The GRC Capability Model 3.5: A Comprehensive Guide to the Latest Governance Risk and Compliance Capability Model
Brianna Wheeler
Director of Marketing | GRCP
From developing the original GRC capability model to spending two decades dedicated to training our members on leveraging interdisciplinary skillsets, OCEG is releasing The GRC Capability Model 3.5 on its 20th anniversary to improve how GRC is implemented across the globe.
Table of Contents:
- Introduction
- GRC and Principled Performance®
- Importance of GRC in the current business context
- The Evolution of GRC
- Origin of GRC and Principled Performance®
- Development of The GRC Capability Model
- Introduction of the first GRC standard (OCEG Red Book)
- Recognition and adoption of GRC
- Exploring The GRC Capability Model
- Part I: GRC Concepts
- Part II: GRC Capabilities
- Part III: GRC Glossary
- GRC Capability Model Tools & Techniques
- The Role of GRC Professionals as Protectors
- The importance of GRC professionals in safeguarding organizations
- Protector Mindset(tm) and Protector Skillset(tm)
- Addressing challenges in the business landscape
- The GRC Capability Model 3.5 - Enhancing GRC Excellence
- Overview of The GRC Capability Model 3.5
- Objectives of the model update
- Updates and improvements in the 3.5 version
- Leveraging The GRC Capability Model
- Recommended approach for utilizing the document
- Reading order suggestions
- The benefit of referencing the GRC Glossary
- Celebrating 20 Years of GRC & Principled Performance®
- OCEG's 20th-anniversary celebration
- Significance of The GRC Capability Model 3.5
- Empowering GRC professionals and addressing unprincipled conduct
- Sign up for an All Access Pass Today
- Exclusive access to the GRC Red Book: Capability Model 3.5
- 90 exclusive tools and resources referenced in the members-only framework
The GRC Capability Model 3.5: A Comprehensive Guide to the Latest Governance Risk and Compliance Capability Model
Over the last 20 years, OCEG has dedicated itself to developing Principled Performance® on a global scale by implementing its GRC Capability Model. In celebration of this milestone, OCEG is releasing The GRC Capability Model 3.5, marking significant enhancements and updates to the original, influential model. Over the years, GRC has become an essential discipline for organizations aiming to achieve Principled Performance® by effectively managing risks, ensuring compliance, and promoting ethical conduct.
In the following, you'll gain a deep understanding of the origin of The GRC Capability Model, its key concepts, capabilities, glossary, and recent updates found in the 3.5 version.
To gain access to an exclusive version of the GRC Red Book: Capability Model 3.5, complete with 90 tools and resources referenced in the framework, Sign up for an All Access Pass Today.
What is GRC?
Before jumping into the details of this guide, it's crucial to have a baseline knowledge of what GRC is and why it's more important to your current business context than ever, empowering GRC professionals to drive value and mitigate the trillion-dollar problem caused by unprincipled conduct.
The acronym GRC (Governance, Risk, and Compliance) was created by OCEG (Open Compliance and Ethics Group) to denote the six critical capabilities that must work together to achieve a concept called Principled Performance®. These capabilities integrate the governance, management, and assurance of performance, risk, and compliance activities.
GRC aims to help organizations operate in the context of disconnection and volatile, uncertain, complex, and ambiguous (VUCA) conditions. VUCA and disconnection are substantial "destabilizing forces" that make producing and preserving value challenging. Protectors are the stabilizing forces to face this instability and to help organizations gain, maintain, and sustain Principled Performance®.
Learn more about "What is GRC?" on our website.
The Evolution of GRC
Two decades ago, the OCEG Community pioneered the concept of GRC, recognizing the need for an integrated approach to address the challenges organizations worldwide face. GRC and Principled Performance® were conceptualized, leading to the creation of The GRC Capability Model. The model served as a structured framework to simplify, clarify, and augment GRC practices. OCEG collaborated with hundreds of members and experts in the GRC ecosystem to continuously update and improve the model, aligning it with evolving industry needs and best practices.
Over time, the conversations expanded to include performance management, risk management, governance, and assurance. In 2004, the first GRC standard, the OCEG Red Book, was released, detailing practices for integrating governance, risk, compliance, and ethics. GRC evolved, gained recognition, and saw wide adoption in subsequent years.
The concept of "Principled Performance®" was defined to describe the goal of GRC. OCEG expanded its educational efforts, developed certification programs, finalized the GRC Glossary, and updated The GRC Capability Model versions.
By 2015, the GRC movement had reached over 50,000 members worldwide. In 2023, OCEG celebrates its 20th anniversary by releasing the 3.5 version of its Red Book to our 130,000 members and to the public.
To gain access to an exclusive version of the GRC Red Book: Capability Model 3.5, complete with 90 tools and resources referenced in the framework, Sign up for an All Access Pass Today.
Exploring The GRC Capability Model
The GRC Capability Model is organized into three main parts: GRC Concepts, GRC Capabilities, and GRC Glossary. Each section is crucial in helping GRC professionals understand and implement effective GRC strategies.
Part I - GRC Concepts: This section delves into the pervasive ideas and models that underlie all aspects of GRC. GRC professionals can quickly establish a solid foundation and navigate complex GRC challenges by understanding these fundamental concepts.
Part II - GRC Capabilities: Part II focuses on the structured expression of high-performing GRC. It outlines the key capabilities necessary to achieve effective GRC, covering risk management, compliance, ethics, internal control, and more. The GRC Capability Model is a roadmap for organizations to develop and enhance these capabilities.
Part III - GRC Glossary: The GRC Glossary provides an alphabetic listing of consistent terms and definitions, offering clarity and standardization in GRC vocabulary. It is a valuable reference for GRC professionals seeking to untangle and harmonize terminology across departments and functions.
GRC Capability Model Tools & Techniques
This appendix highlights the various tools and techniques referenced in The GRC Capability Model. This section contains a total of 90 tools, resources, and references that are exclusively available to OCEG All Access Pass Members. These collected resources assist GRC professionals in implementing GRC strategies effectively and efficiently, supporting their efforts to achieve Principled Performance®.
To gain access to an exclusive version of the GRC Red Book: Capability Model 3.5, complete with 90 tools and resources referenced in the framework, Sign up for an All Access Pass Today.
The Role of GRC Professionals as Protectors
GRC professionals, often called Protectors, play a vital role in safeguarding organizations against unprincipled misconduct, mistakes, and miscalculations. They possess a Protector MindsetTM and an interdisciplinary Protector SkillsetTM, allowing them to advise and collaborate across departments such as the board, strategy, risk, compliance, ethics, human resources, legal, security, quality, internal control, and audit.
The role of Protectors is to produce and preserve value, ensuring Principled Performance® by reliably achieving objectives, addressing uncertainty, and acting with integrity. With their expertise, Protectors help organizations tackle the trillion-dollar problem caused by unprincipled conduct.
However, being a Protector can be challenging due to the volatile, uncertain, complex, and ambiguous nature of the business landscape, commonly known as VUCA. Moreover, departmental silos and disconnections between people, values, and skills can hinder effective GRC implementation.
The OCEG community introduced Principled Performance® and GRC to address these challenges two decades ago. This interdisciplinary approach aims to solve problems by fostering collaboration and breaking down silos. The continuously improving knowledge presented in The GRC Capability Model codifies this approach in the form of GRC Concepts, GRC Capabilities, and the GRC Glossary.
The GRC Capability Model 3.5 - Enhancing GRC Excellence
On its 20th anniversary, OCEG is proud to release The GRC Capability Model 3.5, marking a significant milestone in the evolution of GRC. This latest iteration of The GRC Capability Model builds upon the foundation laid by its predecessors and incorporates valuable enhancements to improve GRC practices further worldwide.
The GRC Capability Model 3.5 results from an extensive collaboration between OCEG, hundreds of members, and GRC experts from various disciplines. The update focused on three primary objectives: simplifying, clarifying, and augmenting the model.
By adding, editing, and removing content throughout The GRC Capability Model, OCEG aimed to make it more accessible, user-friendly, and easier to navigate. Using new technologies to capture and publish the document ensures that GRC professionals can leverage digital resources for efficient implementation.
The GRC Capability Model 3.5 includes updated GRC Concepts that comprehensively understand the foundational ideas and models underlying effective GRC. These concepts serve as guiding principles for organizations seeking to enhance their GRC capabilities.
In addition, the model introduces new concepts, models, and practices that have become commonly used in the GRC ecosystem. By augmenting the existing content, The GRC Capability Model 3.5 reflects the evolving landscape of GRC and equips professionals with the latest tools to address emerging challenges.
To gain access to an exclusive version of the GRC Red Book: Capability Model 3.5, complete with 90 tools and resources referenced in the framework, Sign up for an All Access Pass Today.
Leveraging The GRC Capability Model
The GRC Capability Model is a versatile resource that can be utilized in various ways to maximize its benefits. While no prescribed order exists for reading the document, a suggested approach can enhance comprehension and implementation.
Begin by reading the Introduction, which provides an overview of the drivers of Principled Performance® and GRC, setting the context for the model. This section helps establish an extensive understanding of the role GRC plays in organizations.
Next, delve into the GRC Concepts section, which outlines the pervasive ideas used throughout the GRC ecosystem. This foundational knowledge enables professionals to grasp the underlying principles and frameworks that shape effective GRC strategies.
The GRC Glossary is invaluable for untangling and harmonizing vocabulary across departments and functions. Referencing the glossary can ensure consistent understanding and communication throughout the organization.
Moving on to the GRC Capabilities section, professionals can explore the structured expression of high-performing GRC. This section breaks down the key capabilities necessary for organizations to achieve effective GRC, such as risk management, compliance, ethics, internal control, etc. By studying these capabilities, GRC professionals can identify areas of improvement and develop strategies to enhance their organization's GRC practices.
Lastly, exploring the other sections of the document, such as Tools & Techniques, is beneficial, which provides additional resources and references that complement The GRC Capability Model. These tools and techniques can support GRC professionals in implementing practical solutions and best practices.
Celebrating 20 Years of GRC & Principled Performance®
As OCEG celebrates the 20th anniversary of GRC as an industry, its release of The GRC Capability Model 3.5 marks a significant milestone in advancing the field of GRC. With its simplified, clarified, and augmented content, this model empowers GRC professionals to navigate the complexities of today's business landscape and effectively address the trillion-dollar problem caused by unprincipled conduct.
By leveraging The GRC Capability Model, organizations can develop a robust GRC framework, cultivate a Protector MindsetTM, and foster interdisciplinary collaboration across departments. As the GRC ecosystem evolves, OCEG remains committed to providing the latest insights, updates, and resources to enable GRC professionals to drive Principled Performance®, achieve objectives, and uphold integrity in their organizations.
Through continued dedication, collaboration, and adherence to The GRC Capability Model, GRC professionals can build resilient and responsible organizations in the face of uncertainty and contribute to a more principled and ethical business landscape globally.
To gain access to an exclusive version of the GRC Red Book: Capability Model 3.5, complete with 90 tools and resources referenced in the framework, Sign up for an All Access Pass Today.
Featured in: Certification , GRC Capabilities , Principled Performance , Capability Model , OCEG HQ