Driving Principled Performance: An Overview of the OCEG GRC Capability Model (OCEG © 2011)

Posted on 22-Dec-2015



OCEG and Risk Management

• What is OCEG?
• Is the OCEG Red Book a risk management standard?

OCEG is a nonprofit organization that uniquely helps organizations drive Principled Performance® by enhancing corporate culture and integrating governance, risk management, and compliance processes by providing:
• Guidelines and Standards
• Community of Practice
• Evaluation Criteria & Benchmarks

OCEG Red Book 2.1

What it is and what it is not…

Let’s start with the “Big Picture”

The goal is Principled Performance

The Goal: Principled Performance

OBJECTIVES: strategic, operational, customer, process, and compliance objectives

OPTIMIZE PERFORMANCE: strategy, people, process, technology, and infrastructure in place to drive toward objectives

MANDATED BOUNDARY: boundary established by external forces including laws, government regulation, and other mandates

VOLUNTARY BOUNDARY: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies

OPPORTUNITIES

OBSTACLES

Principled Performance: reliable achievement of objectives while addressing uncertainty and acting with integrity

GRC Defined

A capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity… including the governance, assurance and management of performance, risk, and compliance.

(c) OCEG. All rights reserved.

Or, you could say: GRC is the integration of capabilities that enable principled performance.

What does this capability look like?

High Level View

[Diagram: Governance, Assurance and Management of Performance, Risk and Compliance, with Principled Performance at the centre]

The rigorous governance, assurance and management of performance, risk and compliance helps an organization reliably achieve objectives while addressing uncertainty and acting with integrity.

Too Much Fragmentation

[Diagram: Governance, Assurance and Management of Performance, Risk and Compliance, with each area covered by its own separate standards and frameworks:]

• NACD, OECD, King 3
• Domain-Specific Governance (IT, Project, etc.)
• Balanced Scorecard, Strategic Planning
• Business Intelligence, Decision Science
• Quality Management
• COSO, CoCo
• Turnbull, PCAOB
• US FSG, AS 3806
• Quality Management, Domain-Specific
• COSO ERM
• ISO 31000 / BSI 31100, UK Orange Book
• IRM / ALARM / Airmic, Domain-Specific (BASEL)

Red Book – Makes it Easier and ‘Better’

[Diagram: Governance, Assurance and Management of Performance, Risk and Compliance, brought together under the OCEG Red Book GRC Capability Model]

GRC Body of Knowledge

› Open Source

› Quality Controlled

› Complete
  • 8 Components
  • 40 Elements
  • 100s Practices

www.oceg.org/standards

GRC Capability Model

[Diagram: OCEG Red Book GRC Capability Model]

8 UNIVERSAL OUTCOMES

• Enhance Organizational Culture
• Increase Stakeholder Confidence
• Prepare & Protect the Organization
• Prevent, Detect & Reduce Adversity
• Motivate & Inspire Desired Conduct
• Improve Responsiveness & Efficiency
• Optimize Economic & Social Value
• Achieve Business Objectives

8 INTEGRATED COMPONENTS

• INTERACT
• DETECT
• ORGANIZE
• ASSESS
• MEASURE
• PROACT
• RESPOND

What the Red Book is and is not

• It is not a risk management standard/framework
• You can use ISO or COSO if you prefer
• It addresses the optimized delivery of value, and risk management is an essential element
• Optimized performance requires multiple elements to work together in an orchestrated fashion

Thank You!

Norman Marks

SAP, Palo Alto, California

norman.marks@sap.com

http://www.theiia.org/blogs/marks/

http://normanmarks.wordpress.com/

Twitter: normanmarks
