The Easy Way to Assess GRC Capabilities
Jason Mefford
Jason Mefford is a sought after executive coach, thought leader, and professional speaker on risk management, GRC, and internal audit topics.
As a GRC professional, or auditor, how do you provide assurance on the GRC capabilities within your organization? Where do you turn?
As a GRC professional or auditor, how do you provide assurance on the GRC capabilities within your organization? Where do you turn?
Organizations need a natural progression and interaction between governance, risk management, and compliance (GRC). Regulatory fines, the global nature of business, and the complexity of technology demand it.
Don’t reinvent the wheel — OCEG has the resources to help you.
Finding Help To Build GRC Capabilities
In my first job as a Chief Audit Executive (CAE), I needed to establish a new internal audit department at my organization. I had been auditing for many years but had never started a new audit department.
I turned to the Institute of Internal Auditors (IIA) for help. At the IIA, I found a wonderful resource on how to start an internal audit department. I learned all the necessary steps, and I even found sample templates. Within a short time, I had all the pieces in place. No need to reinvent the wheel.
Years later, I found myself responsible for ethics and compliance in a new organization. I was familiar with ethics and compliance but had never set up a capability in an organization.
I turned to OCEG and found the GRC Capability Model. The Red Book (as it’s called) helped me perform a gap analysis at my organization. I had a road map. I knew all the necessary components and elements I needed to have in an integrated ethics and compliance capability. Within a short time I knew what we needed to do. No need to reinvent the wheel.
As many of you know, to be successful, you must measure the effectiveness of your processes and capabilities. But where do you go to find help measuring integrated GRC?
If You Build It, You Must Audit It
Years ago, a group of leaders who worked with OCEG decided we needed a consistent way to audit GRC capabilities.
We came together as a community and developed the GRC Assessment Tools. We worked to develop an approach that any organization can use. We took the time and effort to practice the procedures in our own organizations. We made sure they worked.
GRC Assessment Tools
The purpose of the GRC Assessment Tools (Burgundy Book) is to provide a guideline for GRC professionals and those responsible for providing assurance. The Burgundy Book provides a common set of assessment procedures and a common understanding of what to expect during an assessment of GRC Capabilities. These procedures align with the OCEG GRC Capability Model, and you can use them for self-assessment as well as independent assessment.
OCEG’S goals in creating the Burgundy Book are to:
- Help organizations evaluate the design and operating effectiveness of their GRC Capability
- Reduce the cost of such evaluations by eliminating the time and expense of creating procedures
- Raise the overall level of maturity and quality of organizational GRC globally by helping individual organizations create their prioritized improvement plans
- Provide external judgment and recognition of sound practices
Be Informed. As an OCEG Basic Member (it’s free to join) you can download the GRC Capability Model and an excerpt of the GRC Assessment Tools.
Measure Your GRC Capabilities
OCEG recently released the newest version of the OCEG GRC Assessment Tools that aligns with version 3.0 of the OCEG GRC Capability Model.
You can learn more by downloading an excerpt. Or, if you have an OCEG All Access Pass, you can access the complete GRC Assessment Tools document.
Again, there is no need to reinvent the wheel since others before you have already done the work. All you have to do is download and use the available resources.
Featured in: Assurance / Audit , Capability Model