GRC Capability Model Red Book

Licensed for noncommercial personal use by Paulo Reis ([email protected]) on 5/28/2023, 2:45:47 PM
GRC Capability Model version 3.5 revision 2023-05-01

GRC Capability Model™
(OCEG Red Book)
Version 3.5 - PUBLIC DRAFT
revision 2023-05-01

Copyright © 2002 - 2023 OCEG. All rights reserved.

© 2002 - 2023 OCEG. All Rights Reserved. feedback to [email protected]

No part of this publication may be reproduced, distributed, or transmitted in any form or by any
means, including photocopying, recording, or other electronic or mechanical methods, without
the prior written permission of the publisher. For permission requests, contact [email protected]

OCEG, Principled Performance, Driving Principled Performance, Putting Principles Into Practice,
GRC360°, and LeanGRC are registered trademarks of OCEG.

Protector Skillset, Protector Mindset, Protector Code, Lines of Accountability, GRC Capability
Model, GRC Professional, GRCP, GRC Fundamentals, GRC Audit, GRCA, GRC Audit Fundamentals,
Data Privacy Fundamentals, Integrated Data Privacy Professional, IDPP, Policy Management
Fundamentals, Integrated Policy Management Professional, IPMP are trademarks of OCEG.

This publication is designed to provide accurate and authoritative information regarding GRC. It is
provided with the understanding that neither the author nor the publisher is engaged in rendering
legal, investment, accounting, or other professional services. While the publisher and author have
used their best efforts in preparing this book, they make no representations or warranties with
respect to the accuracy or completeness of the contents of this book and specifically disclaim any
implied warranties of merchantability or fitness for a particular purpose. No warranty may be
created or extended by sales representatives or written sales materials. The advice and strategies
contained herein may not be suitable for your situation. You should consult with a professional
when appropriate. Neither the publisher nor the author shall be liable for any loss of profit or other
commercial damages, including but not limited to special, incidental, consequential, personal, or
other damages.

Front cover image and illustrations by Sarah Hart & Scott Mitchell; other images and illustrations
by Scott Mitchell

3.5 revision 2023-05-01 prepared on May 1, 2023

ISBN: 979-8-9881268-0-5

OCEG
4144 N. 44th Street, Suite 6
Phoenix, AZ 85018
www.oceg.org

Foreword (May 2023)

20 years ago, the OCEG Community created GRC and Principled Performance®. These ideas were
formalized into a structured model called the GRC Capability Model (“Model”). This model is
periodically updated with the help of hundreds of members and experts in the GRC ecosystem. For
this update to version 3.5, the objectives were to:

● Simplify - Make The GRC Capability Model easier to understand, navigate and use.
● Clarify - Untangle and elaborate key concepts and definitions.
● Augment - Include new concepts, models, and practices that are commonly used.

We achieved these objectives by adding, editing, and removing content throughout The GRC
Capability Model and using new technologies to capture and publish this document.

This document is organized into several sections:

★ Introduction: Details about the drivers of Principled Performance and GRC.
★ Using this Guide: Conventions used in the document and tips for starting.
★ The GRC Capability Model
  ○ Part I - GRC Concepts: Pervasive ideas and models that underlie all aspects of GRC.
  ○ Part II - GRC Capabilities: Structured expression of high-performing GRC.
  ○ Part III - GRC Glossary: Alphabetic listing of consistent terms and definitions.
★ Tools & Techniques: Collected tools & techniques referenced in this document.

You may read this document in any way and in any order. I find it helpful to:

● Read the Introduction to understand the big picture and context.
● Read the GRC Concepts because it outlines pervasive ideas used throughout.
● Read the GRC Glossary because it helps to untangle and harmonize vocabulary.
● Read the GRC Capabilities because it provides structure for high-performing GRC.
● Read the other sections.

Warm Regards & Enjoy!

Scott Mitchell, Founder, OCEG

Table of Contents

Introduction 1
Executive Summary 1
The Problem: VUCA & Disconnection 2
The Solution: Principled Performance® & GRC 2
Protectors 9
Using this Document 17
Design Drivers 17
Anatomy of GRC Capabilities 20
Measuring GRC and Principled Performance 21
Applying the GRC Capability Model 24
Getting There 28
Part I - GRC Concepts 31
“Big Picture” Perspective 31
“Reliably” 35
“Achieve Objectives” 42
“Address Uncertainty” 55
“Act with Integrity” 62
Integrated Action & Control Model™ (IACM™) 68
Part II - GRC Outcomes & Capabilities 73
U - Universal Outcomes 74
L – LEARN 75
A – ALIGN 85
P – PERFORM 97
R – REVIEW 115
Part III - GRC Glossary 123
Acknowledgments 163
OCEG Team 163
OCEG Community 163
Appendix - Tools & Techniques 166

Introduction

Executive Summary
Over $1 trillion (USD) is destroyed every year because of unprincipled misconduct, mistakes, and
miscalculations. Organizations, individuals, and the public count on GRC Professionals to lead the
way and solve this trillion-dollar problem.

GRC Professionals are called “Protectors” because of the work that they do. They produce and
preserve value to achieve Principled Performance® – and to reliably achieve objectives, address
uncertainty, and act with integrity.

Protectors are skilled GRC Professionals who advise and work in departments such as the board,
strategy, risk, compliance, ethics, human resources, legal, security, quality, internal control, and
audit. What they have in common is a Protector Mindset™ and an interdisciplinary Protector
Skillset™.

But it can be difficult to be a Protector and address this massive trillion-dollar problem because of
volatility, uncertainty, complexity, and ambiguity (VUCA) – and the disconnection between
departments (silos), people, values, and skills.

Therefore, the OCEG community created Principled Performance and GRC over 20 years ago – to
help solve problems using an interdisciplinary approach. The continuously improving knowledge in
this document codifies this approach in GRC Concepts, GRC Capabilities, and the GRC Glossary.

The Problem: VUCA & Disconnection

More than ever before, organizations of all shapes and sizes operate in the context of volatile,
uncertain, complex, and ambiguous (VUCA) conditions. And, despite innovations designed to
connect, organizations experience substantial disconnection:

● Disconnected departments that operate in silos and at cross-purposes
● Disconnected people with strained relationships that cause conflict and loneliness
● Disconnected purpose and culture that cause misalignment with stakeholders
● Disconnected and myopic skillsets that see and solve problems from a single discipline

VUCA and disconnection are substantial “destabilizing forces” that make it challenging to produce
and preserve value. Protectors are the stabilizing forces to face this instability and to help
organizations gain, maintain, and sustain Principled Performance.

The Solution: Principled Performance® & GRC

The OCEG community created Principled Performance and GRC to overcome VUCA and
disconnection – and to provide Protectors a framework for stabilizing and connecting in the face of
so much instability and disconnection.

This connected and integrated approach is the essence of GRC – the pathway to Principled
Performance.

By adopting Principled Performance and GRC, an organization moves from disconnected
departments to integrated capabilities; from disconnected people to interconnected relationships
and coworkers; from disconnected purpose to intentional culture; and from disconnected and
myopic skills to an interdisciplinary approach.

The first peer-reviewed paper on the topic laid a foundation for this solution by providing clear
definitions and guidance for Principled Performance and GRC.

Principled Performance®
Principled Performance is a noble goal for every organization to “reliably achieve objectives,
address uncertainty, and act with integrity.” The major parts of the definition are:

● Reliably (thoughtfully, consistently, dependably, and transparently)
● Achieve objectives (achieve mission, vision, and balanced objectives)
● Address uncertainty (address opportunities and obstacles that balance risk and reward)
● Act with integrity (live out values and stay within mandatory and voluntary boundaries)

Principled Performance is NOT synonymous with “Good” or “Good Intentions.” An organization
must measure up to the Principled Performance definition to be a “principled performer.”

To elaborate on the other side, just because an organization pursues objectives that someone
might perceive as “Bad” or as “Bad Intentions” does not mean that the organization is NOT a
Principled Performer. If this organization reliably achieves objectives, addresses uncertainty, and
acts with integrity, then it qualifies as a Principled Performer.

What matters most is that the organization measures up to the key parts of the Principled
Performance definition to:

● reliably
● achieve objectives,
● address uncertainty, and
● act with integrity.

And to accomplish this, the organization must integrate and orchestrate several Critical
Disciplines and capabilities.

“Big Picture” Perspective

Taking a step back, consider the big picture of what it means to “do” business. Every business,
every organization, is designed to achieve objectives. As the organization drives toward
objectives, it faces uncertainty – there are opportunities and obstacles along the way. And the
organization must establish a business model to address obligations and stay within mandatory
and voluntary boundaries.

● Opportunities are generally associated with reward (performance), a measure of the
positive, favorable effect of uncertainty on objectives. Reward is addressed using
performance management systems and key performance indicators (KPIs).
● Obstacles are generally associated with risk, a measure of the negative, unfavorable effect
of uncertainty on objectives. Risk is addressed using risk management systems and key risk
indicators (KRIs).
● Obligations are generally associated with compliance, a measure of the degree to which
obligations and requirements are addressed. Compliance is addressed using compliance
management systems and key compliance indicators (KCIs).

An organization must do more than manage the aspects of performance, risk, and compliance. An
organization must also govern and provide assurance around performance (reward), risk, and
compliance. Thus a complete picture of this approach is the governance, management, and
assurance of performance, risk, and compliance.

● Management - directly guiding, controlling, and evaluating an entity by arranging and
operating resources.
● Governance - indirectly guiding, controlling, and evaluating an entity by constraining and
conscribing resources.
● Assurance - objectively and competently evaluating subject matter to provide justified
conclusions and confidence that statements and beliefs about the subject matter are
justified and true.

GRC & Critical Disciplines

GRC and the GRC Capability Model provide governance, management, and assurance of
performance (reward), risk, and compliance.

GRC is an initialism that denotes Governance, Risk, and Compliance, but the reality is much more.
GRC is the “integrated collection of capabilities that enable an organization to reliably achieve
objectives, address uncertainty, and act with integrity.”

Thus, GRC is the “pathway” to Principled Performance representing a broad portfolio of
departments and capabilities. GRC is sometimes misconstrued as “something the board does,” “a
piece of software,” “a compliance program,” or even “IT security” or some other topical area.

In fact, GRC is an integration and orchestration of capabilities. It is an umbrella over several Critical
Disciplines that share similarities but also have their distinct advantages.

● Governance & Oversight provides methods to guide, constrain and conscribe the
organization to achieve its purpose, mission, vision, and values.
● Strategy & Performance provides methods to guide, arrange and operate resources to
achieve objectives and monitor performance.
● Risk & Decision-Support provides methods to identify and address the effect of
uncertainty on objectives, including ways to support decisions under uncertainty.
● Compliance & Ethics provides methods to identify and address mandatory and voluntary
obligations and the underlying ethical principles and values.
● Security & Continuity provides methods to identify and address threats to critical physical
and digital assets and infrastructure.
● Audit & Assurance provides methods to enhance confidence that the organization is
reliably achieving objectives, addressing uncertainty, and acting with integrity.

By integrating these disciplines, the unique strengths of each can be used to support the others.
For example, the Compliance & Ethics discipline can add strength in dealing with policies and
procedures to the other disciplines. The Strategy & Performance discipline can add strength in
setting objectives, mapping strategies, etc.

GRC Capabilities
The GRC Capability Model codifies the continuously improving body of knowledge about how GRC
works in an organization. It comprises four (4) components and twenty (20) elements that help an
organization ask and answer key questions such as:

● LEARN - Who are we? Where are we? What might affect us? Who do we serve? How will they
judge us? What is our business model?

● ALIGN - Where are we going? How will we get there? How will we address the opportunities,
obstacles, and obligations along the way?

● PERFORM - How proactive are we? How do we detect problems and progress? How do we
respond to favorable and unfavorable events?

● REVIEW - Are we making progress? How confident are we? How can we improve?

High-performing GRC Professionals and Protectors use The GRC Capability Model in many
different jobs, roles, and departments and in organizations of all types, shapes, and sizes. The GRC
Capability Model provides a sound foundation and versatile toolkit for diverse problems in diverse
departments.

Protectors
Organizations, coworkers, and the public count on GRC Professionals to solve the $1 trillion
problem. GRC Professionals are called Protectors because of the work that they do in departments
across the organization. A high-performing Protector is a versatile professional who takes an
interdisciplinary approach to their job.

Whether they're implementing a compliance program, a risk management program, a security
program, or conducting an audit, using a GRC approach means they are leveraging the best
strengths and techniques from all of the Critical Disciplines.

Produce & Preserve Value

One misconception is that a Protector only "plays defense" while the rest of the organization
"plays offense" – and that "playing defense" and "playing offense" are mutually exclusive.

The truth is that every organization must play both offense and defense because both add
significant value. High-performing Protectors know how to DO both and BE both.

Protectors are typically not in functions that harness the forces of VUCA and instability (such as
sales, marketing, and product innovation). More typically, Protectors are in departments that
serve as a stabilizing force (such as the board, risk, compliance, finance, security, HR, IT,
internal controls, or audit).

Wherever they work, the organization and the public count on Protectors to be skilled at balancing
value production and value preservation – to be the ones who serve as stabilizing forces and help
the entire organization navigate VUCA and instability.

Using an analogy of a mountain climber – as climbers progress toward a summit, they "produce
value" toward that goal. Along the way, there are ups and downs. Things can go wrong, and
progress can be stopped or reversed. Things can go very wrong, and the climber may fall into deep
crevasses, permanently destroying value.

But high-performing Protectors lock in the progress and close gaps with tools and techniques to
"preserve value" along the way.

Preserving value not only reduces the “downs,” but it also helps to prevent fatal problems that
permanently destroy value. This helps organizations to reliably achieve objectives, address
uncertainty, and act with integrity – and achieve Principled Performance.

In the context of mountain climbing, this might include tools such as ropes and clamps. It might
mean techniques like tapping into the side of the mountain to secure safety gear.

In organizations, these tools include how Protectors use the Protector Mindset™ and Protector
Skillset™ to implement GRC and achieve Principled Performance. These tools are the
unmistakable “fingerprint” of a high-performing Protector:

● The Protector Mindset is the toolkit of ways that a high-performing Protector makes
decisions and appraises problems, solutions, and people. It is the way that they “think”
about their job.
● The Protector Skillset is the toolkit of versatile disciplines that a high-performing Protector
uses to solve problems, make progress, and lead. It is the way that they “do” their job.

The Protector Mindset™

The Protector Mindset™ consists of traits that together strengthen the way that a
high-performing Protector makes decisions and appraises problems, solutions, people, and reality.

The high-performing Protector is Collaborative, Accountable, Stable, Proactive, Visionary, and
Versatile. Importantly, a Protector strives for the Golden Mean between the overuse and underuse
of these traits.

Collaborative
Producing and preserving value requires relationships and teamwork with others, and a Protector
is collaborative. Protectors know that relationships are everything and that through teamwork,
more can be accomplished. Protectors avoid the underuse of collaboration, where they might be
isolated, antagonistic, and hoard information. Protectors avoid the overuse of collaboration,
where work becomes a social club, and nobody owns outcomes.

Stable
VUCA and Disconnection are fundamentally “destabilizing” forces, and a Protector brings stability
to the organization. Protectors strive to bring stability against the volatile, uncertain, complex, and
ambiguous (VUCA) realities. Protectors strive to be conscientious and careful. Protectors strive to
be calm and detached from turmoil. Protectors avoid the underuse of stability, where they might
be neurotic, chaotic, and “caught up” in drama. Protectors avoid the overuse of stability, where
they might appear not to care.

Accountable
Too many people blame others and pass the buck because “it’s not my job,” and a Protector brings
accountability. Protectors know that they can always be more accountable and take ownership of
more. Protectors avoid the underuse of accountability, where they might blame others, wait for
others, and say, "It's not my job!". Protectors avoid the overuse of accountability, where they might
step on toes, micromanage and potentially move beyond the scope.

Visionary
Dealing with obstacles and obligations can distract from the big picture, so a Protector brings
vision to the organization. Protectors know that being purposeful, optimistic, and focusing on the
long game is critical. Protectors avoid underuse where they might become myopic and pessimistic
(even cynical!), and focus on the short game. Protectors avoid overuse where they might become
too abstract, too naive, and without an end in sight.

Versatile
Wicked problems require an interdisciplinary approach, and a Protector Mindset brings a versatile
skillset to the solution. Protectors strive to integrate Critical Disciplines to approach their work
from multiple dimensions using the Protector Skillset. Protectors avoid the underuse of versatility,
where they might myopically have a "hammer, and everything looks like a nail." Protectors avoid
the overuse of versatility, where they might create overly complicated solutions that never get
implemented.

Proactive
The modern economy moves fast, and the Protector knows that being proactive helps win the day.
Protectors know that being proactive reduces the risk of being caught off guard, helps to correct
errors and be more courageous. Protectors avoid the underuse of proactivity, where they might
become “clueless,” paralyzed, or cowardly. Protectors avoid the overuse of proactivity, where they
might leap without looking or, too frequently, change without ever reaching a steady state.

The Protector Skillset™

GRC Professionals integrate the Critical Disciplines into their Protector Skillset™ to leverage the
strengths of each discipline to fill gaps and accelerate success.

Governance & Oversight

Governance & Oversight skills include ways to constrain and conscribe activities. These skills help
the organization to:

● Set direction (mission, vision, values)
● Identify and set boundaries
● Allocate authority and decision rights
● Authorize performance, risk, and compliance systems
● Shape a culture of integrity

Strategy & Performance

Strategy & Performance skills set objectives and results, and map strategies and tactics to
address opportunities, obstacles, and obligations. These skills help the organization to:

● Set direction (mission, vision, values)
● Set objectives and indicators
● Identify opportunities, obstacles, and obligations
● Align strategies and tactics
● Manage performance, risk, and compliance systems

Risk & Decision Support

Risk & Decision Support skills include ways to address uncertainty and make sound decisions.
These skills help the organization to:

● Plan for risks
● Identify risks
● Assess risks
● Address risks
● Measure and monitor risks
● Use decision science and support techniques

Compliance & Ethics

Compliance & Ethics skills include ways to address obligations and the risks associated with both
mandatory and voluntary boundaries. These skills help the organization to:

● Identify mandatory obligations
● Identify and formalize voluntary obligations
● Assess compliance and ethics risk
● Set policy and procedures
● Educate and communicate with the workforce
● Inspire and shape an ethical culture

Security & Continuity

Security & Continuity skills include ways to address significant risks and crises, especially those
areas of the organization prone to attack or existential consequences. These skills help the
organization to:

● Identify critical physical and digital assets
● Assess, address, measure, and monitor related risks
● Use scenario planning and simulation to practice response
● Identify technology recovery and business resumption strategies
● Perform crisis response when appropriate

Audit & Assurance

Audit & Assurance skills include ways to enhance the confidence of internal and external
stakeholders that the organization is designed and operating effectively to reliably achieve
objectives, address uncertainty, and act with integrity. These skills help the organization to:

● Prioritize assurance based on objectives, opportunities, obstacles and obligations
● Plan, perform, report, and monitor assurance assessments
● Use design and substantive testing techniques
● Communicate with stakeholders and management to enhance confidence

Using this Document

This document introduces the GRC Capability Model (the “Model”). The GRC Capability Model
helps organizations reliably achieve objectives, address uncertainty, and act with integrity to
produce and preserve value – to achieve Principled Performance. The GRC Capability Model
describes components and elements that comprise high-performing GRC that are measured for
Maturity and Total Performance.

The GRC Capability Model integrates several Critical Disciplines and presents concepts familiar to
professionals skilled in Governance & Oversight, Strategy & Performance, Risk & Decision Support,
Compliance & Ethics, Security & Continuity, and Audit & Assurance.

The GRC Capability Model aims to unify, harmonize and integrate these disciplines with an
internally consistent vocabulary, models, and “meta-process” that can be applied in various
departments and functions.

The GRC Capability Model aims to “guide” rather than dictate. GRC Professionals should use this
Model like a cookbook rather than a chemistry set. In other words, the specific context and
idiosyncrasies of each organization will necessitate adding more or less emphasis on components,
elements, practices, considerations, and so forth.

Design Drivers
Several fundamental realities and drivers influence the design of the GRC Capability Model.

People
People are at the center of the most vexing aspects of the trillion-dollar problem.

People are the ones who commit misconduct and make mistakes and miscalculations. Even when
technology is at “fault” for miscalculating, a person is behind the design and implementation of
the technology.

And people are messy. People have free will (or something that looks and feels a lot like it). People
are free to choose this or that or otherwise. People are free to make choices that may result in
positive or negative outcomes.

People rarely respond to top-down dictates and coercion (and if they do respond, they don’t
respond for very long). Addressing this “human element” requires bottom-up, inside-out
techniques.

Wicked Problems
The trillion-dollar problem of misconduct, miscalculations, and mistakes is a Wicked Problem.

A "wicked problem" is a term used in design, policy-making, and social sciences to describe a
complex, dynamic, and multifaceted problem that is difficult or even impossible to solve
completely. These problems are characterized by high levels of uncertainty, multiple and
conflicting goals, and many interrelated and changing factors. With wicked problems, it is difficult
to identify the boundaries of their impact, or recognize all the variables that are in play for a
particular problem. It can even be difficult to tell if a wicked problem has been solved until many
years later because it may address long-term opportunities, obstacles, and obligations.

Unlike "tame" problems that have clear solutions and can be addressed using a straightforward
and linear approach, wicked problems are often characterized by a lack of clear definition,
incomplete or contradictory information, and the need for ongoing adaptation and
experimentation.

Solving wicked problems often requires collaboration, creativity, and innovation across multiple
disciplines and stakeholders. Rather than seeking a definitive solution, the aim is to develop
adaptive and flexible approaches that can respond to changing circumstances and evolving
priorities.

Complex Adaptive System of Systems


Organizations, teams, and even individuals are Complex Adaptive Systems of Systems.

A "complex adaptive system of systems" (CASoS) is a type of system that is made up of many
interacting subsystems, each with its own behavior, rules, and feedback loops. A CASoS is
characterized by its complexity, adaptivity, and emergence, meaning that it is capable of
self-organization and can exhibit emergent behaviors that are not predictable from the behavior
of its individual components.

Understanding and managing CASoS requires a systems thinking approach, which considers the
behavior of the system as a whole rather than just its individual components. It also requires an
understanding of the interactions and feedback loops between different sub-systems, as well as
an ability to anticipate and respond to emergent behaviors.

A complex adaptive system of systems is more like a flock and less like a clock. It would be ideal if
all problems could be solved as easily as fixing a clock, where a solution can be immediately
verified by the clock's ability to tell time again. However, the reality is that problems in CASoS
cannot be solved in such a straightforward manner. The nature of such problems is dynamic and
multifaceted, and solutions are not always predictable or immediately verifiable.

Fractality
Organizations comprise multiple levels and units of self-similar patterns and structures.

Fractality refers to the property of self-similarity or the repetition of patterns at different scales in
a system or structure. In fractal geometry, a fractal is a mathematical set that exhibits
self-similarity and has a structure that is similar at every scale. Fractals are often found in nature,
such as in the branching patterns of trees, the veins of leaves, or the shapes of clouds.

In organizations, fractality is used to describe the self-similar patterns and structures of social
networks and interactions, as well as in the study of collective behavior and decision-making.

Fractality means that problems and solutions can replicate and scale to multiple levels of the
organization.

Anatomy of GRC Capabilities


The GRC Capability Model describes components and elements that comprise a high-performing
GRC Capability – any part of which is measured for Maturity and Total Performance.

Components
The GRC Capability Model consists of four Components: (L) LEARN, (A) ALIGN, (P) PERFORM, and
(R) REVIEW. Each Component includes its own:

● Descriptive summary,
● Considerations to be taken into account, and
● Elements that are required under each Component.

Elements
There are 20 elements in the GRC Capability Model distributed among the four components: (4)
Elements under the LEARN Component, (5) Elements under the ALIGN Component, (8) Elements
under the PERFORM Component, and (3) Elements under the REVIEW Component. Each Element
includes its own:

● Descriptive summary,
● Practices that describe critical activities,
● Considerations that impact decisions, design, and operation, and
● Tools & Techniques that may optionally be used.

Measuring GRC and Principled Performance

Maturity Model
A Maturity Model provides a theoretical continuum, often expressed in “levels,” along which
maturity can be developed incrementally from one level to the next. Maturity levels may be used to
assess how capable (prepared) the organization is to perform practices:

● Level 1 - Initial. Practices are improvised, ad hoc, and often chaotic.
● Level 2 - Managed. Practices are defined and managed, though sometimes informally.
● Level 3 - Consistent. Practices are formally documented and consistently managed.
● Level 4 - Measured. Practices are measured and managed with data-driven evidence.
● Level 5 - Optimizing. Practices are consistently improved over time.

In some maturity models, the highest Level 5 is called “Optimized.” However, GRC Professionals
recognize that an area is never “optimized” but rather in the process of “optimizing” over time.

GRC Professionals apply the concept of maturity at all levels of The GRC Capability Model as
needed. For example, the Education Element could be assessed for Maturity:

● Level 1 - Initial. Education practices are improvised and often chaotic.
● Level 2 - Managed. Education Practices are defined and managed, though sometimes
informally. This means the team knows how to define, develop and deliver education, but
nothing is documented. And, when workers are educated, records are not always created or
stored.
● Level 3 - Consistent. Education Practices are formally documented and consistently
managed. This means the team follows documented practices to define, develop and
deliver education. Learner records are created and maintained.
● Level 4 - Measured. Education Practices are measured and managed with data-driven
evidence. This means that the documented process generates enough data and indicators
to judge the effectiveness, efficiency, responsiveness, and resilience of Education.
● Level 5 - Optimizing. Education Practices are consistently improved over time. This means
that the indicators are not only captured and judged but that the team can demonstrate
continuous improvement.

Total Performance Model™


For each element, the GRC Capability Model describes Total Performance across four dimensions:
Effectiveness, Efficiency, Responsiveness, and Resilience. These dimensions should be
considered across all components, elements, and practices.

For example, the Education Element could be assessed for Total Performance:

● Effective (“Sound”). Is the design of the education program logical? Does it follow best
practices? Are all topical areas covered? Are the workers we intend to educate actually
getting educated? Are they retaining the knowledge/skills they need? Is the education
program impacting the intended business objectives?
● Efficient (“Lean”). What does it cost to educate the workforce? Is the cost per Worker
going up/down? How does this cost compare to organizations of similar size?
● Responsive (“Agile”). How long does it take to educate a department? How long does it
take from identifying an education need to reaching 100% coverage of the intended
audience? When an error is found in the education program, how long does it take to be
detected and corrected?
● Resilient (“Antifragile”). What will we do if the online education system fails? What kind of
slack do we have in education timelines in case of unplanned distractions? What kind of
backup staff do we have in case someone gets sick?

Applying the GRC Capability Model


The GRC Capability Model can be applied at any level within the organization.

● Organization (also Organization in Scope): The organizational unit in scope for applying
the GRC Capability Model. This may be the enterprise, a business unit, a department, or a
team.

Organizations may be large or small, simple or complex. The organization in scope may be an entire
legal entity (enterprise) or some smaller subordinate unit (business unit, department, team).
While not every organization in scope has a complex hierarchy of levels, units, or layers, virtually all
have some structure for reporting, accountability, and approval.

The GRC Capability Model uses these terms and concepts when referring to the Organization in
Scope and its related units, levels, and layers.

Organizational Units
Organizational Unit (also Unit): A specific subdivision of an organization that is formed for the
purpose of achieving particular objectives.

● Enterprise: The most superior unit that encompasses the entirety of the organization. The
term “enterprise” may be used even when the organization is a government agency, a
nonprofit organization, or a small organization.
● Business Unit: A business unit is subordinate to the enterprise and often responsible for
specific products, customers, or geography. The term “business unit” may be used even
when the organization is not a “business” (e.g., a government agency or a nonprofit
organization).
● Department: A department is subordinate to the enterprise and often cuts across multiple
business units providing shared services such as human resources, information
technology (IT), compliance, risk management, and other services.
● Team: A team is the smallest organizational unit. Teams may be part of a department or may
be cross-functional. Teams may be permanent or temporary.

Organizational Levels
Organizational Level (also Organizational Layer): A description of the accountability relationship
between units.

● Superior Level (also Superior Unit, Superior Layer, and Superior): refers to other
organizational units to which the organization in scope is accountable.
● Subordinate Level (also Subordinate Unit, Subordinate Layer, and Subordinate): refers to
other organizational units accountable to the organization in scope.
● Peer Level (also Peer Unit, Peer Layer, and Peer): refers to organizational units that are
lateral to the organization and often report to or are accountable to the same superior unit.

Special Units and People


The GRC Capability Model refers to specialized units and people that have specific
responsibilities.

● Governing Authority (also Board): Refers to the most superior level of accountability and
authority. The governing authority is often responsible for balancing the competing needs
of stakeholders so that it can guide, constrain, and conscribe the organization to reliably
achieve objectives, address uncertainty, and act with integrity to meet these needs. The
governing authority is often a board of directors if the organization is an enterprise. (The
governing authority may be an oversight committee if the organization is a business unit or
department.)

● Workforce (also Personnel): Refers to the collection of individuals the organization
employs including:
○ Executives (also Executive Team or Executive Management or Executive
Management Team) Senior-most managers with broad responsibilities over the
entire organization or some significant part of the organization (e.g., all technology,
all sales and marketing, all administration, all finance).
○ Managers (also Management or Management Team) refer to personnel who
manage others. Qualifiers such as “senior managers” refer to managers with more
responsibility in scale or scope, while “junior managers” have less responsibility.
○ Staff (also Team Members) refer to more junior-level personnel who typically do not
manage others.
○ Leaders (also Leadership) are individuals at any level of the organization who have
the de facto attention and respect of the workforce regardless of their title or
position.

● Third Party (or member of the Extended Enterprise): Refers to a partner that conducts
substantial actions & controls on behalf of the organization. Organizations often
“outsource” actions & controls to third parties to benefit from their competence while
focusing the organization's efforts on its core competencies. Even when an organization
outsources actions & controls, it is crucial to recognize that the organization often retains
legal or reputational responsibility for any problems in the extended enterprise.

Processes & Resources


The GRC Capability Model details the capabilities that arrange processes and resources to
achieve Principled Performance. These terms are used:

● Integrated Plan details processes and resources allocated to reliably achieve objectives,
address uncertainty, and act with integrity.
● Process (also Ways) is a series of actions or steps to achieve an objective.
● Resources (also Means) include people, technology, facilities, information, financial
capital, and other assets used to achieve objectives.
○ Human Capital - Individual capabilities and relationships.
○ Technology Capital - Hardware, software, and technology.
○ Physical Capital - Manufactured goods and facilities.
○ Information Capital - Data, communications, and intelligence.
○ Financial Capital - Liquidity, budgets, and other economic resources.

Getting There
An organization must implement and operate a collection of integrated capabilities (elements)
that drive cooperation, coordination, and collaboration. Some organizations achieve this by
keeping existing capabilities and improving integration. Other organizations may choose to
develop all or many new capabilities.

In every case, the organization must commit to the concept of Principled Performance and the
allocation of resources necessary to support integrated GRC.

Key Steps
1. Commit. Obtain commitment to Principled Performance and GRC.
2. Plan. Use the GRC Capability Model to guide the design of your capabilities.
3. Do. Assign accountability and implement the GRC Capability.
4. Check. Evaluate the execution of the GRC Capability.
5. Act. Use the results of the evaluation to fine-tune and improve the GRC Capability.

Starting Points
Getting somewhere requires both a destination and a starting point. For GRC Professionals and
the GRC Capability Model, the destination is the same – namely, Principled Performance.

But to navigate, the starting point tends to be different depending on the organizational type,
scale, scope, purpose, and current challenges. Moreover, even starting points may change over
time. It is possible to start with a Blank Canvas and then encounter a problem that can redirect you
to a Crisis starting point. Some of the starting points appear as an organization grows and
matures.

Thus, while every organization is unique and requires a unique starting point, most organizations
fall into one of these categories:

● SP0. Blank Canvas Starting Point
● SP1. Topical Starting Point
● SP2. Discipline Starting Point
● SP3. Element Starting Point
● SP4. Crisis Starting Point

SP0. Blank Canvas Starting Point


A blank canvas starting point is atypical because most organizations already have one or more
elements of the GRC Capability Model. However, some organizations work “as if” there is a blank
canvas so that the organization can take a step back to formalize and integrate its approach.

SP1. Topical Starting Point


A topical starting point is a project to address a category of opportunities, obstacles, or
obligations. For example, you may be assigned to

● Implement an information security system,
● Implement internal control over financial reporting, or
● Implement an anti-corruption program.

SP2. Discipline Starting Point


A discipline starting point is a project to address one or more of the background disciplines to
establish a framework or program for the organization:

● Governance & Oversight Framework
● Strategy & Performance Framework
● Risk Management Framework
● Decision-Making Framework
● Compliance & Ethics Framework
● Security Framework
● Business Continuity Framework
● Audit & Assurance Framework

SP3. Element Starting Point


An element starting point is a project to address an element in the GRC Capability, such as:

● Implement a training system,
● Implement a policy management system,
● Implement a risk analysis process, or
● Implement an insurance program.

SP4. Crisis Starting Point


A crisis starting point is a project to address a situation that caused significant harm to the
organization, such as

● Address a major financial scandal,
● Address a major workplace scandal,
● Address major breaches in security,
● Address a major sanction, or
● Address a major human rights scandal.

Regardless of the starting point, the GRC Capability Model will help an organization ensure that an
integrated system of components and elements work together to reliably achieve objectives,
address uncertainty, and act with integrity – to achieve Principled Performance.

Part I - GRC Concepts


GRC is a pathway to Principled Performance – a noble goal for every organization to “reliably
achieve objectives, address uncertainty, and act with integrity.” This definition can be broken
down into its major parts.

● Reliably (consistently, dependably, and transparently)
● Achieve objectives (mission, vision, values, and balanced objectives)
● Address uncertainty (address opportunities and obstacles that balance risk and reward)
● Act with integrity (stay within boundaries to address voluntary and mandatory obligations)

These parts are used to explain the Key GRC Concepts. But before stepping into the parts,
consider the big picture of what it means to “do” business.

“Big Picture” Perspective


Every business, every organization, is designed to achieve objectives. As an organization drives
toward objectives, it faces uncertain opportunities, uncertain obstacles, and mandatory and
voluntary obligations.

● Objective – a measurable outcome to achieve.
● Opportunity – an uncertain event that may, on balance, positively affect objectives.
● Obstacle – an uncertain event that may, on balance, negatively affect objectives.
● Obligation (also Boundary) – a requirement that an organization must or should address.

Managing Opportunities, Obstacles & Obligations


Addressing opportunities, obstacles, and obligations requires focus. By understanding each, a
balanced approach can be used to manage these perspectives.

Opportunities
Opportunities are generally associated with Reward, a measure of the positive, favorable effect of
uncertainty on objectives. Reward is often managed using Performance Management systems and
Key Performance Indicators (KPIs).

● Reward (also Performance) - A measure of the positive, favorable effect of uncertainty on
objectives.
● Performance Management - The act of managing processes and resources to pursue
reward while addressing risk.
● Key Performance Indicator (KPI) - Indicators designed to help govern, manage, and
provide assurance about performance.

Obstacles
Obstacles are generally associated with Risk, a measure of the negative, unfavorable effect of
uncertainty on objectives. Risk is often managed using Risk Management systems and Key Risk
Indicators (KRIs).

● Risk - A measure of the negative, unfavorable effect of uncertainty on objectives.
● Risk Management - The act of managing processes and resources to address risk while
pursuing reward.
● Key Risk Indicator (KRI) - Indicators designed to help govern, manage, and provide
assurance about risk.

Obligations
Obligations are generally associated with Compliance, a measure of the degree to which
obligations and requirements are addressed. Compliance is often managed using Compliance
Management systems and Key Compliance Indicators (KCIs).

● Compliance - a measure of the degree to which obligations are proven to be addressed.
● Compliance Management - the act of managing processes and resources to achieve the
desired level of compliance.
● Key Compliance Indicator (KCI) - Indicators designed to help govern, manage, and provide
assurance about compliance.

USAGE NOTE: Performance Management and KPIs are typically used to address opportunities and
reward. That said, KPIs may also be used more generally to address opportunities, obstacles, and
obligations. In other words, Performance Management and the label “KPI” are sometimes used more
generally for “all types of performance” and “all types of indicators.”

This is consistent with the GRC notion of Total Performance and Principled Performance. Thus,
one might imagine using Key Total Performance Indicators (KTPIs) or Key Principled Performance
Indicators (KPPIs) to encompass ALL types of indicators, including “classic” performance
indicators and performance management systems.

Regardless of which approach is used to label indicators and management systems, it can be
helpful to understand these three perspectives of opportunities, obstacles, and obligations.

Governance, Management & Assurance


Beyond managing these perspectives, an organization must also govern and provide assurance
around performance (reward), risk, and compliance. Thus a complete picture of this approach is
the governance, management, and assurance of performance, risk, and compliance.

GRC and the GRC Capability Model guide the governance, management, and assurance of
performance (reward), risk, and compliance to reliably achieve objectives, address uncertainty,
and act with integrity.

Decisions & Error Correction


The GRC Capability Model is fundamentally about making better decisions. In several areas,
decision-making criteria are used so that decisions are more consistent and aligned with the
organization’s purpose.

● Decision-Making Criteria - the principles, values, rules, variables, conditions, targets,
tolerances, and other thresholds used to select an option or make a decision.
● Direction-Setting Criteria - criteria used to set the direction for the organization and its
objectives based on external/internal context, culture, and stakeholder needs.
● Objective-Setting Criteria - criteria used to set objectives and key results in accordance
with the organization’s direction.
● Identification Criteria - criteria used to identify opportunities, obstacles, and obligations
that stand in front of the organization and its objectives.
● Analysis Criteria - criteria used to analyze, quantify and select ways to address risk,
reward, and compliance.
● Design Criteria - criteria used to select actions & controls that address risk, reward, and
compliance.

“Reliably”
Principled Performance® requires an organization to reliably achieve objectives, address
uncertainty, and act with integrity.

Reliability applies to all other parts of the Principled Performance definition and means to:

● Reliably achieve objectives
● Reliably address uncertainty
● Reliably act with integrity

Reliability is all about being consistent, dependable, and transparent. And to be all these things,
GRC integrates the governance, management, and assurance of performance, risk, and
compliance.

Management & Governance Provide Reliability


Management and governance are economic functions that support each other. The difference
between the two is the relationship between the person doing the management/governance and
the thing being managed/governed.

● Management is the act of directly guiding, controlling, and evaluating an entity, process, or
resource by arranging and operating resources.
● Governance is the act of indirectly guiding, controlling, and evaluating an entity, process,
or resource by constraining and conscribing resources.

Management has direct contact with the thing being managed. Thus, managing something
involves direct actions & controls that arrange and operate resources. For example, a CIO has
direct contact with and control over the IT department. The CIO “manages” the IT department by
establishing policies and arranging resources to achieve departmental (and enterprise)
objectives.

Governance has an indirect influence over the thing being managed. Thus, governing something
involves indirect actions & controls that constrain and conscribe resources. For example, the
Board has indirect influence and control over the IT department. The Board may “govern” IT
resources by establishing policies and limits constraining what the CIO may do.

Sometimes, these economic functions overlap; and sometimes, it is unclear if an action or control
primarily serves a governance or management purpose. In fact, some actions & controls serve
both. Despite this ambiguity and potential overlap, it is helpful to distinguish between these two
economic functions so that both governance and management needs are addressed.

Assurance Provides Reliability


Those managing and governing the organization need to have confidence that what they BELIEVE
is happening, actually IS happening, and that it is working. Assurance provides this confidence to
management, the governing authority, and other stakeholders.

● Assurance - the act of objectively and competently evaluating subject matter to provide
justified conclusions and confidence that statements and beliefs about the subject matter
are true.
● Evaluate - the act of judging subject matter by comparing evidence against suitable
criteria.
● Subject Matter - identifiable statements, conditions, events, or activities for which there is
evidence.
● Suitable Criteria - benchmarks used to evaluate subject matter that yield consistent and
meaningful results.
● Information Consumer (also Information User) - an individual, group, or any entity that
receives information sent from any source within the organization. Information is utilized as
evidence to evaluate and compare against given criteria to provide a certain level of
assurance.
● Information Producer - an individual, group, or any entity that produces data/information
to send to another individual, group, or entity that requests such information for the
purpose of providing assurance.

Assurance is never absolute. It is common for GRC Professionals to specify a desired “level of
assurance” about some subject matter. The Level of Assurance about something is a function of
the Assurance Objectivity and Assurance Competence of the Assurance Provider.

● Assurance Provider - someone who conducts assurance activities.
● Objectivity - the degree to which an Assurance Provider can be impartial, disinterested,
independent, and free to conduct necessary activities and to form an opinion about the
subject matter.
● Competence - the degree to which an Assurance Provider can use sophisticated,
professional, and structured techniques to evaluate the subject matter.

A greater degree of Assurance Objectivity and a greater degree of Assurance Competence
generally result in a higher Level of Assurance.

● Level of Assurance - a measure of the degree of confidence that an assurance provider can
deliver to an information consumer about statements an information producer makes about
the subject matter.

Not everything requires a high level of assurance. For example, a manager in the sales department
may want “some” assurance that the way they conduct sales calls is sound. For this lower level of
assurance, they might call five colleagues in other companies and ask about their process, and
then use that information with the sales team to identify gaps.

The VP of sales, on the other hand, might want a “higher” level of assurance that all sales teams
are using best practices to conduct sales calls. This might entail hiring an outside expert, using a
vetted sales call maturity model, to conduct design and operational testing of controls used in the
sales process.

● Absolute Assurance - a level of assurance that is impossible to achieve.
● Reasonable Assurance - a special type of assurance, provided by external auditors as part
of a financial audit or examination, that subject matter conforms to suitable criteria and is
free from material error.
● Limited Assurance - a level of assurance resulting from reviews, compilations, and other
activities performed by competent personnel who are sufficiently objective about the
subject matter.
● Lower Assurance - a more limited level of assurance resulting from activities such as
self-assessments and benchmarking performed by the personnel responsible for the
subject matter.

The terms "independent" or "independence" are occasionally used in reference to assurance to
emphasize the importance of the structural or reporting relationship between the assurance
provider, the information producer, and the information consumer. The notion is that the
assurance provider should have a structurally independent status to enhance objectivity. This
means that, to reduce conflict, the assurance provider either must not report to the information
producer or must have a “dual reporting” relationship to an organizational unit outside of the
information producer.

However, independence alone does not guarantee objectivity; it is simply a means to achieve it.
Therefore, a GRC Professional must recognize that independence is a tool for achieving objectivity.
Independence is not synonymous with objectivity, and it may not be recommended for a given target
level of assurance.

For example, when a high level of assurance is desired (e.g., evaluating internal control over
financial reporting), it may be beneficial for the assurance provider to be fully independent of the
information producer. When a lower level of assurance is desired (e.g., benchmarking one’s own
work), independence may not be required or recommended.

Hence, it is important to note that independence should not be confused with objectivity. While
they are related concepts, independence alone does not guarantee objectivity and is not always
recommended.

Lines of Accountability™ (LoA™) Provide Reliability

The Lines of Accountability Model™ helps organizations identify structures and processes that
facilitate the governance, management, and assurance of performance, risk, and compliance by
focusing on the contribution each “line” makes to producing value and preserving value.

● First Line - Individuals and Teams that own and manage performance, risk, and compliance
associated with day-to-day operational activities.

● Second Line - Individuals and Teams that establish performance, risk, and compliance
programs for the First Line. The Second Line may include an organizational service center or
staff within risk, compliance, HR, internal audit, and technology departments. The Second
Line provides oversight through frameworks, standards, policies, tools, and techniques to
support the First Line. The Second Line often manages its own portfolio of objectives and
associated performance, risk, and compliance. The Second Line may provide limited
assurance over First Line activities, depending on the objectivity and competence related
to the subject matter.

● Third Line - Individuals and Teams that provide a high level of assurance on activities
performed by the First Line and Second Line. The Third Line may include internal audit,
external audit, or outside experts who are sufficiently objective and competent. The level
of assurance possible depends on the objectivity and competence related to the subject
matter.

● Fourth Line - The Executive Team is accountable and responsible for the organization-wide
performance, risk, and compliance. The Fourth Line gains information from the First Line
and the Second Line and assurance from the Third Line to make decisions about managing
performance, risk, and compliance.

● Fifth Line - The Governing Authority (Board) is ultimately accountable and responsible for
the governance, management, and assurance of performance, risk, and compliance. While
the governing authority may choose to delegate, this plenary accountability means that
the governing authority must use due care to ensure that the right systems are in place to
learn about and address important issues – especially those that present “red flags.”

The lines of accountability are not static and should be used according to the unique needs of an
organization.

For example, the Third Line isn’t the only line of accountability that can provide assurance.

Assurance on First Line activities may be provided by the Second Line so long as the activities
under examination were not designed or performed by the Second Line. This depends on the
degree of Assurance Objectivity and Assurance Competence the Second Line personnel have
relative to the subject matter and the desired Level of Assurance.

Likewise, the First Line may conduct assurance activities over a third party (vendor) it engages to
perform day-to-day operational activities.

Also, recall that many concepts in the GRC Capability Model are fractal. While the Lines of
Accountability Model is presented using five lines, the reality is that organizations comprise
unique and idiosyncratic arrangements of people, processes, information, and technology.

A sole proprietor may “physically” have just one “line” in their organization – namely, themselves.
Despite this arrangement, the Lines of Accountability Model may be applied by thoughtfully
segregating activities in time and space by just one person.

For example, the sole proprietor may perform daily bookkeeping with an aim toward efficiency and
accuracy (first line). Then, once a month, and though not completely objective, this same person
may perform “desk checking” and review of their own work (second line). Quarterly, they may
conduct some strategic planning and review (fourth line). A meticulous sole proprietor may even
take a weekend at the end of the year to trace transactions to perform assurance activities (third
line) before preparing materials for an external auditor. And being a board member (fifth line), this
same person may perform some “ultimate accountability” activities by filing the annual report to
keep the organization in good standing with the tax authority.

Contrast this with a global enterprise with many business units and dozens of lines of
accountability with varying degrees of scope and scale. Each business unit may have multiple lines
of accountability, providing varying degrees of service to other departments and business units.

Hence, every organization will have a unique arrangement of the Lines of Accountability based on
the size, scope, and preferences of the board and executive management. What is critical is that
the arrangement helps the organization be reliable.

“Achieve Objectives”
Principled Performance® requires an organization to reliably achieve objectives, address
uncertainty, and act with integrity.

Everything in GRC flows from objectives – and objectives flow from the expectations of
stakeholders.

Objectives should be clearly defined at multiple levels and timescales, linked with one another,
and cascaded throughout the organization. Objectives must be intentional. Accidental
achievement does not count toward Principled Performance.

Objectives work with Indicators to be specific, measurable, achievable (yet aspirational), relevant,
and timebound (SMART Criteria).

Stakeholder Needs & Wants

There are several categories of stakeholders which have various needs and wants that drive
stakeholder expectations. These expectations inform the mission, vision, and objectives of the
organization.

● Stakeholder - a self-legitimizing person, group, or other entity with a direct or indirect
stake in the organization's actions because of actual or perceived impact.
● External stakeholders - stakeholders with an external influence on the organization:
○ Customers (the most important external stakeholder),
○ Shareholders (fractional owners who are not involved in the organization),
○ Creditors and lenders,
○ Suppliers,
○ Underwriters,
○ Government,
○ Non-governmental organizations,
○ Media, and
○ Society.
● Internal stakeholders - stakeholders with an internal influence from within the
organization:
○ Personnel (and unions that represent the workforce),
○ Managers,
○ Executives,
○ Board members, and
○ Owners (owners who are involved in the organization).

● Customer - A special type of external stakeholder. Every organization exists to serve a
customer, and it is the customer who judges value. For commercial enterprises, a customer
is an individual or entity that purchases products or services. For departments or teams,
the customer may include a superior, subordinate, or peer organizational unit. For
governmental entities, the customer is a constituent or regulated entity. In any case, the
customer judges whether the organization is producing, protecting, or destroying value.

An organization must balance the expectations of these diverse stakeholders – especially when
stakeholder expectations are in conflict.

● Stakeholder Expectation - a general term that refers to what a stakeholder requests,
wants, needs, or expects from the organization.

Objectives & Objective-Setting

An organization sets objectives to address stakeholder needs and wants.

In the most general sense, an objective is simply something to achieve. And this “something” may
be at any timescale, may apply to any level of the organization, or may apply to a topic or theme.

● Objective - a measurable outcome to achieve (“something to achieve”)
● Indicator - a measure of progress toward or status of an objective

Objectives should be memorable, qualitative descriptions of what the organization wants to
achieve. Objectives should be short, inspirational, and engaging. Indicators measure progress
toward or status of an objective.

Sometimes, modifiers indicate a specific department or topic for the objective, such as
Compliance Objective or Reporting Objective. Sometimes, modifiers indicate a specific timescale
for the objective, such as Annual, Quarterly, Monthly, or Daily objectives.

Sometimes, modifiers are added to an objective to indicate superior or subordinate importance,
such as Strategic Objective versus Tactical Objective or Operational Objective.

Note that one organizational unit’s “strategic objective” may be another unit’s “tactical objective.”
For example, a compliance department might have a strategic objective called “Improve
Compliance Program Coverage” to make sure that all relevant compliance areas have been
addressed. While a compliance program and its coverage are incredibly important for the
enterprise, this objective might be just one of many tactics the organization uses to meet an
Enterprise Objective called “Enhance Integrity.”

Sometimes, modifiers indicate a specific level of the organization:

● Enterprise Objective
● Department Objective
● Team Objective
● Individual Objective

Often, though not always, objectives at superior levels of the organization are associated with a
longer timescale. Thus, Enterprise Objectives are often Enterprise Long-Term Strategic
Objectives, and Department Objectives are often Department Near-Term Tactical Objectives.

The use of modifiers doesn’t change the fundamental nature of an objective – namely, “something
to achieve.”

Writing Objectives
Well-written objectives comprise a specific verb and a noun (object of the verb). Using simple and
direct language facilitates understanding and alignment.

Often, objectives are written to inspire progress using verbs such as “increase,” “decrease,”
“improve,” or “enhance.” Achieving these objectives will “Change the Organization (CTO)” in some
way – and produce new value.

● Increase Revenue
● Grow Customer Base
● Increase Recurring Revenue
● Increase Scale of System Performance
● Increase Efficiency of XYZ
● Increase Effectiveness of XYZ
● Increase Responsiveness of XYZ
● Increase Resilience of XYZ

Sometimes, objectives are written to “maintain” or “Run the Organization (RTO).” RTOs allow an
organization to maintain what it has achieved – and preserve existing value.

Though seemingly boring or less inspirational, understand that RTOs are critical to managing the
organization and keeping the trust of stakeholders (especially customers). Think of RTOs as the
objectives related to service-level agreements or promises to stakeholders.

● Maintain High Customer Satisfaction
● Manage Debt Covenant Requirements
● Maintain Sales Lead Volume
● Maintain Conversion Rate

RTOs are often the source of future “Change the Organization” objectives. For example, a
customer service department may begin with a Run the Organization objective of “Maintain
High Customer Satisfaction” and use Net Promoter Score as an indicator. If the indicator falls
outside the target, appetite, tolerance, or capacity, then “Change the Organization” objectives
may be defined in a subsequent period to resolve issues and elevate performance, such as:

● Improve Customer Satisfaction
● Improve Customer Loyalty
● Reduce Customer Support Hold Time

Change the Organization and Run the Organization objectives work together to align the
workforce with the Mission, Vision, Values, and Strategic Goals that:

● Produce New Value
● Preserve Existing Value
● Increase Accountability & Transparency

Ownership
Each objective must have a clear accountability structure. A single, ultimate owner should be
assigned to each objective, and provided with the necessary resources and authority to ensure its
successful achievement.

Allocating ownership to multiple people may result in ambiguity and should be avoided.

For example, the Maintain Customer Satisfaction objective could appear both in the customer
service department and in the Executive Team. However, regardless of where that objective
appears, a single, ultimate owner should be assigned to the success and status of the objective.
In this instance, the Executive Team may monitor the indicators associated with “Maintain
Customer Satisfaction,” but the customer service department would likely have ownership of,
and the resources to meet, the objective.

Mission & Vision

Mission & Vision are special objectives that apply to all levels of the organization, and represent
the longest-term view of what the organization strives to achieve. Mission & Vision are part of the
organization’s overall Direction and purpose.

● Mission: An objective that states who the organization serves, what it does, and what it
hopes to achieve today and in the long term. The mission statement is often used to guide
decision-making and priority-setting within the organization, and serves as a clear and
consistent statement of its overall purpose and direction.
● Vision: An aspirational objective that states what the organization aspires to be and why it
matters. The vision is often used to inspire and motivate employees, stakeholders, and
customers and serves as a guidepost for long-term strategic planning.

Strategic Goals
Strategic Goals are long-term objectives that reflect the strategic themes and priorities of the
organization. Strategic Goals are part of the organization’s overall Direction and are used by
executive management and the board to guide the overall enterprise.

Strategic Goals should balance different perspectives or areas of focus. One popular framework,
the Balanced Scorecard, typically includes four perspectives: financial, customer, internal
processes, and learning and growth.

Regardless of which framework or model is used, it is important to balance short-term and
long-term timescales, financial and non-financial goals, and goals related to stakeholders,
customers, internal processes, and learning and growth.

Alignment
It is important for objectives to align throughout the organization. Superior-level objectives
should “cascade” to subordinate units to ensure that subordinate units contribute to the most
important objectives and priorities of the organization. Changes in superior-level objectives
should trigger changes in subordinate-level objectives.

That said, this is bi-directional.

Daily progress and feedback gathered on subordinate-level objectives bubbles up and updates
superior-level objectives. For example, progress that is slower or quicker at a subordinate level
might indicate that the superior-level objective is in jeopardy or not being achieved or that the
objective is in error.

Mapping
Besides cascading down and bubbling up objectives, it is helpful to map objectives to one another.
Mapping shows how (or at least if) objectives impact one another. This means mapping not only
UP to superior units and DOWN to subordinate units but also ACROSS the organization to peer
units and DIAGONALLY to superior and subordinate units in other areas of the organization.

Sophisticated mapping quantifies how objectives influence one another. For example, an
enterprise objective may cascade to objectives in separate subordinate units (Unit A and Unit B).
The mapping may conclude that Unit A influences the enterprise objective by 75% and Unit B by
25%. Understanding this relative influence helps to allocate resources to achieve enterprise
objectives.

Visibility
Superior units do not need visibility over all of the objectives of subordinate units and vice versa.
Sometimes, objectives can and should be localized to a single organizational unit.

For example, a strategic goal (enterprise objective) E1 may map to several other Enterprise
objectives E2, E3, and E4. Suppose that E2 cascades to Department A’s objective DA1. Within the
department, DA1 is mapped to DA2, DA3, and DA4. In this way, the Executive Team at the Enterprise
Level has visibility into department objective DA1 but doesn’t necessarily need to (or want to) have
visibility into the other department objectives.

Further, suppose that E4 cascades to Department A and Department B, linking to DA4 and DB1. In
this instance, DA4 and DB1 are visible at the enterprise level. And, because these departments
contribute to the same superior-level objective, their activities are coordinated to deliver value to
the organization.

In this situation, the enterprise level would only have visibility into DA1, DA4, and DB1. The other
subordinate-level objectives are things that do not directly map to the enterprise level.

Indicators
Indicators measure progress toward or status of objectives. Indicators must be linked to at least
one and potentially multiple objectives.

● Indicator - a measure of progress toward or status of an objective.
● Leading Indicator - an indicator that provides information about future events or
conditions.
● Lagging Indicator - an indicator that provides information about past events or
conditions.

Writing Indicators
A well-written indicator includes:

● Title - Descriptive name for the indicator
● Metric - Quantitative measure or standard
● Current Value
● Target Value for this period
● Starting Value at the beginning of this period

Using a Customer Satisfaction example, objectives and indicators might be elaborated as:

● OBJECTIVE: Enhance Customer Satisfaction
○ Title: Customer Satisfaction Rating (NPS)
■ Metric: Net Promoter Score (NPS)
■ Current Value: 82
■ Target Value (this month): 85
■ Starting Value (this month): 79

Types of Indicators
Indicators measure several aspects of progress or status associated with an objective:

● Key Performance Indicator (KPI) - Indicators that help govern, manage, and provide
assurance about performance related to an objective.
● Key Risk Indicator (KRI) - Indicators that help govern, manage, and provide assurance
about risk related to an objective.
● Key Compliance Indicator (KCI) - Indicators that help govern, manage, and provide
assurance about compliance related to an objective.

Not every objective needs performance, risk, and compliance indicators. Some objectives and
areas of the organization may only require KPIs.

For example, an organization that has a strategic goal to “Create Loyal Customers” will formulate
objectives and indicators such as:

● STRATEGIC GOAL: Create Loyal Customers
○ OBJECTIVE: Enhance Customer Satisfaction
■ KPI: Net Promoter Score (NPS) provides a lagging indicator of customer
satisfaction and loyalty.
■ KRI: Number of Customer Complaints provides a leading indicator that might
result in a reduction of NPS or other problems, especially if this value is high
or increasing.
○ OBJECTIVE: Increase Long-Term Contracts
■ KPI: Customers on Long-Term Contracts provides a lagging indicator of how
many customers are on the new long-term contracts.
■ KCI: % Customers on Long-Term Contracts Consent is a lagging indicator that
tracks whether or not the customer consented to enter into a new long-term
contract.
○ OBJECTIVE: Meet & Maintain Service Levels
■ KCI: Website Uptime Score
■ KCI: Website Speed Score

In this last part of the example, note that Website Uptime and Website Speed Score are classified
as Key Compliance Indicators because, in this instance, the objective is to Meet & Maintain Service
Levels. The Indicators are NOT being used for improving performance or to Change the
Organization (CTO). Rather, they are being used to Run the Organization (RTO) and to meet the
service level agreements.

But remember, well-written Indicators also include target and timescale. Some objectives and
indicators require additional sophistication and use ranges for appetite, tolerance, and capacity.

Targets, Appetite, Tolerance & Capacity

All indicators should detail a target value and timescale within which the target is expected to be
met. Sometimes, it is helpful to define the acceptable upper and lower range of appetite,
tolerance, and capacity related to the target.

● Target - An expected or planned value for an indicator.
● Timescale - The expected or planned time frame to meet a target.
● Appetite - A range that defines a preferred level of variation around a target.
● Tolerance - A range that defines an acceptable, though not preferred, level of variation
around a target the organization is willing and able to address.
● Capacity - A range that defines the absolute level of variation around a target that the
organization is unwilling and unable to address, and that may result in jeopardy or ruin.

Appetite is a narrow range of variation around the target that defines limits to what the
organization prefers as it drives toward objectives. Tolerance is a wider range around the target
that defines limits to what the organization is willing and able to address. Capacity is the most
extreme range, defining limits beyond which the organization is unable to respond, and which may
result in jeopardy or ruin.

Values within the appetite typically don’t trigger a response from the organization. They represent
“business as usual.” Values beyond the appetite but within the tolerance typically trigger planned
responses to bring the organization back within the appetite. Values beyond the tolerance often
trigger significant responses either to bring the organization back within tolerance (ideally back
within appetite) or to cease operations. The most important purpose of this response is to avoid
reaching the limits of capacity – and to avoid jeopardy or ruin.

One-Sided Indicators
Not all indicators require this sophistication. And some indicators are practically “one-sided,”
having only an upper limit or only a lower limit for appetite, tolerance, and capacity.

For example, there is typically no upper limit for Customer Satisfaction. The higher, the better. So,
in this case, there might only be lower limits set for appetite, tolerance, and capacity. That said,
having 100% of customers rating 100% customer satisfaction should raise suspicions – so even
this example suggests that certain limits may help identify potential problems.

Take the indicator of Customer Complaints. For this, there is no real lower limit. Ideally, this number
will be as low as possible, so upper limits may be the only ones defined. And a total lack of
customer complaints may indicate problems with the people, process, or technology designed to
identify and address customer complaints.

When an indicator is “one-sided,” consider thinking about targets and limits as:

● Committed Value: a value that is likely to be achieved given current assumptions and
planned execution. When used, this is synonymous with Target.
● Best Possible Value: a value that is likely to be achieved under the best possible
assumptions and best possible execution.
● Stretch Value: a value that is unlikely to be achieved but still possible.

In the example of Customer Service:

● OBJECTIVE: Enhance Customer Satisfaction
○ INDICATOR: Customer Satisfaction Rating (NPS), Monthly
■ COMMITTED TARGET (this month): 80
■ TARGET RANGE: 78 - 82
■ BEST POSSIBLE: 85
■ STRETCH VALUE: 90
■ TOLERANCE: <78 thru 60 triggers response
■ CAPACITY: <60 triggers jeopardy and extreme response
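The appetite / tolerance / capacity escalation described above, applied to this NPS example, as an added illustration that is not code from OCEG or the Red Book. The Range and Indicator types, the suspicious field, the Customer Complaints numbers, and the monthly readings are constructed assumptions; only the NPS limits (target 80, lower appetite limit 78, tolerance down to 60, jeopardy below 60) come from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Bound = Optional[float]  # None means "no limit on that side": a one-sided indicator

@dataclass(frozen=True)
class Range:
    low: Bound = None
    high: Bound = None

    def contains(self, value: float) -> bool:
        return (self.low is None or value >= self.low) and (self.high is None or value <= self.high)

    def encloses(self, inner: "Range") -> bool:
        """True when every value inside `inner` also lies inside this range."""
        low_ok = self.low is None or (inner.low is not None and inner.low >= self.low)
        high_ok = self.high is None or (inner.high is not None and inner.high <= self.high)
        return low_ok and high_ok

@dataclass(frozen=True)
class Indicator:
    title: str
    target: float
    appetite: Range   # preferred variation around the target: business as usual
    tolerance: Range  # acceptable but not preferred: planned response
    capacity: Range   # absolute limit: beyond it lies jeopardy or ruin
    # Hypothetical field: readings that look "too good" and, per the text, should
    # raise suspicion (every customer fully satisfied, zero complaints).
    suspicious: Optional[Range] = None

    def validate(self) -> None:
        """Bands must nest: target in appetite, appetite in tolerance, tolerance in capacity."""
        if not self.appetite.contains(self.target):
            raise ValueError(f"{self.title}: target {self.target} lies outside appetite")
        if not self.tolerance.encloses(self.appetite):
            raise ValueError(f"{self.title}: appetite is not inside tolerance")
        if not self.capacity.encloses(self.tolerance):
            raise ValueError(f"{self.title}: tolerance is not inside capacity")

# Zone -> response, following the text's escalation.
RESPONSE: Dict[str, str] = {
    "appetite": "business as usual",
    "tolerance": "planned response to return within appetite",
    "beyond_tolerance": "significant response to return within tolerance",
    "beyond_capacity": "jeopardy: extreme response or cease operations",
}

def classify(ind: Indicator, value: float) -> str:
    """Zone a single reading falls in, checked from the innermost band outward."""
    if ind.appetite.contains(value):
        return "appetite"
    if ind.tolerance.contains(value):
        return "tolerance"
    if ind.capacity.contains(value):
        return "beyond_tolerance"
    return "beyond_capacity"

def evaluate_series(ind: Indicator, readings: List[Tuple[str, float]]) -> List[Dict[str, object]]:
    """Classify (period, value) readings and attach the response and a suspicion flag."""
    ind.validate()
    rows = []
    for period, value in readings:
        zone = classify(ind, value)
        flagged = ind.suspicious is not None and ind.suspicious.contains(value)
        rows.append({"period": period, "value": value, "zone": zone,
                     "response": RESPONSE[zone], "suspicious": flagged})
    return rows

# The page's NPS indicator: lower limits only, because higher is always better.
# The 78 - 82 target range has no enforced upper limit; 85 (best possible) and
# 90 (stretch) are aspirations, not limits. NPS 100 (every respondent a
# promoter) is a constructed suspicion threshold.
NPS = Indicator(
    title="Customer Satisfaction Rating (NPS), Monthly",
    target=80,
    appetite=Range(low=78),
    tolerance=Range(low=60),  # <78 thru 60 triggers response
    capacity=Range(low=60),   # <60 triggers jeopardy and extreme response
    suspicious=Range(low=100),
)

# Constructed upper-limit-only indicator (hypothetical numbers): fewer complaints
# is better, but zero complaints suggests the intake process is not working.
COMPLAINTS = Indicator(
    title="Customer Complaints, Monthly",
    target=20,
    appetite=Range(high=25),
    tolerance=Range(high=40),
    capacity=Range(high=100),
    suspicious=Range(high=0),
)

if __name__ == "__main__":
    # Constructed monthly readings, not figures from the page.
    for row in evaluate_series(NPS, [("Jan", 82), ("Feb", 85), ("Mar", 70), ("Apr", 55)]):
        print(row)
```

Because the tolerance and capacity limits coincide at 60 in the NPS example, no reading lands in the beyond_tolerance zone for NPS; the complaints indicator shows that zone when its limits differ.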

“Address Uncertainty”
Principled Performance requires an organization to reliably achieve objectives, address
uncertainty, and act with integrity.

Uncertainty can arise from various sources, including incomplete data, conflicting information,
unpredictable circumstances, and unknown future developments. It is an inherent part of
everyday life. Addressing uncertainty involves making decisions based on incomplete or imperfect
information, weighing the risk and reward of different options, and adapting to changing
circumstances as new information becomes available.

Addressing uncertainty is about making decisions about potential opportunities and obstacles
that may arise while pursuing objectives. Decisions under uncertainty involve both upside and
downside – both favorable and unfavorable effects on objectives.

GRC Capability Model uses terms and definitions consistent with decision science and
quantitative methods. These disciplines use clear language to describe the upside and downside
of uncertainty.

● Uncertainty: A state of being unsure about something due to incomplete knowledge or
underlying randomness, making it difficult to understand with complete confidence.
● Opportunity (Prospect): an uncertain future event that may, on balance, have a positive
effect on objectives.
● Obstacle (Threat): an uncertain future event that may, on balance, have a negative effect
on objectives.

Cause & Consequence

Taking a step back, uncertainty can be illustrated simply by considering causes, events, and
consequences. A future, uncertain event (or condition) might have many causes. And, once the
event occurs, many consequences might follow.

Likelihood is a measure of the chance of an event occurring. Impact measures the economic
and non-economic consequences of the event. Taken together, the effect of uncertainty on
objectives is a function of the likelihood and impact of an event.

● Condition - a state of reality.
● Event - something that happens, including a behavior or change in condition.
● Cause (Source) - the trigger or potential trigger of events that lead to a consequence.
● Consequence - the outcome or potential outcome of an event.
● Effect - a measure that estimates the likelihood and impact of an event.
○ Likelihood - a measure that estimates the occurrence of an event.
○ Impact - a measure that estimates the consequence of an event.

In reality, this model of cause → event → consequence is more complex and fractal, involving
chains of events that cause further events, and so on.

Likelihood and impact are rarely (if ever) single values. When considering causes and
consequences, there are often distributions that are useful when using quantitative methods.
Distributions more realistically model situations such as, “It is more likely that a $1 problem will
occur but less likely that a $100 problem will occur.”

Not all distributions are the same, and each situation should use the kind of distribution that
suits it: discrete versus continuous; bounded versus unbounded; parametric versus
nonparametric; and univariate versus multivariate.

Classifying the Effect of Uncertainty

Classifying the effect of uncertainty on objectives, and the underlying event, as either positive or
negative depends on the objectives. Classification isn’t always easy or even possible. Events
may be ambiguous, with BOTH positive and negative consequences relative to objectives.

Positive
The positive, favorable effect of uncertainty on objectives is called reward. And the causes that
have the potential to eventually result in benefits are called prospects.

● Prospect - a cause that has the potential to eventually result in benefit.
● Opportunity - an event that may, on balance, have a positive effect on objectives.
● Benefit - a measure of the positive impact on the organization.
● Performance (Reward) - a measure of the positive, favorable effect of uncertainty on
objectives.
● Performance (Reward) Management - the act of managing processes and resources to
pursue reward while addressing risk.

Negative
The negative, unfavorable effect of uncertainty on objectives is called risk. And the causes that
have the potential to eventually result in harm/damage are called hazards or threats.

● Hazard - a cause that has the potential to eventually result in harm.
● Obstacle (Threat) - an event that may, on balance, have a negative effect on objectives.
● Harm (Damage) - a measure of the negative impact on the organization.
● Risk - a measure of the negative, unfavorable effect of uncertainty on objectives.
● Risk Management - the act of managing processes and resources to address risk while
pursuing reward.

Note that for both positive and negative circumstances, neutral language may be used to describe
causes, events, and consequences. But at times, it can be helpful to be more specific by using
specialized terminology.

Addressing the Situation


Addressing uncertainty means confronting reality and doing something about it. There are several
broad design options that an organization can use to address an opportunity, obstacle, or
obligation:

● Avoid Design Option - cease all activity or terminate sources that give rise to the
opportunity, obstacle, or obligation.
● Accept Design Option - embrace or concede to the situation with minor modifications and
awareness about the nature and level of risk/reward and compliance associated with the
opportunity, obstacle, or obligation.
● Share Design Option - outsource, joint venture, partner, buy insurance, or use other
financial instruments to address the opportunity, obstacle, or obligation (NOTE: TRANSFER
is a special case of SHARING where an attempt is made to give close to 100% of
consequence to another party such as an insurance company).
● Control Design Option - implement actions and controls that govern and manage the
opportunity, obstacle, or obligation according to its nature:
○ Opportunities
■ Promote the occurrence of the event or event causes
■ Detect the event as soon as possible
■ Compound consequences to accelerate the positive impact and benefit
○ Obstacles
■ Prevent the occurrence of the event or event causes
■ Detect the event as soon as possible and accelerate correction and recovery
■ Correct the event and reduce the negative impact
■ Recover from negative impact and harm
○ Obligations
■ Cover each requirement with at least one action and control
■ Layer multiple actions & controls to get appropriate depth
■ Detect adherence or violations (noncompliance) as soon as possible to accelerate
remediation

Controlling the Situation


An organization implements actions & controls to modify the inherent effect of uncertainty, to
realize a residual effect that is acceptable.

● Inherent Effect - the effect of uncertainty in the absence of actions & controls.
● Residual Effect - the effect of uncertainty in the presence of actions & controls.

The causes and consequences of risk and reward are addressed differently. In the case of reward,
the organization tries to promote favorable causes and compound benefits as soon as possible. In
the case of risk, the organization tries to deter and prevent causes and correct and recover from
harm as soon as possible.

Note that the binomial “actions and controls” is used because not everything is a control.
Sometimes a single action or decision is used to address a situation.

● Actions & Controls - Specific arrangements of people, processes, technology, or
information intended to modify risk, reward or compliance.
○ Proactive Actions & Controls promote favorable events and deter and prevent
unfavorable events.
○ Detective Actions & Controls detect the occurrence of favorable events and
unfavorable events.
○ Responsive Actions & Controls compound the effect of favorable events, and
correct and recover from unfavorable events.

And, while true for both risk and reward, it is most common to use inherent and residual
terminology when talking about risk.

● Inherent Risk - the level of risk in the absence of actions & controls.
● Residual Risk - the level of risk in the presence of actions & controls.
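As an added example (not OCEG's text or code), the following Python sketch shows what the earlier statement that “likelihood and impact are rarely (if ever) single values” looks like when done quantitatively, and how inherent and residual risk differ once an action & control is applied. It models likelihood as a Poisson event frequency and impact as a lognormal loss magnitude, simulates many years, and reads off an annual loss distribution and a loss exceedance probability instead of one likelihood × impact number. Every parameter (event rate, loss median, spread, control effect) is an assumed placeholder rather than a calibrated figure, and the `Scenario`, `simulate`, `exceedance` and `apply_control` names are this example's own.

```python
"""Monte Carlo sketch of likelihood and impact as distributions, and of
inherent vs. residual risk once an action & control is applied.

Added example for this section; not OCEG's code. All parameters (event
rates, loss magnitudes, control effects) are assumed placeholders chosen
for illustration, not calibrated figures.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One hazard modelled as a frequency distribution (likelihood) and a
    magnitude distribution (impact) rather than two point values."""
    events_per_year: float   # mean of a Poisson frequency distribution
    loss_median: float       # median of a lognormal magnitude distribution
    loss_sigma: float        # log-space spread; larger = heavier tail


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's multiplication method; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def annual_loss(scn: Scenario, rng: random.Random) -> float:
    """Sample one year: how many events occur, and how much each one costs."""
    n = poisson(scn.events_per_year, rng)
    mu = math.log(scn.loss_median)
    return sum(rng.lognormvariate(mu, scn.loss_sigma) for _ in range(n))


def simulate(scn: Scenario, years: int = 20000, seed: int = 1) -> list[float]:
    """Sorted sample of annual losses; the seed keeps runs reproducible."""
    rng = random.Random(seed)
    return sorted(annual_loss(scn, rng) for _ in range(years))


def exceedance(samples: list[float], threshold: float) -> float:
    """P(annual loss > threshold): the 'loss exceedance' form of likelihood."""
    return sum(1 for s in samples if s > threshold) / len(samples)


def percentile(samples: list[float], q: float) -> float:
    return samples[min(len(samples) - 1, int(q * len(samples)))]


def apply_control(scn: Scenario, freq_reduction: float, impact_reduction: float) -> Scenario:
    """Proactive controls cut frequency; responsive controls cut magnitude.
    The input is the inherent scenario, the return value the residual one."""
    return Scenario(scn.events_per_year * (1 - freq_reduction),
                    scn.loss_median * (1 - impact_reduction),
                    scn.loss_sigma)


# Assumed placeholder scenario: ~2 events/year, median loss $10k, heavy tail.
INHERENT = Scenario(events_per_year=2.0, loss_median=10_000, loss_sigma=1.0)
# Assumed control effect: halve frequency, trim each loss by 40%.
RESIDUAL = apply_control(INHERENT, freq_reduction=0.5, impact_reduction=0.4)

if __name__ == "__main__":
    for label, scn in (("inherent", INHERENT), ("residual", RESIDUAL)):
        s = simulate(scn)
        print(f"{label}: mean {sum(s) / len(s):,.0f}  p50 {percentile(s, 0.5):,.0f}  "
              f"p95 {percentile(s, 0.95):,.0f}  P(>$100k) {exceedance(s, 100_000):.3f}")
```

Running it prints the mean, median, 95th percentile and P(loss > $100k) for both scenarios. `exceedance` is the quantitative form of the “a $1 problem is more likely than a $100 problem” remark: the probability of exceeding a threshold falls as the threshold rises, and comparing the inherent and residual curves shows how much of the reduction comes from cutting frequency versus cutting magnitude, which is the question a control budget has to answer.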

“Act with Integrity”


Principled Performance® requires an organization to reliably achieve objectives, address
uncertainty, and act with integrity.

Reliably achieving objectives and addressing uncertainty is pointless unless the organization acts
with integrity – addressing its obligations to operate within mandatory and voluntary boundaries.

One way to think about integrity is to consider it as a ratio of Promises Kept divided by Promises
Made. The more Promises Kept, the closer this ratio is to 1 or 100%.

● Integrity - The state of being whole and complete by fulfilling obligations, honoring
promises, and cleaning up the mess if a promise is broken.
● Obligation (also Boundary) - a requirement that an organization must or should address
because of a promise, whether mandatory or voluntary.
○ Mandatory Obligation (Mandatory Requirement, Mandatory Boundary) -
obligations that an organization must address because of some legitimate authority
(e.g., laws, rules, regulations).
○ Voluntary Obligation (Voluntary Requirement, Voluntary Boundary) - obligations
that an organization chooses to address because of voluntary decisions (e.g.,
contracts, agreements, and values).
● Compliance - a measure of the degree to which obligations are proven to be addressed.
● Compliance Management - the act of managing processes and resources to achieve the
desired level of compliance.

Measuring compliance in a particular area must start with:

● Requirements
● Actions & controls to address requirements
● Evidence that actions & controls are effectively designed and operating.

Since compliance is a measure, there can be both lower and higher levels of compliance. A low
level of compliance means that a requirement is EITHER or BOTH:

● Not in fact addressed by effective actions & controls
● Not shown in evidence to be addressed by effective actions & controls

A high level of compliance, on the other hand, means that a requirement is BOTH:

● In fact addressed by effective actions & controls
● Shown in evidence to be addressed by effective actions & controls

Put more simply, high compliance requires not only that the requirement is addressed by effective
actions & controls, but also that evidence (documentation, records, etc.) proves this to be true.

Duality of Obligations
Obligations present a duality – one involving risk and the other involving compliance.

For example, take a mandatory obligation that a government imposes to “implement an
anti-discrimination policy and training program.” This obligation is rooted in the ethical principle of
“treat people fairly.” The obligation may have several requirements:

● Post anti-discrimination policy in a public location
● Train all hiring managers for two hours every two years
● Train all employees for one hour every two years

Complying with these requirements might involve actions & controls such as:

● Policy – Anti-harassment policy. Additions to the Code of Conduct.
● People – Schedule and conduct manager and workforce training.
● Technology - Implement policy management and education management systems.

But beyond compliance, there are also related “compliance-related risks” that must be addressed
– that is, the risk that someone in the organization will be mistreated or discriminated against.

This risk may be higher or lower than in other organizations, depending on the unique features of the
organization. If the risk of discrimination is assessed as low, the organization may decide that
mere “compliance” with the mandatory obligations is adequate. If the risk of discrimination is
higher, the organization may decide to enact additional actions & controls such as:

● Policy – Remove all names and dates from resumes to reduce inferences about race,
biological sex, and age.
● People – Enhance training with scenarios and reminders throughout the year.
● Process - Process hiring and promotion decisions through a centralized team to conduct
diligence on the hiring and promotion decision.
● Information – Make anti-discrimination one of the themes addressed in organizational
communications, including top executive communications.
● Financial - Purchase employment practices insurance.

Values in Action
Mandatory and voluntary boundaries are both important. But Values are an organization's most
important voluntary obligations. And putting values in action is key.

In some instances, acting contrary to organizational values may negatively impact the
organization much more than acting contrary to even mandated obligations. Stakeholders may
agree or disagree with any one particular mandate. And it is always possible that an organization
doesn’t know 100% of the mandatory obligations at a point in time.

However, unlike mandatory obligations, the organization voluntarily offers and expresses a
“promise” to stakeholders. The organization knows 100% of the values it expresses. Breaking this
voluntary commitment is sometimes more economically and reputationally damaging than missing
the mark on other commitments.

An effective organizational values statement can help to create a shared sense of purpose and
direction among the workforce, and can help to align the organization's actions and decisions with
its broader mission and goals.

In this way, Values work with Mission and Vision to describe the highest purpose of the
organization:

● Mission - A statement that describes who the organization serves, what it does, and what
it hopes to achieve today and in the long term.
● Vision - A statement that describes what the organization aspires to be and why it matters.
● Values - A statement about what the organization believes and stands for.

An organizational values statement typically reflects the shared beliefs and expectations of the
organization's leadership, employees, and stakeholders. It serves as a guide for establishing a
positive and productive organizational culture.

Organizational values statements can take many different forms, depending on the size, structure,
and mission of the organization. Some values statements may be short and simple, while others
may be more detailed and elaborate.

Examples of organizational values that may be included in a values statement could include
accountability, collaboration, innovation, respect, and customer service. These values may be
expressed through specific behaviors or actions.

Culture
Culture is important across all aspects of Principled Performance. But it plays a special role in helping
the organization “act with integrity.” Culture, climate, and mindsets are made up of several aspects.
These aspects are defined for consideration when analyzing culture from different perspectives:

● Culture - is an emergent property of a group expressed in observable norms resulting from
the interaction of individual beliefs, values, and behaviors. (NEW: Culture is an emergent
property of a group of people caused by the interaction of individual beliefs, values,
mindsets, and behaviors and demonstrated by observable norms and articulated opinions
that shape beliefs, values, mindsets, and behaviors in wide-ranging and durable ways.)
● Mindsets - are individual perceptions about self, surroundings, and others – including
perceptions about culture, some aspect of culture, or some topical area.
● Climate - is the collective perception about self, surroundings, and others – including
perceptions about culture, some aspect of culture, or some topical area.
● Norms - are customs, rules, or expectations that a group socially reinforces. There are two
types of norms:
○ Prescriptive Norms encourage behavior the group deems positive (e.g., “be
honest”)
○ Proscriptive Norms discourage behavior the group deems negative (e.g., “do not
cheat”)
● Beliefs - are unobservable ideas and assumptions of a person or group, often caused by
experience, perception, and personality.
● Values - are principles that a person or group deems important, usually because of beliefs.
● Behaviors - are observable actions of a person or group of people, informed by beliefs and
values. There are three types of behaviors:
○ Voluntary Behaviors are intentional human actions informed by beliefs and values
and governed by free will and discipline.
○ Habitual Behaviors are semi-automatic human actions informed by beliefs and
values and governed by free will and discipline.
○ Involuntary Behaviors are automatic, often instinctual human actions informed by
beliefs and values and governed by nature.

Integrated Action & Control Model™ (IACM™)


The Integrated Action & Control Model™ (IACM™) provides a structure to consider the purpose
and types of actions & controls used for the governance, management, and assurance of
performance, risk, and compliance.

The IACM uses a simple construct of “before, during, and after” and “favorable and unfavorable
events” that applies across opportunities, obstacles, and obligations to:

● Decrease the effect (likelihood and impact) of unfavorable events and behaviors.
● Increase the effect (likelihood and impact) of favorable events and behaviors.

Favorable and unfavorable events relate to opportunities, obstacles, and obligations. For example:

● Opportunities
○ Favorable events: increase the ultimate likelihood and impact of benefit.
○ Unfavorable events: decrease the ultimate likelihood and impact of benefit.
● Obstacles
○ Favorable events: decrease the ultimate likelihood and impact of harm.
○ Unfavorable events: increase the ultimate likelihood and impact of harm.
● Obligations
○ Favorable events: decrease the ultimate likelihood and impact of violations.
○ Unfavorable events: increase the ultimate likelihood and impact of violations.

The use of “ultimate” in these definitions indicates that there may be a complex chain of events
that results in ultimate benefit/harm/violations.

For example, take an ambiguous event called “Senior Executive Quits.” On the surface, this event
may be construed as an obstacle that would result in harm of “Lost knowledge, relationships and
the potential to cascade worry into the team.” Digging into the many causes reveals unfavorable
hazards, such as “Non-competitive compensation,” that ought to be prevented.

However, further analysis may indicate that “Senior Executive Quits” may also provide benefits.
Hiring a new person for the job from the outside provides “New ideas and relationships.” Promoting
an existing team member provides career advancement opportunities and hope for others.

What appeared to be a simple and straightforward example of something to be avoided turns into
a more robust picture:

Before

● Promote/Enable
○ Promote executive careers beyond the organization with “job search” programs
○ Promote a culture where “moving on” is viewed as graduating instead of leaving

● Prevent/Deter
○ Deter quitting by ensuring compensation plans are always within benchmarks
○ Deter quitting by implementing feedback systems to learn about shortcomings
before they escalate

After

● Compound/Amplify
○ Recognize executives and employees who recently became “alumni”
○ Recognize alumni for many months and years with periodic communications
○ Accelerate “New Ideas” by pausing existing work for 2 weeks to adjust to new
situation
● Correct/Recover
○ Attempt to retain senior executive with lateral or other opportunities
○ Allow team left behind to pause existing work one week to adjust to new situation
○ Recover from relationship loss by connecting with former executive’s key accounts

Action & Control Types


Action and control types aim to be proactive, detective and responsive to address opportunities,
obstacles and obligations.

● Proactive Actions & Controls prevent unfavorable events before they happen and promote
favorable events. Proactive actions & controls include:
○ Prevent/Deter Actions & Controls decrease the likelihood of unfavorable events.
○ Promote/Enable Actions & Controls increase the likelihood of favorable events.

● Detective Actions & Controls detect the occurrence of favorable and unfavorable events.

● Responsive Actions & Controls compound/accelerate the benefits of favorable events and
correct/recover from the harm of unfavorable events. Responsive actions & controls
include:
○ Compound/Accelerate Actions & Controls accelerate and compound the impact of
favorable events to increase benefits and promote future occurrence.
○ Correct/Recover Actions & Controls slow down or decrease the impact of
unfavorable events, and return the organization to its original state, stable state, or
superior state after harm has occurred to minimize harm and prevent future
occurrences.

Action & Control Categories


Policy, people, process, physical, informational, technological, and financial actions & controls
represent the full range of action & control categories.

● Policy – formal statements and rules about organizational intentions and expectations.
● People – human factors, including structure, accountability, education, and enablement.
● Process - how/when to perform activities and where/who to assign accountability.
● Physical – infrastructures such as facilities and other structures.
● Information – communications up, down, and across the organization.
● Technology - hardware and software systems that facilitate other categories.
● Financial - insurance, captives, hedging, reserves, or other financial instruments.

Action & Control Techniques


Action and control techniques sit within a category and may span multiple categories.

For example, “segregation of duties” is a technique that spans multiple categories (and may be
considered multiple controls). Segregation of duties:

● structures “people” in a way that specifies who can / cannot perform certain tasks;
● is often articulated in a “policy” outlining roles and responsibilities; and
● is embodied in “technology” access controls.
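As an added example (not OCEG's code), the following Python check shows the technology-layer form of the segregation-of-duties technique just described: a policy layer of conflicting duty pairs, roles as bundles of permissions, and user-to-role assignments, from which it computes each user's effective permissions and flags anyone holding both halves of a conflict. The duty names, roles and users are constructed placeholders, and `sod_violations`, `role_conflicts` and `effective_permissions` are this example's own names, not an API of any product.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example for this section; not OCEG's code. The duty pairs, roles and
user assignments below are constructed placeholders chosen to illustrate the
technique, not a real organization's data.
"""
from itertools import combinations

# Policy layer: pairs of duties that must never sit with one person.
# Assumed placeholder rules in the classic "initiate vs. approve" shape.
CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"payment.create", "payment.approve"}),
    frozenset({"access.request", "access.grant"}),
}

# Technology layer: roles as bundles of permissions (constructed sample).
ROLES = {
    "ap_clerk":   {"vendor.create", "payment.create"},
    "ap_manager": {"payment.approve"},
    "iam_admin":  {"access.grant"},
    "employee":   {"access.request"},
}

# People layer: who currently holds which roles (constructed sample).
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_clerk", "ap_manager"},   # accumulated a toxic combination
    "carol": {"iam_admin", "employee"},    # can request and grant own access
    "dave":  {"ap_manager"},
}


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Flatten a user's roles into the set of permissions they can exercise."""
    perms = set()
    for role in assignments.get(user, ()):
        perms |= roles[role]
    return perms


def sod_violations(assignments=ASSIGNMENTS, roles=ROLES, conflicts=CONFLICTS):
    """Detective check: {user: [conflicting pairs]} for every user whose
    effective permissions contain both halves of a conflict pair."""
    findings = {}
    for user in sorted(assignments):
        perms = effective_permissions(user, assignments, roles)
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)
        if hits:
            findings[user] = hits
    return findings


def role_conflicts(roles=ROLES, conflicts=CONFLICTS):
    """Design-time check: single roles that are self-conflicting (1-tuples) and
    role pairs that can never be co-assigned (2-tuples), so a toxic combination
    is caught when roles are defined rather than after a user accumulates it."""
    bad = set()
    for name, perms in roles.items():
        if any(pair <= perms for pair in conflicts):
            bad.add((name,))
    for a, b in combinations(sorted(roles), 2):
        if any(pair <= roles[a] | roles[b] for pair in conflicts):
            bad.add((a, b))
    return sorted(bad)


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        print(f"SoD violation: {user} holds {hits}")
    print("role combinations that must never be co-assigned:", role_conflicts())
```

The two checks serve different control types: `role_conflicts` is proactive, run when roles are designed or changed, and `sod_violations` is detective, run continuously against live assignments, since most real violations arise from accumulation (a promotion that adds a role without removing the old one, as with “bob” here). The policy statement, the role model and this check are three views of one technique, which is why the text counts segregation of duties as spanning several categories.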

Action & Control Orientation


When designing actions & controls, an organization should consider the governance,
management, and assurance orientations.

Management actions & controls should be the primary focus when designing an approach. If, and
only if, management actions & controls are insufficient for governance and assurance purposes
should additional actions & controls be considered.

● Management Actions & Controls are required for management to address opportunities,
obstacles, and obligations. Management actions & controls comprise most of the work
performed by the organization. Whenever possible, management actions & controls should
be used by both the governing authority and assurance personnel to avoid unnecessary
complexity and duplication.

● Governance Actions & Controls are additional controls beyond management controls that
assist the governing authority in constraining and conscribing the organization. Additional
governance actions & controls are added when management actions & controls do not
provide enough information or guidance to constrain and conscribe the organization.

● Assurance Actions & Controls are additional controls beyond management and
governance controls that assist assurance personnel to provide assurance services.
Additional assurance controls are added when management and governance actions &
controls do not provide sufficient information to assurance providers.

Part II - GRC Outcomes & Capabilities


The GRC Capability Model codifies the continuously improving body of knowledge about how GRC
works in an organization. It comprises four (4) components and twenty (20) elements that help an
organization ask and answer key questions such as:

● LEARN - Who are we? Where are we? What might affect us? Who do we serve? How will they
judge us? What is our business model?

● ALIGN - Where are we going? How will we get there? How will we address the opportunities,
obstacles, and obligations along the way?

● PERFORM - How proactive are we? How do we detect problems and progress? How do we
respond to favorable events and unfavorable events?

● REVIEW - Are we making progress? How confident are we? How can we improve?

U - Universal Outcomes
While every organization has a unique mission, vision, and values, every GRC Capability should
strive to help organizations realize these Universal Outcomes.

● U1. Achieve Objectives that Produce and Preserve Value: Ensure that strategy and
execution prioritize objectives to simultaneously produce value and preserve value.

● U2. Balance Risk and Reward: Ensure that opportunities and obstacles are adequately
addressed so that levels of performance and risk are acceptable.

● U3. Improve Culture: Establish a culture of total performance, accountability, integrity,
trust, and communication in all aspects of the organization.

● U4. Enhance Stakeholder Confidence: Provide assurance to stakeholders to continually
increase confidence in the organization’s mission, vision, values, and total performance.

● U5. Integrate and Improve Decision-Making: Integrate the governance, management, and
assurance of performance, risk, compliance, and decision-making.

● U6. Prevent, Detect, and Correct Undesired Conduct and Weaknesses: Establish actions
& controls to prevent, detect, recover from, and reduce the negative effect of events.

● U7. Promote, Detect, and Reward Desired Conduct and Strengths: Establish actions &
controls to promote, detect, increase, and compound the positive effect of events.

● U8. Sense and Respond to Context: Proactively make sense of, predict, and address
changes in the internal and external context to adjust strategy and tactics.

● U9. Improve Total Performance: Improve effectiveness, efficiency, responsiveness, and
resilience with proactive, detective, and responsive actions & controls.

● U10. Honor and Express Values: Balance how the organization pursues total performance
while expressing and staying true to values, without sacrificing one for the other.

L – LEARN

Examine and understand stakeholders, the external context, the internal
context, and the culture of the organization to make sense of reality and
changes as they unfold.

Principled Performance® requires that an organization learn about and make sense of internal and
external realities as it strives to meet the needs of stakeholders.

The internal context and culture describe the capabilities and resources that the organization
uses to meet stakeholder needs. The external context represents the reality in which the
organization operates.

By making sense of internal realities, external realities, culture, and stakeholders, the organization
can shape the most appropriate direction, objectives, and approach to achieve Principled
Performance.

LEARN Component - Elements

Figure - LEARN Component Overview Diagram

LEARN Component Considerations


● Learning about internal and external realities is a “sensemaking” process that aims to
understand reality so the organization can act.
● External context, internal context, culture, and stakeholders are interrelated elements
without clear boundaries. The most important outcome is an understanding of the internal
and external factors and how these realities impact the organization.
● External context and stakeholder needs are outside the organization’s direct control. Strive
to influence and shape these external realities over time.
● Internal context and culture are, at least theoretically, under an organization's direct
control. Still, these internal realities require long-term planning to influence and shape.
● Context, culture, and stakeholders are defined relative to the organization in scope. For
example, if the organization in scope is a single team, then the “external context” would
include all aspects outside of the team.
● Even if the organization in scope is a subordinate unit (business units, departments, and
teams), it is important to understand the realities at the highest organizational unit (the
enterprise) as these realities cascade to subordinate organizational units.
● Changes in context should be sensed and analyzed to determine why, what, when, and how
to change the organization.
● It is crucial to understand what changes are important and which are mere distractions.

LEARN Component Measurement


● Effective. Do we have the capability to LEARN? Do we have the capability to understand
internal and external contexts? Do we have the capability to understand culture? Do we
have the capability to understand stakeholders? Do these capabilities operate as
designed?
● Efficient. How efficient is our use of capital to LEARN? How efficient is our use of financial
capital? Physical capital? Human capital? Information capital?
● Agile. When things change, how quickly do we RE-LEARN the context and culture?
● Resilient. Do we have appropriate depth and coverage to withstand stress? After stress,
are we more capable or less capable to LEARN?

L1 External Context

Examine and understand the external context in which the organization
operates.

Practices
1. Analyze External Context. Consider industry, market, political, economic, societal,
technology, legal, environmental, demographic, geopolitical, and other external factors
that may affect the organization.

2. Influence External Context. Identify external factors that the organization may attempt to
influence.

3. Assign External Factors. Assign accountability to individuals with authority and resources
to successfully analyze, influence, and sense external factors.

4. Sense External Context. Continually watch for and make sense of changes in the external
context that have a direct, indirect, or cumulative effect on the organization and notify
appropriate personnel and systems.

5. Reconsider External Context. Define the events and timescale that trigger
reconsideration of external factors.

Considerations
● The external context is outside of the direct control of most organizations. Strive to
influence and shape these external realities over time.
● Categories of sources and forces that originate outside of the organization include:
○ Industry factors include new entrants, competitors, suppliers, customers,
substitutes, and industry norms.
○ Market factors include customer trends, demographics, and economic conditions.
○ Economic factors include growth, exchange, inflation, and interest rates.
○ Technology factors include technological aspects like R&D activity, automation,
storage, computation, technology incentives, innovations in materials, mechanical
efficiency, and the rate of technological change.
○ Societal factors include cultural aspects, attitudes, customs, and norms.
○ Legal and regulatory factors include laws, rules, regulations, litigation, and judicial or
administrative opinions.
○ Political factors relate to how the government intervenes in the economy, including
laws, rules, regulations, tax policy, and political stability.
○ Environmental factors include ecological and environmental aspects such as
climate and natural resources.
○ Demographic factors include gender, age, ethnicity, knowledge of languages,
disabilities, mobility, home ownership, employment status, religious belief or
practice, culture and tradition, living standards, and income level.
○ Geopolitical forces include sanctions, export controls, and potential military
conflicts.

Tools & Techniques

● Sensemaking, SWOT Analysis, PESTLE Analysis, Porter’s Five Forces Framework, Scenario
Planning, STEEPLE Analysis


L2 Internal Context

Examine and understand the internal context, including how the organization is structured
and operating.

Practices
1. Analyze the Internal Context - Consider internal strengths and weaknesses, strategic
plans, operating plans, organizational structures, policies, people, processes, technology,
resources, information, and other internal factors that define the organization's operations.

2. Influence Internal Context - Identify internal factors that the organization may choose to
influence.

3. Assign Internal Factors - Assign accountability to individuals with authority and resources
to successfully analyze, influence and sense internal factors.

4. Sense the Internal Context - Continually watch for and make sense of changes in the
internal context that have a direct, indirect, or cumulative effect on the organization and
notify appropriate personnel and systems.

5. Reconsider Internal Context - Define the events and timescale that trigger
reconsideration of internal factors.


Considerations
● Mission and vision clarify why the organization exists and what it aims to achieve and
become.
● Values set voluntary boundaries for how the organization operates and often explain
design decisions about the operating model.
● Value propositions and operating models clarify how the organization serves its
customers/stakeholders.
● Organizational charts and operating model mapping provide insight into how departments
and functions relate to each other, especially key people, processes, technology, and
information.
● Understanding key department scope and purpose helps to clarify their “line of
accountability” and areas where there are inappropriate gaps or overlaps.
● Organizational structures, policies, and other internal items may present perverse
incentives that require immediate attention.

Tools & Techniques

● Sensemaking, SWOT Analysis, Business Model Canvas, Enterprise Architecture,
Resource-Based View, Value Chain Analysis, Balanced Scorecard


L3 Culture

Understand the existing culture, climate, and mindsets about the governance,
assurance, and management of performance, risk, and compliance.

Practices
1. Analyze Governance Culture – Analyze the climate and mindsets about constraining and
conscribing the organization, including how the governing authority and executive team
are engaged and whether leadership models behavior in words and deeds.
2. Analyze Management Culture – Analyze the climate and mindsets about arranging
resources and operating the organization, including how the organization is inspired to
achieve effective, efficient, responsive, and resilient performance.
3. Analyze Assurance Culture – Analyze the climate and mindsets about how the
organization objectively examines and judges the effectiveness, efficiency,
responsiveness, and resilience of critical activities and outcomes.
4. Analyze Performance Culture – Analyze the climate and mindsets about how the
workforce perceives performance, especially the associated trade-offs.
5. Analyze Risk Culture – Analyze the climate and mindsets about how the workforce
perceives risk, its impact on work, and its integration with decision-making.
6. Analyze Compliance Culture – Analyze the climate and mindsets about how the workforce
fulfills its mandatory and voluntary obligations.
7. Analyze Ethical Culture – Analyze the climate and mindsets about how the workforce
generally demonstrates integrity.
8. Analyze Workforce Culture – Analyze the climate and mindsets about workforce
satisfaction, loyalty, turnover rates, skill development, and engagement.
9. Assign Culture Factors - Assign accountability to individuals with authority and resources
to successfully analyze and sense factors associated with culture.
10. Influence Culture. Identify aspects of culture that the organization may attempt to
influence.
11. Sense the Culture – Continually watch for and make sense of changes in culture that may
have a direct, indirect, or cumulative effect on objectives or strategies.
12. Reconsider Culture - Define the events and timescale that trigger reconsideration of
culture.


Considerations
● Culture is difficult or even impossible to “design” because it is an emergent property of a
group of people that results from the interaction of individual values, beliefs, and behaviors
that is difficult to predict or plan.
● Culture change requires long-term commitment, consistent modeling in both words and
deeds and reinforcement by leaders and the workforce.
● Some aspects of culture will change despite the organization's best efforts to maintain the
status quo.
● Multiple “subcultures” often exist in different geographic locations or functional areas.
● Culture is idiosyncratic, so comparing culture and subcultures to internal baselines is
better than attempting to “benchmark” or compare to external indicators.

Tools & Techniques

● Survey Software to “pull” information, Ethnography, Culture Map, Competing Values
Framework, Denison Organizational Culture Model, Schein Model of Organizational Culture


L4 Stakeholders

Interact with stakeholders to understand expectations, requirements, and perspectives that
impact the organization.

Practices

1. Identify Stakeholders – Identify the stakeholder organizations, and the specific individuals
within them, and understand their concerns and needs.

2. Prioritize Stakeholder Needs – Analyze and prioritize key stakeholder concerns and needs
based on relative interest and power, highlighting needs that compete with or conflict with
each other.

3. Develop Relationships & Influence Stakeholders - Develop plans and accountability to
develop relationships with and influence each stakeholder and effectively communicate
how to address concerns and needs.

4. Assign Stakeholders - Assign accountability to individuals with authority and resources to
successfully analyze and sense stakeholders.

5. Sense Stakeholders - Continually watch for and make sense of changes in stakeholders
that have a direct, indirect, or cumulative effect on the organization and notify appropriate
personnel and systems.

6. Reconsider Stakeholders - Define the events and timescale that trigger reconsideration of
stakeholders.


Considerations
● Key external stakeholders include Customers (the most important stakeholder),
Shareholders (fractional owners who are not involved in the organization), Creditors and
Lenders, Suppliers, Underwriters, Government, Non-governmental organizations, Media,
and Society.
● Key internal stakeholders include Personnel (and unions that represent the workforce),
Managers, Executives, Board members, and Owners (major owners involved in the
organization).
● Stakeholders are self-legitimizing (those who judge themselves as stakeholders are
stakeholders), and organizations must prioritize how to address needs.
● Not every stakeholder should have the same influence over the organization, mainly
because stakeholder needs may conflict.
● Develop relationships with key individuals and champions with power and influence in each
stakeholder group.
● Communicate early, often, and sufficiently with stakeholders to maintain trust and
confidence.

Tools & Techniques

● Sensemaking, Stakeholder Analysis, Stakeholder Interest and Power Analysis, Network
Analysis, Ethnography, Surveys and Focus Groups, Social Media Monitoring


A – ALIGN

Define direction and objectives, and an approach to address opportunities, obstacles, and
obligations.

Principled Performance® requires that organizations can define the direction of the organization,
set objectives, and design an approach that addresses the opportunities, obstacles, and
obligations along the way.

Mission, vision, and values establish long-term direction, while objectives and indicators measure
progress. Identify and analyze opportunities, obstacles, and obligations so the organization can
design actions & controls to reliably achieve objectives, address uncertainty and act with integrity.

ALIGN Component - Elements

Figure - ALIGN Component Overview Diagram


ALIGN Component Considerations

● Alignment is a process that requires several stages of divergent and convergent thinking,
iteration, and elaboration to ensure that the organization sets the appropriate direction,
defines appropriate objectives, and designs an appropriate approach to address
opportunities, obstacles, and obligations.
● Decision-making criteria should be established and applied at every stage of the alignment
process to ensure that the organization stays on track and achieves its objectives.
● Mission, vision, and values play a critical role in providing a clear direction and ubiquitous
decision-making criteria for the organization. These guiding principles should be
well-defined and consistently communicated throughout the organization.
● Objectives drive all other identification and analysis of opportunities, obstacles, and
obligations.
● The end result of alignment is an integrated plan of action.

ALIGN Component Measurement

● Effective. Do we have the capability to ALIGN? Do we have the capability to define direction
and objectives? Do we have the capability to identify and analyze opportunities, obstacles,
and obligations? Do we have the capability to design our organization? Do these
capabilities operate as designed?
● Efficient. How efficient is our use of capital for ALIGN? How efficient is our use of financial
capital? Physical capital? Human capital? Information capital?
● Agile. When things change, how quickly do we RE-ALIGN? How quickly do we change or
refine direction and objectives? How quickly do we respond to new opportunities,
obstacles, and obligations?
● Resilient. Do we have appropriate depth and coverage to withstand stress? After stress,
are we more capable or less capable to ALIGN?


A1 Direction

Direct the organization with a clear mission, vision, and values that guide overall goals and
strategies.

Practices
1. Define Direction-Setting Criteria - Guide, constrain, and conscribe how to set direction,
including how the internal and external context, culture, and stakeholders factor into
decisions about the direction and which organizational level/unit should be accountable.

2. Define Mission, Vision & Values - Create formal statements about core values, what the
organization aims to do, what it aims to be, and why it exists, including the key stakeholders
it serves.

3. Select Stakeholders - Select and prioritize stakeholders, especially customers, and
understand their wants, needs, and associated functional, social, and emotional
requirements.

4. Explore Goals & Strategies - Use direction-setting criteria to explore a balanced set of
goals and strategies that link to mission, vision and values.

5. Select Goals & Strategies - Use direction-setting criteria to select, prioritize and link goals
and strategies with each other and with the direction of other organizational levels/units.

6. Validate Direction - Communicate, negotiate, and finalize direction with other
organizational levels/units.

7. Reconsider Direction - Define the events or timescale to reconsider direction.


Considerations
● Formally documenting the direction-setting criteria helps communicate, coordinate, and
monitor with other units, especially subordinate units.
● It is typical for the governing authority and executives to set the direction for the
enterprise. Subordinate unit direction should provide input and align with the enterprise.
● It is essential to gain subordinate buy-in so that subordinate units understand and define
ways to contribute to success.
● Making the mission, vision, and values explicit helps the workforce understand and make
decisions at all levels and in every unit. Absent a clearly articulated mission, vision, and
values, the organization will operate on ad hoc beliefs and interests.
● Strategic Goals should balance perspectives such as economic, customer, stakeholder,
operational, talent, enabling, and learning and growth; and timescales such as long and
short term.
● Value statements will vary for every organization, but all should call for adherence to
mandatory obligations and common principles of integrity and ethical conduct.
● Leadership at all levels must serve as role models and should not act contrary to the stated
values without consequence.
● Continuously communicate how all levels participate in the direction to reduce the risk of
strategic misalignment and engagement decay.

Tools & Techniques

● Scenario Planning, Balanced Scorecard & Strategy Mapping, Business Model Canvas &
Value Proposition Canvas, Jobs-to-be-Done Framework, Objectives & Key Results, Mind
Mapping, Design Thinking


A2 Objectives

Define a balanced set of measurable objectives, results, and indicators.

Practices
1. Define Objective-Setting Criteria - Guide, constrain, and conscribe how to set objectives,
including how the direction factors into decisions about objectives and which
organizational unit should be accountable.

2. Explore Objectives - Define initial, tentative objectives and work with other units to explore
how objectives may link to other units and how opportunities, obstacles, and obligations
may shape the selection of final objectives.

3. Select Objectives - Use objective-setting criteria to select, prioritize, and finalize
objectives and link them with the objectives of other organizational units.

4. Define Indicators & Results – Define measurable results, including a mix of leading and
lagging indicators of progress and status.

5. Assign Objectives - Assign objectives, results, and indicators to an accountable individual
with authority and resources to succeed.

6. Validate Objectives – Communicate, negotiate, and finalize objectives with other
organizational units.

7. Reconsider Objectives - Define the events or timescale to reconsider objectives.


Considerations
● Understanding and aligning with superior-level (especially enterprise-level) objectives is
essential to ensure organizational alignment.
● Gaining subordinate-level buy-in is essential to ensure everyone can contribute to
success, especially when objectives cascade to subordinate-level units.
● Objectives should consider perspectives such as economic, customer, stakeholder,
operational, talent, enabling, and learning and growth; and timescales such as long and
short term.
● Objective-setting criteria may include categorical preferences such as “buy versus build,”
“acquire versus organically grow,” or “maintain team size versus hire.”
● Objectives should link to both subordinate-levels (often called “cascading down”) and to
superior-levels (often called “laddering up”).
● Objectives should address the “what” and “why” and should not be numeric. Results and
indicators address the numeric aspects of “how much.”
● Results and indicators that “run the organization” should use the SMART model: Specific,
Measurable, Achievable, Relevant, and Time-Bound.
● Results and indicators that “transform the organization” should be milestone or progress
based.
● When setting targets for results and indicators, use a consistent philosophy to avoid
confusion (e.g., “commitments” versus “aspirational”).
● When cascading objectives and results, localize how the objectives apply to specific
organizational units so that they understand the “what” and “why” in their functional or
departmental language.

Tools & Techniques

● Balanced Scorecard & Strategy Mapping, Objectives & Key Results (OKRs), Management By
Objectives (MBO), SMART framework


A3 Identification

Imagine, identify, and describe the opportunities, obstacles, and obligations that might
impact objectives.

Practices
1. Define Identification Criteria - Guide, constrain, and conscribe how opportunities,
obstacles, and obligations are identified, categorized, and prioritized, including targets,
appetites, tolerances, and capacities.

2. Understand Existing Approach – Review and map the existing context, direction,
objectives, strategies, tactics, actions, and controls to understand gaps, overlaps, and
other factors that introduce opportunities, obstacles, and obligations.

3. Identify Opportunities & Reward - Identify opportunities and levels of reward associated
with existing and proposed strategies.

4. Identify Obstacles & Risk - Identify obstacles and levels of risk associated with existing and
proposed strategies.

5. Identify Obligations & Compliance - Identify mandatory and voluntary obligations and
levels of compliance associated with existing and proposed strategies.

6. Identify Interrelatedness & Trends - Identify how opportunities, obstacles, and obligations
are linked and influenced by each other.

7. Validate Identification - Communicate, negotiate, and finalize the identified opportunities,
obstacles, and obligations with other organizational units.

8. Prioritize Analysis - Prioritize opportunities, obstacles, and obligations for further analysis
based on identification criteria and the priority of associated objectives.

9. Modify Objectives - Consider modifying objectives and results based on opportunities,
obstacles, and obligations.

10. Reconsider Identification - Define the events or timescale to reconsider identification.


Considerations
● Given limited resources, identification criteria should be used to focus on priority
objectives and results.
● Categorize opportunities, obstacles, and obligations to structure the identification
process and ensure uniformity of response where sensible.
● Use both top-down and bottom-up techniques to identify a full range of opportunities,
obstacles, and obligations.
● As forces, events, and conditions evolve, monitoring and identification must be a
continuous process.

Tools & Techniques

● Literature Reviews, Historical Data Analysis, Scenario Testing, Modeling and Analysis,
Perception Surveys, Decomposition (e.g., HAZOP, FMEA, and SWIFT analysis),
Brainstorming, Risk Libraries


A4 Analysis

Analyze the current and planned approach to quantify and address risk,
reward, and compliance.

Practices

1. Define Analysis Criteria - Guide, constrain, and conscribe how opportunities, obstacles,
and obligations are analyzed and prioritized using quantitative and qualitative techniques
to estimate risk, reward, and compliance; and compare them to targets, tolerances, and
capacities.

2. Analyze Risk/Reward – Consider the sources, likelihood, and consequences of
opportunities and obstacles to determine the levels of inherent and residual risk/reward
based on the adequacy of actions & controls.

3. Analyze Compliance – Consider mandatory and voluntary obligations/requirements to
determine the level of compliance based on the adequacy of actions & controls.

4. Evaluate Adequacy – Use analysis criteria to evaluate the adequacy of current levels of
residual risk/reward and levels of compliance to determine if additional analysis is required.

5. Validate Analysis - Communicate, negotiate, and finalize the analysis of risk/reward and
compliance with other organizational units.

6. Prioritize Design – Use analysis criteria to prioritize areas where modifications are
necessary to address opportunities, obstacles, and obligations so that levels of residual
risk/reward and compliance are acceptable.

7. Reconsider Analysis - Define the events or timescale to reconsider analysis.


Considerations
● Priority objectives deserve priority, quantitative analysis.
● Areas with high inherent risk, and areas with low likelihood but very high possible impact,
deserve priority, quantitative analysis.
● Analysis criteria associated with performance (e.g., ROI, margins, budget, and objectives
coverage) are used to determine if the current levels of reward are in line with performance
objectives.
● Analysis criteria associated with risk (e.g., risk appetite, tolerance, and capacity) are used
to determine if the level of residual risk is acceptable and whether the established targets
are commensurate with the acceptable risk levels.
● Analysis criteria associated with compliance (e.g., coverage, depth relative to the ranking
of risk, and compliance to both mandatory and voluntary requirements) are used to
determine if the level of compliance is sufficient.
● Analyzing costs associated with how opportunities, threats, and requirements are
currently addressed enables management to allocate resources based on the current and
planned approaches and ensure that they are not over-managed or under-managed.
● No further action is required if residual risk/reward or compliance status is acceptable. If
unacceptable, consider design changes, further analysis to understand the situation
better, or reconsider objectives.

Tools & Techniques

● Ishikawa (Fishbone) Diagram
● Bowtie Diagram
● Hazard Analysis and Critical Control Points (HACCP)
● Layers of Protection Analysis (LOPA)
● Bayesian Analysis
● Business Impact Analysis (BIA)
● Event Tree Analysis (ETA) & Fault Tree Analysis (FTA)
● Failure Modes and Effects Analysis (FMEA)
● Markov Analysis
● Monte Carlo Simulation
● Causal Mapping & Cross Impact Analysis
● Value at Risk (VaR)
● Minimax, ALARP, SFAIRP decision framework
● Factor Analysis of Information Risk (FAIR)
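The practices above ask for inherent and residual risk to be estimated from sources, likelihood, and consequences (practice 2) and then compared against tolerance, appetite, and capacity to decide whether the current controls are adequate (practice 4). The following Python example, added here and not part of the OCEG text, shows how a Monte Carlo simulation and a VaR-style tail figure (both named in the tools list) can produce those numbers. The scenario parameters, the loss tolerance, and the appetite figure are all assumed values for a hypothetical loss scenario and are not drawn from the page; the frequency and magnitude distributions follow the common FAIR-style decomposition of a loss event into a frequency and a per-event magnitude.

```python
"""Monte Carlo comparison of inherent and residual annualized loss.

Added illustration, not OCEG material. The scenario parameters are assumed
values for a hypothetical loss scenario (say, compromise of an internet-facing
service); replace them with calibrated estimates in real use.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    events_per_year: float      # loss event frequency, Poisson mean (assumed)
    median_loss: float          # median loss per event, currency units (assumed)
    loss_sigma: float           # lognormal spread of loss per event (assumed)
    prevent_probability: float  # share of events stopped by proactive controls
    impact_reduction: float     # share of loss removed by detective/responsive controls


@dataclass(frozen=True)
class LossSummary:
    mean: float                 # annualized loss expectancy (ALE)
    p95: float                  # 95th-percentile annual loss, a VaR-style tail figure
    p_exceeds_tolerance: float  # fraction of simulated years above the loss tolerance


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: count uniform draws until their product falls below e^-lam."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def _summarize(annual_losses: list, tolerance: float) -> LossSummary:
    ordered = sorted(annual_losses)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]
    exceed = sum(1 for loss in annual_losses if loss > tolerance) / len(annual_losses)
    return LossSummary(statistics.fmean(annual_losses), p95, exceed)


def simulate(scenario: Scenario, tolerance: float, years: int = 20_000, seed: int = 7):
    """Return (inherent, residual) summaries built from the same simulated events.

    Inherent risk counts every event at full magnitude; residual risk applies the
    controls to those same events, so residual <= inherent in every simulated year.
    """
    rng = random.Random(seed)
    mu = math.log(scenario.median_loss)
    inherent, residual = [], []
    for _ in range(years):
        inherent_year = residual_year = 0.0
        for _ in range(_poisson(rng, scenario.events_per_year)):
            loss = rng.lognormvariate(mu, scenario.loss_sigma)
            inherent_year += loss
            if rng.random() >= scenario.prevent_probability:  # event was not prevented
                residual_year += loss * (1.0 - scenario.impact_reduction)
        inherent.append(inherent_year)
        residual.append(residual_year)
    return _summarize(inherent, tolerance), _summarize(residual, tolerance)


def is_acceptable(summary: LossSummary, max_exceed_probability: float) -> bool:
    """Analysis criterion: residual risk is acceptable when the yearly chance of
    breaching the loss tolerance is within the stated appetite."""
    return summary.p_exceeds_tolerance <= max_exceed_probability


if __name__ == "__main__":
    scenario = Scenario(events_per_year=2.0, median_loss=250_000, loss_sigma=1.0,
                        prevent_probability=0.6, impact_reduction=0.5)
    tolerance, appetite = 1_000_000, 0.05   # assumed: max annual loss, max breach probability
    inherent, residual = simulate(scenario, tolerance)
    for label, s in (("inherent", inherent), ("residual", residual)):
        print(f"{label:9} ALE={s.mean:>12,.0f}  p95={s.p95:>12,.0f}  "
              f"P(loss>tolerance)={s.p_exceeds_tolerance:.3f}")
    print("residual risk acceptable:", is_acceptable(residual, appetite))
```

Two design points matter for the "evaluate adequacy" step. First, inherent and residual figures are computed from the same simulated event stream, so the difference between them is attributable to the controls alone and not to sampling noise. Second, the acceptability test is stated on the tail (probability of breaching the tolerance in a year) rather than on the mean, which is what the consideration about low-likelihood, very-high-impact areas calls for; a scenario can have a modest ALE and still fail on the tail.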


A5 Design

Develop an integrated plan to reliably achieve objectives within acceptable levels of risk,
reward, and compliance.

Practices
1. Define Design Criteria - Guide, constrain, and conscribe how actions & controls are
prioritized to achieve acceptable levels of risk, reward, and compliance.
2. Explore Design Options & Details – Explore design options to avoid, accept, share or
control with more awareness by making design decisions about policies, people, processes,
technology, and information.
3. Design Management Actions & Controls - Select a mix of proactive, detective, and
responsive controls to manage acceptable levels of risk/reward and compliance.
4. Design Governance Actions & Controls - Select additional actions & controls for the
governing authority to guide, constrain and conscribe the organization.
5. Design Assurance Actions & Controls - Select additional actions & controls for the
assurance providers to evaluate priority areas and subject matter.
6. Evaluate Costs & Benefits - Consider the costs and benefits associated with design
options.
7. Allocate Actions & Controls - Allocate actions & controls across multiple lines of
accountability and organizational units to gain depth and coverage, while segregating
duties to prevent conflicts of interest.
8. Refine Key Indicators – Refine key indicators to monitor performance, risk, and compliance.
9. Validate Design - Communicate, negotiate, and finalize design decisions with other
organizational units.
10. Develop Integrated Plan – Develop a plan and acquire resources to govern, assure and
manage organizational changes.
11. Reconsider Design - Define the events or timescale to reconsider the design.


Considerations
● An integrated plan will ensure that all key opportunities, obstacles, and obligations are
addressed and that performance, risk, and compliance are at acceptable levels.
● High-level design options to accept, avoid, and share may obviate the need for detailed
design. The choice to control tends to require more detailed planning.
● Use a mix of action & control types and action & control categories to address all action &
control orientations.
● Use consistent definitions and terms whenever possible, or invest in a method to translate
meaning across departments and disciplines to avoid misunderstandings.
● Not every cost and not every benefit can be quantified with precision – when using
quantitative methods, choose a degree of confidence (e.g., 50%, 75%, 90%, 95%, 99%) as
appropriate.
● Avoid selecting technologies in advance of thoroughly assessing needs and taking
inventory of current approaches. Use existing investments whenever possible and
adequate.
● When allocating actions & controls across lines of accountability, ensure that the right
levels of objectivity and competence are available.
● Identify actions & controls that specifically address areas with high levels of inherent risk
that, should the actions & controls cease to perform effectively, would expose the
organization to unacceptable, existential consequences.

Tools & Techniques

● Cost-Benefit Analysis (CBA), Enterprise Architecture Frameworks, Information
Architecture Frameworks, Process Design Frameworks, Organizational Design &
Development Frameworks, Project Management Frameworks, Design Thinking


P – PERFORM

Address opportunities, obstacles, and obligations by performing proactive, detective, and
responsive actions & controls to serve governance, management, and assurance needs.

Principled Performance requires that organizations address opportunities, obstacles, and
obligations using a mix of actions & controls. Actions & controls are organized by type, category,
and orientation.

Action & control types include proactive, detective, and responsive controls. These types use
techniques from categories such as policy, people, process, physical, technology, and information.
Regardless of type or technique, every action & control aims to serve a management, governance,
or assurance orientation.

PERFORM Component - Elements

Figure - PERFORM Component Overview Diagram


PERFORM Component Considerations

● Action & Control types include proactive, detective, and responsive actions & controls.
Proactive actions & controls promote favorable events and prevent unfavorable events.
Detective actions & controls detect favorable and unfavorable events as soon as possible.
Responsive controls compound the effect of favorable events and correct/recover from
unfavorable events.
● Action & Control orientation includes management, governance, and assurance actions &
controls. Management actions & controls comprise the majority of work performed by the
organization. Additional governance actions & controls are added when management
actions & controls do not provide enough information or guidance to constrain and
conscribe the organization. Additional assurance controls are added when management
and governance actions & controls do not provide sufficient value to assurance providers.
● Action & Control categories include policy, people, process, physical, technology, and
information. Some techniques may span categories. For example, “segregation of duties” is
a “people-oriented control” that is often articulated in a “policy” and embodied in
“technology-oriented access controls.”
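The segregation-of-duties example in the last bullet, and the A5 practice of allocating actions & controls "while segregating duties to prevent conflicts of interest", are easiest to see in the technology-oriented form. The Python below is an added example and is not part of the OCEG text; the roles, permissions, toxic permission pairs, and user assignments are constructed for a hypothetical accounts-payable and general-ledger system. It shows the same policy enforced in two of the action & control types named above: a proactive check that refuses a role grant which would create a conflict, and a detective scan that finds conflicts already present in the assignments.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added illustration, not part of the OCEG text. The roles, permissions and
toxic combinations below are constructed for a hypothetical accounts-payable
and general-ledger system.
"""

# Constructed role -> permission map: what the technology layer actually grants.
ROLE_PERMISSIONS = {
    "ap_clerk":      {"vendor.create", "invoice.enter"},
    "ap_approver":   {"invoice.approve", "payment.approve"},
    "gl_accountant": {"journal.post"},
    "gl_reviewer":   {"journal.approve"},
    "readonly":      {"report.view"},
}

# Constructed policy statement: permission pairs one person must never hold together.
TOXIC_PAIRS = {
    frozenset({"vendor.create", "payment.approve"}),   # create a payee and pay it
    frozenset({"invoice.enter", "invoice.approve"}),   # enter and approve the same invoice
    frozenset({"journal.post", "journal.approve"}),    # post and approve the same journal
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by a user's roles (unknown roles grant nothing)."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def conflicts(perms, toxic_pairs=TOXIC_PAIRS):
    """Toxic pairs fully contained in a permission set, as sorted tuples for stable output."""
    return sorted(tuple(sorted(pair)) for pair in toxic_pairs if pair <= perms)


def can_assign(current_roles, new_role, role_permissions=ROLE_PERMISSIONS,
               toxic_pairs=TOXIC_PAIRS):
    """Proactive control: refuse a role grant that would create an SoD conflict."""
    perms = effective_permissions(set(current_roles) | {new_role}, role_permissions)
    return not conflicts(perms, toxic_pairs)


def audit(assignments, role_permissions=ROLE_PERMISSIONS, toxic_pairs=TOXIC_PAIRS):
    """Detective control: scan existing user -> roles assignments for conflicts.

    Returns {user: [conflicting permission pairs]} for users with at least one conflict.
    """
    findings = {}
    for user, roles in assignments.items():
        found = conflicts(effective_permissions(roles, role_permissions), toxic_pairs)
        if found:
            findings[user] = found
    return findings


if __name__ == "__main__":
    # Constructed assignments: alice accumulated both AP roles over time.
    assignments = {
        "alice": {"ap_clerk", "ap_approver"},
        "bob":   {"ap_clerk", "readonly"},
        "carol": {"gl_accountant"},
    }
    for user, found in audit(assignments).items():
        print(f"{user}: SoD conflict(s) {found}")
    print("grant gl_reviewer to carol?", can_assign(assignments["carol"], "gl_reviewer"))
    print("grant readonly to carol?", can_assign(assignments["carol"], "readonly"))
```

The policy is expressed over permissions rather than over role names, so a conflict is caught even when it arises from two roles that were individually harmless; that is the usual way role accumulation defeats an SoD rule written only in terms of roles. The detective scan is the "people-oriented control" the bullet describes being embodied in technology: it says nothing about who should hold what, only whether the current grants contradict the written policy.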

PERFORM Component Measurement

● Effective. Do we have the capability to PERFORM? Do we have the capability to proactively
address objectives? Do we detect the right things? Do we respond appropriately? Do our
actions & controls operate as designed?
● Efficient. How efficient is our use of capital to PERFORM? How efficient is our use of
financial capital? Physical capital? Human capital? Information capital?
● Agile. When things change, how quickly do we change direction in PERFORM?
● Resilient. Do we have appropriate depth and coverage to withstand stress? After stress,
are we more capable or less capable to PERFORM?


P1 Controls

Implement a mix of action & control types, categories, and techniques to serve the governance,
management, and assurance of opportunities, obstacles, and obligations.

Practices
1. Establish & Perform Proactive actions & controls – Encourage favorable events and
prevent unfavorable ones.

2. Establish & Perform Detective actions & controls – Determine progress toward objectives
and identify the actual or potential occurrence of favorable and unfavorable conduct,
conditions, and events.

3. Establish & Perform Responsive actions & controls – Recover from unfavorable conduct,
events, and conditions; correct identified weaknesses; execute necessary discipline;
recognize and reinforce favorable conduct and deter future undesired conduct or
conditions.


Considerations
● Proactive Actions & Controls prevent unfavorable events before they happen and promote
favorable events.
○ Prevent/Deter Actions & Controls decrease the likelihood of unfavorable events.
○ Promote/Enable Actions & Controls increase the likelihood of favorable events.
● Detective Actions & Controls detect the occurrence of favorable and unfavorable events.
● Responsive Actions & Controls compound/accelerate the benefits of favorable events and
correct/recover from the harm of unfavorable events.
○ Compound/Accelerate Actions & Controls accelerate and compound the impact of
favorable events to increase benefits and promote future occurrence.
○ Correct/Recover Actions & Controls slow down or decrease the impact of
unfavorable events, and return the organization to its original state, stable state, or
superior state after harm has occurred to minimize harm and prevent future
occurrences.
● Actions & controls may address more than one opportunity, obstacle, or obligation.
● Actions & controls should neither "under-control" nor "over-control."
● A depth of actions & controls across multiple organizational units and lines of
accountability (without unplanned or unnecessary overlap) helps ensure a single point of
failure does not exist for high-risk areas.
● Stress testing actions & controls will identify weaknesses, opportunities for manipulation
or circumvention, and areas for improvement.
● Correcting both the immediate adverse effect, as well as the root cause reduces the
likelihood of future adverse events and conditions.
● Documenting changes to established actions & controls and decisions on discipline
provides an audit trail that personnel can use to demonstrate consideration, resolution,
and consistency of action.

Tools & Techniques


● Integrated Action & Control Model, Internal controls, COSO Internal Control - Integrated
Framework


P2 Policies

Implement policies to address opportunities, obstacles, and obligations and set clear expectations
of conduct for the key internal stakeholders and the extended enterprise.

Practices
1. Develop Codes of Conduct – Work with stakeholders to develop codes of conduct that
address the mission, vision, values, and expected business conduct.

2. Establish Policy Framework – Establish a framework for identifying, creating, approving,
enforcing, and updating policies and related procedures.

3. Develop Policies and Procedures – Use a mix of preventative and directive policies, related
procedures, and standards to address opportunities, obstacles, and obligations.

4. Manage Policies – Implement, communicate, manage, enforce, and audit policies, related
procedures, and standards to ensure that they operate as intended and remain relevant.

5. Champion Policies – Demonstrate support for policies, procedures, and standards to
ensure stakeholders and personnel understand the organization’s commitment.

6. Establish Ethical Decision-Making Guidelines – Establish and champion decision-making
guidelines on choosing a course of action when the circumstances are not explicitly
covered by the code of conduct or other policies.


Considerations
● The Code of Conduct is not legally mandated for all organizations. However, it can serve as
an effective guidepost for organizations of all sizes and in all industries.
● Use a balance of prescriptive policies (what to do) and proscriptive policies (what NOT to
do).
● Leadership must demonstrate commitment to the policies and act as champions because
the workforce will pursue what it believes matters and not necessarily what is
published/stated.
● Using the policy development process helps to secure champions, commitment, and
buy-in; and can help to drive acceptance.
● Policies are most effective when adapted to the audience, local culture, language, norms,
legal requirements, and needs while staying true to the core decision-making criteria.
● Ethical decision guidelines help people decide what to do without an explicit policy or
procedure.
● The organization should identify the need for applying policies in the extended enterprise.
● Training on policies should be prioritized based on role and applicability to the role – to be
clear, not every policy requires formal training.

Tools & Techniques


● OCEG Policy Management Capability Model, Electronic Document Management software,
Enterprise Content Management (ECM) software.


P3 Communication

Implement communications to address opportunities, obstacles, and obligations by interacting
with the right audiences at the right time with the right information and intelligence.

Practices
1. Establish Communication Framework - Establish a framework to identify, create, approve,
deliver, enforce, and update communications, including how to select the appropriate
sender, recipient/audience, intention, message, cadence, and channel.

2. Develop Stakeholder Reporting - Establish formal communications, reports, and filings
required by mandatory obligations; and those voluntarily agreed to in contracts and
promises made to other stakeholders.

3. Develop Internal Reporting – Establish formal communications, reports, and dashboards
that enable the board, senior management, and other personnel to govern and manage the
organization.

4. Develop Informal Communications – Establish informal communications that enable the
workforce, and allow personnel to share information.

5. Develop Communications Channels – Develop a range of channels for external, internal,
and informal communications, including a way to solicit feedback from
recipients/audiences.


Considerations
● Not all communication occurs through formal methods, and informal communications may
have more impact.
● Maintaining a complete and accurate record of how communication was managed provides
evidence for use in assurance and mandatory compliance efforts.
● Ensure that every communication encourages feedback.
● Multiple “layers” of communication that summarize subordinate unit information (e.g.,
reports that summarize other reports) may compress, suppress, or distort signals from
subordinate units, so that information does not flow to superior units.
● Information overload may occur if communication is delivered too rapidly or voluminously.

Tools & Techniques


● Communication Strategy Framework, Stakeholder Analysis, Feedback Surveys


P4 Education

Implement education and support for the workforce and extended enterprise to develop
job-specific awareness and skills that address opportunities, obstacles, and obligations.

Practices
1. Define an Education Plan – Develop a job-specific plan to inform, educate, and support the
workforce and extended enterprise by linking learning outcomes, learning objectives, and
learning activities to close the gap between the current level and desired level of skill and
knowledge based on the desired level of performance, risk, and compliance.

2. Develop or Acquire Content – Develop, acquire, and tailor content to address learning
objectives and the appropriate skill level.

3. Provide Education – Implement and manage the education program to ensure that the
target audience achieves learning objectives and can use knowledge and skills in their jobs.

4. Provide Integrated Performance Support – Implement and manage ways for the workforce
to get integrated performance support within their work environment so that education
and assistance are available at the point of need.

5. Provide Helpline – Implement and manage ways for the workforce and other stakeholders
to seek guidance about future conduct and ask general questions, including the option for
anonymity in locations where that is required or allowed.

6. Measure Learning Outcomes - Establish periodic and ongoing measures to ensure that
learning outcomes and learning objectives are achieved.


Considerations
● Education includes activities that aim to transfer/increase knowledge (what someone
knows) and skill (what someone can do). Educational Models may also be used to
implement educational plans. Learning activities between instructors and students are
based on structured learning content that aims at achieving learning objectives and
learning outcomes; mainly to fill the skill gap between the current skill level and the target
skill level.
● Implementing integrated support or a helpline post-education is highly advised, as it allows
learners to seek professional advice and receive it in a timely manner and ultimately
increases the level of performance.
● Education and support should address all levels of the organization.
● Awareness, education, and ongoing support enable individuals to:
○ Know what is expected,
○ Reduce the likelihood of misconduct, mistakes, and miscalculations,
○ Increase the likelihood of favorable conduct,
○ Be comfortable about asking for help, and
○ Be comfortable reporting unusual activities.
● Education and support should match the significance of the underlying objective.
● Education and support are most effective in the context of actually performing the job at
hand, and at the point of need.
● Learning assessments provide evidence that knowledge is transferred.
● Tracking attendance and assessments provide evidence of “best efforts.”
● Tracking usage and access provide evidence of need and identify potential trends.

Tools & Techniques


● ADDIE (Analysis, Design, Development, Implementation), Bloom’s Taxonomies (Cognitive,
Affective, and Psychomotor), Anderson and Krathwohl Taxonomy Update (2002 update of
Bloom), Kirkpatrick Model of Training Evaluation, Learning Management Systems,
Microlearning platforms.


P5 Incentives

Implement incentives to address opportunities, obstacles, and obligations by encouraging the
right proactive, detective, and responsive conduct in the workforce and extended enterprise.

Practices
1. Define Desired Conduct – Determine the types of desired conduct, including definitions,
classifications, and procedures necessary to identify those who exhibit the right proactive,
detective, and responsive conduct.

2. Hire and Promote Based on Conduct Expectations – Articulate desired conduct when
defining jobs, career paths, and performance review criteria of employees and business
partners, using the same criteria for promoting individuals.

3. Implement Economic Incentives – Establish compensation, reward, and recognition
programs for the workforce and extended enterprise.

4. Implement Non-Economic Incentives - Establish appreciation, status, professional
development, career opportunities, and other non-economic incentive programs for the
workforce and extended enterprise.


Considerations
● Incentives include financial and non-financial things that encourage favorable conduct.
○ Economic (monetary compensation, bonuses, profit-sharing, gain-sharing)
○ Appreciation (gratitude, acknowledgment)
○ Status (esteemed roles, promotion, visible achievement)
○ Professional Development (access to training, tuition reimbursement)
○ Career Opportunities (access to career path opportunities)
● Use a full range of incentives throughout the personnel lifecycle: hiring, compensation,
and promotion.
● Incentives should balance prescriptive norms and proscriptive norms.
● Ensure that incentives are not “perverse incentives” that encourage adverse conduct.
● Inconsistent incentives can lead to perceptions of favoritism and mistrust.
● Economic incentives attached to “moral sentiments” can backfire because they remove the
“goodwill” benefit for the individual.
● Hiring criteria can be a powerful incentive to attract the right candidates and repel the
wrong candidates.
● Different people prefer different financial and non-financial incentives.
● Recognition should occur as close as possible to the favored conduct in both timescale and
location.

Tools & Techniques


● Behavioral economics, Behavioral psychology, Society of HR Management (SHRM)
Incentive Compensation Guidelines, Total Rewards Framework (TRF)


P6 Notification

Implement multiple pathways for people and systems to report progress toward objectives and
the actual or potential occurrence of unfavorable and favorable conduct, conditions, and events.

Practices
1. Capture Favorable Events - Implement pathways to capture and alert the organization
about favorable performance, risk, and compliance successes, especially emerging
opportunities, high performance, and events that exemplify the organizational mission,
vision, and values.

2. Capture Unfavorable Events - Implement pathways to capture and alert the organization
about unfavorable performance, risk, and compliance incidents, especially emerging
threats, low performance, suspicions of noncompliance, violations of company policies,
and concerns about unethical conduct.

3. Filter and Route Notifications – Prioritize, substantiate, validate, and route notifications to
be handled by the right organizational units based on topic, type, and severity.

4. Protect Notification Information – Protect information associated with notifications and
ensure pathways comply with mandatory requirements in the locale where the notification
originates and the organization operates.


Considerations
● Notifications can be conceptualized as a “pushing” mechanism for both people and
systems to push information to appropriate individuals for analysis and follow-up.
● For both unfavorable and favorable events:
○ Technology-based notifications alert the organization sooner than other methods,
especially when human methods fail or are delayed.
○ Train management on how to handle and record informal notifications to reduce
uncertainty and inconsistency in management response.
○ Establish pathways that are easy to use, and conform to the culture.
● For unfavorable events:
○ Design pathways such as hotlines so stakeholders can trust, without fear of reprisal,
that concerns are taken seriously and are promptly and objectively addressed.
○ Encourage stakeholders to raise issues directly with the organization, rather than
using external pathways, to afford more flexibility in corrective action.
○ Afford anonymity where legally permitted or required.
● Both formal and informal mechanisms are helpful to ensure a “big funnel” is available to
capture notifications.

Tools & Techniques


● People
○ Whistleblower Hotlines / Helplines
○ Open Door Policy
○ Case Management Systems / Incident Management Systems
○ Communication and collaboration tools
○ Social Listening Tools
● Systems
○ Continuous Control Monitoring
○ Log Management (automated alerts)
○ Application Performance Monitoring (automated alerts)
○ Management Dashboards and Business Intelligence (automated alerts)


P7 Inquiry

Implement multiple pathways to discover information from people and systems about progress
toward objectives and the actual or potential occurrence of unfavorable and favorable conduct,
conditions, and events.

Practices
1. Discover Favorable Events - Implement pathways to discover information and alert the
organization about favorable performance, risk, and compliance successes, especially
emerging opportunities, high performance, and events that exemplify the organizational
mission, vision, and values.

2. Discover Unfavorable Events - Implement pathways to discover information and alert the
organization about unfavorable performance, risk, and compliance incidents, especially
emerging threats, low performance, suspicions of noncompliance, violations of company
policies, and concerns about unethical conduct.

3. Establish an Approach to Surveys and Information Requests – Establish an
organization-wide approach to surveys, self-assessments, and other information requests
that reduces the burden on survey subjects and improves information quality.

4. Gather Information Through Observations and Conversations – Establish informal
pathways through observations, meetings, focus groups, and individual conversations.

5. Analyze Information and Findings – Analyze information and findings from all pathways to
identify, prioritize, and route findings to management and stakeholders.

6. Protect Inquiry Information – Protect information associated with inquiry and ensure
pathways comply with mandatory requirements in the locale where the inquiry originates
and the organization operates.


Considerations
● Inquiry can be conceptualized as a “pulling” mechanism where individuals pull information
from people and systems for follow-up and action.
● For both unfavorable and favorable events:
○ Technology-based inquiry often provides information sooner than other methods,
especially when human inquiry fails or is delayed.
● For unfavorable events:
○ Design specific inquiry routines and cycles to detect unfavorable events as soon as
possible.
● Systems that support day-to-day management often provide information that can be used
to discover favorable and unfavorable events.
● Considering feedback from stakeholder groups, and taking appropriate actions, makes
stakeholders feel their views are valued and encourages future feedback.
● Avoiding any actual or perceived connection between inquiry responses and individual
performance appraisals is critical to maintaining the integrity of the process.
● Coordinating survey efforts throughout the organization helps to avoid survey and
self-assessment fatigue.
● Consolidating, comparing, and reconciling information obtained from various pathways and
stakeholders is essential to developing a total view.

Tools & Techniques


● People
○ Employee Surveys & Focus Groups
○ Ethnography (“Management by Walking Around”)
○ Exit Interviews
● Systems
○ Continuous Control Monitoring
○ Log Management (periodic audits)
○ Application Performance Monitoring (periodic audits)
○ Management Dashboards and Business Intelligence (periodic audits)
○ Data Mining and Analytics


P8 Response

Implement responses that uncover and address root causes to compound and accelerate
favorable events and benefits – and to correct and recover from unfavorable events and harm.

Practices
1. Correct and Recover - Perform actions & controls to slow down, stop and recover from the
impact of threats after they occur to minimize harm and prevent future occurrence.

2. Recognize, Compound & Accelerate - Deliver incentives and perform actions & controls
that accelerate and compound the impact of favorable events after they occur to maximize
benefit and promote future occurrence.

3. Implement Investigations – Develop and execute internal investigation processes to
address allegations or indications of unfavorable events, and maintain a process for
responding to external inquiries and investigations.

4. Implement Crisis Responses – Develop and execute plans to respond to various crises,
correct unfavorable events, and recover from harm.

5. Conduct After Action Reviews - Uncover root causes of favorable and unfavorable events
and improve proactive, detective, and responsive actions & controls.

6. Discipline and Retrain – Apply consistent discipline to individuals at fault and provide
necessary retraining.

7. Determine Disclosures – Determine if, when, how, and what to disclose, especially those
events that require external disclosures to stakeholders.

8. Improve Actions & Controls – Ensure that root causes and any weaknesses in proactive,
detective, and responsive actions & controls are addressed.


Considerations
● Quickly responding to favorable events may compound or accelerate benefits.
● It is important to quickly respond to favorable conduct by personnel so that they
associate rewards with the favorable conduct.
● Establishing a tiered approach for responding to unfavorable events based on different
levels of the potential impact on the organization helps to:
○ Capture and validate incidents,
○ Escalate incidents for investigation, and identify them as in-house or external,
○ Ensure confidentiality of the information and determine privilege,
○ Define internal management that is responsible for oversight of the investigation or
resolution of the issue,
○ Ensure protection of anonymity and non-retaliation for reporters,
○ Preserve records and other evidence, and
○ Ensure timely and consistent reporting to applicable stakeholders.
● Ensuring that each issue/incident is resolved is essential to maintain employee and other
stakeholder confidence in the system's effectiveness.
● Responses should address the immediate issue and the underlying root causes identified,
including changes to actions & controls if necessary.
● Disciplinary measures that are applied consistently and objectively serve as deterrents.
● Providing timely disclosures about the resolution of issues to relevant stakeholders meets
requirements and provides confidence in the process.
● Making changes to actions & controls, processes, or resources that contributed to or
allowed the incident or issue to occur reduces the likelihood of future noncompliance or
misconduct.

Tools & Techniques


● After Action Reviews (AAR), Internal Investigations Process (OCEG Illustrations), Crisis
Management & Business Continuity Planning


R – REVIEW

Continuously improve total performance by monitoring actions & controls – and providing
assurance about priority objectives, opportunities, obstacles, and obligations.

Principled Performance® requires that organizations monitor actions & controls, provide
assurance about priority areas, and continuously improve total performance to be effective,
efficient, responsive, and resilient in all areas.

Monitoring helps management and the governing authority understand progress toward
objectives and whether opportunities, obstacles, and obligations are addressed. Assurance
activities objectively and competently evaluate the organization to provide justified conclusions
and confidence about total performance.

Both monitoring and assurance activities identify opportunities to improve total performance so
that the capability and organization are more effective, efficient, responsive, and resilient.

REVIEW Component - Elements

Figure - REVIEW Component Overview Diagram


REVIEW Component Considerations


● Monitoring activities help personnel generally manage the total performance of the
organization.
● Assurance activities should be considered when information users want or need more
confidence and justified belief about subject matter provided by information producers.
● Design effectiveness and operating effectiveness of compliance actions & controls is a
critical minimum requirement of every organization.
● Total Performance should be the goal of every element and process area because it helps
to achieve Principled Performance.
● Improvement may result from Monitoring or Assurance activities and other elements and
activities in the capability.
● Applying a consistent process to consider, plan, and implement improvement helps
prioritize and execute across the organization.

REVIEW Component Measurement


● Effective. Do we have the capability to REVIEW? Do we have the capability to monitor the
capability? Do we have the capability to provide assurance? Do we learn from prior mistakes
and improve?
● Efficient. How efficient is our use of capital to REVIEW? How efficient is our use of financial
capital? Physical capital? Human capital? Information capital?
● Agile. When things change, how quickly do we change direction in REVIEW?
● Resilient. After stress, are we more capable or less capable to REVIEW?


R1 Monitoring

Implement ongoing and periodic activities to gauge the effectiveness, efficiency,
responsiveness, and resilience of actions & controls.

Practices
1. Plan Monitoring Approach – Establish a strategy for ongoing and periodic monitoring of
the effectiveness, efficiency, responsiveness, and resilience of actions & controls.

2. Identify Monitoring Information – Identify information to support monitoring activities.

3. Perform Monitoring Activities – Perform monitoring activities.

4. Analyze and Report Monitoring Results – Analyze the results of monitoring activities to
identify weaknesses and opportunities for improvements.


Considerations
● Monitoring activities help personnel generally manage the total performance of the
organization.
● Total Performance includes these aspects:
○ Effective (“Sound”). Is the design of the element or process logical? Does it follow
best practices? Is it operating as designed?
○ Efficient (“Lean”). What does it cost to operate the element or process? Is the cost
worth the benefit? How does this cost compare to organizations of similar size?
○ Responsive (“Agile”). How long does it take to perform the element or process?
When an error is found, how long does it take to be detected and corrected?
○ Resilient (“Antifragile”). What will we do if the element or process fails? What kind of
slack do we have in timelines in case of unplanned distractions? What kind of
backup staff do we have in case someone gets sick? Do we come back stronger?
● Monitoring requires indicators such as KPIs, KRIs, and KCIs to be established.
● When indicators hit or miss targets (based on the associated appetite, tolerance, and
capacity), management should take appropriate action.
● Monitoring may generate information for assurance or governance activities.
● Periodically evaluating the Total Performance capability ensures that the capability
remains relevant in light of changing circumstances – especially changes in the internal
and external context.

Tools & Techniques


● Management By Objectives (MBO), Balanced Scorecard, Objectives and Key Results (OKR),
Business Intelligence and Analytics Frameworks, Management Reporting


R2 Assurance

Objectively and competently evaluate priority areas to enhance the confidence of management,
the governing authority, and other stakeholders about levels of performance, risk, and compliance.

Practices
1. Formulate Assurance Approach – Formulate a strategy for selecting, assessing,
monitoring, and improving the overall approach to providing periodic and ongoing
assurance over performance, risk, and compliance.

2. Select Assurance Assessment Areas – Select assessment areas based on priority
objectives and the related likelihood and impact of meaningful misunderstanding between
associated information producers and information users.

3. Conduct Assurance Assessments – Define the desired level of assurance and then plan,
perform, report, and follow up on individual assessments.

4. Monitor Assurance Assessments – Monitor progress, completion, and follow-up for
individual assessments and the portfolio of assessments.

5. Improve Assurance Approach – Improve the overall assurance strategy and execution.


Considerations
● Assurance increases confidence that statements made by information producers are
justified and true so that information consumers can trust what is stated.
● The governing authority is often obligated to seek assurance about the effectiveness of
the capability, especially those aspects mandated by law.
● Assurance helps the governing authority to have confidence that delegated activities are
performed and that the organization is constrained and conscribed as intended.
● Personnel may request assurance about the total performance of the capability, an
element, a topic, a discipline, or some crisis area so that it can be better managed.
● The level of assurance required will vary depending on the priority of objectives,
opportunities, obstacles, and obligations. Not everything requires a high level of
assurance.
● The level of assurance possible depends on the Assurance Objectivity and the Assurance
Competence of the Assurance Provider.
● The highest level of assurance is possible when sufficiently objective and competent
personnel conduct assurance activities.
● Independence is a means to objectivity (not vice versa).
● Assurance may be provided by any organizational unit and, thus, teams may “check their
own work” with self-assessment to provide lower levels of assurance.

Tools & Techniques


● GRC Assessment Tools (Burgundy Book), OCEG GRC Assurance (GRCA) certification,
Internal audit standards, External audit standards, Quality audit standards


R3 Improvement

Review information from monitoring and assurance to identify
opportunities for improvement.

Practices
1. Plan Improvement Approach – Develop a strategy and prioritized plan for implementing
improvements to the capability.

2. Conduct Improvement Initiatives – Implement improvement initiatives.

3. Monitor Improvements – Monitor improvement initiative progress, completion, and
follow-up.


Considerations
● Continual improvement is the hallmark of a mature and high-performing capability and
organization.
● Budgeting for regular improvement activities enables continual capability maturation and
efficiency.
● Incorporating feedback loops and post-assessment activities (lessons learned, root-cause
analysis, after action reviews, etc.) into organizational processes helps identify and
address needed improvement areas.
● Incorporating change management activities in all improvement plans helps make people
aware of and accept changes.

Tools & Techniques


● Continuous Process Improvement, Total Quality Management (TQM), Six Sigma, Lean,
Benchmarking


Part III - GRC Glossary


This GRC Glossary is organized “alphabetically” to offer an accessible list representing the total
picture of GRC and the GRC Capability Model.

Absolute Assurance
A level of assurance that is impossible to achieve.

➔ See Also: Level of Assurance, Assurance

ACCEPT Design Option


A design option to embrace, or concede to the situation with minor modifications and awareness
about the nature and level of risk/reward and compliance associated with the opportunity,
obstacle, or obligation.

➔ See Also: Design Options

Actions & Controls


Specific arrangements of people, processes, technology, or information intended to modify risk,
reward, or compliance.

➔ See Also: Proactive, Detective, and Responsive Actions & Controls.

Agile (see Responsive)

Ambiguous
Unclear and open to more than one interpretation; not having one obvious meaning.

➔ See Also: VUCA, Volatile, Uncertain, Complex

Analysis Criteria
The criteria used to analyze, quantify and select ways to address risk, reward, and compliance.

➔ See Also: Decision-Making Criteria

Antifragile (see Resilient)

Appetite
A range that defines a preferred level of variation around a target.


➔ See Also: Target, Tolerance, Capacity

Assurance (as a GRC Concept)


The act of objectively and competently evaluating subject matter to provide conclusions and
confidence that statements and beliefs about the subject matter are justified and true.

➔ See Also: Evaluate, Subject Matter, Suitable Criteria


➔ See Also: Governance (as a GRC Concept), Management (as a GRC Concept).
➔ See Also: Assurance Competence, Assurance Objectivity, Level of Assurance

Assurance Actions & Controls


Additional actions & controls beyond management and governance actions & controls that assist
assurance personnel to provide assurance services.

➔ NOTE: Additional assurance controls are added when management and governance actions
& controls do not provide sufficient information to assurance providers.
➔ See Also: Management Actions & Controls, Governance Actions & Controls

Assurance Provider
Someone who conducts assurance activities.

➔ See Also: Objectivity, Competence, Independence


➔ See R2 Assurance

Audience
The person or group that is intended to receive a message.

➔ See Also: Message, Communicator, Intention


➔ See P3 Communication
➔ See Communication Strategy Framework

AVOID Design Option


A design option to cease all activity or terminate sources that give rise to the opportunity,
obstacle, or obligation.

➔ See Also: Design Options

Behaviors
Observable actions of a person or group of people, informed by beliefs and values.


➔ See Also: Voluntary, Habitual, and Involuntary Behaviors

Beliefs
Unobservable ideas and assumptions of a person or group, often caused by experience,
perception, and personality.

➔ See Also: Values, Mission, Vision, Purpose

Benefit
A measure of the positive impact on the organization.

➔ See Also: Impact, Opportunity, Harm, Consequence

Best Possible Value


A value that is likely to be achieved under the best possible assumptions and best possible
execution.

➔ See Targets, Appetite, Tolerance, and Capacity


➔ See Also: Indicator

Boundary (see Obligation)


➔ See Also: Mandatory Boundary and Voluntary Boundary

Business Model
A business model is a framework that outlines how a company creates, delivers, and captures
value for its stakeholders. It defines the fundamental aspects of a company's operations, such as
its target customers, value proposition, revenue streams, cost structure, and key resources and
activities.

➔ NOTE: See Business Model Canvas

Business Unit
A business unit is subordinate to the enterprise and often responsible for specific products,
customers, or geography.

➔ NOTE: Business unit may be used even when the organization is not a “business” (e.g.,
government agency, a nonprofit organization)
➔ See Also: Subordinate Level, Superior Level, Organization in Scope


Capacity
A range that defines the absolute level of variation around a target that the organization is
unwilling and unable to address, and that may result in jeopardy or ruin.

➔ See Also: Target, Appetite, Tolerance

Cause (also Source)


The trigger or potential trigger of events that lead to a consequence including agents or forces
that are responsible for bringing something into existence or changing it.

➔ See Also: Force, Event, Consequence

Channel
The medium used to get the message from the communicator to the audience.

➔ See Also: Message, Communicator, Audience


➔ See P3 Communication
➔ See Communication Strategy Framework

Climate
The collective perception about self, surroundings, and others – including perceptions about
culture, some aspect of culture, or some topical area.

➔ See Also: Mindsets

Code of Conduct (also Code of Ethics)


The Code of Conduct sets out the principles, values, standards, or rules of behavior that guide the
organization's decisions, procedures, and systems. The Code of Conduct is, in effect, a set of the
most important core policies.

➔ See Also: Values, Behaviors, Beliefs


➔ See P2 Policies

Committed Value
A value that is likely to be achieved given current assumptions and planned execution. When used,
this is synonymous with Target.

➔ See Targets, Appetite, Tolerance, and Capacity


➔ See Also: Indicator


Communicator (also Sender)


The person or group that sends or signals a message.

➔ See Also: Message, Channel, Audience


➔ See P3 Communication
➔ See Communication Strategy Framework

Competence
The degree to which an Assurance Provider can use sophisticated, professional, and structured
techniques to evaluate subject matter.

➔ NOTE: Being “competent” in assurance means to be capable (cognitively/physically) of
using sophisticated, professional, and structured techniques to evaluate subject matter.
➔ See Also: Assurance Provider, Objectivity, and Independence

Complex
Involving factors related to multiple, and sometimes interconnected, systems.

➔ See Also: VUCA, Volatile, Uncertain, Ambiguous

Compliance
A measure of the degree to which obligations are proven to be addressed.

➔ See Also: Obligations, Indicators, Key Compliance Indicators (KCIs)

Compliance Management
The act of managing processes and resources to achieve the desired level of compliance.

➔ See Also: Compliance, Performance Management, Risk Management

Compound/Accelerate Actions & Controls


Actions & controls that compound, accelerate, and increase the impact of favorable events to
maximize benefit and promote future occurrence.

➔ See Also: Action & Control Types, Responsive Actions & Controls

Condition
A state of reality.

➔ See Also: Event, Cause, Consequence


Consequence
The outcome or potential outcome of an event.

➔ See Also: Event, Cause, Effect, Likelihood, Impact

CONTROL Design Option


A design option to implement actions and controls that govern and manage the opportunity,
obstacle, or obligation according to its nature.

➔ See Also: Design Options


➔ NOTE: Control is sometimes used to mean action & control

Convergent Thinking
Focused on high-likelihood possibilities, most favorable/unfavorable conditions and events,
current and most relevant circumstances, and most rewarding/riskiest outcomes.

➔ See Also: Divergent


➔ See Divergent & Convergent Thinking

Correct/Recover Actions & Controls


Actions & controls that slow down or decrease the impact of unfavorable events, and return the
organization to its original state, stable state, or a superior state after harm has occurred, to
minimize harm and prevent future occurrences.

➔ See Also: Recovery Actions & Controls, Responsive Actions & Controls, Action & Control
Types, Actions & Controls

Critical Disciplines
The background disciplines that comprise the interdisciplinary approach to GRC, including:
Governance & Oversight, Strategy & Performance, Risk & Decision Support, Compliance & Ethics,
Security & Continuity, and Audit & Assurance.

➔ See Also: Protector Skillset™

Culture
An emergent property of a group of people caused by the interaction of individual beliefs, values,
mindsets, and behaviors and demonstrated by observable norms and articulated opinions that
shape beliefs, values, mindsets, and behaviors in wide-ranging and durable ways.


➔ See Also: Beliefs, Values, Mindsets, Behaviors, and Norms

Current Residual Risk


The level of residual risk under currently operating actions & controls.

➔ See Also: Planned Residual Risk

Current Skill Level


Existing level of skill a person, or “typical” person in a group, possesses.

➔ See Also: Target Skill Level and Skill Gap


➔ See P4 Education

Customer
An individual or entity that purchases products or services.

➔ See Also: Stakeholder, Organization in Scope


➔ NOTE: For departments or teams, the customer may include a superior, subordinate, or peer
organizational unit. For governmental entities, the customer is a constituent or regulated
entity.

Damage (see Harm)

Decision-Making Criteria
The principles, values, rules, variables, conditions, targets, tolerances, and other thresholds used
to select an option or make a decision.

➔ See Also: Direction-Setting Criteria, Objective-Setting Criteria, Identification Criteria,
Analysis Criteria, Design Criteria

Department
A department is subordinate to the enterprise and often cuts across multiple business units
providing shared services such as human resources, information technology (IT), compliance, risk
management, and other services.

➔ See Also: Subordinate Level, Superior Level, Organization in Scope

Descriptive Norms
Observation of what others do, providing information about what is “normal” in a particular culture.


➔ See Also: Norms, Injunctive Norms

Design Criteria
The criteria used to select actions & controls that address risk, reward, and compliance.

➔ See Also: Decision-Making Criteria

Design Effectiveness
Evidence of logically designed actions & controls relative to objectives, opportunities, obstacles,
and obligations. This is established by evaluating the design of the actions & controls against
suitable criteria.

➔ See Also: Operating Effectiveness, Suitable Criteria

Design Options
Broad design decisions to address an opportunity, obstacle, or obligation.

➔ See Also: AVOID, ACCEPT, SHARE, CONTROL

Detective Actions & Controls


Actions & controls that detect the occurrence of favorable and unfavorable events.

➔ NOTE: Unfavorable events include incidents of non-compliance.


➔ See Also: Proactive Actions & Controls, Responsive Actions & Controls

Deterrent (see Preventative)

Direction-Setting Criteria
The criteria used to set the direction for the organization and its objectives based on
external/internal context, culture, and stakeholder needs.

➔ See Also: Decision-Making Criteria

Divergent Thinking
Considering all possibilities, conditions and events, circumstances, and outcomes.

➔ See Also: Convergent


➔ See Divergent & Convergent Thinking

Duration
A measure that estimates how long an event or impact might last.


➔ See Also: Event, Impact, Likelihood, Frequency

Education Activity (see Learning Activity)

Effect
A measure that estimates the likelihood and impact of an event.

➔ See Also: Likelihood, Impact, Event

Effective (also Sound)


An aspect of Total Performance which demonstrates evidence of logically designed actions &
controls that address appropriate objectives, opportunities, obstacles, and obligations; and
evidence that these actions & controls are operating as designed.

➔ See Also: Design Effectiveness, Operating Effectiveness

Efficient (also Lean)


An aspect of Total Performance which demonstrates evidence that the organization productively
uses financial, human, and other capital resources without wasted effort or expense.

➔ See Also: Effective, Responsive, Resilient, Total Performance

Enterprise
The most superior unit that encompasses the entirety of the organization.

➔ NOTE: Enterprise may be used even when the organization is a government agency, a
nonprofit organization, or a small organization.
➔ See Also: Subordinate Level, Superior Level, Organization in Scope

Evaluate
The act of judging subject matter by comparing evidence against suitable criteria.

➔ See Also: Assurance, Subject Matter, Suitable Criteria

Event
Something that happens, including a change in condition or behavior.

➔ See Also: Force, Cause, Consequence, Condition


Executives
(also Executive Team or Executive Management)
Senior-most managers with broad responsibilities over the entire organization or some significant
part of the organization (e.g., all technology, all sales and marketing, all administration, all
finance).

➔ NOTE: Executives often have words such as “chief” in their titles, such as “chief executive
officer” or “chief operating officer.”
➔ See Also: Managers, Staff, Workforce

Executive Team (see Executives)

Executive Management (see Executives)

External Context (see External Factors)

External Factors (also External Context)


Categories of sources and forces that originate outside of the organization.

➔ See Also: Internal Factors


➔ Industry factors include new entrants, competitors, suppliers, customers, substitutes, and
industry norms.
➔ Market factors include customer trends, demographics, and economic conditions.
➔ Economic factors include growth, exchange, inflation, and interest rates.
➔ Technology factors include technological aspects like R&D activity, automation, storage,
computation, technology incentives, innovations in materials, mechanical efficiency, and
the rate of technological change.
➔ Societal factors include cultural aspects, attitudes, customs, and norms.
➔ Legal and regulatory factors include laws, rules, regulations, litigation, and judicial or
administrative opinions.
➔ Political factors relate to how the government intervenes in the economy, including laws,
rules, regulations, tax policy, and political stability.
➔ Environmental factors include ecological and environmental aspects such as climate and
natural resources.
➔ Demographic factors include gender, age, ethnicity, knowledge of languages, disabilities,
mobility, home ownership, employment status, religious belief or practice, culture and
tradition, living standards, and income level.


➔ Geopolitical forces include sanctions, export controls, and potential military conflicts.

External Stakeholders
Stakeholders with an external influence on the organization; Customers (the most important
stakeholder), Shareholders (who are not involved in the organization), Creditors and Lenders,
Suppliers, Underwriters, Government, Non-governmental organizations, Media, and Society.

➔ See Also: Internal Stakeholders, Stakeholders

Factor
A category of forces in the internal or external context.

➔ See Also: Internal Factors and External Factors


➔ See Also: Force

Feedback
The reaction from the audience to a message.

➔ See Also: Audience, Message, Communicator, Channel, Intention


➔ See P3 Communication, Communication Strategy Framework

Fifth Line (of the Lines of Accountability)


The Governing Authority (Board) is ultimately accountable and responsible for the governance,
management, and assurance of performance, risk, and compliance. While the governing authority
may choose to delegate, this plenary accountability means that the governing authority must use
due care to ensure that the right information systems are in place to learn about and address
important performance, risk, and compliance issues – especially those that present “red flags.”

➔ See Also: Lines of Accountability

Financial Actions & Controls


Insurance, captives, hedging, reserves, or other financial instruments.

➔ See Also: People Actions & Controls, Technology Actions & Controls, Information Actions &
Controls

Financial Capital
Liquidity, budgets, and other economic resources.


➔ See Also: Resources, Human Capital, Technology Capital, Physical Capital, Information
Capital

First Line (of the Lines of Accountability™ Model)


Individuals and teams that own and manage performance, risk, and compliance associated with
day-to-day operational activities.

➔ See Also: Lines of Accountability™

Folkways
Informal norms that govern everyday behaviors and social etiquette that are not strictly enforced,
but where violations may lead to mild disapproval or social awkwardness (e.g., table manners,
punctuality, and appropriate dressing).

➔ See Also: Norms

Force
A cause that is an emergent property of volatility, uncertainty, complexity, or ambiguity in the
internal or external context.

➔ See Also: Cause, VUCA


➔ See Also: Internal Context, External Context

Fourth Line (of the Lines of Accountability™ Model)


The Executive team is accountable and responsible for the organization-wide performance, risk,
and compliance. The Fourth Line gains information from the First Line and the Second Line and
assurance from the Third Line to make decisions about managing performance, risk, and
compliance.

➔ See Also: Lines of Accountability™

Frequency
A measure that estimates how often the same event might occur.

➔ See Also: Event, Velocity, Likelihood, Duration, Impact

Governance (as a GRC Concept)


The act of indirectly guiding, controlling, and evaluating an entity by constraining and conscribing
resources.


➔ Govern. To govern; governing


➔ See Also: Management (as a GRC Concept), Assurance (as a GRC Concept)

Governance Actions & Controls


Actions & controls that go beyond management controls to assist the governing authority in
constraining and conscribing the organization.

➔ NOTE: Additional governance actions & controls are added when management actions &
controls do not provide enough information or guidance to constrain and conscribe the
organization.
➔ See Also: Management Actions & Controls, Assurance Actions & Controls

Governing Authority (also Board)


The most superior level of accountability and authority.

➔ NOTE: The governing authority is often responsible for balancing the competing needs of
stakeholders so that it can guide, constrain, and conscribe the organization to reliably
achieve objectives, address uncertainty, and act with integrity to meet these needs.
➔ NOTE: The governing authority is often a board of directors if the organization in scope is an
enterprise. (The governing authority may be an oversight committee if the organization in
scope is a business unit or department.)
➔ See Also: Workforce, Third Party

GRC
An initialism that stands for Governance, Risk, and Compliance, and is an interdisciplinary
approach of integrated capabilities, interconnected relationships, and interlinked shared values,
which enable Principled Performance.

➔ GRC is the pathway to Principled Performance.


➔ GRC is a collection of integrated capabilities to enable Principled Performance.
➔ GRC is a collection of integrated capabilities that enable an organization to reliably achieve
objectives, address uncertainty, and act with integrity.
➔ GRC is an interdisciplinary approach of integrated capabilities, interconnected
relationships, and interlinked shared values, which enable Principled Performance.
➔ See Also: Principled Performance®, Protector Skillset™, Protector Mindset™

Habitual Behaviors
Semi-automatic human actions informed by beliefs and values and governed by free will and
discipline.

➔ See Also: Voluntary and Involuntary Behaviors

Harm (also Damage)


A measure of the negative impact on the organization.

➔ See Also: Event, Likelihood, Impact, Effect

Hazard
A cause that has the potential to eventually result in harm.

➔ See Also: Cause, Harm, Effect, Risk

Helpline
A live or on-demand channel for individuals to ask questions before or while they are engaged in a
task.

➔ See Also: Channel, Learning Activities, Student, Integrated Performance Support


➔ See P4 Education

Human Capital
The collective knowledge, skills, abilities, and experiences of an organization's workforce, along
with the relationships, attitudes, and values that enable them to work together to achieve the
organization's objectives.

➔ See Also: Resources, Financial Capital, Technology Capital, Physical Capital, Information
Capital

Identification Criteria
The criteria used to identify opportunities, obstacles, and obligations that stand in front of the
organization and its objectives.

➔ See Also: Decision-Making Criteria

Impact
A measure that estimates the consequence of an event.

➔ See Also: Consequence, Event, Effect, Likelihood


Incentives
Incentives include financial and non-financial things that encourage favorable conduct.

● Economic (monetary compensation, bonuses, profit-sharing, gain-sharing)


● Appreciation (gratitude, acknowledgment)
● Status (esteemed roles, promotion, visible achievement)
● Professional Development (access to training, tuition reimbursement)
● Career Opportunities (access to career path opportunities)
➔ See Also: Promote/Enable Actions & Controls, Compound/Accelerate Actions & Controls
➔ See P5 Incentives

Independence
The state of being free from structural or functional conditions that threaten the ability of the
assurance provider to perform assurance activities with objectivity and without any undue
influence. It includes the independence of the assurance provider from those who own, manage,
operate, or support the activity being assured.

➔ NOTE: To achieve the degree of independence necessary to deliver the desired Level of
Assurance, the Assurance Provider should have direct and unrestricted access to
Information Consumers.
➔ See Also: Objectivity and Competence

Indicator
A measure of progress toward or status of an objective.

➔ See Targets, Appetite, Tolerance, and Capacity
➔ See Also: Leading Indicators, Lagging Indicators, Committed Value, Best Possible Value, and
Stretch Value

Information Actions & Controls


Communications up, down, and across the organization.

➔ See Also: Technology Actions & Controls, Financial Actions & Controls, People Actions &
Controls
➔ See P3 Communication

Information Capital
Data, communications, and intelligence.


➔ See Also: Resources, Human Capital, Technology Capital, Physical Capital, Financial Capital

Information Consumer (also Information User)


An individual, group, or any entity that receives information sent from any source within the
organization. Information is used as evidence to evaluate and compare against given criteria to
provide a certain level of assurance.

➔ See Also: Suitable Criteria, Assurance, Level of Assurance

Information Producer
An individual, group, or any entity that produces data/information to send to another individual,
group, or entity that requests such information for the purpose of providing assurance.

➔ See Also: Suitable Criteria, Assurance, Level of Assurance

Information User (see Information Consumer)

Inherent Effect
The effect of uncertainty in the absence of actions & controls.

➔ See Also: Uncertainty, Actions & Controls, Residual Effect

Inherent Risk
The level of risk in the absence of actions & controls.

➔ See Also: Risk, Risk Management, Residual Risk

Injunctive Norm
Perceived behavior of what most people approve of, providing information on what one “should”
do.

➔ See Also: Norms, Descriptive Norm

Instructor
Individual who teaches.

➔ See Also: Student


➔ See P4 Education


Intangible Resources
Resources that refer to non-physical assets, such as knowledge, brand equity, and organizational
culture.

➔ See Also: Tangible Resources

Integrated Action & Control Model™ (also IACM™)


A structure that considers the purpose and types of actions & controls used for the governance,
management, and assurance of performance, risk, and compliance.

➔ See Also: Proactive Actions & Controls, Detective Actions & Controls, Responsive Actions &
Controls

Integrated Performance Support
A function that provides the exact information needed to solve a learner’s question at the moment
of need. The goal is to increase performance by empowering individuals with self-help resources in
the flow of work rather than interrupting work with periodic and episodic learning.

➔ See Also: Channel, Learning Activities, Student, Helpline
➔ See P4 Education

Integrated Plan
An integrated plan details processes and resources allocated to reliably achieve objectives,
address uncertainty, and act with integrity.

➔ See Also: Process, Resources, Principled Performance®

Integrity
The state of being whole and complete by fulfilling obligations, honoring promises, and cleaning
up the mess if a promise is broken.

➔ NOTE: One way to evaluate integrity is with the formula Integrity = Promises Kept /
Promises Made.
➔ NOTE: Sometimes factors outside of the control of the organization prevent promises from
being honored. For example, an organization makes an implicit promise to every employee
that they will be gainfully employed so long as the employee adds value. However, external
factors, such as an economic downturn, might prevent the organization from honoring the
employment promise, even if the employee is adding value. To maintain integrity, then, an
organization must do its best to help the employee find gainful employment.
➔ See Also: Obligations, External Factors

Intention (Call to Action)
What the communicator wants the audience to believe, value, or do as a consequence of the
message.

➔ See Also: Communicator, Audience, Message
➔ See P3 Communication, Communication Strategy Framework

Internal Context (see Internal Factors)

Internal Factors (also Internal Context)
Categories of sources and forces that originate inside of the organization.

➔ See Also: External Factors

Internal Stakeholders
Stakeholders who exert influence from within the organization: personnel (and the unions that
represent the workforce), managers, executives, board members, and owners who are involved in
the organization.

➔ See Also: External Stakeholders, Stakeholder

Involuntary Behaviors
Automatic, often instinctual human actions informed by beliefs and values and governed by
nature.

➔ See Also: Voluntary and Habitual Behaviors

Key Compliance Indicator (also KCI)
Indicators that help govern, manage, and provide assurance about compliance related to an
objective.

➔ See Also: Indicator

Key Milestone Indicator (also KMI)
A Boolean value (yes/no) or a percentage value (% complete) that measures the degree to which a
milestone is met.

➔ See Also: Indicator

Key Performance Indicator (also KPI)
Indicators that help govern, manage, and provide assurance about performance related to an
objective.

➔ See Also: Indicator

Key Risk Indicator (also KRI)
Indicators that help govern, manage, and provide assurance about risk related to an objective.

➔ See Also: Indicator

Lagging Indicators
Indicators that provide information about past events or conditions.

➔ See Also: Indicator, Committed Value, Best Possible Value, Stretch Value

Leaders (also Leadership)
Individuals at any level of the organization who have the de facto attention and respect of the
workforce regardless of their title or position.

➔ See Also: Governing Authority, Workforce, Third Party

Leading Indicators
Indicators that provide information about future events or conditions.

➔ See Also: Indicator, Committed Value, Best Possible Value, Stretch Value

Lean (see Efficient)

Learner (see Student)

Learning Activity (also Educational Activity)
A directed collection of learning content that helps students achieve learning objectives.

➔ NOTE: Learning activities may be synchronous or asynchronous; and may be in-person or
online.
➔ See Also: Learning Content, Student, Learning Objective
➔ See P4 Education

Learning Content
The content in a learning activity includes text, image, audio, and video and takes the form of
lecture, discussion, debate, and demonstration.

➔ See Also: Learning Activity, Instructor, Student
➔ See P4 Education

Learning Objective
Statements that define an educational activity's expected goal(s). Learning objectives can be
used to structure the content of educational activities.

➔ See Also: Learning Activity, Learning Outcome
➔ See P4 Education

Learning Outcome
A statement that reflects what the learner will be able to do as a result of participating in the
educational activity.

➔ See Also: Learning Activity, Student, Instructor, Learning Content
➔ See P4 Education

Level of Assurance
A measure of the degree of confidence that an assurance provider can deliver to an information
consumer about statements an information producer makes about the subject matter.

➔ NOTE: A greater degree of Objectivity and a greater degree of Competence generally result
in a higher Level of Assurance.
➔ See Also: Absolute Assurance, Reasonable Assurance, Limited Assurance, and Lower
Assurance

Likelihood
A measure that estimates how probable it is that an event will occur.

➔ See Also: Event, Impact, Effect, Consequence, Velocity, Frequency

Limited Assurance
A level of assurance resulting from reviews, compilations, and other activities performed by
competent personnel who are sufficiently objective about the subject matter.


➔ See Also: Level of Assurance

Lines of Accountability™ Model (also LoA)
A model that helps organizations govern, manage and provide assurance over performance, risk,
and compliance by allocating specific responsibilities to different individuals or groups within the
organization and creating a layered approach to produce and preserve value.

➔ NOTE: The GRC Capability Model segregates responsibilities so that each “line” or group
has the appropriate objectivity and competence to address the nature of the required
work.
➔ See Also: First Line, Second Line, Third Line, Fourth Line, and Fifth Line.

Lower Assurance
A more limited level of assurance resulting from activities such as self-assessments and
benchmarking performed by the personnel responsible for the subject matter.

➔ See Also: Level of Assurance

Management (as a GRC Concept)
The act of directly guiding, controlling, and evaluating an entity by arranging and operating
resources.

➔ Manage. To engage in management.
➔ See Also: Governance (as a GRC Concept), Assurance (as a GRC Concept)

Management Actions & Controls
Actions & controls that management requires to address opportunities, obstacles, and obligations.
Management actions & controls comprise most of the work performed by the organization.

➔ NOTE: Whenever possible, management actions & controls should be used by both the
governing authority and assurance personnel to avoid unnecessary complexity and
duplication.
➔ See Also: Governance Actions & Controls, Assurance Actions & Controls

Managers
(also Management or Management Team)
Personnel who manage others.


➔ NOTE: Qualifiers such as “senior managers” refer to managers with more responsibility in
scale or scope, while “junior managers” have less responsibility.
➔ See Also: Executives, Staff, Workforce

Mandatory Boundary
Obligations that an organization must address because of some legitimate authority (e.g., laws,
rules, regulations).

➔ See Also: Voluntary Boundary, Obligation

Material Misstatement
A material misstatement refers to a significant error or omission in financial statements that could
potentially influence the decisions of information consumers of those statements. It can be
caused by an error, fraud, or the misapplication of accounting principles. Material misstatements
can affect the accuracy and reliability of financial information and may cause financial statements
to be misleading or incomplete.

➔ NOTE: Materiality is determined based on the size and nature of the misstatement, as well
as its potential impact on the financial statements and the decisions of users of those
statements.
➔ See Also: Meaningful Misunderstanding, Information Producer

Maturity
The level of development, progress, or sophistication of a particular process, function, or
organization.

➔ See Also: Maturity Model

Maturity Model
A structured framework that is used to assess and measure an organization's maturity or level of
development in a particular area. Maturity models typically define a series of levels, each
representing a higher level of maturity, and identify specific characteristics, practices, or
capabilities that organizations should demonstrate to achieve each level.

➔ See Also: Maturity


Meaningful Misunderstanding
Meaningful misunderstanding occurs when an information producer makes statements that
contain material errors or omissions that could affect the decisions of information consumers of
those statements.

➔ NOTE: The risk of meaningful misunderstanding determines the purpose and nature of
assurance and assessment activities.
➔ NOTE: Material Misstatements are a special case of Meaningful Misunderstanding where
the information producer makes a significant error or omission in financial statements that
could potentially influence the decisions of information consumers.
➔ See Also: Information Producer, Information Consumer

Means (see Resources)

Message
The content of what is communicated.

➔ See Also: Communicator, Audience, Channel, Message Cadence
➔ See P3 Communication, Communication Strategy Framework

Message Cadence
The velocity and frequency of sending a message.

➔ See Also: Velocity, Frequency, Message, Communicator, Intention
➔ See P3 Communication, Communication Strategy Framework

Mindsets
Individual perceptions about self, surroundings, and others – including perceptions about culture,
some topical area, or how to approach work.

➔ See Also: Climate

Mission
An objective that states who the organization serves, what it does, and what it hopes to achieve
today and in the long term.

➔ NOTE: The mission statement is often used to guide decision-making and priority-setting
within the organization, and serves as a clear and consistent statement of its overall
purpose and direction.


➔ See Also: Vision, Values, Purpose

Monitoring
Ongoing and periodic activities that observe actions & controls, and the information generated by
these controls, to gauge effectiveness, efficiency, responsiveness, and resilience.

➔ See Also: Actions & Controls, Information Producer, Total Performance

➔ See R1 Monitoring

Mores
More formalized and serious norms that are deeply ingrained in a culture and have moral
significance. Violating mores can lead to severe social disapproval, ostracism, or even legal
consequences (e.g., honesty, respect for elders, and adherence to religious practices).

➔ See Also: Norms

Noise
Anything that causes difficulties during the communication process.

➔ See Also: Communicator, Message, Channel, Audience
➔ See P3 Communication, Communication Strategy Framework

Norms
Customs, rules, or expectations that a group socially reinforces, usually through informal means.

➔ See Also: Prescriptive Norms and Proscriptive Norms
➔ See Also: Descriptive Norms and Injunctive Norms
➔ See Also: Folkways and Mores

Objective
A measurable outcome to achieve.

➔ See Also: Opportunity, Obstacle, Obligation, Indicator

Objective-Setting Criteria
The criteria used to set objectives and results in accordance with the organization’s direction.

➔ See Also: Decision-Making Criteria


Objectivity
The degree to which an Assurance Provider can be impartial, disinterested, independent, and free
to conduct necessary activities and to form an opinion about the subject matter.

➔ See Also: Assurance Provider, Competence and Independence

Obligation (also Boundary)
A requirement that an organization must or should address because of a promise, whether
mandatory or voluntary.

➔ See Also: Mandatory Boundary and Voluntary Boundary

Obstacle (also Threat)
An uncertain future event that may, on balance, have a negative effect on objectives.

➔ See Also: Event, Effect, Likelihood, Impact, Opportunity, Obligation

Operating Effectiveness
Evidence that actions & controls operate as intended. This is accomplished by substantive testing
of information generated by actions & controls to judge actual results against expected results.

➔ See Also: Design Effectiveness, Effective (also Sound)

Opportunity
An uncertain future event that may, on balance, have a positive effect on objectives.

➔ See Also: Event, Effect, Likelihood, Impact, Obstacle, Obligation

Organization in Scope (also Organization)
The organizational unit in scope for applying the GRC Capability Model.

➔ See Also: Scope, Governing Authority, Enterprise, Organizational Unit, Business Unit,
Department, Team

Organizational Layer (see Organizational Level)

Organizational Level (also Organizational Layer)
A description of the accountability relationship between units.

➔ See Also: Superior Level, Subordinate Level, Peer Level


Organizational Unit (also Unit)
A specific subdivision of an organization that is formed for the purpose of achieving particular
objectives.

➔ See Also: Enterprise, Business Unit, Department, Team

Peer Level
(also Peer Unit, Peer Layer, and Peer)
Organizational units that are lateral to the organization and often report to or are accountable to
the same superior unit.

➔ See Also: Superior Level, Subordinate Level

People Actions & Controls
Human factors, including structure, accountability, education, and enablement.

➔ See Also: Technology Actions & Controls, Information Actions & Controls, Financial Actions
& Controls

Performance (see Reward)

Performance Management
The act of managing processes and resources to pursue reward while addressing risk.

➔ See Also: Reward, Risk, Risk Management, Compliance Management

Physical Actions & Controls
Physical safeguards, barriers, or constraints, such as fences, locks, guards, cameras, or other
protective mechanisms, used to mitigate risk and control access to resources.

➔ See Also: Information Actions & Controls, People Actions & Controls, Financial Actions &
Controls, Technology Actions & Controls

Physical Capital
The physical assets of an organization, including manufactured goods, buildings, equipment, and
infrastructure.

➔ See Also: Resources, Financial Capital, Technology Capital, Human Capital, Information
Capital


Planned Residual Risk
The level of residual risk under planned (or desired) actions & controls.

➔ See Also: Current Residual Risk

Planned (Simulated) Stress
Scenarios that use historical, hypothetical, or simulated events to test how forces will be
addressed.

➔ See Also: Stress

Policy
A broad articulation of what the organization expects on a particular topic, that describes the
“why” or intent, considers context, sets the tone, and changes infrequently.

➔ See Also: Procedure, Prescriptive Policy, Proscriptive Policy


➔ See P2 Policies

Prescriptive Norms
Customs, rules, or expectations that encourage behavior the group deems positive (e.g., “be
honest”).

➔ See Also: Norms

Prescriptive Policy
A policy that states what to do.

➔ See Also: Proscriptive Policy, Policy

Prevent/Deter Actions & Controls
Actions & controls that decrease the likelihood of an unfavorable event by preventing or deterring
it from happening.

➔ See Also: Proactive Controls, Action & Control Types

Principled Performance®
To reliably achieve objectives, address uncertainty, and act with integrity.

➔ NOTE: “Reliably” pertains to all other parts of the definition to reliably achieve objectives;
reliably address uncertainty; and reliably act with integrity.


Proactive Actions & Controls
Actions & controls that promote/enable favorable events and prevent/deter unfavorable events.

➔ See Also: Prevent/Deter Actions & Controls, Promote/Enable Actions & Controls

Procedure
A detailed articulation of what the organization expects on a particular topic, that describes the
“how to” or instructions, guides implementation, and is audience-specific.

➔ See Also: Policy


➔ See P2 Policies

Process (also Ways)
A series of actions or steps to achieve an objective.

➔ See Also: Policy, Actions & Controls

Promote/Enable Actions & Controls
Actions & controls that increase the likelihood of a favorable event by promoting, enabling and
incentivizing it to happen.

● Directives – policy, process, and technology that encourage favorable events.
● Paragons – role models that encourage favorable events.
● Incentives – economic and non-economic rewards that encourage favorable events.
○ Economic - monetary compensation, bonuses, profit-sharing, gain-sharing
○ Appreciation - gratitude, acknowledgment
○ Status - esteemed roles, promotion, visible achievement
○ Professional Development - access to training, tuition reimbursement
○ Career Opportunities - access to career path opportunities

Proscriptive Norms
Customs, rules, or expectations that discourage behavior the group deems negative (e.g., “do not
cheat”).

➔ See Also: Norms, Culture

Proscriptive Policy
A policy that says what not to do.


➔ See Also: Policy, Prescriptive Policy

Prospect
A cause that has the potential to eventually result in benefit.

➔ See Also: Cause, Event, Consequence, Opportunity

Protector
A GRC Professional who spends substantial time producing and preserving value and serving as a
stabilizing force in their organization.

➔ NOTE: Protectors employ the Protector Mindset™ and the Protector Skillset™.

Protector Mindset™
Traits that strengthen the way that a high-performing Protector makes decisions and appraises
problems, solutions, people, and reality. These traits include being: Collaborative, Accountable,
Stable, Proactive, Visionary, and Versatile.

➔ See Also: Protector Skillset™

Protector Skillset™
Interdisciplinary skills that strengthen the way that a high-performing Protector does their job
including:

● Governance & Oversight provides methods to guide, constrain and conscribe the
organization to achieve its purpose, mission, vision, and values.
● Strategy & Performance provides methods to guide, arrange and operate resources to
achieve objectives and monitor performance.
● Risk & Decision-Support provides methods to identify and address the effect of
uncertainty on objectives, including ways to support decisions under uncertainty.
● Compliance & Ethics provides methods to identify and address mandatory and voluntary
obligations and the underlying ethical principles and values.
● Security & Continuity provides methods to identify and address threats to critical physical
and digital assets and infrastructure.
● Audit & Assurance provides methods to enhance confidence that the organization is
reliably achieving objectives, addressing uncertainty, and acting with integrity.
➔ See Also: Critical Disciplines, Protector Mindset™


Purpose
The purpose states who the organization serves, what it does, what it believes, what it stands for,
what it hopes to achieve in the near term and long term, and why all of this matters; usually
through its Mission, Vision and Values statements.

➔ See Also: Mission, Vision, Values

Reasonable Assurance
A special type and level of assurance, provided by external auditors as part of a financial audit or
examination, that subject matter conforms to suitable criteria and is free from material error.

➔ See Also: Level of Assurance

Recovery Actions & Controls
Actions & controls that return the organization to its original state, stable state, or superior state
after harm has occurred.

➔ See Also: Action & Control Types, Corrective Actions & Controls, Responsive Actions &
Controls

Reliably
To thoughtfully, consistently, dependably, and transparently do something.

➔ See Also: Principled Performance®

Residual Effect
The effect of uncertainty in the presence of actions & controls.

➔ See Also: Inherent Effect, Effect, Actions & Controls

Residual Risk
The level of risk in the presence of actions & controls.

➔ See Also: Inherent Risk, Current Residual and Planned Residual Risk

Resilient (also Antifragile)
An aspect of Total Performance which demonstrates evidence that the organization can
withstand or recover quickly from difficult conditions and even become more robust when faced
with similar challenges.


➔ See Also: Effective, Efficient, Responsive

Resources (also Means)
A general term referring to Capital Resources that include tangible and intangible assets and
capabilities that an organization may use to achieve objectives.

➔ See Also: Tangible Resources and Intangible Resources.
➔ See Also: Human Capital, Technology Capital, Physical Capital, Information Capital,
Financial Capital

Responsive (also Agile)
An aspect of Total Performance which demonstrates evidence that the organization can respond
quickly and positively to changes and stress.

➔ See Also: Effective, Efficient, Resilient

Responsive Actions & Controls
Actions & controls that aim to compound the benefit of favorable events, and correct and recover
from the harm of unfavorable events.

➔ See Also: Compounding, and Corrective and Recovery Actions & Controls

Reward (also Performance)
A measure of the positive, favorable effect of uncertainty on objectives.

➔ See Also: Performance Management, Risk, Compliance

Risk
A measure of the negative, unfavorable effect of uncertainty on objectives.

➔ See Also: Inherent Risk and Residual Risk

Risk Appetite
The level and type of risk the organization is WILLING to address given the level and type of reward
it pursues.

➔ See Also: Risk Target, Risk Tolerance, Risk Capacity


Risk Capacity
The MAXIMUM cumulative level and type of risk that the organization can address. Anything over
the risk capacity may affect the organization’s survival.

➔ See Also: Risk Target, Risk Appetite, Risk Tolerance

Risk Management
The act of managing processes and resources to address risk while pursuing reward.

➔ See Also: Risk, Performance Management, Compliance Management

Risk Target
The level and type of risk the organization EXPECTS to address given the level and type of reward it
pursues.

➔ See Also: Risk Appetite, Risk Tolerance, Risk Capacity

Risk Tolerance
The level and type of risk the organization is UNWILLING to exceed given the level and type of
reward it pursues.

➔ See Also: Tolerance, Risk Target, Risk Appetite, Risk Capacity

Scope
The boundaries, limitations, and extent where the GRC Capability Model is applied. The scope is
often expressed in terms of organizational unit, geographic area, or functional department.

➔ See Also: Organization in Scope

Second Line (of the Lines of Accountability™ Model)
Individuals and Teams that establish performance, risk, and compliance programs for the First Line.
The Second Line provides oversight through frameworks, standards, policies, tools, and
techniques to support performance, risk, and compliance management. The Second Line often
manages its own portfolio of objectives and associated performance, risk, and compliance. The
Second Line may provide limited assurance over First Line activities.

➔ See Also: Lines of Accountability™


Sender (see Communicator)

SHARE Design Option
To outsource, enter joint ventures or partnerships, buy insurance, or use other financial
instruments to address the opportunity, obstacle, or obligation.

➔ NOTE: TRANSFER is a special case of SHARING where an attempt is made to give close to
100% of consequence to another party such as an insurance company.
➔ See Also: Design Options

Skill Gap
The difference between the current skill level and the target skill level.

➔ See Also: Current Skill Level and Target Skill Level
➔ See P4 Education

SMART Criteria
Criteria used to design/set Objectives to work with Indicators; to be specific, measurable,
achievable (yet aspirational), relevant, and time-bound.

➔ See Also: Suitable Criteria, Objective, Indicator
➔ See A2 Objectives

Sound (see Effective)

Source (see Cause)

Staff (also Team Members)
Junior-level personnel who typically do not manage others.

➔ See Also: Workforce, Executives, Managers

Stakeholder
A self-legitimizing person, group, or other entity with a direct or indirect stake in the organization's
actions because of actual or perceived impact.

➔ See Also: Internal Stakeholders, External Stakeholders, Organization in Scope
➔ See L4 Stakeholders


Stakeholder Expectation
(also Stakeholder Want, Stakeholder Need)
A general term that refers to what a stakeholder requests, wants, or expects from the
organization.

➔ See Also: Internal Stakeholders, External Stakeholders, Organization in Scope
➔ See L4 Stakeholders

Strategic Goals
Long-term objectives typically at higher levels of the organization.

➔ See Also: Objectives, Balanced Scorecard, Strategy Mapping

Stress
A significant magnitude of force applied to the organization.

➔ See Also: Planned (Simulated) Stress

Stretch Value
A value that is unlikely to be achieved, but still possible.

➔ See Targets, Appetite, Tolerance and Capacity
➔ See Also: Indicator

Student (also Learner)
Individual who learns.

➔ See Also: Instructor
➔ See P4 Education

Subject Matter
Identifiable statements, conditions, events, or activities for which there is evidence.

➔ See Also: Assurance, Suitable Criteria, Evaluation

Subordinate Level
(also Subordinate Unit, Subordinate Layer, and Subordinate)
Other organizational units that are accountable to the “organization”.

➔ See Also: Superior Level, Organization in Scope


Suitable Criteria
Benchmarks used to evaluate subject matter that yield consistent and meaningful results.

➔ See Also: Assurance, Evaluate, Subject Matter

Superior Level
(also Superior Unit, Superior Layer, and Superiors)
Other organizational units to which the “organization” is accountable.

➔ See Also: Subordinate Level, Organization in Scope

Tangible Resources
Resources that refer to physical assets, such as land, buildings, and equipment.

➔ See Also: Intangible Resources

Target
An expected or planned value for an indicator.

➔ See Also: Indicator, Best Possible Value, Committed Value, Stretch Value

Target Skill Level
The desired level of skill a person, or “typical” person in a group, is expected to possess.

➔ See Also: Current Skill Level and Skill Gap
➔ See P4 Education

Team
The smallest organizational unit. Teams may be part of a department or may be cross-functional.
Teams may be permanent or temporary.

➔ See Also: Superior Level, Subordinate Level, Peers, Organization in Scope

Technology Actions & Controls
Hardware and software systems that facilitate other categories of actions & controls.

➔ See Also: People Actions & Controls, Information Actions & Controls, Financial Actions &
Controls


Technology Capital
Hardware, software, and related technological resources that an organization may use to achieve
its objectives.

➔ See Also: Resources, Human Capital, Financial Capital, Physical Capital, Information Capital

Third Line (of the Lines of Accountability™ Model)
Individuals and teams that provide a high level of assurance on activities performed by the First
Line and Second Line. The Third Line may include internal audit, external audit or outside experts
who are sufficiently objective and competent.

➔ See Also: Lines of Accountability™

Third Party
(or member of the Extended Enterprise)
A partner that conducts substantial actions & controls on behalf of the organization.

➔ NOTE: Organizations often “outsource” actions & controls to third parties to benefit from
their competence while focusing the organization's efforts on its core competencies. Even
when an organization outsources actions & controls, it is crucial to recognize that the
organization often retains legal or reputational responsibility for any problems in the
extended enterprise.
➔ See Also: Governing Authority, Workforce

Threat (see Obstacle)

Timescale
The expected or planned time frame to achieve an objective or meet a target.

➔ See Also: Target, Objective, Indicator

Timing
A measure that estimates when an event or impact might occur.

➔ See Also: Event, Effect, Likelihood, Impact

Tolerance
A range that defines an acceptable, though not preferred, level of variation around a target the
organization is willing and able to address.

➔ See Also: Risk Tolerance

Total Performance™
A model of balanced performance that includes effectiveness (soundness), efficiency (leanness),
responsiveness (agility), and resiliency (antifragility).

➔ See Also: Effective, Efficient, Responsive, Resilient

Transfer Design Option
A special case of a sharing design option where an attempt is made to give close to 100% of
consequence to another party such as an insurance company.

➔ See Also: SHARE

Uncertain (see Uncertainty)

➔ See Also: VUCA, Volatile, Complex, Ambiguous

Uncertainty
A state of being unsure about something due to incomplete knowledge or underlying randomness,
making it difficult to understand with complete confidence.

➔ See Also: VUCA, Assurance, Principled Performance®

Unit (also Organizational Unit)

Values
A statement about what the organization believes and stands for.

➔ ALSO: Principles that a person or group deems important usually because of beliefs.
➔ See Also: Mission, Vision, Purpose, Beliefs, Code of Conduct

Velocity
A measure that estimates how quickly an event or impact might occur.

➔ See Also: Frequency, Likelihood, Impact, Effect, Consequence

Vision
A statement that describes what the organization aspires to be and why it matters.

➔ NOTE: The vision is often used to inspire and motivate employees, stakeholders, and
customers and serves as a guidepost for long-term strategic planning.
➔ See Also: Mission, Values, Purpose

Volatile
The state of being turbulent and unsteady; changing rapidly and unpredictably.

➔ See Also: VUCA, Uncertain, Complex, Ambiguous

Voluntary Behaviors
Intentional human actions informed by beliefs and values and governed by free will and discipline.

➔ See Also: Habitual and Involuntary Behaviors

Voluntary Boundary
Obligations an organization chooses to address because of voluntary decisions (e.g., contracts,
agreements and values).

➔ See Also: Mandatory Boundary

VUCA
A reality that an organization must face that is volatile, uncertain, complex, and ambiguous.

➔ See Also: Volatile, Uncertain, Complex, Ambiguous

Workforce (also Personnel)
The collection of individuals the organization employs.

➔ See Also: Executives, Managers, Staff

Acknowledgments
Special thanks to all of the individuals who have contributed to the development of the GRC
Capability Model over the years. This body of work would not have been possible without their
feedback and support.

OCEG Team
● Scott Mitchell
● Carole Switzer

OCEG Community
Clark Abrahams Jose A. R. Blanco Doug Cotton
Daoud Abu-Joudom Ronald De Boer David B. Crawford
John Adamsons Robert Bordynuik Kevin Crimmins
Shahid Ahmed Oleg Boyko John Cross
Mani Akella Wayne Brody Brett Curran
Abdulaziz M. Aldomaiji Earnie Broughton Andrew Dahle
Ferry Alfian Bruce Buckley Deb Davis
Julia Allen French Caldwell Yo Delmar
Ali A. Almalki Joseph V. Carcello Joe DeVita
Sanjay Anand Mark Carey Andrea Dias
Sam Apps Glenn Carleton Rochelle C. Dichaves
Michael Atmore Anthony Chalker Lee Dittmar
Toks Azeez Robert Chastain Stephen Donovan
Vani Badhya Graham Chee Patrick Donovan
Timour Baiazitov Anthony Cheng Rory Douglas
Ted Banks Derek Cherneski Christine Doyle
Dinesh O. Bareja Brian Chevlin Mary Doyle
Brian Barnier David Childers Robert Drolet
Stephen Baruch Mandar Chitre Rocky Dwyer
Mashael M. Basakran Nick Ciancio Kip Ebel
Carole Basri Tom Cleary Kathleen Edmond
Bob Bassetti Paul Cogswell M. Mert Ekin
Mark S. Beasley Richard Cohan Mahmoud Elbagoury
Indarduth Beejah Marco Colonna Rabih ElKhatib
Ronald Berenbeim Norman Comstock Tim Elliott
Hadi Beski Brian Conrey Pete Fahrenthold
Matthew Blake Laura Cote Dave Ferguson
Sheila Fields Jörgen Jarleman Amelia McCarty
Cyndi Fleming Shaheen Javadizadeh Bruce McCuaig
Carlo Di Florio Stephanie Jenkins Andrea McElroy
John Fons Anil Jhumkhawala Paul McGreal
Christopher Fox Angela Johnson Ashish Mehta
Eugene Fredriksen Jim Jolley Robert N. Merrill
Arnold Galit Christiane Jourdain Colette Meyer
Jason Garelli Rodriguez Julio Jeffrey Miller
Russ Gates Gaurav Kapoor Bruce R. Millman
Trent Gazzaway Daniel Karrer Bob Miromonte
David Gebler Marion Keraudren Monika R. Mladenov
Richard G. Gid'Agui Piala Kinabo Tlhabano Mmusi
Leon Goldman Cary Klafter Mohammad Z. A. M. Mooraby
Allan Goldstein David Koenig Eric Moorehead
Stephen Gonc Sam Koh Paul Moxey
Royd Graham Alon Kohalny Florie Munroe
Joe Grettenberger Rick Kulevich Joe Nadivi
Luis Guadarrama Melissa Lea Andrew Neblett
Parveen Gupta Ismael R. Leal George E. Neizer
Miguel Gutierrez Tim Leech Warren Nelson
Kurnia Hadi Stephane Legay Randy Nornes
Assem H. Hamam Richard Levy Xunlez Nunez
Abdel K. Hamou-Lhadj Adlinna Liang Brin Odell
Larry Harrington Paul Liebman Gaston O. Odhiambo
Rodrigo Hayvard Sara A. Liftman Bunmi Ogundeji
David Heller Jimmy Lin James O'Keeffe
Michael Helmantoler Peter Liria Haydee Olinger
Anita Helpert Khamsavath K. Liu Alnahdi Omar
Steven Helwig Anna Luszpinska Paul C. Palmes
Catherine F. Henry Colleen Lyons Xenia L. Parker
Eric Hespenheide Pedro M. N. O. Machado Peter Parmenter
David Hess Andre Macieira Marie Patterson
Arnold Hill John MacKessy Tian Peng
Peter Hillier Worth MacMurray Deborah Penza
David Hoberg Eamonn Maguire Alice Peterson
Eric Hong Marjorie A. Maguire-Krupp Diane Pettie
Michael Horowitz Muhammad M. B. Majeed Barbara S. Phair
Matthew Hourin Dimitrios Maketas Wael G. Philops
Pieter Van Hout Norman Marks Summer M. Pistorius
Hisham Ibrahim Jorge S. Marques Judy Pokorny
Jawaid Iqbal Jay Martin Tobin Pospisil
Dennis Irwin Gabriel M. Martinez Richard Poworski
Bob Jacobson Gabe Mazzarolo Varunee Pridanonda
Mary Pruitt Bob Semple Kendall Tieck
Patrick Quinlan Roshan N. Sequeira Lou Tinto
Jennifer Racer John Serrano Kevin Tisdel
Lisa C. Ragsdale Jerry Shafran Boy M. Tjahyono
Bala Ramanan Ken Shaurette Marshall Toburen
Javvadi H. Rao Janet Sheiner Terry Todd
Michael Rasmussen William Shenkir Patricia Towers
Kelly Ray Monica Shilling Dan Twing
Peter Reichard Jay Shinde George Tziaros
F. Richard Ricketts Elizabeth Siemens Surya Vangara
Azwar Ritonga Samir Singh Ricardo Vasquez
Kim Rivera Fandhy H. Siregar Kishore Vekaria
David M. Roberts Mark Snyderman Nitish Verma
Roy Robinson Ratan Sonti Dean Wagers
Katherine Robinson Billy Spears Tom Wardell
Joel Rogers Andrea Spudich Kathy Washenberger
Johanna Rogers Faye Stallings David Wassel
Scott Roney Darla Stanley Ian L. Webster
Peter Rosenzweig Richard Steinberg Chip Weiant
Stefano Rossi Allen Stewart Hartian S. Widhanto
Mike Rost C. Karen Stopford Michael M. Wilkinson
Mary Roth Geoffrey Storms Mary K. Wills
Paul Russo Nan Stout ChunHua Yang
Karen Rutledge Martijn Van Stratum Jie Yang
Sayed Sadjady P. J. Sullivan Ibrahim Yeku
Sanghamitra Saha Dan Swanson Shirley Yoshida
Suvendu Samantaray Celia Szelwach Chet Young
Nicole Sandford Jose Tabuena Juven Zeng
Richard Sanzin Heidi Teresi Gunter Zimm
Ram Sastry Tim Tesluk Dan Zitting
James Sehloff Calvin Thompson

Appendix - Tools & Techniques

50+ pages of tools and techniques are available to OCEG members who hold an All Access Pass.
Learn more about the All Access Pass on the OCEG website.
