Capability Model (a free and open-source standard) was created to provide guidance to achieve this alignment.

GRC Capability Model Updates

OCEG was the first to publish a GRC Capability Model (and the only one independent of a specific profession or vendor solution). We have updated the model to:

  • Clearly represent the integrated nature of GRC capabilities
  • Highlight the relationship of risk and compliance management to strategic planning
  • Improved ease of use through structure and language updates.

The Red Book can be applied to a range of situations from small projects to organization-wide rollouts, as well as a variety of subject areas from anti-corruption to business continuity to third party management. The Model is an excellent tool to frame conversations about GRC capabilities with board, senior executives, and managers.

Four Components of The Model

The Model has been made easier to understand and navigate with four main components (reduced from eight components in version 2.1). The components are defined as:

  1. LEARN about the organization context, culture and key stakeholders to inform objectives, strategy and actions.
  2. ALIGN strategy with objectives, and actions with strategy, by using an effective decision-making approach that addresses values, opportunities, threats and requirements.
  3. PERFORM actions that promote and reward things that are desirable, prevent and remediate things that are undesirable, and detect when something happens as soon as possible.
  4. REVIEW the design and operating effectiveness of the strategy and actions, as well as the ongoing appropriateness of objectives to improve the organization.

(Download the LEARN Component IllustrationALIGN Component Illustration,  PERFORM Component Illustration and the REVIEW Component Illustration — the four companion infographics in the OCEG GRC Capabilities Illustrated series.) Additionally, the number of elements that support the four components of the model have been reduced from 32 to 20 (see image below).

OCEG GRC Capability Model v3 Components & Elements

Sources For The Model Update

Updates to the Model were based a variety of sources including:

  • Feedback from users of the Red Book
  • Input from OCEG Executives and Fellows, Council members and GRC leaders from the OCEG community
  • Changing perspectives highlighted in OCEG surveys (GRC Technology Strategy Survey, GRC Metrics Survey and GRC Maturity Survey)
  • Consideration of other standards and technologies used by governance, risk, compliance and audit professionals

Companion Materials

An Excel spreadsheet version of the Model practices is available for download for All Access Pass members. This spreadsheet can be used to:

  • Create task lists
  • Set priorities
  • Rank capabilities
  • Conduct gap analysis
  • Load practices into performance management and/or audit management tools

Additionally, the following companion materials are available to All Access Pass members:

Video highlighting changes in the Red Book from version 2.1 to 3.0
Watch Video

Archive of past versions

Version 2.1