oceg © 2011 Driving Principled Performance An Overview of the OCEG GRC Capability Model


Page 1

oceg © 2011

Driving Principled Performance An Overview of the OCEG GRC Capability Model

Page 2

OCEG and Risk Management

• What is OCEG?
• Is the OCEG Red Book a risk management standard?

Page 3

OCEG is a nonprofit organization that uniquely helps organizations drive Principled Performance® by enhancing corporate culture and integrating governance, risk management, and compliance processes by providing:
• Guidelines and Standards
• Community of Practice
• Evaluation Criteria & Benchmarks

Page 4

OCEG Red Book 2.1

What it is and what it is not…

Page 5

Let’s start with the “Big Picture”

The goal is Principled Performance

Page 6

The Goal: Principled Performance

OBJECTIVES: strategic, operational, customer, process, and compliance objectives

OPTIMIZE PERFORMANCE: strategy, people, process, technology, and infrastructure in place to drive toward objectives

MANDATED BOUNDARY: boundary established by external forces including laws, government regulation, and other mandates

VOLUNTARY BOUNDARY: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies

OPPORTUNITIES

OBSTACLES

Page 7

Principled Performance

reliable achievement of objectives

while addressing uncertainty

and acting with integrity

Page 8

GRC Defined

a capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity…

…including the governance, assurance and management of performance, risk, and compliance.

(c) OCEG. All rights reserved.

Page 9

Or, you could say GRC is the integration of capabilities that enable principled performance.

Page 10

What does this capability look like?

Page 11

High Level View

[Diagram: Governance, Assurance and Management applied across Performance, Risk and Compliance, leading to Principled Performance]

The rigorous governance, assurance and management of performance, risk and compliance helps an organization reliably achieve objectives while addressing uncertainty and acting with integrity.

Page 12

Too Much Fragmentation

[Diagram: the same Governance / Assurance / Management view of Performance, Risk and Compliance, with each area served by separate frameworks, including:]

• NACD, OECD, King 3; Domain-Specific Governance (IT, Project, etc.)
• Balanced Scorecard; Strategic Planning
• Business Intelligence; Decision Science
• Quality Management
• COSO; CoCo
• Turnbull; PCAOB
• US FSG; AS 3806
• Quality Management; Domain-Specific; COSO ERM
• ISO 31000 / BSI 31100; UK Orange Book
• IRM / ALARM / Airmic; Domain-Specific (BASEL)

Page 13

Red Book – Makes it Easier and ‘Better’

[Diagram: the same Governance / Assurance / Management view of Performance, Risk and Compliance, covered by a single framework, the OCEG Red Book GRC Capability Model]

Page 14

GRC Body of Knowledge

› Open Source
› Quality Controlled
› Complete
  • 8 Components
  • 40 Elements
  • 100s Practices

www.oceg.org/standards

OCEG Red Book GRC Capability Model

Page 15

GRC Capability Model


8 UNIVERSAL OUTCOMES

Enhance Organizational Culture

Increase Stakeholder Confidence

Prepare & Protect the Organization

Prevent, Detect & Reduce Adversity

Motivate & Inspire Desired Conduct

Improve Responsiveness & Efficiency

Optimize Economic & Social Value

Achieve Business Objectives

8 INTEGRATED COMPONENTS

[Diagram: the components are arranged around the outcomes; labels visible in the extract are INTERACT, DETECT, ORGANIZE, ASSESS, MEASURE, PROACT and RESPOND]

Page 16

What the Red Book is and is not

• It is not a risk management standard/framework
• You can use ISO or COSO if you prefer
• It addresses the optimized delivery of value, and risk management is an essential element
• Optimized performance requires multiple elements to work together in an orchestrated fashion

Page 17

Thank You!

Norman Marks

SAP, Palo Alto, California

[email protected]

http://www.theiia.org/blogs/marks/

http://normanmarks.wordpress.com/

Twitter: normanmarks