April, 2009
OCEG Basic Member Edition
Basic Member Edition --- DOES NOT INCLUDE Appendix C
OCEG Premium and Enterprise members may use the links to Technology
Arenas and Modules in the online version of the Model (located
within each Element) to access Appendix A of the GRC-IT Blueprint™,
which identifies and defines types of technologies that enable the
GRC system. The Technology Arenas and Modules in the Model
represent a bridge between the GRC professional and the IT
professional. GRC professionals can use the Technology Arenas and
Modules as a basis for discussing technology options with their IT
counterparts. Enterprise member IT professionals can use the
Technology Arenas and Modules as a bridge from the Model into the
GRC Blueprint™. While the downloadable version of the Model
available to all OCEG members provides high level guidance on which
Technology Arenas and Modules support each Element of the Model,
the GRC-IT Blueprint™ provides the definitions of these Arenas and
Modules as well as a visual representation of how they relate to each
other. The GRC-IT Blueprint™ is also available as a downloadable
stand-alone document.

To sign up:
For OCEG Premium Membership go to: https://www.oceg.org/subscribe/PremiumUpgrade
For OCEG Enterprise Membership contact info@oceg.org
SINGLE USER NON-COMMERCIAL LICENSE: ZORAN10
(mladenoviczoran8@gmail.com). EMAIL INFO@OCEG.ORG FOR COMMERCIAL
LICENSE.
The continuing work of OCEG is made possible in part by the
generosity of the following organizations. Please join us in
thanking these leading organizations and their representatives:

Leadership Council / Charter Members:

Principal Authors:
Scott L. Mitchell, OCEG Chairman and CEO
Carole Stern Switzer, Esq., OCEG President
LEGAL NOTICE
This is NOT Legal or Professional Advice. This Document, including
its appendices, is provided for general information purposes only.
The application of law to individual circumstances must be
addressed for each unique situation. In preparing and providing
this document, neither OCEG nor any of its Contributors are engaged
in rendering legal, tax or any other professional advice or
services. OCEG and its Contributors do not purport to identify all
conceivable compliance requirements or recommended controls. It is
the responsibility of each organization to understand which legal,
accounting and other compliance requirements apply to its
activities. Users of this document are advised to seek specific
legal advice by contacting members of relevant and applicable bar
associations regarding any specific legal issues.
This document or custom report versions of this document may
contain links to third party websites. Monitoring the vast
information disseminated and accessible through those links is
beyond our resources and neither OCEG nor any Contributors attempt
to do so. This Document provides links for convenience only and
nothing herein shall constitute an endorsement of the information
contained in linked web sites nor guarantee its accuracy,
timeliness, or fitness for a particular purpose. OCEG and its
Contributors disclaim all warranties and liability for the content
of any such other sources.
Using the document or any part herein does not create a
lawyer-client relationship or any other type of professional
relationship.
While OCEG and its Contributors attempt to provide accurate,
complete and up to date content, errors or omissions may occur.
This document is offered AS IS, WHERE IS.
To the fullest extent permitted by applicable law, neither OCEG nor
the Contributors (including their officers, directors, partners and
employees, and their affiliates, related entities and successors
and assigns) warrant or guarantee the quality, accuracy or
completeness of any information on this document. Neither OCEG nor
its Contributors shall be liable for any damages or costs,
including any direct, consequential, incidental, indirect, punitive
or special damages (including loss of profits, data, business or
good will) in connection with use of this product, whether or not
liability is based on breach of contract, tort, strict liability,
breach of warranty, failure of essential purpose or otherwise, and
even if a party is advised of the likelihood of such damages.
Neither OCEG nor any Contributor makes any representations or
warranties regarding the completeness, accuracy or timeliness of
the contents, and each disclaims all implied warranties (including
merchantability, fitness for a particular purpose and
non-infringement) and all liability for any loss, damage or claim,
whether due to an error or omission or otherwise.
Table of Contents

RED BOOK INITIATIVE LEADERSHIP .... i
  OCEG Leadership Council (2008) .... i
  Red Book 2.0 Initiative Leadership .... i
  Red Book Steering Committee Co-Chairs .... i
  Steering Committee .... ii
  Task Force and Review Panel .... iii
  Task Force Members .... iii
  Review Panel Members .... iv
The OCEG Framework for Principled Performance® .... 2
  The Red Book .... 2
  The Burgundy Book .... 2
  Additional Resources Available from OCEG .... 2
  Content Domains .... 2
  GRC Requirements Database .... 3
  GRC-IT Blueprint™ .... 4
Changing Times: The Evolution of GRC .... 5
  Corporate Misconduct and Regulatory Reform .... 5
  Value and Stakeholders .... 6
The Rise of Principled Performance® .... 6
  Defining the Boundaries of Conduct .... 7
  GRC: Governance, Risk Management, Compliance and Beyond .... 8
GRC: Breaking it Apart and Pulling it All Together .... 10
  The Corporate Governance Discipline: The G in GRC .... 10
  The Risk Management Discipline: The R in GRC .... 11
  A Brief Detour: Sustainability .... 11
  The Compliance Discipline: The C in GRC .... 13
  Other Critical Components of GRC .... 13
  A Unified Framework .... 14
  An Integrated Approach .... 15
  Embedded in the Business .... 16
High-Performing GRC .... 16
  Efficient, Effective and Responsive .... 17
  Specific GRC Benefits .... 18
  Integrated GRC: A Pathway to Principled Performance .... 18
Key Roles and Accountability .... 19
  The Role of the Board .... 19
  The Role of Management .... 19
  The Role of Assurance .... 19
The Anatomy of the GRC Capability Model .... 21
  Universal GRC System Outcomes .... 24
Component Overview .... 25
  CULTURE & CONTEXT (C) .... 25
  ORGANIZE & OVERSEE (O) .... 25
  ASSESS & ALIGN (A) .... 25
  PREVENT & PROMOTE (P) .... 25
  DETECT & DISCERN (D) .... 25
  RESPOND & RESOLVE (R) .... 25
  MONITOR & MEASURE (M) .... 25
  INFORM & INTEGRATE (I) .... 25
How to Read the GRC Capability Model Report (1) .... 26
How to Read the GRC Capability Model Report (2) .... 27
How to Read the GRC Capability Model Report (3) .... 28
GRC Capability Model™ Version 2.0 .... 29
RED BOOK INITIATIVE LEADERSHIP

OCEG enjoys the expertise of an elite group of individuals and
organizations who provide their invaluable wisdom and advice as we
pursue serving the knowledge and resource needs of GRC and related
professionals.
OCEG Leadership Council (2008)

Please join us in thanking these leading organizations and their
representatives.

Aon •
Approva
Archer Daniels Midland Company
Axentis
Baker Hughes
CA, Inc
Cisco Systems •
Compliance Initiatives
Corporate Integrity
Dell •
Deloitte •
Dow Chemical Company
Ernst & Young •
EthicsPoint •
Freddie Mac
Gevity HR
Global Compliance Services •
Grant Thornton •
Interactive Alchemy
Kalorama Partners
Kraft Foods
Levick Strategic Marketing Communications
Littler Mendelson •
LRN •
Marsh •
Metricstream •
Microsoft •
OpenPages
Oracle •
PETCO
PricewaterhouseCoopers •
Qwest Communications •
Raytheon
SAP •
Staples
Sun Microsystems
Temple-Inland
Toyota Motor Sales, U.S.A
UHY Advisors
Unilever
Ventura Foods
Wal-Mart
XPLANE

• denotes OCEG Charter Members in 2008
Red Book 2.0 Initiative Leadership

A select group of individuals representing cross-disciplinary,
cross-industry, and trans-global perspectives committed substantial
time and expertise to shaping the OCEG Capability Model™. We would
like to take this opportunity to thank each of our contributors.
OCEG accepted the input of each of the individuals in the following
roles as individual contributions, recognizing that their views and
perspectives may not represent official views of the organizations
with which they are affiliated.
Red Book Steering Committee Co-Chairs

Mr. Larry Harrington, CPA, CIA - Vice President, Internal Audit, Raytheon Company (Professional Issues Committee - IIA)
Mr. Brad Jewett - Vice President, Enterprise Risk Management, BMC Software (formerly during this process: Director, Enterprise Risk Management, Microsoft Corporation)
Mr. Scott Roney, Esq. - Vice President, Compliance and Ethics, Archer Daniels Midland Company
Mr. John Steer - Partner, Allenbaugh Samini LLP (Vice Chair, US Sentencing Commission, 1999-2007)
We would like to thank the OCEG executives and staff members
(present and past) who helped to make Red Book 2.0 possible,
especially: Avi Fichman, Kelly Ray, Carole Waesche, Stephane Legay,
Vinaya Mayya, Jeanna Mitchell and Lane Leskela. We appreciate all
that you do to support our members and our work.

With our thanks,
Carole and Scott
Steering Committee

Steering Committee members attended several drafting and review
sessions, and individually prepared comments on each draft of the
Red Book document throughout the development process. A special
thank you to Jose Tabuena, VP Integrity and Compliance/Corporate
Secretary, MedicalEdge Healthcare Group, Inc. for his contributions
to the narrative overview.

Mr. Michael Horowitz - Partner, Cadwalader Wickersham & Taft LLP and U.S. Sentencing Commission Member
Mr. Eric Moorehead - Assistant General Counsel, United States Sentencing Commission
Mr. Richard Steinberg - CEO, Steinberg Governance Advisors, Inc. (Author, COSO Internal Control & COSO ERM and formerly corporate governance practice leader of PricewaterhouseCoopers)
Mr. Carlo di Florio - Partner, Advisory, PricewaterhouseCoopers LLP
Mr. Lee Dittmar - Principal, Deloitte
Mr. Randy Nornes - Executive Vice President, Aon Corporation
Mr. Trent Gazzaway - Managing Partner of Corporate Governance, Grant Thornton LLP
Mr. Norman Comstock, CIA, CISA, CISSP, CCSA, CSOXP - Managing Director, UHY Advisors TX LLC
Mr. Gaurav Kapoor - CFO and General Manager, MetricStream, Inc.
Mr. Jose Tabuena - VP Integrity and Compliance/Corporate Secretary, MedicalEdge Healthcare Group, Inc.
Mr. Mark S. Beasley - Deloitte Professor of Enterprise Risk Management and ERM Initiative Director, Professor of Accounting, College of Management; COSO Board Member
Mr. David B. Crawford, CIA, CCSA - Audit Manager Emeritus, System Audit Office, The University of Texas System
Mr. Ronald Berenbeim - Director of Ethics Research, The Conference Board
Mr. Earnie Broughton - Executive Director/Ethics Program Coordinator, USAA
Mr. David Koenig - Past Chairman of The Board of Directors, PRMIA
Ms. Melissa Lea - Chief Global Compliance Officer, SAP AG
Mr. Paul Liebman - Chief Compliance Counsel, Dell Corporation
Mr. Dave Ferguson - VP of Operations Compliance, Wal-Mart Stores, Inc.
Mr. Pete Fahrenthold - Managing Director Risk Management, Continental Airlines
Mr. Eugene Fredriksen - CISO, Tyco International
Mr. Abdel Krim Hamou-Lhadj - Manager, Regulatory Compliance & Quality Assurance, Cognos Products, IBM
Mr. David Heller - VP Risk and Chief Ethics and Compliance Officer, Qwest Communications
Mr. Allen Stewart - Managing Director Ethics, Duke Energy
Ms. Nan Stout - Vice President, Business Ethics, Staples
Mr. Kendall Tieck - Audit Director, Business Groups, Microsoft Corporation
Ms. Shirley Yoshida - SVP, Internal Audit, Macy's Inc.
Mr. Chet Young - Divisional VP Audit Compliance and Loss Prevention, Walgreen Co
Mr. Brian Chevlin - Deputy General Counsel, Unilever
Ms. Mary Doyle - Ethics & Compliance, Intel Corporation
Ms. Kathleen Edmond - Chief Ethics Officer, Best Buy
Mr. Rick Kulevich - Sr. Director, Ethics and Compliance, CDW Corporation
Mr. Jay Martin - VP CCO & Sr Deputy Gen Counsel, Baker Hughes Inc.
Mr. Xunlez Nunez - Ethics and Compliance Business Consultant, Baker Hughes, Inc.
Ms. Haydee Olinger - VP Chief Compliance Officer, McDonalds
Mr. Paul C Palmes - President, Business Standards Architects, Inc.
Ms. Xenia Ley Parker - Senior Director, Marsh & McLennan Cos
Ms. Tian Peng, CIA - Audit Manager, China National Offshore Oil Corporation Ltd
Ms. Deborah Penza - VP Corporate Compliance, Elan Pharmaceuticals, Inc.
Ms. Janet Sheiner - Director, Ethics & Compliance, PETCO
Ms. Faye Stallings - Vice President Audit & Ethics, El Paso Corporation
Mr. Michael Rasmussen - President, Corporate Integrity
Dr. Parveen Gupta, LL.B., Ph.D. - Professor of Accounting and Chairman Accounting, Lehigh University
Prof. Sanjay Anand - Chairperson, Sox Institute, G R C Group
Mr. Robert Chastain - General Counsel, VP Compliance, Chief Security Officer, Pepperweed Consulting LLC
Mr. Andrew Dahle, CPA, CIA, CISA, CFE - Partner, Advisory, PricewaterhouseCoopers LLP
Ms. Deb Davis - Executive Vice President, Great River Compliance & Advisory Services LLC
Mr. Kip Ebel, CFE - Senior Manager, Health Sciences, Fraud Investigations & Dispute Services, Ernst & Young LLP
Mr. David Gebler - President, Skout Group, LLC
Mr. Allan Goldstein - Retired Managing Director Risk Advisory, ARGUS Holdings Ltd
Mr. Steven Helwig - Director Professional Services, Compliance Spectrum
Mr. David Hess - Director, Internal Audit and Controls, Jefferson Wells International, Inc.
Ms. Sara A. Liftman - Senior Manager, AABS Advisory Services, Ernst & Young LLP
Mr. Worth MacMurray, Esq. - Principal, Compliance Initiatives, LLC
Mr. Bruce McCuaig - Chief Risk Officer/Principal Consultant, Paisley Consulting
Ms. Andrea McElroy - Sr. Director Compliance System Integrity, Golden Living
Mr. Robert N. Merrill, JD - Senior Manager, Fraud Investigation and Dispute Services, Ernst & Young LLP
Mr. Tom Wardell - Partner, McKenna Long & Aldridge LLP
Mr. F. Richard Ricketts, JD - Director of Finance, Workforce Development Council Snohomish County
Ms. Carole Basri - President, The Corporate Lawyering Group LLC

Task Force and Review Panel

Task Force members attended online review meetings, and both Task
Force and Red Book Review Panel contributors provided their focused
review of the Red Book 2.0 drafts throughout the process.

Task Force Members

Mr. Ted Banks - Compliance & Competition Consultants, LLC (formerly Chief Counsel Global Compliance, Kraft Foods)
Mr. Dinesh O. Bareja - Program Director, CSI eSecure, Inc. (Canada)
Mr. Hadi Beski - PM, Hashem Co
Mr. Matthew Blake - Analyst, Ikobo
Mr. Wayne Brody - CCO VP Legal Affairs, Arrow Electronics, Inc
Mr. Mark Carey - Partner, Deloitte & Touche LLP
Mr. Glenn Carleton - Director National Consulting, RSM McGladrey
Mr. Nick Ciancio - Vice President Marketing, Global Compliance
Mr. Paul Cogswell - Vice President ERC, Comdata Network, Inc.
Mr. Brett Curran - Vice President GRC and Regulatory Practices, Axentis LLC
Mr. Ronald De Boer - Senior Sales Executive GRC, SAP Nederland (Netherlands)
Mr. Stephen Donovan - Chief Counsel, International Compliance, International Paper Company
Ms. Christine Doyle - SVP Senior Compliance Director, Bank of America
Mr. Rocky Dwyer, PhD, CMA - Principal, Chief Review Services, National Defence (Canada)
Ms. Catherine Finamore Henry, CIA - Ethics Officer and VP, Business Development, SmartPros Legal & Ethics, Ltd.
Mr. John Fons, Esq. - Attorney, John Fons Solo Practice
Mr. Christopher Fox - Senior Principal Manager, Governance Risk and Compliance, CA
Mr. Arnold Galit - VP Risk and Compliance, Ikobo, Inc
Mr. Jason Garelli - Head of Operational Risk and Sox Management, Och-Ziff Capital Management
Mr. Joe Grettenberger - Compliance Solutions Integration Manager, Quest Software
Mr. Eric Hespenheide - Internal Audit Services, Global Leader, Audit and Enterprise Risk Services, Deloitte & Touche LLP
Mr. Eric Hong - Manager, Security Consulting, A3 Security (Republic of Korea)
Mr. Jawaid Iqbal - System Analyst, Saudi Pan Gulf (Saudi Arabia)
Mr. Dennis Irwin, CIA - Internal Audit Manager, Health Care Practice, Wipfli LLP
Mr. Bob Jacobson - Managing Director National Consulting, RSM McGladrey
Ms. Colleen Lyons, MBE, CCEP - Principal, Ethical Stability™
Mr. John MacKessy - President & CEO, Prism Risk Advisors, Inc.
Mr. Eamonn Maguire - Managing Director, PricewaterhouseCoopers LLP
Mr. Paul McGreal - Prof of Law, Southern Illinois University School of Law
Mr. Ashish Mehta - IT Manager, BP (United Arab Emirates)
Mr. Jeffrey Miller - Chief Compliance Officer, Synthes
Mr. Bruce R. Millman - Shareholder, Littler
Mr. James O'Keeffe - Consulting Manager, Sycor Americas
Mr. Brin Odell - Director, Client Services, EthicsPoint
Ms. Mary Pruitt - Associate Director Firm Compliance, Americas Office of Ethics and Compliance, Ernst & Young
Mr. Azwar Ritonga - OSS Eng, TELKOM (Indonesia)
Mr. David Mace Roberts - Vice President and Gen Counsel, Elbit Systems of America LLC
Mr. Roy Robinson - Vice President Communications Education, Archer Daniels Midland Company
Mr. Sayed Sadjady - Partner, PricewaterhouseCoopers LLP
Mr. Suvendu Samantaray - Business Consultant, Infosys Consulting
Mr. William Shenkir, Ph.D., CPA - William Stamps Farish Prof Emeritus, McIntire School of Commerce, University of Virginia
Mr. Ratan Sonti - Software Engineer, SAP
Ms. Andrea Spudich, CCEP - Principal, The Responsible Leader Group
Ms. Darla Stanley - Wal-mart Stores, Inc.
Ms. PJ Sullivan - Sr Technical Mgr-IT Compliance, Freight System, FedEx Corporation
Mr. Lou Tinto - Engagement Manager Technology Risk Management, Jefferson Wells
Ms. Patricia Towers - Senior Manager, Global Ethics & Compliance, Procter & Gamble
Ms. Juven Zeng - Consultant, Smartdot Tech
Review Panel Members

Mr. Daoud Abu-Joudom, MBA, CISA, CISM - VP, Head of IT Audit, Group Internal Audit, Arab Bank (Jordan)
Mr. John Adamsons - Coordinator, WHO
Mr. Mani Akella - Director, Technology, Consultantgurus
Ms. Julia Allen - Senior Researcher, Carnegie Mellon University
Ms. Sam Apps - Group Manager Compliance, Origin Energy Limited (Australia)
Mr. Toks Azeez - Compliance Business Consultant, Legal Department, Baker Hughes Inc
Mr. Timour Baiazitov - Head of Risk Management and Control, Severstal (Russia)
Mr. Brian Barnier - GRC, IBM Corporation
Mr. Stephen Baruch, CBCP - Disaster Preparedness, Business Continuity, Enterprise Risk Management
Mr. Bob Bassetti - Senior Manager, BearingPoint, Inc.
Mr. Indarduth Beejah - Deputy Director Internal Control, US Government (Mauritius)
Mr. Jose Antonio Rubio Blanco - Rey Juan Carlos University (Spain)
Mr. Robert Bordynuik - Sr Security Consultant, Versatile Solutions LLC (Saudi Arabia)
Mr. Bruce Buckley - General Counsel, IIR
Mr. French Caldwell - VP, Analyst, Gartner, Inc.
Dr. Joseph V. Carcello - Ernst & Young Professor and Director of Research, Corporate Governance Center, University of Tennessee
Mr. Anthony Chalker - Director, Protiviti
Mr. Derek Cherneski - Business Continuity & Security Analyst, Federal Communications Commission (Canada)
Mr. Mandar Chitre - Solution Architect, Infrastructure Management Services, Patni (India)
Mr. Tom Cleary (Australia)
Mr. Richard Cohan, FACHE, CHC, CCEP - Director of Integrity and Compliance and Chief Privacy Officer, Providence Health & Services
Mr. Marco Colonna (Italy)
Mr. Brian Conrey, CISA - Program Manager, Controls Integrity LLC
Ms. Laura Cote - Senior Auditor, Allergan
Mr. Doug Cotton - MD Business Ethics & Compliance Program, American Airlines
Mr. Kevin Crimmins - VP GC, Software Impressions LLC
Mr. John Cross - Lecturer, California State University Fullerton
Ms. Yo Delmar, CMC, CISM - Chief Marketing Officer, Brabeion Software Corporation
Ms. Andrea Dias - Manager, ICTS Global (Brazil)
Mr. Patrick Donovan - Chief Compliance Officer, Airbus SAS (France)
Mr. Rory Douglas - Ethics Analyst
Mr. Robert Drolet - Oracle Financials and GRC Professional, OraApps Consulting, Inc.
Mr. Tim Elliott - Senior Vice-President, Operational Risk Director, Financial Intelligence Division, Comerica Bank
Ms. Sheila Fields - Knowledge Management, HS FIDS
Ms. Cyndi Fleming - Director of IM/IT, DTSSAB (Canada)
Mr. Russ Gates - President, Dupage Consulting LLC
Mr. Leon Goldman - Chief Compliance and Privacy Officer, Beth Israel Deaconess Medical Center
Mr. Royd Graham - Corporate Controller and Senior Director of Accounting, Academy Sports + Outdoors
Mr. Luis Guadarrama - Sr Data Security Consultant (Mexico)
Mr. Richard Gudoi Gid'Agui, CIA, CGFM, CFSA, MSc. Audit (UK), MBA - Senior Lecturer / Program Coordinator Internal Auditing, School of Accountancy, Witwatersrand University (South Africa)
Mr. Miguel Gutierrez, CISA, CISM - Director Global IT Risk & Compliance, International Information Technology, Brink's Incorporated
Mr. Rodrigo Hayvard, Esq. (Chile)
Mr. Michael Helmantoler - Business Continuity, Helmantoler.net
Mr. Arnold Hill - Project Manager, Property Development Division, WPC, US General Services Administration
Mr. Peter Hillier - Principal Consultant, Hillier Security Services (Canada)
Mr. David Hoberg - Corporate Finance Manager, Voith Paper, Inc.
Mr. Matthew Hourin - Senior Manager, Deloitte
Mr. Jörgen Jarleman - Principal, JMC Management Consulting (Sweden)
Mr. Anil Jhumkhawala - Director, Compliance, Secure Matrix I Pvt Ltd. (India)
Mr. Jim Jolley - Training and Research Manager, Office of Communication and Professional Development, Florida Department of Revenue
Mrs. Christiane Jourdain - Business Continuity Planning Project Manager, Sussex HIS, NHS (United Kingdom)
Mr. Rodriguez Julio - Chief Compliance Officer, Banco Pastor (Spain)
Mr. Daniel Karrer - E-Loan Inc (Brazil)
Ms. Marion Keraudren
Ms. Cary Klafter - VP Legal and Corporate Affairs and Corporate Secretary, Intel Corporation
Mr. Sam Koh - Technical Manager, Vasco (Singapore)
Mr. Alon Kohalny - CAE, Municipality of Kadima-Zoran (Israel)
Mr. Richard Levy - Vice President of Engineering, Mitratech Holdings, Inc.
Ms. Adlinna Liang - Director, MetLife
Mr. Peter Liria - Director, Global Ethics & Compliance, Avaya Inc.
Ms. Anna Luszpinska - Director, Prudential Regulations Department, Bank Zachodni WBK SA (Poland)
Mr. Andre Macieira - Director, ELO Group (Brazil)
Prof. Andre Macieira - Assistant Professor, Concordia University
Ms. Marjorie A. Maguire-Krupp, CPA, CIA, CFSA - President, Coastal Empire Consulting
Mr. Jorge Soeiro Marques - Chief Risk Officer, Lusitania Seguros (Portugal)
Mr. Gabe Mazzarolo - VP, Technology, Pareto (Canada)
Ms. Amelia McCarty - VP Ethics and Compliance, Cardinal Health, Inc.
Mr. Tlhabano Mmusi - Compliance Trainee (Botswana)
Mr. Paul Moxey - Head of Corporate Governance and Risk Management, ACCA (Association of Chartered Certified Accountants) (United Kingdom)
Ms. Florie Munroe - Vice President for Compliance, Health Quest
Mr. Joe Nadivi - CEO, SBS (Israel)
Mr. Warren Nelson - Risk Advisor, Risk & Assurance, Inland Revenue Department (New Zealand)
Mr. Peter Parmenter - Director, Internal Controls, Biomed Realty Trust, Inc.
Ms. Alice Peterson - President, Syrus Global
Ms. Diane Pettie - Vice President General Counsel & Corporate Secretary, Legal, Canexus Limited (Canada)
Ms. Judy Pokorny - Director, Utilities Consulting, Huron Consulting
Mr. Tobin Pospisil - Chief Financial Officer, Gallatin Steel Company
Mr. Richard Poworski - ITA, SGI (Canada)
Ms. Monika Rajh Mladenov - Auditor, The Court of Audit of the Republic of Slovenia (Slovenia)
Mr. Bala Ramanan - Sr. Consultant, Microland Ltd (India)
Mr. Javvadi H Rao, FICWA, ACA, CMA, CFM (USA) - Head of Risk Management, Agri Business Division, ITC Ltd. (India)
Dr. Peter Reichard - Group Compliance Officer, Allianz Risk Transfer (Switzerland)
Ms. Kim Rivera - VP Associate GC, The Clorox Company
Mr. Joel Rogers - Director, Ethics & Corporate Compliance, Kaplan EduNeering
Ms. Johanna Rogers - Chief Compliance Officer, SunGard
Mr. Peter Rosenzweig - Senior Manager, Advisory Services, Ernst & Young LLP
Mr. Stefano Rossi - Dott, Guidance SRL (Italy)
Ms. Mary Roth - Executive Director, RIMS (Risk and Insurance Management Society)
Mr. Paul Russo - Systems Engineer, BAE Systems
Ms. Karen Rutledge - Ethics & Compliance Specialist, PNM Resources, Inc.
Mr. Richard Sanzin - Company Secretary, Royal Automotive Club of Victoria (RACV) Limited (Australia)
Mr. Ram Sastry - Director, IT Audits
Mr. James Sehloff - Information Security Analyst, Holy Family Memorial
Mr. Bob Semple - PricewaterhouseCoopers LLP (Ireland)
Mr. Jerry Shafran - CEO, Compliance Assurance Corporation
Mr. Ken Shaurette - Engagement Manager, Jefferson Wells
Ms. Monica Shilling - Partner, Proskauer Rose LLP
Mr. Jay Shinde - Assistant Professor, Eastern Illinois University
Ms. Elizabeth Siemens - Senior Legal Advisor Governance, Cameco Corporation (Canada)
Mr. Samir Singh
Mr. Mark Snyderman - Chief Ethics & Compliance Officer & Assistant General Counsel, The Coca-Cola Company
Ms. Barbara Stegun Phair - Partner, Abrams Fensterman Fensterman Eisman Greenberg Formato & Einiger, LLP
Ms. C Karen Stopford - AVP Information Security, The Commerce Insurance Company, Inc.
Mr. Geoffrey Storms - Chief Internal Auditor, Cameco Corporation (Canada)
Mr. Dan Swanson - President and CEO, Dan Swanson & Associates (Canada)
Ms. Celia Szelwach - Ethics and Compliance Manager, PBS&J
Ms. Heidi Teresi - Compliance Manager, Alcatel-Lucent
Mr. Tim Tesluk - SVP, Greater China Legal & Compliance, DBS Bank (China)
Mr. Calvin Thompson - Manager, TSWCCUL (Bahamas)
Mr. Kevin Tisdel - Director of Corporate Compliance, Shaw Industries Group, Inc.
Mr. Dan Twing - COO, EMA (South Africa)
Mr. Pieter Van Hout, Ing Mba Mbci - Essent Corporation (Netherlands)
Mr. Surya Vangara - SCSL (Trinidad and Tobago)
Mr. Kishore Vekaria - Director, Secure Keys Consulting (Mauritius)
Mr. Nitish Verma - Director
Mr. Dean Wagers - SOX Compliance, The Kroger Co.
Ms. Kathy Washenberger - IPSO, Hennepin County
Mr. David Wassel - VP, Business Development, ZeroTouchWare
Mr. Ian Lawrence Webster - Governance Officer, Performance Technologies (Brazil)
Mr. Chip Weiant - Chair, American Center for Civic Character
Ms. Mary Karen Wills - Partner, Consulting, Argy Wiltse & Robinson
Ms. ChunHua Yang - Student, Southern Illinois University
Ms. Jie Yang, MBA (China)
Mr. Gunter Zimmermann - Consultant, Controlware Gmbh (Germany)
Executive Summary
Problems always have solutions. And the very simple solution to the almost unimaginably complex challenges organizations face as they do business in an increasingly complicated global marketplace is this: Step back, get a good look at the challenges and develop an integrated approach to managing risks and maximizing opportunities throughout the enterprise. The result: what the Open Compliance and Ethics Group calls Principled Performance®1. The simple step of adopting an integrated approach to setting operational standards and making sure they’re met – by integrating activities that are now siloed and often duplicative or contradictory – enhances the corporation’s value by making its governance, risk management and compliance activities more efficient and effective.
The rise in incidents of corporate misconduct in recent years led
to numerous reforms in organizational legal and regulatory regimes.
Yet, even with increased regulatory control, organizations have
shown themselves to remain unprepared for the wide-ranging risks
they face. A big part of the problem is that too much of too many companies’ effort to eradicate misconduct focuses on the individuals and their supposed malicious intent rather than on the systems and processes that should have kept the misconduct from happening in the first place. So, despite warning signs, companies
often fail to see an emerging calamity, even when it is fully
predictable. Threats that should have been recognized and avoided
continue to catch them by surprise, a state of affairs that has
emphasized the importance of establishing an ethical culture and a
more integrated approach to organizational oversight, comprehensive
risk management and compliance efforts.
Striving for Principled Performance
Organizational balance of power relies on the interrelationship of management, the Board of Directors (or other governing body) and key stakeholders. That interrelationship depends on mutual accountabilities and an unfettered exchange of information. When the parties work together well, they provide an authoritative set of checks and balances that enables the organization to achieve Principled Performance, which is the outcome of clearly articulating an enterprise’s objectives, both financial and nonfinancial, and defining the methods by which it establishes and stays within the boundaries it will observe while driving toward those objectives. Principled Performance is achieved by defining “right” for your company, then doing the “right” things the “right” way — not only to create value in the traditional view, but to protect value, address uncertainty and help the organization stay within its customized boundaries of conduct.
GRC: An Integrated Approach to Governance, Risk Management and Compliance
A number of key business processes help organizations achieve Principled Performance, and processes under the areas of governance, risk management and compliance are particularly critical to its success. Because there is significant overlap in the activities that underlie and support those broad areas, addressing them and all others that contribute to Principled Performance in an integrated fashion allows a consistent view of information and efficient application of resources that greatly enhance the power each individual process brings to the organization. We call that integrated approach “GRC”.
1 Principled Performance is a registered trademark of OCEG.
GRC activities are fundamentally interconnected and dependent on
similar processes, people and technology. It is important to note
that integration of these activities does not mean consolidation.
Rather, integration means applying a common vocabulary, approach
and, ideally, technology infrastructure to GRC processes. It also
means coordinating the activities that ensure a flow of consistent
information throughout the organization and that enhance efficient
use of resources. By establishing an integrated GRC system of
people, processes and technologies, an organization can replicate
improvements in one GRC area across other GRC areas in the
enterprise, enabling the organization to achieve Principled
Performance. And once the GRC system is in place, companies can
fine-tune their efforts as they move forward, reallocating human and capital resources to the GRC areas that their ongoing monitoring tells them need the most attention.
The GRC Capability Model™
At the heart of the OCEG Framework is the GRC Capability Model™. Although various standards and guidance frameworks exist that address discrete portions of governance, risk management and compliance issues, the OCEG GRC Capability Model™ is the only one that provides comprehensive and detailed Practices for an integrated GRC system. Those Practices address the many Elements that make up a complete GRC system.
Figure 1 – GRC Capability Model Elements View
Applying the Elements in the GRC Capability Model™ and the Practices within them enables an organization to:
• Achieve Business Objectives
• Enhance Organizational Culture
• Increase Stakeholder Confidence
• Prepare & Protect the Organization
• Prevent, Detect & Reduce Adversity
• Motivate & Inspire Desired Conduct
• Improve Responsiveness & Efficiency
• Optimize Economic & Social Value
The OCEG Framework for Principled Performance®
The shortest distance between any organization and Principled Performance is application of the guidance and resources provided by OCEG. The OCEG Framework for Principled Performance® (commonly referred to as the OCEG Framework) is relevant to those in oversight, strategic, operational and assurance positions. The OCEG Framework is centered on the GRC Capability Model™ (commonly known as the Red Book), which describes key elements of an effective GRC system that integrate the principles of good corporate governance, risk management, compliance, ethics and internal control. The OCEG Framework also includes the Burgundy Book, which details the assessment criteria and procedures for evaluating GRC systems under OCEG’s GRC Capability Assessment Program™. Here are important content and format details:
The Red Book
The Red Book contains the GRC Capability Model™, the central piece of the OCEG Framework. It provides a comprehensive guide for anyone implementing and managing a GRC system or some aspect of that system – including those involved in compliance, training, hotlines and investigations. The Model also is contained in a searchable database on the OCEG site, where OCEG enterprise members can mine the data it contains and create custom reports to include content from the additional resources described below. Premium members may also view the online version but do not have access to custom report creation. As a downloadable document on the OCEG site available to all OCEG members, the Red Book also includes a narrative overview about achieving Principled Performance through an integrated approach to governance, risk management and compliance. This narrative also provides a basic understanding of the principles and structure of the OCEG Framework. OCEG also makes the narrative overview available as a separate downloadable document that can serve as a quick-start guide to orient leadership and new GRC team members about GRC and the OCEG Framework.
The Burgundy Book
The Burgundy Book provides procedures and assessment criteria to facilitate management and evaluation of a GRC system. It identifies the key aspects of a GRC system that an organization should evaluate to provide assurance of system design and baseline operations to management and the Board, and it establishes common procedures for conducting an independent assessment of the system. The Burgundy Book’s procedures also serve as the basis for evaluations that support an application for certification of GRC system design by OCEG. The Burgundy Book is available for download by all OCEG enterprise members and may be purchased for download by premium members.
Additional Resources Available from OCEG
OCEG offers additional resources to enterprise members that supplement the OCEG Framework. The searchable and downloadable resources include:
Content Domains
Content Domains provide application guides (supplements) that offer additional information to use with the OCEG Framework when addressing topical or industry-specific aspects of a GRC system. They delineate practices for applying the GRC Capability Model that are bundled either broadly for a particular area of risk applicable to any number of entities or specifically for a unique area of risk applicable within a particular industry. In that way, the Content Domains address the nuances and exceptions in applying the Model to the unique activities of an organization. OCEG members may download GRC Content Domain materials as discrete electronic publications based on a single industry issue or a single area of risk. Alternatively, enterprise members may search across multiple Content Domains and download a customized comprehensive report. The GRC Capability Model can be used as a common backbone to support compliance and risk management of common and industry-specific risk areas.
[Figure: the GRC Capability Model™ (People, Process & Technology) as the common backbone, supporting common compliance risk area domains (apply to most organizations) and industry- or geography-specific domains]
GRC Requirements Database
The OCEG Requirements Database under development contains detailed information about Requirements that are related to the Elements of the GRC Capability Model or to Content Domains, which OCEG has identified from specific laws, rules, cases, treaties, standards and other guidance. OCEG maps these “Related Requirements” to the specific Elements of the Model or Domain Practices to which they relate. In that way, enterprise members can use the OCEG resources to ensure that they are aware of relevant Requirements. During 2009, OCEG is reviewing publications — Authority Documents — of more than 100 standards bodies and other industry organizations, as well as governments in numerous countries, to identify additional global Requirements relevant to the Model. Given the enormity of the task of addressing a global audience, transnational standards and those from the following 15 countries and regional bodies, based on their position in global affairs and OCEG member priorities, represent the starting point for Requirements that will be added to the database:
• Australia
• Brazil
• Canada
• China
• France
• Germany
• India
• Italy
• Japan
• Mexico
• Russia
• South Africa
• United Kingdom
• United States
• European Union
OCEG will provide citations to relevant portions of Related
Requirements with links to the text when available and depending
upon agreements reached with issuing authorities. An example of
this format, available only through custom reports generated by
Enterprise members through use of the OCEG Requirements Database,
is presented in Appendix A.
GRC-IT Blueprint™
OCEG Premium and Enterprise members may use the links to Technology Arenas and Modules in the online version of the Model (located within each Element) to access Appendix A of the GRC-IT Blueprint™, which identifies and defines types of technologies that enable the GRC system. The Technology Arenas and Modules in the Model represent a bridge between the GRC professional and the IT professional. GRC professionals can use the Technology Arenas and Modules as a basis for discussing technology options with their IT counterparts. Enterprise member IT professionals can use the Technology Arenas and Modules as a bridge from the Model into the GRC Blueprint™. While the downloadable version of the Model available to all OCEG members provides high-level guidance on which Technology Arenas and Modules support each Element of the Model, the GRC-IT Blueprint™ provides the definitions of these Arenas and Modules as well as a visual representation of how they relate to each other. The GRC-IT Blueprint™ also is available as a downloadable stand-alone document.
Changing Times: The Evolution of GRC
The globalization of financial markets, rapid expansion of outsourcing, and growth of layer upon layer of regulatory oversight within governments across the globe make today’s business environment as challenging as any has ever been. The global economic systems in which organizations now operate have become profoundly complex and inter-related, and it is not always clear where requirements originate and responsibilities lie for various aspects of governance, risk management, compliance, and oversight of controls. That lack of clear accountability has resulted in abuses of power, compliance failures and other dysfunction that affect shareholder capital, employees and the social environment at large. When accountability in an organization breaks down, it can have severe consequences. Not surprisingly, investors have indicated they are willing to pay a premium for well-governed companies. The problem that most corporate executives see when it comes to staying on top of changing legal requirements, business circumstances and economic realities is this: There are too many fragmented solutions to too many problems, a micro approach if you will. What they too often don’t see is that there is a unified solution – a macro solution to a macro problem – that addresses all the separate problems that come up as the business environment changes. Application of OCEG’s GRC Capability Model™ is every organization’s key to developing the systems and processes, required controls around them and assessments that help ensure that the organization can adapt to address every business risk it faces. The bottom line: An integrated approach to governance, risk management and compliance that’s embedded in an organization’s day-to-day operations will maximize its performance and minimize its risk.
Corporate Misconduct and Regulatory Reform
By most accounts, the prominent lapses associated with companies that lost their way in recent years were due in large part to corporate governance failures, including all too common and undue pressure to meet short-term objectives and not enough pressure to build long-term value. That lack of attention to fundamentals and appropriate oversight led to the destructive behavior that undermined the financial market’s credibility and, in turn, inspired numerous reforms in legal and regulatory regimes imposed on organizations. The Sarbanes-Oxley Act of 2002 was just the start of an onslaught of regulatory and other reforms that regulatory bodies have put in place globally in an attempt to improve corporate governance. Public companies are not alone. Although private companies are not required to comply with the provisions of SOX or its regulatory counterparts in other countries, reforms around the world also have addressed various areas of private company business practices. Likewise, though the stated goal for not-for-profits is fulfilling a mission rather than maximizing share price, they too have faced increased regulatory oversight. But even with that increased regulatory control, organizations have proved themselves unprepared for the wide-ranging risks they face these days. Even with warning signs, companies still fail to see emerging calamities, even when they’re fully predictable. Often, threats that should have been recognized and avoided still catch too many companies by surprise. This state of affairs emphasizes the importance of effective organizational oversight, comprehensive risk management and a more integrated approach to controls & compliance. Organizations have struggled to manage the myriad of governance, risk management and compliance requirements they face, and many continue to apply fragmented approaches to those critical functions, resulting in suboptimal performance. However, some are successfully reducing their vulnerability and managing the complexity of requirements by employing a more integrated approach to governance, risk management and compliance.
Value and Stakeholders
To best see the path ahead — the path to integrated governance, risk management and compliance — it’s necessary to look back to see why it’s critical to embark on the integration journey. Organizations and business enterprises are formed and exist for a variety of reasons, but at their core, they function to achieve a common goal or set of goals. All organizations - whether publicly traded corporations, private entities, not-for-profits or governmental units - exist to provide value for their stakeholders. They all must strive for strong performance to safeguard and grow value while ensuring sustainable operations. But while organizations exist to provide value to stakeholders, the actions they must take and goals they must achieve to provide that value are constantly changing. In the past, it was generally accepted that the “social responsibility” of business is a duty to maximize profits, particularly in the case of corporations. Today, though, the free market view that business decisions should be based solely on a narrowly defined notion of what is good for a single category of stakeholders, namely the shareholder, is eroding. Some businesses are adopting an emerging perspective that behaving in a different type of “socially responsible” manner reduces legal risks, enhances employee satisfaction and generally reflects good management practices — all things that ultimately maximize long-term shareholder value while benefiting all stakeholders of the organization. That emerging perspective holds that in today’s global markets, where shareholders and other stakeholders are diverse and widely dispersed, a stakeholder is anyone who is affected by, or who can affect, the organization. That includes internal stakeholders, or employees, and those in the value chain, suppliers and customers, as well as external influencers such as investors, communities, regulators and the media. Stakeholder concerns, including non-financial concerns, have become more important as all types of stakeholders have gained credibility and influence. That evolving approach to value, and to the holistic and comprehensive view of stakeholder demands, is contributing to a drive toward an integrated approach to governance, risk management and compliance and, ultimately, to what OCEG calls Principled Performance®.
The Rise of Principled Performance®
Organizational balance of power relies on the relationship between management, the Board of Directors or other such governing body and key stakeholders. That relationship, in turn, depends on mutual accountabilities and an unfettered exchange of information. When the parties work together, they provide an authoritative set of checks and balances that enables the organization to achieve Principled Performance. Principled Performance is the outcome of a clear articulation of an enterprise’s objectives, both financial and non-financial, and application of the GRC methods by which it establishes and stays within the boundaries it will observe while driving toward those objectives. Principled Performance goes beyond ethical performance, economic performance, or corporate social responsibility. Principled Performance represents achievement of all of the objectives an organization chooses to pursue while employing an effective, efficient, and responsive approach to governance, risk management and compliance that supports those objectives.
Defining the Boundaries of Conduct
All organizations must operate within defined boundaries. Outside forces, such as legal and regulatory requirements, establish the mandated boundaries that some refer to as “externally driven mandates.” Similarly, entities must also determine the voluntary boundaries within which they should function. Those are often called “internally driven mandates.” A company’s Board and management assess the organization’s voluntary boundaries — which include public socio-economic commitments, standards, certifications, contractual and representational obligations such as warranties and guarantees, and organizational ethics and values. It is important that organizations treat voluntary boundaries as seriously as they do the mandated boundaries, as violations of either can carry equally significant adverse consequences. In the course of conducting business and managing risk, an organization must understand the internal and external obstacles that may get in the way of achieving its objectives, and it must recognize the opportunities that may transform either the objectives themselves or the business model required to achieve the objectives. An organization must be adept at operating within boundaries, overcoming obstacles — or preventing them from undermining its efforts — and seizing upon opportunities to attain its objectives. But few companies have a handle on the wide range of policies, processes, and controls needed to manage compliance with both internal and external boundaries and its risks. The integration of governance, risk management, and compliance (“GRC”) helps an organization more effectively and efficiently drive performance. Governance, of course, establishes objectives and, at a high level, the boundaries inside which the entity must operate. A strong ethical culture, as an aspect of internal governance, provides a safety net when formal controls and structures are weak or nonexistent — while, at the same time, providing an environment that helps the workforce reach its highest level of productivity. Risk management helps the organization identify and address potential obstacles to achieving objectives. A healthy Enterprise Risk Management discipline can enhance the value protection and value creation decision making within an organization. Compliance management ensures that the boundaries are well set, and that the organization does indeed conduct business within them through established policies and controls. For an organization to achieve Principled Performance it must:
• clearly define its mission, vision and values;
• define what it seeks to achieve;
• define how it will pursue those objectives while addressing risks and uncertainty, protecting and creating value, identifying new opportunities and staying within defined boundaries of conduct along the way;
• make these choices transparent to appropriate internal and external stakeholders; and
• do all of that using an integrated approach where the “whats” and “hows” are continuously improved for the highest level of performance.
It is important to note that achieving Principled Performance means
each entity defining what is “right” for it, then doing the “right”
things the “right” way. Principled Performance, then, is about
enhancing the traditional shareholder view of financial performance
to include desired outcomes that are not directly or exclusively
financial, but that address other stakeholder interests that secure
long-term success.
GRC: Governance, Risk Management, Compliance and Beyond
A number of key business processes help organizations achieve Principled Performance. While there are many activities and functions that contribute, such as internal controls, audit, assurance, quality, IT, HR and others, GRC (the acronym drawn from the three primary contributors – governance, risk management and compliance) stands in for all of those critical functions and represents the synergistic effect of an integrated approach: the creation of a whole that is far more than merely the sum of its parts. Within the context of the integrated GRC system, all the individual functions share a mutuality of interest, a common need for information and contribution to the organization’s efforts to achieve Principled Performance. There are many reasons an organization seeks to integrate and align its governance, risk and compliance efforts into a GRC system. Here are a few examples:
• The global footprint of the business requires an understanding of additional laws, rules and regulations beyond the headquartered domicile.
• The cost of complying with an increasingly complex, voluminous and ever-changing patchwork of legal mandates is always rising.
• There is a lack of visibility into not only operational issues, but also risk and compliance activities.
• There is unnecessary complexity and duplication of effort taking place to address risks and requirements.
• The Board and senior management face increased accountability and liability.
• There is redundancy in some areas and possible gaps in coverage for critical risks in others.
• The cost of maintaining duplicate sets of information for different purposes and reconciling information when necessary is high.
To address such drivers, many organizations are integrating GRC activities to achieve Principled Performance in an effective, efficient and responsive manner. To most effectively accomplish that, it’s important to understand the nomenclature. Formally defined, GRC is a system of people, processes and technology that enables an organization to:
• understand and prioritize stakeholder expectations;
• set business objectives congruent with values and risks;
• achieve objectives while optimizing risk profile and protecting value;
• operate within legal, contractual, internal, social and ethical boundaries;
• provide relevant, reliable and timely information to appropriate stakeholders; and
• enable the measurement of the performance and effectiveness of the system.
A “GRC activity,” then, is any process or activity that contributes to or is part of the system. Processes and functions that are typically included are:
• Governance
• Strategy and Business Performance Management
• Risk Management
• Compliance
• Internal Control
• Corporate Security
• Legal
• Information Technology
• Business Ethics
• Sustainability and Corporate Social Responsibility
• Quality Management
• Human Capital and Culture
• Audit and Assurance
• Finance
Each contributes to an organization’s ability to drive Principled Performance, and all can benefit from improved communication, shared strategy, common processes, coordinated schedules and integrated technology. Processes under the areas of governance, risk management and compliance are particularly critical to system success, so a deeper look at their definitions is helpful:
• Governance is the culture, values, mission, structure and layers of policies, processes and measures by which organizations are directed and controlled. Governance, in this context, includes but is not limited to the activities of the Board, for governance bodies at various levels throughout the organization also play a critical role. The tone that is set, followed and communicated at the top is critical to success.
• Risk, in this context, is the measure of the likelihood of something happening that will have an effect on achieving objectives; most importantly, but not exclusively, an adverse effect. Thus, Risk Management is the systematic application of processes and structures that enable an organization to identify, evaluate, analyze, optimize, monitor, improve, or transfer risk while communicating risk and risk decisions to stakeholders. The overriding goal of risk management is to realize potential opportunities while managing adverse effects of risk.
• Compliance is the act of adhering to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies.
There is some overlap among these functions, but they have distinct areas of focus and each has activities dispersed throughout an organization. For example, the definition of governance characterizes the maintenance of “culture” as a feature, even though many US-based companies incorporate ethical culture concepts into their compliance programs as defined by the US Federal Organizational Sentencing Guidelines.
GRC: Breaking it Apart and Pulling it All Together
Most companies historically have approached the GRC components separately and have tacked them on top of the business rather than embedding them into operations. Many have designed and implemented risk assessments and compliance policies and processes within narrow risk areas and at distinct locations, without consideration of how or when the organization has addressed similar issues in other areas. As a result, numerous processes and controls are buried in isolated silos, leading to complexity, duplication and major gaps. To better understand the power of integration, it is useful to more closely examine the individual GRC components of governance, risk management and compliance, as well as some of the significant supporting functions that contribute to GRC goals.
The Corporate Governance Discipline: The G in GRC The Organisation
for Economic Co-operation and Development defines corporate
governance as “the system by which business corporations are
directed and controlled. The governance structure specifies the
distribution of rights and responsibilities among different
participants in the corporation, such as the Board, managers,
shareholders and other stakeholders, and spells out the rules and
procedures for making decisions on corporate affairs. By doing
[so], it also provides the structure through which the company
objectives are set, and the means of attaining those objectives and
monitoring performance.” Traditionally, governance processes were
constrained to “what happens in the Boardroom.” Contemporary views
expand that, though, to encompass key governance activities that
may take place throughout the organization — and even those of some
external stakeholders — to support Board responsibilities,
including the company’s system of internal control and oversight of
compliance. Conventional corporate governance standards attempt to
balance the goals of protecting the interests of shareholders and
stakeholders with the requirement to respect the duty of Boards and
managers to direct the affairs of the organization. As owners of
securities, shareholders rely on the Board to protect their
interests. The Board acts as an active monitor for shareholders’
and stakeholders’ benefit with the goal of Board oversight to make
management accountable, and thus more effective. The key to
corporate governance is the distribution of rights and
responsibilities across the entire business. All too often,
however, organizations still apply governance principles solely to
Board processes and Boardroom issues. Yet critical to good
governance are the systems “below the Board” and the distribution
of rights and responsibilities that ensure tone, objectives and
expectations cascade throughout the organization and down to every
individual. In the context of GRC, effective corporate governance is supported by, and operates in, layers throughout the organization, with the emphasis on processes that shape the Board’s understanding of the critical information that allows good decision-making. Those systems and processes help the organization:
• understand entity vulnerabilities;
• provide insight and intelligence to the right people, at the right time, to make the right “risk-aware” decisions;
• reduce the likelihood that unauthorized decisions will be made;
• identify and reduce entity vulnerability to specific risks;
• reduce the likelihood and impact of undesirable events; and
• produce evidence about effectiveness to management, the Board and stakeholders.
The Risk Management Discipline: The R in GRC
Between the direction
and authority of governance and the requirements and boundaries of
compliance lie a plethora of obstacles and opportunities that may
affect an organization’s ability to achieve desired objectives. To
be effective, organizations need to take control of the risks they
face. The Committee of Sponsoring Organizations (COSO) ERM Report
defines risk as “the possibility that an event will occur and
adversely affect the achievement of objectives.”2
The COSO report further defines enterprise risk management as “a
process, effected by an entity’s Board of directors, management and
other personnel, applied in strategy-setting and across the
enterprise, designed to identify potential events that may affect
the entity and manage [that] risk to be within [the entity’s] risk
appetite to provide reasonable assurance regarding the achievement
of entity objectives.”
The Australia and New Zealand risk management standard3
uses a more concise, yet arguably broader definition of risk: “The
chance of something happening that will have an impact on
objectives.” It defines risk management as “the systematic
application of management policies, procedures and practices to the
tasks of communicating, establishing the context, identifying,
analyzing, evaluating, treating, monitoring and reviewing
risk.”
A group of UK organizations in “A Risk Management Standard” uses
the definition set forth in ISO/IEC Guide 73 for risk as “the
combination of the probability of an event and its consequences.”
British Standards, in the forthcoming BS 31100 standard, define risk as “something that might happen and its effect(s) on the achievement of objectives.”4
There are other definitions to note, including one from the Institute of Internal Auditors: “Enterprise-wide risk management is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.”5
2 COSO ERM definition, page 16.
3 AU/NZS 4360 is the basis for the forthcoming ISO 31000 standard on enterprise risk management.
4 BS 31100 public draft, July 31, 2007.
5 IIA definition in The Role of Internal Auditing in ERM.
This multitude of definitions suggests that there is a divide in the risk management profession around the concepts and definition of risk and how risk relates to uncertainty, opportunities, threats and obstacles. The most striking difference is how authorities include or exclude various types of risk outcomes. Some emphasize risk as the potential negative events that an organization may experience as it pursues objectives. Others define risk as the potential negative or positive events that may be experienced. Some of that is not so much a debate about “risk” as it is about the context thereof. For example, the insurance community is primarily concerned with the downside of risk. By contrast, the financial community is concerned about upside benefits from taking risk. Personal behavior mirrors that. When someone buys automobile or property insurance, he or she is concerned about the potential of an adverse event. When that person utilizes a retirement plan’s financial tools, he or she is managing risk to maximize opportunities and also to seek better returns. Notably, despite those differences, nearly all risk management frameworks and risk management professionals themselves agree that opportunities, obstacles and threats must be addressed in a holistic fashion to yield an optimal result. In that sense, the fundamental difference in how different frameworks and organizations define risk becomes functionally irrelevant. Indeed, in the context of GRC, most organizations have implemented at least minimal strategic planning processes and have developed an approach to pursue opportunities. What is often lacking is an integrated approach to:
• identifying the obstacles and threats along the way,
• assessing their potential impact,
• making risk-intelligent decisions and
• implementing governance structures to ensure that the organization appropriately pursues opportunities in light of those obstacles and threats.
In the context of GRC, there is a need to make governance and business performance more “risk-aware.” In relationship to corporate governance, companies struggle in determining the appropriate risk oversight role of the Board of directors. Various functions have been proposed with respect to the Board regarding risk, including approving the company’s risk appetite as a component of its strategy-setting and ensuring robust risk oversight by senior management. In other words, it is not the Board’s responsibility to identify and assess actual risks, but to monitor line management’s competence in doing so.
A Brief Detour: Sustainability
The concept of sustainability is sometimes mingled with other, similar expressions that have become widely used. For example, many businesspeople, authors and scholars refer to “corporate social responsibility” to mean a company’s obligations to society at large. Others prefer “sustainability” because “responsibility” emphasizes the benefits to groups outside the organization, while “sustainability” gives equal importance to the benefits enjoyed by the corporation itself. In that respect, sustainability can be viewed as related to business ethics, and thereby corporate compliance and ethics programs, but on a scale that emphasizes broader social issues such as poverty, education and human rights, versus specific choices by individual managers. Other terminology usage includes “corporate responsibility,” perhaps more commonly seen in Europe, “environmental social governance” and “sustainable development,” to name a few. Sustainability addresses the wide and diverse range of business concerns about the environment, workers’ rights and consumer protection and the impact of business decisions on those broad social issues – and ultimately the decision-making process itself and the relationship of the issues to profit or other organizational purposes. As such, the Governance role and setting of voluntary boundaries includes decisions about the organization’s commitment to sustainability.
The Compliance Discipline: The C in GRC
Boards of directors in the
United States have focused heavily on meeting the financial
reporting requirements of the Sarbanes-Oxley Act and are likely
facing compliance fatigue. Yet financial reporting is just one
aspect of compliance, and the Sarbanes-Oxley Act is just one
regulatory scheme, and many organizations are facing increasing
regulatory demands, especially as they extend into global markets.
Every country, of course, has laws and regulations for conducting
business within its borders. Neighboring and economically
interdependent countries also draft treaties and other legal
instruments to govern cross-border transactions. As the focus of
business becomes increasingly global, non-government organizations
concerned with the world economy and with corporate sustainability
increasingly promote principles that multiple countries agree to
abide by and thereby bind the organizations that operate within
their borders to operate under those principles. Other branches of
government, in their interpretation and enforcement of laws and
regulations, also create compliance requirements at a more granular
level. In many cases, a law may tell a company what it should be
doing, but it is the enforcing agency or a court that details the
how, when, why and to what standard it’s looking to know that an
organization has met both the letter and the spirit of the law or
regulation. Compliance requirements are not solely the province of
nations. Individual organizations work together through industry
and trade associations and standards bodies to create best
practices and guidance on how to execute processes, make products
or deliver services. By subscribing to those bodies’ ideas, and in
many cases, publicizing adherence to particular standards or
practices, entities themselves shape both the requirements they
operate under and the expectation that they will conform to those
requirements. Most directly, organizations agree to and impose upon
themselves requirements through their contracts with employees,
agents, partners, suppliers and customers. There are more formal
definitions of “compliance” as well, of course. The Australian
standard 3806 defines it as “an outcome of an organization meeting
its obligations” and a compliance program as “a series of
activities that, when combined, are intended to achieve
compliance.”6
The United States Sentencing Commission more narrowly defines a compliance program as one “to prevent and detect violations of law,” although the amended organizational sentencing guidelines added the promotion of “an organizational culture that encourages ethical conduct and commitment to compliance” in its definition of an effective compliance and ethics program. In the context of GRC, compliance is the act of adhering to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies. In other words, compliance is all about identifying requirements, legal or otherwise, and taking steps to ensure that the organization addresses all of them.
6 AU 3806, definitions.
Other Critical Components of GRC
There are certain other components of GRC that merit special attention, and the internal control discipline is one of them. The concept of internal controls has a long history and has been addressed in various legislative and regulatory standards. The COSO Internal Control Report defines internal controls as “a process, effected by an entity’s Board of directors,
management and other personnel, designed to achieve reasonable
assurance regarding the achievement of objectives in: (1)
effectiveness and efficiency of operations; (2) reliability of
financial reporting; and (3) compliance with applicable laws and
regulations.” In its ERM integrated framework, COSO expanded the concept of internal control to address the management of risk.
Internal control is clearly a common thread among the GRC
components, and an organization should employ a system of internal
controls that specify the policies, procedures and practices that
guide it in its efforts to achieve its objectives. Internal
controls inform management whether processes are being performed as
intended and with the intended outcomes. The assurance discipline
is another critical component of GRC. To maintain stakeholder
confidence, an organization must provide some level of assurance
that it has appropriate governance, risk management and compliance
capabilities. The critical question is what level of assurance the
stakeholders, especially the Board and shareholders, demand. What
satisfies the request for assurance? Is a clear authoritative
statement from management sufficient? Or is independent assurance
required? Does an objective internal department – such as internal
audit – suffice? Or does the required level of assurance compel
review by a completely independent third party? The answers to
those questions tend to vary by stakeholder constituency, and they
may also vary over time, given the organization’s history of
favorable or unfavorable findings. In the context of GRC, an
organization must provide objective, reasonable assurance that the
underlying GRC system or any aspect of the system is designed and
operating effectively. A focus on human behavior and conduct is yet
another critical component of GRC. As much focus as there is on
risk assessments, policies and controls, perhaps the most
significant factor in achieving Principled Performance is
understanding and addressing what motivates human behavior. How
organizations intentionally prize, cultivate and reinforce both
high character and high competence behaviors is critical.
Organizations must recognize that behavior cannot be completely
controlled or even managed, but that they can influence it through
leadership example, effective two-way communications and the
implementation of processes that motivate people to follow rules
and apply ethical decision-making to their actions. There is more
recognition that behavior and corporate culture have a significant
impact on company performance. Culture can be defined and it
generally develops out of tangible and controllable actions within
a company. Human resource professionals, particularly in
conjunction with compliance and ethics officers, are a critical
part of the GRC team, as they design and implement procedures to
educate the workforce and enhance their capabilities, appraise
individual and team performance and work to develop a culture of
high competence, good character, openness and accountability.
A Unified Framework
GRC encompasses a wide range and scope of functions, equally wide variations in approaches taken by organizations and a vast number of existing frameworks and guidance approaches. This presents a number of problems for those seeking to implement GRC, including the following limitations:
1. Framework developers often create them from a particular point of view to enable a narrow aspect of GRC.
2. Frameworks overlap in their coverage, so complete implementation of multiple frameworks could cause confusion and duplication of effort.
3. Management often implements frameworks narrowly, in one area of the business.
4. Frameworks from one discipline may have weaknesses that frameworks from another discipline address more fully. For example, compliance frameworks tend to provide little guidance around conducting risk assessments. Risk frameworks, on the other hand, provide a great deal of guidance around risk assessments, but offer little if any linkage to compliance requirements, with the exception of some frameworks that address IT, banking and business continuity risks.7
5. Internal control frameworks tend to focus primarily on controls rather than incentives. Compliance frameworks have always included powerful ideas around using incentives to motivate positive conduct.
6. Some frameworks still leave many wondering how to translate their principles into practice.
Organizations need a clear understanding of what to do in the face of voluminous frameworks. The good news is that the fundamental principles behind the frameworks often are similar. Consistent principles readily emerge, but just as often the sound, practical guidance on how to implement them is unclear or absent. So GRC professionals, particularly those who support multinational organizations that have adopted or are required to meet a multitude of frameworks, need to determine what is practical and identify what does not work. By pulling together different points of view about business processes and practices into an integrated GRC approach, a greater depth of view is gained and the best aspects of each can be used to drive Principled Performance. That’s the goal and benefit of the OCEG Framework.
An Integrated Approach
It is important to note that “integration” does not mean
“consolidation.” Rather, integration means applying a common
vocabulary, approach and, ideally, technology infrastructure to GRC
processes. It also means coordinating those activities that ensure
a flow of consistent information throughout the organization and
that enhance efficient use of resources. In that manner, an
organization can replicate improvements in one GRC area across
other GRC areas in the enterprise. The term “integration” refers to several ideas, all of which are important to establishing a GRC system:
1. Integration of GRC disciplines. Disciplines including
corporate governance, risk management, compliance, internal
control, assurance and quality management all use powerful yet
separate frameworks to conduct their work. But those frameworks are
more similar than different, and organizations can apply an
integrated approach to them, using a common “backbone” to enable
their varying GRC activities.
2. Integration of GRC activities across risk categories and
departments. The various risk silos – strategic, cultural,
operational, financial, compliance and external — and the
departments that handle specific risk areas — business strategy,
treasury, IT, employment, environmental, corruption, etc. — can be
addressed using a common approach to cross silos, reduce the burden
on the business and bring the organization together around business
objectives.
3. Integration of GRC activities with business processes. GRC activities should augment strategic planning, product design, development, logistics, service, support and other mainline business processes. Management can integrate risk assessments with strategic planning, for example, and HR can integrate education about and awareness of GRC-related topics with general skills development programs.
7 An exception to this “rule” can be seen in some industry or risk area specific risk frameworks in the IT, banking and business continuity areas.
Perhaps most importantly, integration provides “a single version of the truth.” That’s essential when senior executives and the Board ask questions like:
• Are we achieving our objectives?
• How are we achieving them relative to risk?
• What are the most important risks that we face?
• How are we addressing them and who is accountable?
• Is the organization operating within defined boundaries?
• Are we experiencing any material issues?
Embedded in the Business
Clarifying GRC is not about dissecting the
acronym itself, of course, just as integrating its components is
not about consolidating effort inappropriately. Rather, clarifying
GRC is about understanding the underlying business issues that have
given rise to the widespread use of the term. GRC activities must
work with and be embedded in mainline business processes. In that
manner, GRC becomes part of the organizational DNA. Just as there
are matched chromosome pairs in each living thing’s DNA, wherever
there are business activities and decisions, there are related GRC
activities and decisions. Just as the tens of thousands of genes
contained in chromosomes carry information throughout the organism,
the GRC system consists of interrelated yet distinct components
that carry information throughout the organization. And integration
includes incorporating coordination requirements into mainstream
business processes and decision-making. The rationalization of
controls and testing and the increased use of automation reduce the
burden on line-of-business operations, thus decreasing the risk of
non-compliance. An enterprise perspective is required to reduce
redundancy across lines of businesses and functions, enabling
enterprise-wide oversight of key risks while enhancing operational
effectiveness and use of resources.
High-Performing GRC
A high-performing GRC system will always
deliver value. Organizations typically assess the value of an
activity by determining if it’s contributing to business
objectives. For that reason, in achieving Principled Performance,
it is not sufficient to focus only on the GRC activities
themselves. Rather, primary focus must be on the desired system
outcomes that result from those activities. Each organization is
unique, of course, and pursues unique business objectives. As a
result, every GRC system has a different mix of business objectives
that it is expected to support and, thus, a different mix of
desired GRC system outcomes. However, surveys of experts and
historical evidence of the key system outcomes stated in mission
and vision statements suggest that most organizations share several
desired outcomes that appear to be universal across GRC systems.
Among them are the desire to:
1. Meet Business Objectives
2. Enhance Leadership and Organizational Culture
3. Increase Stakeholder Confidence
4. Prepare and Protect the Organization
5. Prevent, Detect and Reduce Adversity
6. Motivate and Inspire Desired Conduct
7. Improve Responsiveness and Efficiency
8. Optimize Economic and Social Value
Efficient, Effective and Responsive
A high-performing GRC
capability will deliver those universal system outcomes while being
effective, efficient and responsive. Effectiveness describes the
quality of a system along two dimensions:
• Design effectiveness describes the degree to which a system or process is logically designed to meet legal and other defined requirements. Does the system or process contain all the necessary elements to thoroughly evaluate risk? Has it been designed for maximum effectiveness? If not, what features must be added to improve the system? Design effectiveness is very much a logical test that considers all requirements, risks and boundaries and determines if the system is appropriately designed.