
®

DRIVING PRINCIPLED PERFORMANCE ®

GRC Capability Model


“Red Book” 2.0 April, 2009

OCEG Basic Member Edition

GRC Capability Model™


Open Compliance & Ethics Group (OCEG)

SINGLE USER NON-COMMERCIAL LICENSE: ZORAN10 ([email protected]). EMAIL [email protected] FOR COMMERCIAL LICENSE.
Basic Member Edition ---
DOES NOT INCLUDE Appendix C
OCEG Premium and Enterprise members may use the links to Technology
Arenas and Modules in the online version of the Model (located within each
Element) to access Appendix A of the GRC-IT Blueprint™, which identifies and
defines types of technologies that enable the GRC system. The Technology
Arenas and Modules in the Model represent a bridge between the GRC
professional and the IT professional. GRC professionals can use the Technology
Arenas and Modules as a basis for discussing technology options with their IT
counterparts. Enterprise member IT professionals can use the Technology Arenas
and Modules as a bridge from the Model into the GRC Blueprint™. While the
downloadable version of the Model available to all OCEG members provides high
level guidance on which Technology Arenas and Modules support each Element of
the Model, the GRC-IT Blueprint™ provides the definitions of these Arenas and
Modules as well as visual representation of how they relate to each other. The
GRC-IT Blueprint™ also is available as a downloadable stand-alone document.

To sign up:

For OCEG Premium Membership go to:


https://www.oceg.org/subscribe/PremiumUpgrade

For OCEG Enterprise Membership contact [email protected]

The continuing work of OCEG is made possible in part by the generosity of the following
organizations. Please join us in thanking these leading organizations and their representatives:

Leadership Council /Charter Members:

Leadership Council:

GRC Capability Model™


Version 2.0
Principal Authors:
Scott L. Mitchell, OCEG Chairman and CEO
Carole Stern Switzer, Esq., OCEG President

© Copyright 2006-2009 Open Compliance & Ethics Group. All rights reserved. This
document contains copyrighted information and remains the property of Open
Compliance & Ethics Group. Unauthorized duplication or electronic transmission is
strictly prohibited. OCEG is a registered trademark of the Open Compliance & Ethics
Group.

LEGAL NOTICE
This is NOT Legal or Professional Advice.
This Document, including its appendices, is provided for general information purposes only. The application of law
to individual circumstances must be addressed for each unique situation. In preparing and providing this document,
neither OCEG nor any of its Contributors are engaged in rendering legal, tax or any other professional advice or
services. OCEG and its Contributors do not purport to identify all conceivable compliance requirements or
recommended controls. It is the responsibility of each organization to understand which legal, accounting and
other compliance requirements apply to its activities. Users of this document are advised to seek specific legal
advice by contacting members of relevant and applicable bar associations regarding any specific legal issues. Using
the document or any part herein does not create a lawyer-client relationship or any other type of professional
relationship.

While OCEG and its Contributors attempt to provide accurate, complete and up to date content, errors or
omissions may occur. This document is offered AS IS, WHERE IS. Neither OCEG nor any Contributor makes
any representations or warranties regarding the completeness, accuracy or timeliness of the contents, and each
disclaims all implied warranties (including merchantability, fitness for a particular purpose and non-infringement)
and all liability for any loss, damage or claim, whether due to an error or omission or otherwise.

To the fullest extent permitted by applicable law, neither OCEG nor the Contributors (including their officers,
directors, partners and employees, and their affiliates, related entities and successors and assigns) warrant or
guarantee the quality, accuracy or completeness of any information on this document. Neither OCEG nor its
Contributors shall be liable for any damages or costs, including any direct, consequential, incidental, indirect,
punitive or special damages (including loss of profits, data, business or good will) in connection with use of this
product, whether or not liability is based on breach of contract, tort, strict liability, breach of warranty, failure of
essential purpose or otherwise, and even if a party is advised of the likelihood of such damages.

This document or custom report versions of this document may contain links to third party websites. Monitoring
the vast information disseminated and accessible through those links is beyond our resources and neither OCEG
nor any Contributors attempt to do so. This Document provides links for convenience only and nothing herein
shall constitute an endorsement of the information contained in linked web sites nor guarantee its accuracy,
timeliness, or fitness for a particular purpose. OCEG and its Contributors disclaim all warranties and liability for
the content of any such other sources.

Table of Contents

Table of Contents ....................................................................................................................... 4


RED BOOK INITIATIVE LEADERSHIP ................................................................................ i
OCEG Leadership Council (2008)........................................................................................... i
Red Book 2.0 Initiative Leadership .......................................................................................... i
Red Book Steering Committee Co-Chairs.............................................................................. i
Steering Committee .................................................................................................................ii
Task Force and Review Panel .................................................................................................iii
Task Force Members ..............................................................................................................iii
Review Panel Members ...........................................................................................................iv
Executive Summary ................................................................................................................ viii
Corporate Misconduct and Regulatory Reform ....................................................................... viii
Striving for Principled Performance .......................................................................................... viii
GRC: An Integrated Approach to Governance, Risk Management and Compliance .............. viii
The GRC Capability Model™.................................................................................................... ix
The OCEG Framework for Principled Performance ® ....................................................... 2
The Red Book ............................................................................................................................. 2
The Burgundy Book .................................................................................................................... 2
Additional Resources Available from OCEG ............................................................................. 2
Content Domains ....................................................................................................................... 2
GRC Requirements Database..................................................................................................... 3
GRC-IT Blueprint™.................................................................................................................... 4
Changing Times: The Evolution of GRC ............................................................................... 5
Corporate Misconduct and Regulatory Reform ......................................................................... 5
Value and Stakeholders............................................................................................................... 6
The Rise of Principled Performance® .................................................................................... 6
Defining the Boundaries of Conduct .......................................................................................... 7
GRC: Governance, Risk Management, Compliance and Beyond ............................................... 8
GRC: Breaking it Apart and Pulling it All Together ........................................................ 10
The Corporate Governance Discipline: The G in GRC .......................................................... 10
The Risk Management Discipline: The R in GRC ............................................................................ 11
A Brief Detour: Sustainability .................................................................................................... 11
The Compliance Discipline: The C in GRC.............................................................................. 13
Other Critical Components of GRC ........................................................................................ 13
A Unified Framework ............................................................................................................... 14
An Integrated Approach ........................................................................................................... 15
Embedded in the Business ........................................................................................................ 16
High-Performing GRC ............................................................................................................. 16
Efficient, Effective and Responsive ............................................................................................ 17
Specific GRC Benefits ............................................................................................................... 18
Integrated GRC: A Pathway to Principled Performance .......................................................... 18
Key Roles and Accountability ................................................................................................ 19
The Role of the Board .............................................................................................................. 19
The Role of Management .......................................................................................................... 19

The Role of Assurance.............................................................................................................. 19
The Anatomy of the GRC Capability Model ...................................................................... 21
Universal GRC System Outcomes ....................................................................................... 24
U1. Achieve Business Objectives.......................................................................................... 24
U2. Enhance Organizational Culture .................................................................................... 24
U3. Increase Stakeholder Confidence .................................................................................. 24
U4. Prepare and Protect Organization................................................................................. 24
U5. Prevent, Detect, and Reduce Adversity and Weaknesses ............................................ 24
U6. Motivate and Inspire Desired Conduct ......................................................................... 24
U7. Improve Responsiveness and Efficiency ......................................................................... 24
U8. Optimize Economic & Social Value................................................................................ 24
Component Overview ............................................................................................................. 25
CULTURE & CONTEXT (C) ................................................................................................... 25
ORGANIZE & OVERSEE (O) ................................................................................................... 25
ASSESS & ALIGN (A) ................................................................................................................ 25
PREVENT & PROMOTE (P) ..................................................................................................... 25
DETECT & DISCERN (D) ........................................................................................................ 25
RESPOND & RESOLVE (R) ...................................................................................................... 25
MONITOR & MEASURE (M) .................................................................................................... 25
INFORM & INTEGRATE (I) ..................................................................................................... 25
How to Read the GRC Capability Model Report (1) ....................................................... 26
How to Read the GRC Capability Model Report (2) ....................................................... 27
How to Read the GRC Capability Model Report (3) ....................................................... 28
GRC Capability Model™ Version 2.0.................................................................................. 29

RED BOOK INITIATIVE LEADERSHIP
OCEG enjoys the expertise of an elite group of individuals and organizations who provide their
invaluable wisdom and advice as we pursue serving the knowledge and resource needs of GRC
and related professionals.

OCEG Leadership Council (2008)


Please join us in thanking these leading organizations and their representatives.

Aon •
Approva
Archer Daniels Midland Company
Axentis
Baker Hughes
CA, Inc
Cisco Systems •
Compliance Initiatives
Corporate Integrity
Dell •
Deloitte •
Dow Chemical Company
Ernst & Young •
EthicsPoint •
Freddie Mac
Gevity HR
Global Compliance Services •
Grant Thornton •
Interactive Alchemy
Kalorama Partners
Kraft Foods
Levick Strategic Communications
Littler Mendelson •
LRN •
Marsh •
Metricstream •
Microsoft •
OpenPages
Oracle •
PETCO
PricewaterhouseCoopers •
Qwest Communications •
Raytheon
SAP •
Staples
Sun Microsystems
Temple-Inland
Toyota Motor Sales, U.S.A
UHY Advisors
Unilever
Ventura Foods
Wal•Mart
XPLANE

• denotes OCEG Charter Members in 2008

Red Book 2.0 Initiative Leadership


A select group of individuals representing cross-disciplinary, cross-industry, and trans-global
perspectives committed substantial time and expertise to shaping the OCEG
Capability Model™. We would like to take this opportunity to thank each of our
contributors. OCEG accepted the input of each of the individuals in the following roles
as individual contributions, recognizing that their views and perspectives may not
represent official views of the organizations with which they are affiliated.

Red Book Steering Committee Co-Chairs


Mr. Larry Harrington, CPA, CIA
Vice President, Internal Audit, Raytheon Company
(Professional Issues Committee – IIA)
Mr. Brad Jewett
Vice President, Enterprise Risk Management, BMC Software
(Formerly during this process - Director, Enterprise Risk Management, Microsoft Corporation)
Mr. Scott Roney, Esq.,
Vice President, Compliance and Ethics, Archer Daniels Midland Company
Mr. John Steer
Partner, Allenbaugh Samini LLP
(Vice Chair US Sentencing Commission, 1999-2007)

Intro - i

We would like to thank the OCEG executives and staff members (present and
past) who helped to make Red Book 2.0 possible, especially:
Avi Fichman
Kelly Ray
Carole Waesche
Stephane Legay
Vinaya Mayya
Jeanna Mitchell
Lane Leskela
We appreciate all that you do to support our members and our work.
With our thanks,
Carole and Scott

Steering Committee
Steering Committee members attended several drafting and review sessions, and
individually prepared comments on each draft of the Red Book document throughout
the development process. A special thank you to Jose Tabuena, VP Integrity and
Compliance/Corporate Secretary, MedicalEdge Healthcare Group, Inc. for his
contributions to the narrative overview.

Mr. Michael Horowitz – Partner, Cadwalader Wickersham & Taft LLP and U.S. Sentencing Commission Member
Mr. Eric Moorehead, Assistant General Counsel, United States Sentencing Commission
Mr. Richard Steinberg – CEO, Steinberg Governance Advisors, Inc. (Author, COSO Internal Control &
COSO ERM and formerly corporate governance practice leader of PricewaterhouseCoopers)
Mr. Carlo di Florio - Partner, Advisory, PricewaterhouseCoopers LLP
Mr. Lee Dittmar – Principal, Deloitte
Mr. Randy Nornes – Executive Vice President, Aon Corporation
Mr. Trent Gazzaway - Managing Partner of Corporate Governance, Grant Thornton LLP
Mr. Norman Comstock, CIA, CISA, CISSP, CCSA, CSOXP - Managing Director, UHY Advisors TX LLC
Mr. Gaurav Kapoor – CFO and General Manager, MetricStream, Inc.
Mr. Jose Tabuena - VP Integrity and Compliance/Corporate Secretary, MedicalEdge Healthcare Group, Inc.
Mr. Mark S. Beasley - Deloitte Professor of Enterprise Risk Management and ERM Initiative Director, Professor of Accounting, College of Management - COSO Board Member
Mr. David B. Crawford, CIA, CCSA - Audit Manager Emeritus, System Audit Office, The University of Texas System
Mr. Ronald Berenbeim -Director of Ethics Research, The Conference Board
Mr. Earnie Broughton - Executive Director/Ethics Program Coordinator, USAA
Mr. David Koenig - Past Chairman of The Board of Directors, PRMIA
Ms. Melissa Lea - Chief Global Compliance Officer, SAP AG
Mr. Paul Liebman - Chief Compliance Counsel, Dell Corporation
Mr. Dave Ferguson - VP of Operations Compliance, Wal-Mart Stores, Inc.
Mr. Pete Fahrenthold - Managing Director Risk Management, Continental Airlines
Mr. Eugene Fredriksen – CISO, Tyco International
Mr. Abdel Krim Hamou-Lhadj, Manager, Regulatory Compliance & Quality Assurance Cognos Products – IBM
Mr. David Heller, VP Risk and Chief Ethics and Compliance Officer, Qwest Communications
Mr. Allen Stewart - Managing Director Ethics, Duke Energy
Ms. Nan Stout - Vice President, Business Ethics, Staples
Mr. Kendall Tieck - Audit Director, Business Groups, Microsoft Corporation

Intro - ii

Ms. Shirley Yoshida - SVP, Internal Audit, Macy’s Inc.
Mr. Chet Young - Divisional VP Audit Compliance and Loss Prevention, Walgreen Co
Mr. Brian Chevlin - Deputy General Counsel, Unilever
Ms. Mary Doyle - Ethics & Compliance, Intel Corporation
Ms. Kathleen Edmond - Chief Ethics Officer, Best Buy
Mr. Rick Kulevich - Sr. Director, Ethics and Compliance, CDW Corporation
Mr. Jay Martin - VP CCO & Sr Deputy Gen Counsel, Baker Hughes Inc.
Mr. Xunlez Nunez - Ethics and Compliance Business Consultant, Baker Hughes, Inc.
Ms. Haydee Olinger - VP Chief Compliance Officer, McDonalds
Mr. Paul C Palmes – President, Business Standards Architects, Inc.
Ms. Xenia Ley Parker - Senior Director, Marsh & McLennan Cos
Ms. Tian Peng, CIA - Audit Manager, China National Offshore Oil Corporation Ltd
Ms. Deborah Penza - VP Corporate Compliance, Elan Pharmaceuticals, Inc.
Ms. Janet Sheiner, Director, Ethics & Compliance, PETCO
Ms. Faye Stallings - Vice President Audit & Ethics, El Paso Corporation
Mr. Michael Rasmussen - President, Corporate Integrity
Dr. Parveen Gupta, LL.B., Ph.D. - Professor of Accounting and Chairman Accounting - Lehigh University
Prof. Mr. Sanjay Anand - Chairperson, Sox Institute, G R C Group
Mr. Robert Chastain - General Counsel-VP Compliance-Chief Security Officer, Pepperweed Consulting LLC
Mr. Andrew Dahle, CPA, CIA, CISA, CFE – Partner, Advisory, PricewaterhouseCoopers LLP
Ms. Deb Davis - Executive Vice President, Great River Compliance & Advisory Services LLC
Mr. Kip Ebel, CFE - Senior Manager, Health Sciences, Fraud Investigations & Dispute Services, Ernst & Young LLP
Mr. David Gebler – President, Skout Group, LLC
Mr. Allan Goldstein - Retired Managing Director Risk Advisory, ARGUS Holdings Ltd
Mr. Steven Helwig - Director Professional Services, Compliance Spectrum
Mr. David Hess – Director, Internal Audit and Controls, Jefferson Wells International, Inc.
Ms. Sara A. Liftman - Senior Manager, AABS Advisory Services, Ernst & Young LLP
Mr. Worth MacMurray, Esq. – Principal, Compliance Initiatives, LLC
Mr. Bruce McCuaig - Chief Risk Officer/Principal Consultant, Paisley Consulting
Ms. Andrea McElroy - Sr. Director Compliance System Integrity, Golden Living
Mr. Robert N. Merrill, JD – Senior Manager, Fraud Investigation and Dispute Services, Ernst & Young LLP
Mr. Tom Wardell – Partner, McKenna Long & Aldridge LLP
Mr. F. Richard Ricketts, JD - Director of Finance, Workforce Development Council Snohomish County
Ms. Carole Basri - President, The Corporate Lawyering Group LLC

Task Force and Review Panel


Task Force members attended online review meetings and both Task Force and Red
Book Review Panel contributors provided their focused review of the Red Book 2.0
drafts throughout the process.

Task Force Members


Mr. Ted Banks – Compliance & Competition Consultants, LLC (formerly Chief Counsel Global Compliance, Kraft Foods)
Mr. Dinesh O. Bareja - Program Director, CSI eSecure, Inc. (Canada)
Mr. Hadi Beski – PM, Hashem Co
Mr. Matthew Blake – Analyst, Ikobo
Mr. Wayne Brody - CCO VP Legal Affairs, Arrow Electronics, Inc
Mr. Mark Carey - Partner, Deloitte & Touche LLP
Mr. Glenn Carleton - Director National Consulting, RSM McGladrey
Mr. Nick Ciancio - Vice President Marketing, Global Compliance
Mr. Paul Cogswell – Vice President ERC, Comdata Network, Inc.
Mr. Brett Curran – Vice President GRC and Regulatory Practices, Axentis LLC

Intro - iii

Mr. Ronald De Boer - Senior Sales Executive GRC, SAP Nederland (Netherlands)
Mr. Stephen Donovan - Chief Counsel - International Compliance, International Paper Company
Ms. Christine Doyle - SVP Senior Compliance Director, Bank of America
Mr. Rocky Dwyer, PhD, CMA – Principal, Chief Review Services, National Defence (Canada)
Ms. Catherine Finamore Henry, CIA – Ethics Officer and VP, Business Development, SmartPros Legal & Ethics, Ltd.
Mr. John Fons, Esq. – Attorney, John Fons Solo Practice
Mr. Christopher Fox – Senior Principal Manager, Governance Risk and Compliance, CA
Mr. Arnold Galit - VP Risk and Compliance, Ikobo, Inc
Mr. Jason Garelli - Head of Operational Risk and Sox Management, Och-Ziff Capital Management
Mr. Joe Grettenberger - Compliance Solutions Integration Manager, Quest Software
Mr. Eric Hespenheide - Internal Audit Services – Global Leader, Audit and Enterprise Risk Services, Deloitte & Touche LLP
Mr. Eric Hong – Manager, Security Consulting, A3 Security (Republic of Korea)
Mr. Jawaid Iqbal - System Analyst, Saudi Pan Gulf (Saudi Arabia)
Mr. Dennis Irwin, CIA - Internal Audit Manager, Health Care Practice, Wipfli LLP
Mr. Bob Jacobson - Managing Director National Consulting, RSM McGladrey
Ms. Colleen Lyons, MBE, CCEP – Principal, Ethical Stability™
Mr. John MacKessy – President & CEO, Prism Risk Advisors, Inc.
Mr. Eamonn Maguire - Managing Director, PricewaterhouseCoopers LLP
Mr. Paul McGreal - Prof of Law, Southern Illinois University School of Law
Mr. Ashish Mehta - IT Manager, BP (United Arab Emirates)
Mr. Jeffrey Miller - Chief Compliance Officer, Synthes
Mr. Bruce R. Millman - Shareholder, Littler
Mr. James O'Keeffe - Consulting Manager, Sycor Americas
Mr. Brin Odell - Director - Client Services, EthicsPoint
Ms. Mary Pruitt - Associate Director Firm Compliance, Americas Office of Ethics and Compliance, Ernst & Young
Mr. Azwar Ritonga - OSS Eng, TELKOM (Indonesia)
Mr. David Mace Roberts - Vice President and Gen Counsel, Elbit Systems of America LLC
Mr. Roy Robinson - Vice President Communications Education, Archer Daniels Midland Company
Mr. Sayed Sadjady - Partner, PricewaterhouseCoopers LLP
Mr. Suvendu Samantaray - Business Consultant, Infosys Consulting
Mr. William Shenkir, Ph.D., CPA - William Stamps Farish Prof Emeritus, McIntire School of Commerce, University of Virginia
Mr. Ratan Sonti - Software Engineer, SAP
Ms. Andrea Spudich, CCEP – Principal, The Responsible Leader Group
Ms. Darla Stanley – Wal-mart Stores, Inc.
Ms. PJ Sullivan - Sr Technical Mgr-IT Compliance, Freight System, FedEx Corporation
Mr. Lou Tinto - Engagement Manager Technology Risk Management, Jefferson Wells
Ms. Patricia Towers - Senior Manager, Global Ethics & Compliance, Procter & Gamble
Ms. Juven Zeng – Consultant, Smartdot Tech

Review Panel Members


Mr. Daoud Abu-Joudom, MBA, CISA, CISM – VP, Head of IT Audit, Group Internal Audit, Arab Bank (Jordan)
Mr. John Adamsons – Coordinator, WHO
Mr. Mani Akella - Director, Technology, Consultantgurus
Ms. Julia Allen - Senior Researcher, Carnegie Mellon University
Ms. Sam Apps - Group Manager Compliance, Origin Energy Limited (Australia)
Mr. Toks Azeez - Compliance Business Consultant, Legal Department, Baker Hughes Inc
Mr. Timour Baiazitov – Head of Risk Management and Control, Severstal (Russia)
Mr. Brian Barnier – GRC, IBM Corporation
Mr. Stephen Baruch, CBCP – Disaster Preparedness, Business Continuity, Enterprise Risk Management
Mr. Bob Bassetti - Senior Manager, BearingPoint, Inc.
Mr. Indarduth Beejah – Deputy Director Internal Control, US Government (Mauritius)

Intro - iv

Mr. Jose Antonio Rubio Blanco - Rey Juan Carlos University (Spain)
Mr. Robert Bordynuik - Sr Security Consultant, Versatile Solutions LLC (Saudi Arabia)
Mr. Bruce Buckley - General Counsel, IIR
Mr. French Caldwell - VP – Analyst, Gartner, Inc.
Dr. Joseph V. Carcello – Ernst & Young Professor and Director of Research - Corporate Governance Center, University of Tennessee
Mr. Anthony Chalker - Director, Protiviti
Mr. Derek Cherneski - Business Continuity & Security Analyst, Federal Communications Commission (Canada)
Mr. Mandar Chitre - Solution Architect, Infrastructure Management Services, Patni (India)
Mr. Tom Cleary (Australia)
Mr. Richard Cohan, FACHE, CHC, CCEP - Director of Integrity and Compliance and Chief Privacy Officer, Providence Health & Services
Mr. Marco Colonna (Italy)
Mr. Brian Conrey, CISA - Program Manager, Controls Integrity LLC
Ms. Laura Cote - Senior Auditor, Allergan
Mr. Doug Cotton - MD Business Ethics & Compliance Program, American Airlines
Mr. Kevin Crimmins - VP GC, Software Impressions LLC
Mr. John Cross - Lecturer, California State University Fullerton
Ms. Yo Delmar, CMC, CISM - Chief Marketing Officer, Brabeion Software Corporation
Ms. Andrea Dias – Manager, ICTS Global (Brazil)
Mr. Patrick Donovan – Chief Compliance Officer, Airbus SAS (France)
Mr. Rory Douglas - Ethics Analyst
Mr. Robert Drolet - Oracle Financials and GRC Professional, OraApps Consulting, Inc.
Mr. Tim Elliott – Senior Vice-President, Operational Risk Director, Financial Intelligence Division, Comerica Bank
Ms. Sheila Fields - Knowledge Management, HS FIDS
Ms. Cyndi Fleming - Director of IM/IT, DTSSAB (Canada)
Mr. Russ Gates – President, Dupage Consulting LLC
Mr. Leon Goldman - Chief Compliance and Privacy Officer, Beth Israel Deaconess Medical Center
Mr. Royd Graham - Corporate Controller and Senior Director of Accounting, Academy Sports + Outdoors
Mr. Luis Guadarrama - Sr Data Security Consultant (Mexico)
Mr. Richard Gudoi Gid'Agui, CIA, CGFM, CFSA, MSc. Audit(UK), MBA - Senior Lecturer / Program Coordinator Internal Auditing, School of Accountancy, Witwatersrand University (South Africa)
Mr. Miguel Gutierrez, CISA, CISM - Director Global IT Risk & Compliance, International Information Technology, Brink's Incorporated
Mr. Rodrigo Hayvard, Esq. (Chile)
Mr. Michael Helmantoler – Business Continuity, Helmantoler.net
Mr. Arnold Hill - Project Manager, Property Development Division – WPC, US General Services Administration
Mr. Peter Hillier - Principal Consultant, Hillier Security Services (Canada)
Mr. David Hoberg - Corporate Finance Manager, Voith Paper, Inc.
Mr. Matthew Hourin - Senior Manager, Deloitte
Mr. Jörgen Jarleman - Principal, JMC Management Consulting (Sweden)
Mr. Anil Jhumkhawala – Director-Compliance, Secure Matrix I Pvt Ltd. (India)
Mr. Jim Jolley - Training and Research Manager, Office of Communication and Professional Development, Florida Department of Revenue
Mrs. Christiane Jourdain - Business Continuity Planning Project Manager, Sussex HIS, NHS (United Kingdom)
Mr. Rodriguez Julio - Chief Compliance Officer, Banco Pastor (Spain)
Mr. Daniel Karrer - E-Loan Inc (Brazil)
Ms. Marion Keraudren
Ms. Cary Klafter - VP Legal and Corporate Affairs and Corporate Secretary, Intel Corporation
Mr. Sam Koh - Technical Manager, Vasco (Singapore)
Mr. Alon Kohalny - CAE, Municipality of Kadima-Zoran (Israel)
Mr. Richard Levy - Vice President of Engineering, Mitratech Holdings, Inc.
Ms. Adlinna Liang – Director, MetLife

Intro - v

Mr. Peter Liria – Director, Global Ethics & Compliance, Avaya Inc.
Ms. Anna Luszpinska – Director, Prudential Regulations Department, Bank Zachodni WBK SA (Poland)
Mr. Andre Macieira – Director, ELO Group (Brazil)
Prof. Andre Macieira - Assistant Professor, Concordia University
Ms. Marjorie A. Maguire-Krupp, CPA, CIA, CFSA – President, Coastal Empire Consulting
Mr. Jorge Soeiro Marques - Chief Risk Officer, Lusitania Seguros (Portugal)
Mr. Gabe Mazzarolo - VP – Technology, Pareto (Canada)
Ms. Amelia McCarty - VP Ethics and Compliance, Cardinal Health, Inc.
Mr. Tlhabano Mmusi - Compliance Trainee (Botswana)
Mr. Paul Moxey - Head of Corporate Governance and Risk Management, ACCA (Association of Chartered Certified Accountants) (United Kingdom)
Ms. Florie Munroe - Vice President for Compliance, Health Quest
Mr. Joe Nadivi - CEO, SBS (Israel)
Mr. Warren Nelson - Risk Advisor, Risk & Assurance, Inland Revenue Department (New Zealand)
Mr. Peter Parmenter – Director, Internal Controls, Biomed Realty Trust, Inc.
Ms. Alice Peterson – President, Syrus Global
Ms. Diane Pettie - Vice President General Counsel & Corporate Secretary, Legal, Canexus Limited (Canada)
Ms. Judy Pokorny – Director, Utilities Consulting, Huron Consulting
Mr. Tobin Pospisil - Chief Financial Officer, Gallatin Steel Company
Mr. Richard Poworski – ITA, SGI (Canada)
Ms. Monika Rajh Mladenov – Auditor, The Court of Audit of the Republic of Slovenia (Slovenia)
Mr. Bala Ramanan - Sr. Consultant, Microland Ltd (India)
Mr. Javvadi H Rao, FICWA, ACA, CMA, CFM(USA) - Head of Risk Management, Agri Business Division,
ITC Ltd. (India)
Dr. Peter Reichard - Group Compliance Officer, Allianz Risk Transfer (Switzerland)
Ms. Kim Rivera - VP Associate GC, The Clorox Company
Mr. Joel Rogers – Director, Ethics & Corporate Compliance, Kaplan EduNeering
Ms. Johanna Rogers - Chief Compliance Officer, SunGard
Mr. Peter Rosenzweig - Senior Manager, Advisory Services, Ernst & Young LLP
Mr. Stefano Rossi – Dott, Guidance SRL (Italy)
Ms. Mary Roth - Executive Director, RIMS (Risk and Insurance Management Society)
Mr. Paul Russo - Systems Engineer, BAE Systems
Ms. Karen Rutledge - Ethics & Compliance Specialist, PNM Resources, Inc.
Mr. Richard Sanzin - Company Secretary, Royal Automotive Club of Victoria (RACV) Limited (Australia)
Mr. Ram Sastry - Director - IT Audits
Mr. James Sehloff - Information Security Analyst, Holy Family Memorial
Mr. Bob Semple - PricewaterhouseCoopers LLP (Ireland)
Mr. Jerry Shafran - CEO, Compliance Assurance Corporation
Mr. Ken Shaurette - Engagement Manager, Jefferson Wells
Ms. Monica Shilling – Partner, Proskauer Rose LLP
Mr. Jay Shinde, Assistant Professor, Eastern Illinois University
Ms. Elizabeth Siemens - Senior Legal Advisor Governance, Cameco Corporation (Canada)
Mr. Samir Singh
Mr. Mark Snyderman - Chief Ethics & Compliance Officer & Assistant General Counsel, The Coca-Cola
Company
Ms. Barbara Stegun Phair – Partner, Abrams Fensterman Fensterman Eisman Greenberg Formato &
Einiger, LLP
Ms. C Karen Stopford - AVP Information Security, The Commerce Insurance Company, Inc.
Mr. Geoffrey Storms - Chief Internal Auditor, Cameco Corporation (Canada)
Mr. Dan Swanson - President and CEO, Dan Swanson & Associates (Canada)
Ms. Celia Szelwach - Ethics and Compliance Manager, PBS&J
Ms. Heidi Teresi - Compliance Manager, Alcatel-Lucent
Mr. Tim Tesluk - SVP, Greater China Legal & Compliance, DBS Bank (China)
Mr. Calvin Thompson - Manager, TSWCCUL (Bahamas)
Mr. Kevin Tisdel - Director of Corporate Compliance, Shaw Industries Group, Inc.
Mr. Dan Twing – COO, EMA (South Africa)
Mr. Pieter Van Hout, Ing Mba Mbci - Essent Corporation (Netherlands)
Mr. Surya Vangara – SCSL (Trinidad and Tobago)
Mr. Kishore Vekaria - Director, Secure Keys Consulting (Mauritius)
Mr. Nitish Verma - Director
Mr. Dean Wagers - SOX Compliance, The Kroger Co.
Ms. Kathy Washenberger – IPSO, Hennepin County
Mr. David Wassel - VP, Business Development, ZeroTouchWare
Mr. Ian Lawrence Webster - Governance Officer, Performance Technologies (Brazil)
Mr. Chip Weiant – Chair, American Center for Civic Character
Ms. Mary Karen Wills – Partner, Consulting, Argy Wiltse & Robinson
Ms. ChunHua Yang - Student, Southern Illinois University
Ms. Jie Yang, MBA (China)
Mr. Gunter Zimmermann – Consultant, Controlware Gmbh (Germany)

Executive Summary
Problems always have solutions. And the very simple solution to the almost unimaginably
complex challenges organizations face as they do business in an increasingly complicated global
marketplace is this: Step back, get a good look at the challenges and develop an integrated
approach to managing risks and maximizing opportunities throughout the enterprise. The result:
what the Open Compliance and Ethics Group calls Principled Performance®[1]. The simple step of
adopting an integrated approach to setting operational standards and making sure they’re met –
by integrating activities that are now siloed and often duplicative or contradictory – enhances
the corporation’s value by making its governance, risk management and compliance activities
more efficient and effective.

Corporate Misconduct and Regulatory Reform


The rise in incidents of corporate misconduct in recent years led to numerous reforms in
organizational legal and regulatory regimes. Yet, even with increased regulatory control,
organizations have shown themselves to remain unprepared for the wide-ranging risks they face.
A big part of the problem is that too many companies' efforts to eradicate misconduct focus on
individuals and their supposed malicious intent rather than on the systems and processes that
should have kept the misconduct from happening in the first place. So, despite warning signs,
companies often fail to see an emerging calamity, even when it is fully predictable.
Threats that should have been recognized and avoided continue to catch them by surprise, a
state of affairs that has emphasized the importance of establishing an ethical culture and a more
integrated approach to organizational oversight, comprehensive risk management and
compliance efforts.

Striving for Principled Performance


Organizational balance of power relies on the interrelationship of management, the Board of
Directors (or other governing body) and key stakeholders. That interrelationship depends on
mutual accountabilities and an unfettered exchange of information. When the parties work
together well, they provide an authoritative set of checks and balances that enables the
organization to achieve Principled Performance, which is the outcome of clearly articulating an
enterprise’s objectives, both financial and nonfinancial, and defining the methods by which it
establishes and stays within the boundaries it will observe while driving toward those objectives.
Principled Performance is achieved by defining “right” for your company, then doing the “right”
things the “right” way — not only to create value in the traditional view, but to protect value,
address uncertainty and help the organization stay within its customized boundaries of conduct.

GRC: An Integrated Approach to Governance, Risk Management and Compliance


A number of key business processes help organizations achieve Principled Performance, and
processes under the areas of governance, risk management and compliance are particularly
critical to its success. Because there is significant overlap in the activities that underlie and
support those broad areas, addressing them and all others that contribute to Principled
Performance in an integrated fashion allows a consistent view of information and efficient
application of resources that greatly enhance the power each individual process brings to the
organization. We call that integrated approach “GRC”.

[1] Principled Performance is a registered trademark of OCEG.

GRC activities are fundamentally interconnected and dependent on similar processes, people
and technology. It is important to note that integration of these activities does not mean
consolidation. Rather, integration means applying a common vocabulary, approach and, ideally,
technology infrastructure to GRC processes. It also means coordinating the activities that
ensure a flow of consistent information throughout the organization and that enhance efficient
use of resources. By establishing an integrated GRC system of people, processes and
technologies, an organization can replicate improvements in one GRC area across other GRC
areas in the enterprise, enabling the organization to achieve Principled Performance. And once
the GRC system is in place, companies can fine-tune their efforts as they move forward,
reallocating human and capital resources to the GRC areas that their ongoing monitoring tells
them need the most attention.

The GRC Capability Model™


At the heart of the OCEG Framework is the GRC Capability Model™. Although various
standards and guidance frameworks exist that address discrete portions of governance, risk
management and compliance issues, the OCEG GRC Capability Model™ is the only one that
provides comprehensive and detailed Practices for an integrated GRC system.
Those Practices address the many Elements that make up a complete GRC system.

Figure 1 – GRC Capability Model Elements View

Applying the Elements in the GRC Capability Model™ and the Practices within them enables an
organization to:

• Achieve Business Objectives
• Prevent, Detect & Reduce Adversity
• Enhance Organizational Culture
• Motivate & Inspire Desired Conduct
• Increase Stakeholder Confidence
• Improve Responsiveness & Efficiency
• Prepare & Protect the Organization
• Optimize Economic & Social Value

The OCEG Framework for Principled Performance®
The shortest distance between any organization and Principled Performance is application of the
guidance and resources provided by OCEG. The OCEG Framework for Principled
Performance® (commonly referred to as the OCEG Framework) is relevant to those in
oversight, strategic, operational and assurance positions. The OCEG Framework is centered on
the GRC Capability Model™ (commonly known as the Red Book), which describes key
elements of an effective GRC system that integrate the principles of good corporate
governance, risk management, compliance, ethics and internal control. The OCEG Framework
also includes the Burgundy Book, which details the assessment criteria and procedures for
evaluating GRC systems under OCEG’s GRC Capability Assessment Program™.

Here are important content and format details:

The Red Book


The Red Book contains the GRC Capability Model™, the central piece of the OCEG
Framework. It provides a comprehensive guide for anyone implementing and managing a GRC
system or some aspect of that system – including those involved in compliance, training, hotlines
and investigations. The Model also is contained in a searchable database on the OCEG site,
where OCEG enterprise members can mine the data it contains and create custom reports to
include content from the additional resources described below. Premium members may also
view the online version but do not have access to custom report creation.

As a downloadable document on the OCEG site available to all OCEG members, the Red Book
also includes a narrative overview about achieving Principled Performance through an integrated
approach to governance, risk management and compliance. This narrative also provides a basic
understanding of the principles and structure of the OCEG Framework. OCEG also makes the
narrative overview available as a separate downloadable document that can serve as a quick-
start guide to orient leadership and new GRC team members about GRC and the OCEG
Framework.

The Burgundy Book


The Burgundy Book provides procedures and assessment criteria to facilitate management and
evaluation of a GRC system. It identifies the key aspects of a GRC system that an organization
should evaluate to provide assurance of system design and baseline operations to management
and the Board and it establishes common procedures for conducting an independent assessment
of the system. The Burgundy Book’s procedures also serve as the basis for evaluations that
support an application for certification of GRC system design by OCEG. The Burgundy Book is
available for download by all OCEG enterprise members and may be purchased for download by
premium members.

Additional Resources Available from OCEG


OCEG offers additional resources to enterprise members that supplement the OCEG
Framework. The searchable and downloadable resources include:

Content Domains
Content Domains provide application guides (supplements) that offer additional information to
use with the OCEG Framework when addressing topical or industry-specific aspects of a GRC
system. They delineate practices for applying the GRC Capability Model that are bundled either
broadly for a particular area of risk applicable to any number of entities or specifically for a
unique area of risk applicable within a particular industry. In that way, the Content Domains
address the nuances and exceptions in applying the Model to the unique activities of an
organization.

OCEG members may download GRC Content Domain materials as discrete electronic
publications based on a single industry issue or a single area of risk. Alternatively, enterprise
members may search across multiple Content Domains and download a customized
comprehensive report. The GRC Capability Model can be used as a common backbone to
support compliance and risk management of common and industry specific risk areas.

[Figure: Content Domains layered on the GRC Capability Model. Common compliance risk area domains (apply to most organizations) and industry- or geography-specific domains sit on top of the GRC Capability Model™ (People, Process & Technology).]

GRC Requirements Database


The OCEG Requirements Database, currently under development, contains detailed information about
Requirements that are related to the Elements of the GRC Capability Model or to Content
Domains, which OCEG has identified from specific laws, rules, cases, treaties, standards and
other guidance. OCEG maps these “Related Requirements” to the specific Elements of the
Model or Domain Practices to which they relate. In that way, enterprise members can use the
OCEG resources to ensure that they are aware of relevant Requirements.

During 2009, OCEG is reviewing publications — Authority Documents — of more than 100
standards bodies and other industry organizations, as well as governments in numerous
countries, to identify additional global Requirements relevant to the Model. Given the enormity
of the task of addressing a global audience, transnational standards and those from the following
15 countries and regional bodies, based on their position in global affairs and OCEG member
priorities, represent the starting point for Requirements that will be added to the database:

Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Russia,
South Africa, the United Kingdom, the United States and the European Union.

OCEG will provide citations to relevant portions of Related Requirements with links to the text
when available and depending upon agreements reached with issuing authorities. An example of
this format, available only through custom reports generated by Enterprise members through
use of the OCEG Requirements Database, is presented in Appendix A.

GRC-IT Blueprint™
OCEG Premium and Enterprise members may use the links to Technology Arenas and Modules
in the online version of the Model (located within each Element) to access Appendix A of the
GRC-IT Blueprint™, which identifies and defines types of technologies that enable the GRC
system. The Technology Arenas and Modules in the Model represent a bridge between the GRC
professional and the IT professional. GRC professionals can use the Technology Arenas and
Modules as a basis for discussing technology options with their IT counterparts. Enterprise
member IT professionals can use the Technology Arenas and Modules as a bridge from the
Model into the GRC Blueprint™. While the downloadable version of the Model available to all
OCEG members provides high level guidance on which Technology Arenas and Modules
support each Element of the Model, the GRC-IT Blueprint™ provides the definitions of these
Arenas and Modules as well as visual representation of how they relate to each other. The
GRC-IT Blueprint™ also is available as a downloadable stand-alone document.

Changing Times: The Evolution of GRC
The globalization of financial markets, rapid expansion of outsourcing, and growth of layer upon
layer of regulatory oversight within governments across the globe make today’s business
environment as challenging as any has ever been. The global economic systems in which
organizations now operate have become profoundly complex and inter-related, and it is not
always clear where requirements originate and responsibilities lie for various aspects of
governance, risk management, compliance, and oversight of controls. That lack of clear
accountability has resulted in abuses of power, compliance failures and other dysfunction that
affect shareholder capital, employees and the social environment at large. When accountability
in an organization breaks down, it can have severe consequences. Not surprisingly, investors
have indicated they are willing to pay a premium for well-governed companies.

The problem that most corporate executives see when it comes to staying on top of changing
legal requirements, business circumstances and economic realities is this: There are too many
fragmented solutions to too many problems, a micro approach if you will. What they too often
don’t see is that there is a unified solution – a macro solution to a macro problem – that
addresses all the separate problems that come up as the business environment changes.
Application of OCEG's GRC Capability Model™ gives every organization a basis for developing the
systems and processes, the controls around them and the assessments that help ensure that
the organization can adapt to address every business risk it faces. The bottom line: An
integrated approach to governance, risk management and compliance that’s embedded in an
organization’s day-to-day operations will maximize its performance and minimize its risk.

Corporate Misconduct and Regulatory Reform


By most accounts, the prominent lapses associated with companies that lost their way in recent
years were due in large part to corporate governance failures, including all too common and
undue pressure to meet short-term objectives and not enough pressure to build long-term
value. That lack of attention to fundamentals and appropriate oversight led to the destructive
behavior that undermined the financial market’s credibility and, in turn, inspired numerous
reforms in legal and regulatory regimes imposed on organizations.

The Sarbanes-Oxley Act of 2002 was just the start of an onslaught of regulatory and other
reforms that regulatory bodies have put in place globally in an attempt to improve corporate
governance. Public companies are not alone. Although private companies are not required to
comply with the provisions of SOX or its regulatory counterparts in other countries, reforms
around the world also have addressed various areas of private company business practices.
Likewise, though the
stated goal for not-for-profits is fulfilling a mission rather than maximizing share price, they too
have faced increased regulatory oversight. But even with that increased regulatory control,
organizations have proved themselves unprepared for the wide-ranging risks they face these
days. Even with warning signs, companies still fail to see emerging calamities, even when they’re
fully predictable. Often, threats that should have been recognized and avoided still catch too
many companies by surprise.

This state of affairs emphasizes the importance of effective organizational oversight,
comprehensive risk management and a more integrated approach to controls & compliance.
Organizations have struggled to manage the myriad of governance, risk management and
compliance requirements they face and many continue to apply fragmented approaches to those
critical functions resulting in suboptimal performance. However, some are successfully reducing
their vulnerability and managing the complexity of requirements by employing a more integrated
approach to governance, risk management and compliance.

Value and Stakeholders


To best see the path ahead — the path to integrated governance, risk management and
compliance — it’s necessary to look back to see why it’s critical to embark on the integration
journey. Organizations and business enterprises are formed and exist for a variety of reasons,
but at their core, they function to achieve a common goal or set of goals. All organizations -
whether publicly traded corporations, private entities, not-for-profits or governmental units -
exist to provide value for their stakeholders. They all must strive for strong performance to
safeguard and grow value while ensuring sustainable operations.

But while organizations exist to provide value to stakeholders, the actions they must take and
goals they must achieve to provide that value are constantly changing. In the past, it was
generally accepted that the “social responsibility” of business is a duty to maximize profits,
particularly in the case of corporations. Today, though, the free market view that business
decisions should be based solely on a narrowly defined notion of what is good for a single
category of stakeholders, namely the shareholder, is eroding. Some businesses are adopting an
emerging perspective that behaving in a different type of “socially responsible” manner reduces
legal risks, enhances employee satisfaction and generally reflects good management practices —
all things that ultimately maximize long-term shareholder value while benefiting all stakeholders
of the organization.

That emerging perspective holds that in today’s global markets, where shareholders and other
stakeholders are diverse and widely dispersed, a stakeholder is anyone who is affected by, or
who can affect, the organization. That includes internal stakeholders, or employees, and those in
the value chain, suppliers and customers, as well as external influencers such as investors,
communities, regulators and the media. Stakeholder concerns, including non-financial concerns,
have become more important as all types of stakeholders have gained credibility and influence.

That evolving approach to value, and to the holistic and comprehensive view of stakeholder
demands, is contributing to a drive toward an integrated approach to governance, risk
management and compliance and, ultimately, to what OCEG calls Principled Performance®.

The Rise of Principled Performance®


Organizational balance of power relies on the relationship between management, the Board of
Directors or other such governing body and key stakeholders. That relationship in turn,
depends on mutual accountabilities and an unfettered exchange of information. When the
parties work together, they provide an authoritative set of checks and balances that enables the
organization to achieve Principled Performance.

Principled Performance is the outcome of a clear articulation of an enterprise's
objectives, both financial and non-financial, and application of the GRC methods by
which it establishes and stays within the boundaries it will observe while driving toward
those objectives. Principled Performance goes beyond ethical performance, economic
performance, or corporate social responsibility. Principled Performance represents achievement
of all of the objectives an organization chooses to pursue while employing an effective, efficient,
and responsive approach to governance, risk management and compliance that supports those
objectives.

Defining the Boundaries of Conduct


All organizations must operate within defined boundaries. Outside forces, such as legal and
regulatory requirements, establish the mandated boundaries that some refer to as “externally
driven mandates.” Similarly, entities must also determine the voluntary boundaries within which
they should function. Those are often called “internally driven mandates.” A company’s Board
and management assess the organization’s voluntary boundaries — which include public socio-
economic commitments, standards, certifications, contractual and representational obligations
such as warranties and guarantees and organizational ethics and values. It is important that
organizations treat voluntary boundaries as seriously as they do the mandated boundaries, as
violations of either can carry equally significant adverse consequences.

In the course of conducting business and managing risk, an organization must understand the
internal and external obstacles that may get in the way of achieving its objectives and it must
recognize the opportunities that may transform either the objectives themselves or the business
model required to achieve the objectives. An organization must be adept at operating within
boundaries, overcoming obstacles — or preventing them from undermining its efforts — and
seizing upon opportunities to attain its objectives. But few companies have a handle on the wide
range of policies, processes, and controls needed to manage compliance with both internal and
external boundaries and the risks associated with them.

The integration of governance, risk management, and compliance (“GRC”) helps an organization
more effectively and efficiently drive performance. Governance, of course, establishes objectives
and, at a high level, the boundaries inside which the entity must operate. A strong ethical
culture, as an aspect of internal governance, provides a safety net when formal controls
and structures are weak or nonexistent — while, at the same time, providing an environment
that helps the workforce reach its highest level of productivity. Risk management helps the
organization identify and address potential obstacles to achieving objectives. A healthy
Enterprise Risk Management discipline can enhance the value protection and value creation
decision making within an organization. Compliance management ensures that the boundaries
are well set, and that the organization does indeed conduct business within them through
established policies and controls.

For an organization to achieve Principled Performance it must:

• clearly define its mission, vision and values;
• define what it seeks to achieve;
• define how it will pursue those objectives while addressing risks and uncertainty, protecting
and creating value, identifying new opportunities and staying within defined boundaries of
conduct along the way;
• make these choices transparent to appropriate internal and external stakeholders; and
• do all of that using an integrated approach where the “whats” and “hows” are continuously
improved for the highest level of performance.

It is important to note that achieving Principled Performance means each entity defining what is
“right” for it, then doing the “right” things the “right” way. Principled Performance, then, is
about enhancing the traditional shareholder view of financial performance to include desired
outcomes that are not directly or exclusively financial, but that address other stakeholder
interests that secure long-term success.

GRC: Governance, Risk Management, Compliance and Beyond


A number of key business processes help organizations achieve Principled Performance. While
there are many activities and functions that contribute, such as internal controls, audit,
assurance, quality, IT, HR and others, GRC (the acronym drawn from the three primary
contributors – governance, risk management and compliance) stands in for all of those critical
functions and represents the synergistic effect of an integrated approach; the creation of a whole
that is far more than merely the sum of its parts. Within the context of the integrated GRC
system, all the individual functions share a mutuality of interest, a common need for information
and contribution to the organization’s efforts to achieve Principled Performance.

There are many reasons an organization seeks to integrate and align its governance, risk and
compliance efforts into a GRC system. Here are a few examples:

• The global footprint of the business requires an understanding of additional laws, rules and
regulations beyond the headquartered domicile.
• The cost of complying with an increasingly complex, voluminous and ever-changing patchwork
of legal mandates is always rising.
• There is a lack of visibility into not only operational issues, but also risk and compliance
activities.
• There is unnecessary complexity and duplication of effort taking place to address risks and
requirements.
• The Board and senior management face increased accountability and liability.
• There is redundancy in some areas and possible gaps in coverage for critical risks in others.
• The cost of maintaining duplicate sets of information for different purposes and reconciling
information when necessary is high.

To address such drivers, many organizations are integrating GRC activities to achieve Principled
Performance in an effective, efficient and responsive manner. To most effectively accomplish
that, it’s important to understand the nomenclature.

Formally defined, GRC is a system of people, processes and technology that enables an
organization to:

• understand and prioritize stakeholder expectations;
• set business objectives congruent with values and risks;
• achieve objectives while optimizing risk profile and protecting value;
• operate within legal, contractual, internal, social and ethical boundaries;
• provide relevant, reliable and timely information to appropriate stakeholders; and
• enable the measurement of the performance and effectiveness of the system.

A "GRC activity," then, is any process or activity that contributes to or is part of the system.
Processes and functions typically included are:
• Governance
• Strategy and Business Performance Management
• Risk Management
• Compliance
• Internal Control
• Corporate Security
• Legal
• Information Technology
• Business Ethics
• Sustainability and Corporate Social Responsibility
• Quality Management
• Human Capital and Culture
• Audit and Assurance
• Finance

Each contributes to an organization’s ability to drive Principled Performance, and all can benefit
from improved communication, shared strategy, common processes, coordinated schedules and
integrated technology.

Processes under the areas of governance, risk management and compliance are particularly
critical to system success, so a deeper look at their definitions is helpful:

• Governance is the culture, values, mission, structure and layers of policies, processes and
measures by which organizations are directed and controlled. Governance, in this context,
includes but is not limited to the activities of the Board, for governance bodies at various levels
throughout the organization also play a critical role. The tone that is set, followed and
communicated at the top is critical to success.

• Risk, in this context, is the measure of the likelihood of something happening that will have an
effect on achieving objectives; most importantly, but not exclusively, an adverse effect. Thus,
Risk Management is the systematic application of processes and structures that enable an
organization to identify, evaluate, analyze, optimize, monitor, improve, or transfer risk while
communicating risk and risk decisions to stakeholders. The overriding goal of risk management
is to realize potential opportunities while managing adverse effects of risk.

• Compliance is the act of adhering to, and the ability to demonstrate adherence to, mandated
requirements defined by laws and regulations, as well as voluntary requirements resulting from
contractual obligations and internal policies.

There is some overlap among these functions, but they have distinct areas of focus and each has
activities dispersed throughout an organization. For example, the definition of governance
characterizes the maintenance of “culture” as a feature, even though many US-based companies
incorporate ethical culture concepts into their compliance programs as defined by the US
Federal Organizational Sentencing Guidelines.

GRC: Breaking it Apart and Pulling it All Together
Most companies historically have approached the GRC components separately and have tacked
them on top of the business rather than embedding them into operations. Many have designed
and implemented risk assessments and compliance policies and processes within narrow risk
areas and at distinct locations, without consideration of how or when the organization has
addressed similar issues in other areas. As a result, numerous processes and controls are buried
in isolated silos, leading to complexity, duplication and major gaps. To better understand the
power of integration, it is useful to more closely examine the individual GRC components of
governance, risk management and compliance, as well as some of the significant supporting
functions that contribute to GRC goals.

The Corporate Governance Discipline: The G in GRC
The Organisation for Economic Co-operation and Development defines corporate governance
as “the system by which business corporations are directed and controlled. The governance
structure specifies the distribution of rights and responsibilities among different participants in
the corporation, such as the Board, managers, shareholders and other stakeholders, and spells
out the rules and procedures for making decisions on corporate affairs. By doing [so], it also
provides the structure through which the company objectives are set, and the means of attaining
those objectives and monitoring performance.”

Traditionally, governance processes were constrained to “what happens in the Boardroom.”
Contemporary views expand that, though, to encompass key governance activities that may take
place throughout the organization — and even those of some external stakeholders — to
support Board responsibilities, including the company’s system of internal control and oversight
of compliance. Conventional corporate governance standards attempt to balance the goals of
protecting the interests of shareholders and stakeholders with the requirement to respect the
duty of Boards and managers to direct the affairs of the organization. As owners of securities,
shareholders rely on the Board to protect their interests. The Board acts as an active monitor
for shareholders’ and stakeholders’ benefit with the goal of Board oversight to make
management accountable, and thus more effective.

The key to corporate governance is the distribution of rights and responsibilities across the
entire business. All too often, however, organizations still apply governance principles solely to
Board processes and Boardroom issues. Yet critical to good governance are the systems “below
the Board” and the distribution of rights and responsibilities that ensure tone, objectives and
expectations cascade throughout the organization and down to every individual.

In the context of GRC, effective corporate governance is supported and in layers throughout
the organization, with the emphasis on processes that affect and influence Board understanding
of critical information that allows good decision-making. Those systems and processes help the
organization:

• understand entity vulnerabilities;
• provide insight and intelligence to the right people, at the right time, to make the right
“risk-aware” decisions;
• reduce the likelihood that unauthorized decisions will be made;
• identify and reduce entity vulnerability to specific risks;
• reduce the likelihood and impact of undesirable events; and
• produce evidence about effectiveness to management, the Board and stakeholders.

A Brief Detour: Sustainability
The concept of sustainability is sometimes mingled with other, similar expressions that have
become widely used. For example, many businesspeople, authors and scholars refer to
“corporate social responsibility” to mean a company’s obligations to society at large. Others
prefer “sustainability” because “responsibility” emphasizes the benefits to groups outside the
organization, while “sustainability” gives equal importance to the benefits enjoyed by the
corporation itself. In that respect, sustainability can be viewed as related to business ethics,
and thereby corporate compliance and ethics programs, but on a scale that emphasizes broader
social issues such as poverty, education and human rights, versus specific choices by individual
managers. Other terminology usage includes “corporate responsibility,” perhaps more commonly
seen in Europe, “environmental social governance” and “sustainable development,” to name a
few.

Sustainability addresses the wide and diverse range of business concerns about the
environment, workers’ rights and consumer protection and the impact of business decisions on
those broad social issues – and ultimately the decision-making process itself and the
relationship of the issues to profit or other organizational purposes. As such, the Governance
role and setting of voluntary boundaries includes decisions about the organization’s
commitment to sustainability.

The Risk Management Discipline: The R in GRC
Between the direction and authority of governance and the requirements and boundaries of
compliance lie a plethora of obstacles and opportunities that may affect an organization’s ability
to achieve desired objectives. To be effective, organizations need to take control of the risks
they face.

The Committee of Sponsoring Organizations (COSO) ERM Report defines risk as “the possibility
that an event will occur and adversely affect the achievement of objectives.”2 The COSO report
further defines enterprise risk management as “a process, effected by an entity’s Board of
directors, management and other personnel, applied in strategy-setting and across the
enterprise, designed to identify potential events that may affect the entity and manage [that]
risk to be within [the entity’s] risk appetite to provide reasonable assurance regarding the
achievement of entity objectives.”

The Australia and New Zealand risk management standard3 uses a more concise, yet arguably
broader definition of risk: “The chance of something happening that will have an impact on
objectives.” It defines risk management as “the systematic application of management policies,
procedures and practices to the tasks of communicating, establishing the context, identifying,
analyzing, evaluating, treating, monitoring and reviewing risk.”

A group of UK organizations in “A Risk Management Standard” uses the definition set forth in
ISO/IEC Guide 73 for risk as “the combination of the probability of an event and its
consequences.” British Standards in the forthcoming BS 31100 standard define risk as
“something that might happen and its effect(s) on the achievement of objectives.”4

2 COSO ERM definition, page 16.
3 AU/NZS 4360 is the basis for the forthcoming ISO 31000 standard on enterprise risk management.

There are other definitions to note, including one from the Institute of Internal Auditors:
“Enterprise-wide risk management is a structured, consistent and continuous process across the
whole organization for identifying, assessing, deciding on responses to and reporting on
opportunities and threats that affect the achievement of its objectives.”5

This multitude of definitions suggests that there is a divide in the risk management profession
around the concepts and definition of risk and how risk relates to uncertainty, opportunities,
threats and obstacles. The most striking difference is how authorities include or exclude various
types of risk outcomes. Some emphasize risk as the potential negative events that an
organization may experience as it pursues objectives. Others define risk as the potential
negative or positive events that may be experienced.

Some of that is not so much a debate about “risk” as it is about the context thereof. For
example, the insurance community is primarily concerned with the downside of risk. By
contrast, the financial community is concerned about upside benefits from taking risk. Personal
behavior mirrors that. When someone buys automobile or property insurance, he or she is
concerned about the potential of an adverse event. When that person utilizes a retirement
plan’s financial tools, he or she is managing risk to maximize opportunities and also to seek
better returns.

Notably, despite those differences, nearly all risk management frameworks and risk management
professionals themselves agree that opportunities, obstacles and threats must be addressed in a
holistic fashion to yield an optimal result. In that sense, the fundamental difference in how
different frameworks and organizations define risk becomes functionally irrelevant. Indeed, in
the context of GRC, most organizations have implemented at least minimal strategic planning
processes and have developed an approach to pursue opportunities. What is often lacking is an
integrated approach to:

• identifying the obstacles and threats along the way,
• assessing their potential impact,
• making risk-intelligent decisions and
• implementing governance structures to ensure that the organization appropriately pursues
opportunities in light of those obstacles and threats.

In the context of GRC, there is a need to make governance and business performance more
“risk-aware.” In relationship to corporate governance, companies struggle in determining the
appropriate risk oversight role of the Board of directors. Various functions have been proposed
with respect to the Board regarding risk, including approving the company’s risk appetite as a
component of its strategy-setting and ensuring robust risk oversight by senior management. In
other words, it is not the Board’s responsibility to identify and assess actual risks, but to
monitor line management’s competence in doing so.

4 BS 31100 public draft, July 31, 2007
5 IIA definition in the Role of Internal Auditing in ERM

The Compliance Discipline: The C in GRC
Boards of directors in the United States have focused heavily on meeting the financial reporting
requirements of the Sarbanes-Oxley Act and are likely facing compliance fatigue. Yet financial
reporting is just one aspect of compliance, and the Sarbanes-Oxley Act is just one regulatory
scheme, and many organizations are facing increasing regulatory demands, especially as they
extend into global markets. Every country, of course, has laws and regulations for conducting
business within its borders. Neighboring and economically interdependent countries also draft
treaties and other legal instruments to govern cross-border transactions. As the focus of
business becomes increasingly global, non-government organizations concerned with the world
economy and with corporate sustainability increasingly promote principles that multiple
countries agree to abide by and thereby bind the organizations that operate within their borders
to operate under those principles.

Other branches of government, in their interpretation and enforcement of laws and regulations,
also create compliance requirements at a more granular level. In many cases, a law may tell a
company what it should be doing, but it is the enforcing agency or a court that details the how,
when, why and to what standard it’s looking to know that an organization has met both the
letter and the spirit of the law or regulation.

Compliance requirements are not solely the province of nations. Individual organizations work
together through industry and trade associations and standards bodies to create best practices
and guidance on how to execute processes, make products or deliver services. By subscribing to
those bodies’ ideas, and in many cases, publicizing adherence to particular standards or
practices, entities themselves shape both the requirements they operate under and the
expectation that they will conform to those requirements. Most directly, organizations agree to
and impose upon themselves requirements through their contracts with employees, agents,
partners, suppliers and customers.

There are more formal definitions of “compliance” as well, of course. The Australian standard
3806 defines it as “an outcome of an organization meeting its obligations” and a compliance
program as “a series of activities that, when combined, are intended to achieve compliance.”6
The United States Sentencing Commission more narrowly defines a compliance program as
one “to prevent and detect violations of law,” although the amended organizational sentencing
guidelines added the promotion of “an organizational culture that encourages ethical conduct
and commitment to compliance” in its definition of an effective compliance and ethics program.

In the context of GRC, compliance is the act of adhering to, and the ability to demonstrate
adherence to, mandated requirements defined by laws and regulations, as well as voluntary
requirements resulting from contractual obligations and internal policies. In other words,
compliance is all about identifying requirements, legal or otherwise, and taking steps to ensure
that the organization addresses all of them.

Other Critical Components of GRC
There are certain other components of GRC that merit special attention, and the internal
control discipline is one of them. The concept of internal controls has a long history and has
been addressed in various legislative and regulatory standards. The COSO Internal Control
Report defines internal controls as “a process, effected by an entity’s Board of directors,
management and other personnel, designed to achieve reasonable assurance regarding the
achievement of objectives in: (1) effectiveness and efficiency of operations; (2) reliability of
financial reporting; and (3) compliance with applicable laws and regulations.” In its ERM
integrated framework, COSO expanded the concept of internal control to addressing the
management of risk. Internal control is clearly a common thread among the GRC components,
and an organization should employ a system of internal controls that specify the policies,
procedures and practices that guide it in its efforts to achieve its objectives. Internal controls
inform management whether processes are being performed as intended and with the intended
outcomes.

6 AU 3806, definitions

The assurance discipline is another critical component of GRC. To maintain stakeholder
confidence, an organization must provide some level of assurance that it has appropriate
governance, risk management and compliance capabilities. The critical question is what level of
assurance the stakeholders, especially the Board and shareholders, demand. What satisfies the
request for assurance? Is a clear authoritative statement from management sufficient? Or is
independent assurance required? Does an objective internal department – such as internal audit
– suffice? Or does the required level of assurance compel review by a completely independent
third party? The answers to those questions tend to vary by stakeholder constituency, and they
may also vary over time, given the organization’s history of favorable or unfavorable findings. In
the context of GRC, an organization must provide objective, reasonable assurance that the
underlying GRC system or any aspect of the system is designed and operating effectively.

A focus on human behavior and conduct is yet another critical component of GRC. As much
focus as there is on risk assessments, policies and controls, perhaps the most significant factor in
achieving Principled Performance is understanding and addressing what motivates human
behavior. How organizations intentionally prize, cultivate and reinforce both high character and
high competence behaviors is critical. Organizations must recognize that behavior cannot be
completely controlled or even managed, but that they can influence it through leadership
example, effective two-way communications and the implementation of processes that motivate
people to follow rules and apply ethical decision-making to their actions. There is more
recognition that behavior and corporate culture have a significant impact on company
performance. Culture can be defined and it generally develops out of tangible and controllable
actions within a company. Human resource professionals, particularly in conjunction with
compliance and ethics officers, are a critical part of the GRC team, as they design and implement
procedures to educate the workforce and enhance their capabilities, appraise individual and
team performance and work to develop a culture of high competence, good character, openness
and accountability.

A Unified Framework
GRC encompasses a wide range and scope of functions, equally wide variations in approaches
taken by organizations and a vast number of existing frameworks and guidance approaches. This
presents a number of problems for those seeking to implement GRC, including the following
limitations:

1. Framework developers often create them from a particular point of view to enable a narrow
aspect of GRC.
2. Frameworks overlap in their coverage, so complete implementation of multiple frameworks
could cause confusion and duplication of effort.
3. Management often implements frameworks narrowly, in one area of the business.
4. Frameworks from one discipline may have weaknesses that frameworks from another
discipline address more fully. For example, compliance frameworks tend to provide little
guidance around conducting risk assessments. Risk frameworks, on the other hand, provide a
great deal of guidance around risk assessments, but offer little if any linkage to compliance
requirements, with the exception of some frameworks that address IT, banking and business
continuity risks.7
5. Internal control frameworks tend to focus primarily on controls rather than incentives.
Compliance frameworks have always included powerful ideas around using incentives to
motivate positive conduct.
6. Some frameworks still leave many wondering how to translate their principles into practice.

Organizations need a clear understanding of what to do in the face of voluminous frameworks.
The good news is that the fundamental principles behind the frameworks often are similar.
Consistent principles readily emerge, but just as often the sound, practical guidance on how to
implement them is unclear or absent. So GRC professionals, particularly those who support
multinational organizations that have adopted or are required to meet a multitude of
frameworks, need to determine what is practical and identify what does not work. By pulling
together different points of view about business processes and practices into an integrated GRC
approach, a greater depth of view is gained and the best aspects of each can be used to drive
Principled Performance. That’s the goal and benefit of the OCEG Framework.

An Integrated Approach
It is important to note that “integration” does not mean “consolidation.” Rather, integration
means applying a common vocabulary, approach and, ideally, technology infrastructure to GRC
processes. It also means coordinating those activities that ensure a flow of consistent
information throughout the organization and that enhance efficient use of resources. In that
manner, an organization can replicate improvements in one GRC area across other GRC areas
in the enterprise.

The term “integration” refers to several ideas, all of which are important to establishing a GRC
system:

1. Integration of GRC disciplines. Disciplines including corporate governance, risk management,
compliance, internal control, assurance and quality management all use powerful yet separate
frameworks to conduct their work. But those frameworks are more similar than different, and
organizations can apply an integrated approach to them, using a common “backbone” to enable
their varying GRC activities.

2. Integration of GRC activities across risk categories and departments. The various risk silos –
strategic, cultural, operational, financial, compliance and external — and the departments that
handle specific risk areas — business strategy, treasury, IT, employment, environmental,
corruption, etc. — can be addressed using a common approach to cross silos, reduce the
burden on the business and bring the organization together around business objectives.

3. Integration of GRC activities with business processes. GRC activities should augment strategic
planning, product design, development, logistics, service, support and other mainline business
processes. Management can integrate risk assessments with strategic planning, for example, and
HR can integrate education about and awareness of GRC-related topics with general skills
development programs.

7 An exception to this “rule” can be seen in some industry or risk area specific risk frameworks in the IT,
banking and business continuity areas.

Perhaps most importantly, integration provides “a single version of the truth.” That’s essential
when senior executives and the Board ask questions like:

• Are we achieving our objectives?
• How are we achieving them relative to risk?
• What are the most important risks that we face?
• How are we addressing them and who is accountable?
• Is the organization operating within defined boundaries?
• Are we experiencing any material issues?

Embedded in the Business
Clarifying GRC is not about dissecting the acronym itself, of course, just as integrating its
components is not about consolidating effort inappropriately. Rather, clarifying GRC is about
understanding the underlying business issues that have given rise to the widespread use of the
term. GRC activities must work with and be embedded in mainline business processes. In that
manner, GRC becomes part of the organizational DNA. Just as there are matched chromosome
pairs in each living thing’s DNA, wherever there are business activities and decisions, there are
related GRC activities and decisions. Just as the tens of thousands of genes contained in
chromosomes carry information throughout the organism, the GRC system consists of inter-
related yet distinct components that carry information throughout the organization. And
integration includes incorporating coordination requirements into mainstream business
processes and decision-making. The rationalization of controls and testing and the increased use
of automation reduce the burden on line-of-business operations, thus decreasing the risk of
non-compliance. An enterprise perspective is required to reduce redundancy across lines of
businesses and functions, enabling enterprise-wide oversight of key risks while enhancing
operational effectiveness and use of resources.

High-Performing GRC
A high-performing GRC system will always deliver value. Organizations typically assess the value
of an activity by determining if it’s contributing to business objectives. For that reason, in
achieving Principled Performance, it is not sufficient to focus only on the GRC activities
themselves. Rather, primary focus must be on the desired system outcomes that result from
those activities.

Each organization is unique, of course, and pursues unique business objectives. As a result, every
GRC system has a different mix of business objectives that it is expected to support and, thus, a
different mix of desired GRC system outcomes. However, surveys of experts and historical
evidence of the key system outcomes stated in mission and vision statements suggest that most
organizations share several desired outcomes that appear to be universal across GRC systems.
Among them are the desire to:

1. Meet Business Objectives
2. Enhance Leadership and Organizational Culture
3. Increase Stakeholder Confidence
4. Prepare and Protect the Organization
5. Prevent, Detect and Reduce Adversity
6. Motivate and Inspire Desired Conduct
7. Improve Responsiveness and Efficiency
8. Optimize Economic and Social Value

Efficient, Effective and Responsive
A high-performing GRC capability will deliver those universal system outcomes while being
effective, efficient and responsive.

Effectiveness describes the quality of a system along two dimensions:

• Design effectiveness describes the degree to which a system or process is logically designed to
meet legal and other defined requirements. Does the system or process contain all the
necessary elements to thoroughly evaluate risk? Has it been designed for maximum
effectiveness? If not, what features must be added to improve the system? Design effectiveness is
very much a logical test that considers all requirements, risks and boundaries and determines if
the system is appropriately designed.

• Operating effectiveness describes the degree to which a system or process operates as
designed. If the system was designed well, does it function correctly? Does it operate the way it
was designed to? If not, how must it be managed to elevate its level of operation? Operating
effectiveness helps management understand if, given a strong design, the system is operating as
intended.

Efficiency captures the cost of the process or system — not simply the amount of money spent,
but also the cost of human capital expended.

• Financial efficiency describes the total amount of financial capital required to execute a
process.

• Human capital efficiency describes the type and level of individuals required to participate in
the process. While human capital costs can be partially captured in purely financial terms,
intangible opportunity costs must also be captured. In other words, if the program relies too
heavily on senior executive time and focus, it may represent more than just the purely financial
costs of salary, benefits and other overhead. An organization must also recognize the intangible
costs of the loss of executive time and focus on other strategic objectives such as growth,
profitability, talent retention and customer loyalty.

Responsiveness describes the system’s ability to operate quickly and flexibly in response to
changing circumstances.

• Cycle time describes the total amount of time it takes to execute a process. Cycle time is
extremely important in a few program processes. For example, it is critical to minimize the lag
time from when a problem occurs to the time it is detected. The program should also minimize
the lag time from when an issue is detected to the time it takes to respond. For other
processes, it is difficult to define clear lag time rules. For example, it is difficult to say how long it
should take to investigate a particular issue, because each issue will have its own facts and
circumstances.

• Flexibility and adaptability describe the degree to which the system can integrate changes —
including new requirements, such as a new law, rule or regulation, and/or new business units
due to merger and acquisition activity. Those changes may be internal, as managers study the
results of past performance evaluations and make needed alterations, or they may be external.
New regulatory environments, changing market conditions or altered public perceptions and
concerns require the organization to make adjustments. A responsive system adapts quickly to
changes in the environment and develops a long-range perspective, foresees more distant
changes and prepares for them.

Specific GRC Benefits
When an organization integrates its approach to GRC by rationalizing its GRC processes and
increasing employee awareness of them, it creates opportunities for increased value through:

• reduced cost, as redundant activities are identified and streamlined or eliminated;
• reduced need and cost for reconciling information across the organization;
• reduced gaps and errors, as the integration creates a holistic system of checks and balances;
• increased quality of risk-based information on which strategic and tactical decisions are based;
• enhanced employee motivation as contribution to achieving objectives becomes clear;
• trust resulting from consistent organizational positions and actions, from oversight through
operations;
• agility driven by a clear delineation of who handles what activities in what sequence;
• more effective management of stakeholder expectations; and
• assurance that expectations and objectives are met.

Integrated GRC: A Pathway to Principled Performance
Principled Performance really does matter. GRC has emerged because traditional siloed
governance, risk and compliance approaches are not sufficient for new business realities. GRC is
widely discussed because it is relevant in all industries and sectors, all over the world, and
because it affects all functions in a modern enterprise. Executive leadership must drive the move
to GRC with direct CEO sponsorship and Board oversight. Ultimately, the aim for greater
accountability is to increase value for shareowners and other stakeholders. Principled
Performance provides the means for organizations to forge stronger relationships between the
Board, management and shareholders and stakeholders for a better-balanced governance
system. And a well-designed GRC system offers a pathway to Principled Performance.

Key Roles and Accountability
Who should drive integration? What should it look like? To realize a high-performing GRC
system, several key players must be actively involved in the design, implementation, and
management of the system.

The Role of the Board
The Board has oversight of the system and ultimately is the primary beneficiary of it, since a
strong GRC system enables the flow of accurate information necessary to effective governance.8
In most countries, the Board must be an active monitor for shareholder and stakeholder benefit.
The Board must:

• direct the purpose and desired outcomes of the system;
• set a charter for its involvement in the system;
• vet business objectives and ensure they are congruent with values and risks;
• be knowledgeable about the design and operation of the system;
• obtain regular assurance that the system is effective;
• gain reasonable assurance that management’s representations are sound; and
• operate aspects of the system that require Board perspective and independence.

Some of those aspects are:
• overseeing senior management’s override of control activities;
• selecting, evaluating, compensating and terminating senior management; and
• addressing long-term issues that may exceed senior executive tenure.

To fulfill those responsibilities, the Board needs effective governance practices. Under US law,
good governance is essential to directors’ meeting their duty of care, which they must exercise
in good faith.

The Role of Management


Management must undertake strategic planning and implementation of the GRC system. Taken
as a whole, management must:

• design, implement and operate an effective system or some aspect of a system;
• provide regular assurance about the effectiveness of the system;
• communicate with key stakeholders about the effectiveness of the system; and
• evaluate and optimize the performance of the system.

The Role of Assurance


Management should obtain and provide regular assurance about the effectiveness and
performance of the GRC system. An independent review can open up a view of the system that
reveals not only weaknesses in design or operation, but also opportunities for further
integration and exchange of best practices from one area of the organization to another. For its
part, the Board is required to obtain regular assurance about the effectiveness of the system and
should use information developed independently of management to form impressions of the
system’s effectiveness. Independent review is required; internal or external personnel can
conduct independent reviews, but external personnel provide the highest level of independence.
In either case, knowledge of GRC goals and systems is required to engage in a meaningful
review.

8 “Board” as used in this document refers to the highest governing authority in the organization, which
may be a board of directors, board of trustees or some other governing body of a business unit that
provides oversight independent of management. In some countries, there are multiple tiers and types of
boards. In this case, “Board” refers to that structure which represents shareholders or external
stakeholders.

For purposes of reviewing a GRC system, internal personnel are “independent” if they are
independent of the underlying activity on which they provide assurance. According to The
Institute of Internal Auditors, independence and objectivity are two critical components of
effective internal audit activity. Internal auditors are independent when they render impartial and
unbiased judgment in the conduct of their engagement. External personnel, such as an outside
auditor, are “independent” if certain professional standards of conduct are met. The American
Institute of Certified Public Accountants requires a member’s relationship with a client to be
analyzed to determine whether it poses an unacceptable risk to the member’s independence.
Risk is unacceptable if the relationship would compromise, or would be perceived as
compromising by an informed third party having knowledge of all relevant information, the
member’s professional judgment when rendering an attestation service to the client.

Those providing assurance (hereinafter assurance personnel), whether internal or external,
should:

• provide assurance that risks are appropriately identified, evaluated, managed and monitored;
• provide regular assurance to the Board and management that the GRC system or some aspect
of it is effectively designed to address identified risks and requirements in light of the
organization’s culture and objectives; and
• provide regular assurance to the Board and management that the system or some aspect of it is
effectively operating as designed.

The Anatomy of the GRC Capability Model
To realize a high-performing GRC system, the GRC Capability Model™ — the Red Book —
provides the key Components, Elements and Practices that every organization should implement
and manage. Here are definitions of key terms used in the Red Book.

Components
Components embody integrated Elements of a high-performing GRC system. They operate in a
somewhat sequential manner; however, a user may begin to apply the Red Book at any one or
more of the various Component points as a means of maturing its existing capability. All
Components must operate constantly and consistently to realize a high-performing GRC
system.

Universal System Outcomes


Universal System Outcomes are the expected and measurable results of a high-performing GRC
system.

[Figure: the eight integrated Components of the Model (Culture & Context, Organize & Oversee, Assess & Align, Prevent & Promote, Detect & Discern, Respond & Resolve, Monitor & Measure, Inform & Integrate) shown against the eight Universal Outcomes.]

8 UNIVERSAL OUTCOMES
• Achieve Business Objectives
• Enhance Organizational Culture
• Increase Stakeholder Confidence
• Prepare & Protect the Organization
• Prevent, Detect & Reduce Adversity
• Motivate & Inspire Desired Conduct
• Improve Responsiveness & Efficiency
• Optimize Economic & Social Value

Elements
Each Element embodies a number of related Practices in a high-performing GRC system. Each
Element includes a discussion of Principles and Common Sources of Failure, as well as the
Practices that support success. Each Element also includes a listing of the Key Deliverables and
Technologies relevant to the Element, and in a custom report may include Related
Requirements pulled from the OCEG Requirements Database.

Figure 1 – GRC Capability Model Elements View

Principles
The Principles behind each Element provide the “essence,” at a high level, of what the Element
should accomplish. The Principles reflect the consensus of the community of practice in light of
its knowledge of both common requirements and practical experience across industries.

Common Sources of Failure


The Common Sources of Failure behind each Element provide practical advice from the GRC
community of practice on the most common oversights or actions that pose significant obstacles
to achieving the desired outcomes of the Element. While they may overlap with Principles, they
are not simply the opposite of the stated Principles.

Practices
Practices are specific bundles of activity that together address the Principles described in the
Element. Practice titles are succinct to communicate the essence of the Practice and are detailed
by the Sub-practices identified within them.

Sub-Practices
Sub-practices are key observable actions that, taken together, are hallmarks of an effective
capability. While one organization may follow a 5-step process and another organization may
follow a 20-step process to accomplish the same thing, the identified Sub-practices should be
present in both. OCEG Sub-practices are generally accepted practices that help an organization
effectively and efficiently address Principles and prevalent Related Requirements. Often, external
mandates are not specific regarding business practices; rather, they articulate broad Principles
that an organization must address. Sub-practices help an organization address those Principles.

Related Requirements
Requirements are references to specific action items required by law or by another authority
document external to OCEG such as standards, guidelines, or listing requirements.
Requirements may be included in customized versions of the Red Book produced by use of the
online custom reporting function available to OCEG Enterprise members (example set out in
Appendix A). Related Requirements include the citation and a link to the text of each
requirement, when available to OCEG.

Key Deliverables
Deliverables are documents that an organization creates, uses, transforms or supersedes while
executing the activities in the GRC Capability Model™. An organization may call a particular
Deliverable by a different title, but the purpose of the Deliverables portion of the Model is not
to dictate what things are called. The kinds of documents that will likely be used and their
contents are described in Appendix B. Because a given Deliverable may be used in a number of
Elements, each bears a reference number that is distinct from the numbering schema associated
with other parts of the Model.

Technology Modules
Technology Modules describe infrastructure, business applications and GRC specific applications
that an organization could use to enable the Practices and Sub-practices within each Element.
Each Technology Module is defined in OCEG’s GRC-IT Blueprint™ (which may be accessed
through custom search and reporting function by Enterprise members or in a downloadable
print version by Premium members). The Modules are categorized within nine key Technology
Arenas and within one of the following Technology Levels:

- Business Applications — fundamental applications and information management tools for
organizational operation,
- GRC Core Applications — applications designed and implemented for governance, risk and
compliance-specific purposes or
- Infrastructure — foundation systems for all other information management components and
applications.

Technology Modules represent the gamut of technologies useful to organizations, depending on
the maturity of the entity’s capabilities. Because organizations vary in their preferences on
technology approaches, OCEG intentionally avoids reflecting a “buy” versus “build” or “custom”
versus “composite” bias in the Technology Modules. Often useful across many Practices,
Technology Modules bear reference numbers distinct from the numbering schema associated
with other parts of the Model.

Universal GRC System Outcomes
Universal System Outcomes are the expected and observable results of a
high-performing GRC system.

U1. Achieve Business Objectives


Organizations exist to achieve their desired business objectives. Every GRC system
must contribute to attaining those business objectives.

U2. Enhance Organizational Culture


Inspire and promote an organizational culture of performance, accountability, integrity, trust,
and open communication.

U3. Increase Stakeholder Confidence


Increase stakeholder confidence and trust in the organization.

U4. Prepare and Protect Organization


Prepare the organization to address risks and requirements; and protect the organization from
negative consequences of adverse events, noncompliance, and unethical behavior.

U5. Prevent, Detect, and Reduce Adversity and Weaknesses


Discourage, prevent, and provide consequences for misconduct; reduce the tangible and
intangible damage caused by adverse events (both those that can be controlled and those that
cannot, such as natural disasters), noncompliance and unethical behavior, and reduce the
likelihood of similar events happening in the future.

U6. Motivate and Inspire Desired Conduct


Provide incentives and rewards for desirable conduct, especially in the face of challenging
circumstances.

U7. Improve Responsiveness and Efficiency


Continuously improve the responsiveness (timeliness and agility) and efficiency (speed and
quality) of all GRC system activities while improving effectiveness (ability to meet objectives and
requirements).

U8. Optimize Economic & Social Value


Optimize the allocation of human and financial capital to GRC system activities to maximize the
value generated, benefitting the organization and the society in which it operates.

Component Overview
A GRC system is made up of integrated components that enable the organization to:
1. Understand and prioritize stakeholder expectations;
2. Optimize business objectives to be congruent with values and risks;
3. Achieve objectives while addressing risks;
4. Operate within legal, contractual, internal, social and ethical boundaries;
5. Provide relevant, reliable and timely information to appropriate stakeholders; and
6. Provide assurance that the system is effective.

CULTURE & CONTEXT (C)


Understand the current culture and the internal and external business contexts in which the
organization operates, so that the GRC system can address current realities – and identify
opportunities to affect the context to be more congruent with desired organizational outcomes.

ORGANIZE & OVERSEE (O)


Organize and oversee the GRC system so that it is integrated with, and when appropriate
modifies, the existing operating model of the business, and assign to management specific
responsibility, decision-making authority, and accountability to achieve system goals.

ASSESS & ALIGN (A)


Assess risks and optimize the organizational risk profile with a portfolio of initiatives, tactics, and
activities.

PREVENT & PROMOTE (P)


Promote and motivate desirable conduct, and prevent undesirable events and activities, using a
mix of controls and incentives.

DETECT & DISCERN (D)


Detect actual and potential undesirable conduct, events, GRC system weaknesses, and
stakeholder concerns using a broad network of information gathering and analysis techniques.

RESPOND & RESOLVE (R)


Respond to and recover from noncompliance and unethical conduct events, or GRC system
failures, so that the organization resolves each immediate issue and prevents or resolves similar
issues more effectively and efficiently in the future.

MONITOR & MEASURE (M)


Monitor, measure and modify the GRC system on a periodic and ongoing basis to ensure it
contributes to business objectives while being effective, efficient and responsive to the changing
environment.

INFORM & INTEGRATE (I)


Capture, document and manage GRC information so that it efficiently and accurately flows up,
down and across the extended enterprise, and to external stakeholders.

How to Read the GRC Capability Model Report (1)

Component Pages
Component pages identify Elements of a high performing GRC capability.

[Figure: annotated example of a Component page, Culture & Context (C). Callouts mark the Component Name, the Component Description, each Element within the Component (C1 to C4) and each Practice within the Element.]

CULTURE & CONTEXT (C)
Understand the current culture and the internal and external business contexts in which the
organization operates, so that the GRC system can address current realities – and identify
opportunities to affect the context to be more congruent with desired organizational outcomes.

C1 External Business Context
C1.1 Define the External Business Context
C1.2 Analyze External Stakeholder and Influencer Needs

C2 Internal Business Context
C2.1 Define the Internal Context
C2.2 Determine Changes Needed to Align the Internal Context and GRC System

C3 Culture
C3.1 Analyze Ethical Culture
C3.2 Analyze Ethical Leadership
C3.3 Analyze Risk Culture
C3.4 Analyze Board and Governance Culture
C3.5 Analyze Management Style
C3.6 Analyze Workforce Engagement

C4 Values & Objectives
C4.1 Define Mission & Vision
C4.2 Define Values
C4.3 Define Business Objectives
C4.4 Define Indicators, Targets and Tolerances
C4.5 Obtain Commitment to Mission, Vision, Values and Objectives
C4.6 Communicate Mission, Vision and Values

How to Read the GRC Capability Model Report (2)

Element Pages
Element pages identify key Principles, Sources of Failure, Practices and technologies that should
be addressed to establish and continuously improve GRC capability.

[Figure: annotated example of an Element page, C1 External Business Context. Callouts mark the Element name, the Element description and the sections shown below; the callout text is given in parentheses after each section title.]

C1 EXTERNAL BUSINESS CONTEXT
Understand and, when necessary, influence the external business context in which the
organization operates.

Principles (beliefs that underlie the Element and represent at a high level what its Practices
should accomplish)
01 Understanding the ever-changing external context is critical to designing a GRC system that is resilient to change
and can evolve with it.
02 Some aspects of the external context will change despite the organization’s best efforts to maintain the status
quo.
03 Certain aspects of external context can, and in some cases should, be influenced by the organization.
04 The organization should recognize that there are external influencers, such as the media or community groups who
can shape stakeholder opinion.

Common Sources of Failure (the most common oversights or actions that pose significant obstacles
to achieving the desired outcomes of the Element)
01 Not considering changes in the external context, including industry, market and geopolitical forces
02 Not understanding external stakeholder needs and requirements
03 Not understanding how changes in the external context can affect GRC system design and performance
04 Not identifying the requirements to satisfy all external stakeholders

Practices (bundles of activity that together address the Principles described in the Element)
C1.1 Define the External Business Context
C1.2 Analyze External Stakeholder and Influencer Needs

Enabling Technology Components (infrastructure, applications and information services that an
organization could use to enable the Practices and Sub-practices within each Element; each row is a
Technology Application or Infrastructure level, a logical grouping of technology types by a general
description)
Business Applications: Collaboration/Knowledge Management, Contact/Customer Relationship
Management (CRM)
GRC Core Applications: Corporate Social Responsibility (CSR), News Feeds (GRC Content)

How to Read the GRC Capability Model Report (3)

Practice Pages

[Figure: annotated example of a Practice page, C1.1 Define the External Business Context. Callouts mark the Practice Name, the Practice Description and each Sub-practice.]

C1 EXTERNAL BUSINESS CONTEXT
C1.1 DEFINE THE EXTERNAL BUSINESS CONTEXT

Identify the relevant external business context factors.

Sub-Practices

01 Identify factors in the external business context that can affect the organization’s ability to meet its objectives, including:
• industry forces (competitors, supply chain, labor markets, etc.);
• market forces (customer demographics, economic conditions, etc.);
• technology forces (technological shifts and breakthroughs, etc.);
• societal forces (community needs, media trends, etc.);
• regulatory environment; and
• geopolitical forces (current enforcement posture, etc.).
02 Identify reasons and opportunities to influence the external context.

GRC Capability Model™
Version 2.0

Model Index
C Culture & Context 1
C1 External Business Context 3
C2 Internal Business Context 6
C3 Culture 2
C4 Values & Objectives 18
O Organize & Oversee 23
O1 Outcomes & Commitment 23
O2 Roles & Responsibilities 27
O3 Approach & Accountability 34
A Assess & Align 39
A1 Risk Identification 41
A2 Risk Analysis 49
A3 Risk Optimization 54
P Prevent & Promote 61
P1 Codes of Conduct 62
P2 Policies 69
P3 Preventive Controls 74
P4 Awareness & Education 80
P5 Human Capital Incentives 88
P6 Risk Financing/Insurance 94
P7 Stakeholder Relations & Requirements 99
D Detect & Discern 104
D1 Hotline & Notification 105
D2 Inquiry & Survey 111
D3 Detective Controls 117
R Respond & Resolve 124
R1 Internal Review & Investigation 125
R2 Third-Party Inquiries & Investigations 133
R3 Corrective Controls 139
R4 Crisis Response, Continuity and Recovery 144
R5 Remediation & Discipline 148
M Monitor & Measure 152
M1 Context Monitoring 153
M2 Performance Monitoring & Evaluation 157
M3 Systemic Improvement 164
M4 Assurance 168
I Inform & Integrate 170
I1 Information Management & Documentation 172
I2 Internal & External Communication 178
I3 Technology & Infrastructure 181
APPENDIX A - Custom Reporting Example 186
APPENDIX B - Deliverables 187
APPENDIX C - Technology Components 194

This is not legal or professional advice. Please contact a professional regarding your specific needs.
driving principled performance ®
© 2003 - 2009 OPEN COMPLIANCE & ETHICS GROUP

C CULTURE & CONTEXT
Understand the internal and external business contexts and current culture in which the
organization operates, so that the GRC system can address current realities - and identify
opportunities to adapt the context and culture, and to define the organization's values, to better
achieve desired outcomes.

C1 External Business Context
C1.1 Define the External Business Context
C1.2 Analyze External Stakeholder and Influencer Needs

C2 Internal Business Context
C2.1 Define the Internal Context
C2.2 Determine Changes Needed to Align the Internal Context and GRC System

C3 Culture
C3.1 Analyze Ethical Culture
C3.2 Analyze Ethical Leadership
C3.3 Analyze Risk Culture
C3.4 Analyze Board Involvement
C3.5 Analyze Governance Culture and Management Style
C3.6 Analyze Workforce Engagement

C4 Values & Objectives
C4.1 Define Mission & Vision
C4.2 Define Values
C4.3 Define Business Objectives
C4.4 Define Indicators, Targets and Tolerances
C4.5 Obtain Commitment to Mission, Vision, Values and Objectives
C4.6 Communicate Mission, Vision and Values

C1 EXTERNAL BUSINESS CONTEXT
Understand and, when necessary, influence the external business context in which the
organization operates.

Principles

01 Understanding the ever-changing external context is critical to designing a GRC system that is resilient to
change and can evolve with it.
02 Some aspects of the external context will change despite the organization's best efforts to maintain the status
quo.
03 Certain aspects of external context can, and in some cases should, be influenced by the organization.
04 The organization should recognize that there are external influencers, such as the media or community
groups who can shape stakeholder opinion.

Common Sources Of Failure


01 Not considering changes in the external context, including industry, market and geopolitical forces
02 Not understanding external stakeholder needs and requirements
03 Not understanding how changes in the external context can affect GRC system design and performance
04 Not identifying the requirements to satisfy all external stakeholders
05 Not understanding the organization's weakness in ability to effectively and efficiently react to external
factors.

Guidelines and Practices

C1.1 Define the External Business Context
C1.2 Analyze External Stakeholder and Influencer Needs

Enabling Technology Components

Technology Arenas: Corporate Governance (CG)
Business Applications: Brand & Reputation Management (BRM), Collaboration/Knowledge
Management (KM), Contact/Customer Relationship Management (CRM), Intellectual Property (IP)
Management
GRC Core Applications: Corporate Compliance (CC), Corporate Social Responsibility (CSR),
Employment Compliance Management (EC), Environmental, Health & Safety (EH&S) Management,
Geo-Political Risk (GPR) Management, Global Trade Compliance (GTC)/International Dealings,
Legal Matter Management (LMM), News Feeds (GRC Intelligence), Operational Risk Management (ORM)
Infrastructure: Identity and Access Management (IAM)
C1 EXTERNAL BUSINESS CONTEXT

C1.1 DEFINE THE EXTERNAL BUSINESS CONTEXT

Identify the relevant external business context factors.

Core Sub-practices

C1.1.01 Identify factors in the external business context that can affect the organization’s ability to meet its objectives, including:
• industry forces (competitors, supply chain, labor markets, etc.);
• market forces (customer demographics, economic conditions, etc.);
• technology forces (technological shifts and breakthroughs, etc.);
• societal forces (community needs, media trends, etc.);
• regulatory environment; and
• geopolitical forces (current enforcement posture, etc.).

C1.1.02 Identify reasons and opportunities to influence the external context.

C1 EXTERNAL BUSINESS CONTEXT

C1.2 ANALYZE EXTERNAL STAKEHOLDER AND INFLUENCER NEEDS

Identify key external stakeholders, and influencers of opinion, and analyze and prioritize their
needs and requirements.

Core Sub-practices

C1.2.01 Identify key external stakeholders and influencers, including:
• shareholders;
• ratings agencies;
• creditors and other underwriters;
• customers;
• suppliers / partners;
• community;
• media; and
• government.

C1.2.02 Analyze external stakeholder and influencer needs and perceptions for explicit or derived requirements.

C1.2.03 Identify opportunities where the organization can affect stakeholder and influencer perceptions and requirements.

C2 INTERNAL BUSINESS CONTEXT
Understand the existing people, processes, technology, organizational structure, stakeholders and
key assets that drive organizational value.

Principles

01 Internal context analysis should focus on key aspects that drive organizational value.
02 The organization should design a GRC system that aligns with the internal context.
03 The organization should use the GRC system to identify and change certain aspects of the internal context to
better support organizational objectives.
04 Some aspects of the internal context will change despite the organization's best efforts to maintain the status
quo, thus the GRC system must identify triggers that will require or cause it to evolve.

Common Sources Of Failure


01 Not considering the internal context and existing operating model when designing the GRC system, thus
designing a system that stands apart from mainline operations
02 Not understanding how changes in the internal context add, change or remove risks that the GRC system
must address
03 Not understanding internal stakeholders’ needs

Guidelines and Practices

C2.1 Define the Internal Context
C2.2 Determine Changes Needed to Align the Internal Context and GRC System

Enabling Technology Components

Technology Arenas: Business Intelligence (BI), Business Process Management (BPM), Corporate Governance (CG), Enterprise Resource Management (ER), Human Resources Management (HRM)
Business Applications: Collaboration/Knowledge Management (KM), Enterprise Asset Management (EAM), Intellectual Property (IP) Management, Legal Entity Management (LEM)
GRC Core Applications: Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Ethical Practices/Corporate Integrity (ECI), Geo-Political Risk (GPR) Management, Global Trade Compliance (GTC)/International Dealings, Information Technology Risk & Compliance (ITRC) Management, Legal Matter Management (LMM), News Feeds (GRC Intelligence), Operational Risk Management (ORM)
Infrastructure: Business Continuity Management (BCM), Configuration and Change Management (CCM), Enterprise Architecture Standards (EAS), Identity and Access Management (IAM), Retention & Storage Management (RSM)

This is not legal or professional advice. Please contact a professional regarding your specific needs. © 2003 - 2009 OPEN COMPLIANCE & ETHICS GROUP. driving principled performance ®

C2 INTERNAL BUSINESS CONTEXT
C2.1 DEFINE THE INTERNAL CONTEXT

Identify the key structures and assets that define the Internal Context.
Core Sub-practices

C2.1.01
Identify the organizational structure:
• key business units,
• key departments,
• key job families and roles, and
• temporary and cross-functional teams.

C2.1.02
Identify key human capital assets:
• job families, positions, roles and temporary assignments that have substantial authority over key processes, information and assets,
• contract employees and any other agents who act on behalf of the entity, and
• key personnel including senior executives and other key employees.

C2.1.03
Identify key technology assets:
• networking infrastructure,
• computer hardware / software,
• research equipment, and
• other operational equipment.

C2.1.04
Identify key information assets:
• confidential and trade secret data,
• customer data, and
• employee data.

C2.1.05
Identify key physical assets:
• buildings,
• facilities, and
• operational equipment.

C2.1.06
Identify key business processes:
• financial,
• sales and marketing,
• manufacturing,
• supply,
• distribution and fulfillment,
• customer service,
• research and development, and
• employment.

C2.1.07
Identify key products and services.

C2.1.08
Identify the interrelationships between and among elements of the structure, people, processes, technology, information and physical assets to understand how the resources work together to accomplish objectives.

C2 INTERNAL BUSINESS CONTEXT
C2.2 DETERMINE CHANGES NEEDED TO ALIGN THE INTERNAL CONTEXT AND GRC SYSTEM

Identify possible changes to the internal context that may affect design aspects of the GRC system or ensure alignment.
Core Sub-practices

C2.2.01
Determine what aspects of the internal context can, and should be, changed to enable the GRC system to support organizational objectives.

C2.2.02
Determine how the GRC system design will align with the structure of the internal context.

C2.2.03
Identify triggers for consideration of changes in the GRC system, in response to changes in the internal context.

C3 CULTURE

Understand the existing culture including the organizational climate and individual mindsets about integrity, compliance, risk, and approach to management.

Principles
01 Leadership must set the tone at the top and provide consistent and repeated commitment to integrity in both
words and deeds.
02 Individuals must be convinced that leadership is genuine about its commitment to values or they will not have
any regard for the established values.
03 The GRC system can, and in some instances should, change certain aspects of the culture.
04 Some aspects of the culture will change despite the organization's best efforts to maintain the status quo, thus
the GRC system must have triggers that will tell it when to evolve to respond to cultural changes.

Common Sources Of Failure


01 Not considering the culture of the organization as it exists before change is attempted
02 Not realizing that there are often multiple "sub-cultures", with different approaches to risk and communication and different value attributed to acting with integrity, in different geographic or functional locations of the organization
03 Not recognizing that cultural change may be very difficult and requires continuous example by leadership

Guidelines and Practices

C3.1 Analyze Ethical Culture
C3.2 Analyze Ethical Leadership
C3.3 Analyze Risk Culture
C3.4 Analyze Board Involvement
C3.5 Analyze Governance Culture and Management Style
C3.6 Analyze Workforce Engagement

Key Deliverables

Plans: GRC Strategic Plan

Enabling Technology Components

Technology Arenas: Corporate Governance (CG), Enterprise Risk Management (ERM), Human Resources Management (HRM)
Business Applications: Board Management (BM), Collaboration/Knowledge Management (KM), Corporate Performance Management (CPM), Employee Evaluations & Surveys (EES), Policy & Procedure Management (P&P)
GRC Core Applications: Corporate Social Responsibility (CSR), Ethical Practices/Corporate Integrity (ECI), Global Trade Compliance (GTC)/International Dealings

C3 CULTURE
C3.1 ANALYZE ETHICAL CULTURE

Analyze the existing climate (observable, formal elements in the organization) and individual mindsets about the degree to which the workforce believes the organization expects and supports responsible behavior and integrity.
Core Sub-practices

C3.1.01
Periodically ask a sufficient sample of employees to assess the ethical climate, including questions about:
• perceptions about stated values/principles and organizational support for them,
• clarity of procedures by which potential issues can be raised, discussed and reported without fear of retaliation,
• how leaders and supervisors are demonstrating ethical fortitude and business acumen,
• misconduct observed by employees,
• types of misconduct observed,
• pressure to engage in unethical conduct or perceived rewards for unethical conduct,
• willingness of employees to report misconduct,
• satisfaction with organizational response to reports of misconduct, and
• when and how leaders and supervisors discuss expected behavior and integrity.

C3.1.02
Identify how the organization discusses the following through multiple avenues of communication:
• the importance of integrity, values and principles in decision-making,
• the importance of asking questions and raising issues when concerns exist,
• how to report incidents and ask questions,
• assurance that incidents will receive a timely response,
• assurance that reporting incidents will not result in any retaliation,
• a commitment to anonymous reporting options, and
• an approach to ethical decision-making.

C3.1.03
Define ethical climate objectives, measures, targets and initiatives for inclusion in the GRC system strategic plan.

C3 CULTURE
C3.2 ANALYZE ETHICAL LEADERSHIP

Analyze whether leadership sets an appropriate "tone at the top" and models behavior in both words and deeds.
Core Sub-practices

C3.2.01
Periodically ask a sufficient sample of the workforce to understand perceptions about whether the leadership:
• communicates ethical conduct and integrity as a priority,
• models ethical conduct,
• ensures internal stakeholders are properly trained about ethics and makes it a priority,
• links ethics to organizational performance metrics,
• makes ethical decisions, and
• talks about how ethics or integrity relate to organizational objectives, initiatives, and success.

C3.2.02
Determine if ethical conduct and integrity are considered when evaluating, promoting and selecting leaders.

C3.2.03
Determine if potential and newly-promoted leaders are trained about:
• ethical decision-making,
• how ethics tie in with organizational objectives, and
• how to communicate the impact of ethics on organizational performance.

C3.2.04
Compare ethical leadership objectives, measures, targets and initiatives against results achieved.

C3 CULTURE
C3.3 ANALYZE RISK CULTURE

Analyze the existing climate and individual mindsets about how the workforce perceives risk and its impact on their work and the organization as a whole.
Core Sub-practices

C3.3.01
Periodically ask a sufficient sample of the workforce to assess the risk culture, including:
• whether leadership communicates risk appetite,
• whether leadership models appropriate risk-taking conduct,
• whether individuals encounter risk on the job and what types of risk, and
• whether individuals are prepared to handle risks that they face.

C3.3.02
Define the desired state of risk climate / perception indicators.

C3.3.03
Define risk climate objectives, measures, targets and initiatives for inclusion in the GRC system strategic plan.

C3 CULTURE
C3.4 ANALYZE BOARD INVOLVEMENT

Analyze the degree to which the Board is involved and engaged in the organization.
Core Sub-practices

C3.4.01
Ask the Board:
• Do you feel comfortable raising issues?
• Do you feel comfortable challenging management?
• Do your suggestions get thoughtful consideration?
• How involved are you in strategy setting and/or vetting?
• Is the Board effective?

C3.4.02
Ask management:
• Is the Board effective?
• Are Board members engaged?
• Do they impact the business?

C3.4.03
Analyze Board involvement:
• passive vs. active,
• number of meetings per year,
• frequency of meeting without one or more officers,
• extent of independent resources supplied by or made available to Board members, and
• degree of cross-board involvement among board members (to what extent do board members serve on multiple boards together).

C3 CULTURE
C3.5 ANALYZE GOVERNANCE CULTURE AND MANAGEMENT STYLE

Analyze the existing approach to governing, managing and enabling the workforce.
Core Sub-practices

C3.5.01
Identify where management decision-making authority is delegated.

C3.5.02
Determine how accountability and responsibility are assigned and enforced.

C3.5.03
Understand how the Board is involved in managing the organization, if at all.

C3.5.04
Understand the relative level of formality or informality of management.

C3.5.05
Understand the philosophy around centralized or decentralized decision-making.

C3.5.06
Understand the philosophy around enterprise, group, and individual measurement:
• resistance to measurement,
• prevalence of measurement,
• preferences in types of measures (activities versus outcomes),
• what is reported (positive, negative, both), and
• outcomes of measurement (reward focused, consequence focused, balanced).

C3 CULTURE
C3.6 ANALYZE WORKFORCE ENGAGEMENT

Analyze the existing workforce culture including the degree of employee satisfaction, loyalty and engagement.
Core Sub-practices

C3.6.01
Assess workforce views on alignment of personal values with organizational mission and values.

C3.6.02
Ask a sample of the workforce about satisfaction with:
• compensation,
• responsibility,
• career opportunities,
• co-workers,
• supervisors,
• senior management, and
• staff.

C3.6.03
Ask a sample of the workforce about:
• level of commitment to the organization,
• engagement,
• loyalty, and
• willingness to recommend the employer to friends.

C3.6.04
Ask a sample of the workforce about their perceptions of:
• management's commitment to competence,
• hiring policies/practices,
• training policies/practices,
• measurement policies/practices,
• performance evaluation policies/practices,
• promotion policies/practices,
• mentoring/career path coaching,
• compensation policies/practices, and
• reward/discipline policies/practices.

C3.6.05
Periodically ask management about its commitment to the workforce including views on:
• commitment to competence,
• hiring policies/practices,
• training policies/practices,
• performance evaluation policies/practices,
• promotion policies/practices,
• mentoring/career path coaching,
• compensation policies/practices,
• reward/discipline policies/practices,
• roles/jobs and career paths, and
• termination/retirement practices.

C4 VALUES & OBJECTIVES

Define what the organization wants to achieve and the values for which it stands.

Principles

01 Absent a leadership-supported, clearly and regularly articulated mission, vision and values, the organization will operate on the values defined, ad hoc, by work groups or individuals according to their own beliefs and interests.
02 Values will vary for every organization; that said, values must include adherence to legal mandates and general principles of integrity and ethical conduct.
03 Whether the organization authorizes the Board, or management with Board approval, to set objectives, the Board must oversee management's continual efforts to meet the established objectives.
04 Align objectives to stated values.

Common Sources Of Failure


01 Lack of continual and consistent follow through to ensure behavior meets the intent of stated objectives and
values
02 Leadership not serving as role models, or worse yet, allowing leadership to act contrary to the stated values
without consequence
03 Not enunciating the organization's values to all stakeholders, repeatedly and from all levels of leadership
04 Not addressing values and commitment to character ethics when setting and articulating measurable business
objectives
05 Not including contributions to meeting business objectives in performance evaluation

Guidelines and Practices

C4.1 Define Mission & Vision
C4.2 Define Values
C4.3 Define Business Objectives
C4.4 Define Indicators, Targets and Tolerances
C4.5 Obtain Commitment to Mission, Vision, Values and Objectives
C4.6 Communicate Mission, Vision and Values

Key Deliverables

Statements of Position: Mission/Vision/Values Statement, Statement of Organizational Objectives

Enabling Technology Components

Technology Arenas: Business Intelligence (BI), Corporate Governance (CG), Enterprise Content Management (ECM)
Business Applications: Board Management (BM), Brand & Reputation Management (BRM), Corporate Performance Management (CPM)
GRC Core Applications: Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management

C4 VALUES & OBJECTIVES
C4.1 DEFINE MISSION & VISION

Create a formal statement of the organization's mission and vision.
Core Sub-practices

C4.1.01
Define the mission: what the organization will do.

C4.1.02
Define the vision: what the organization will be.

C4 VALUES & OBJECTIVES
C4.2 DEFINE VALUES

Create a formal statement of the core values that the organization holds and applies to its business decisions.
Core Sub-practices

C4.2.01
Involve the Board or a designated sub-committee of the Board and appropriate internal stakeholders in the values development process.

C4.2.02
Document the statement of values either separately or as part of another document such as a charter or code of conduct.

C4.2.03
Make the statement of values available to internal stakeholders.

C4.2.04
Make the statement of values available to external stakeholders.

C4.2.05
Periodically review the statement of values to consider revisions based upon internal and external business, management, legal or cultural context changes.

C4.2.06
Define a procedure and trigger to revisit the statement of values when merging with or acquiring a new entity.

C4 VALUES & OBJECTIVES
C4.3 DEFINE BUSINESS OBJECTIVES

Define a balanced set of measurable business objectives that are congruent with mission, vision and values.
Core Sub-practices

C4.3.01
Define high-level business objectives to be congruent with values and risks, including:
• strategic objectives,
• financial objectives,
• customer objectives,
• operational process objectives,
• learning and growth objectives,
• compliance objectives, and
• reporting objectives.

C4.3.02
Cascade high-level business objectives to lower levels in the organization including business units, departments, teams and individuals.

C4.3.03
Assign accountability for achieving business objectives at each of the levels.

C4 VALUES & OBJECTIVES


C4.4 DEFINE INDICATORS, TARGETS AND TOLERANCES

Define a balanced set of leading and lagging indicators that help management understand if the
organization is meeting its business objective targets within defined tolerances.
Core Sub-practices

C4.4.01
l Use indicators (leading and lagging) to help determine what has happened or predict what will happen.

C4.4.02
l Establish targets that represent the desired indicator value within a particular timeframe.

C4.4.03
l Determine tolerances that represent acceptable upper and lower thresholds of indicator value.

C4 VALUES & OBJECTIVES


C4.5 OBTAIN COMMITMENT TO MISSION, VISION, VALUES AND OBJECTIVES

Obtain commitment from management and Board members about what the organization will
achieve while living by its values.
Core Sub-practices

C4.5.01
l Obtain senior management and Board member commitment to the mission, vision, values.

C4.5.02
l Obtain senior management and Board member commitment to objectives.

C4 VALUES & OBJECTIVES


C4.6 COMMUNICATE MISSION, VISION AND VALUES

Communicate the mission, vision and values to internal and external stakeholders.
Core Sub-practices

C4.6.01
l Develop a template for communicating the organization's mission, vision and values, so that there is consistency in each
formal communication.

C4.6.02
l Communicate the mission, vision and values of the organization to management and workforce informally and frequently, at
meetings and in presentations by leadership.

C4.6.03
l Communicate mission, vision and values to internal and external stakeholders formally through:
• the code of conduct,
• the entity's website,
• reports and communications to shareholders & other stakeholders, and
• workplace postings.

C4.6.04
l Discuss how each group's, department's, business unit's or function's outcomes support achieving the organization's mission, vision,
values, and objectives.

O ORGANIZE & OVERSEE

O
Organize and oversee the GRC system so that it is integrated with, and
when appropriate modifies, the existing operating model of the business and
assign to management specific responsibility, decision-making authority,
and accountability to achieve system goals.

O1 Outcomes & Commitment

O1.1 Define GRC System Scope

O1.2 Define GRC System Style and Goals


O1.3 Obtain Commitment to the GRC System

O2 Roles & Responsibilities

O2.1 Define and Enable GRC System Oversight Roles and Accountability
O2.2 Define and Enable Management Roles and Accountability
O2.3 Define and Enable Leadership Roles and Accountability
O2.4 Define and Enable GRC System Operational Roles
O2.5 Define and Enable Assurance Roles and Accountability (chief audit executive, external auditor)

O3 Approach & Accountability

O3.1 Allocate Accountability to Individuals and Committees


O3.2 Define GRC System Processes and Integrate with Business Processes
O3.3 Define Measurement and Evaluation Approach
O3.4 Define Organizational Change Management Approach
O3.5 Develop, Maintain and Authorize a Business Case

O1 OUTCOMES & COMMITMENT

O1
Define the goals of the GRC system and obtain Board and management
commitment.

Principles

01 The Board is responsible for establishing the purpose and goals of the GRC system.
02 Both the Board and management must be committed to the purpose of the GRC system, and lead by example.
03 The GRC system is only successful if it contributes to business objectives.

Common Sources Of Failure


01 Not establishing GRC system objectives and a charter that are aligned to the organization's enterprise
objectives
02 Not obtaining key senior leadership support for the program
03 Defining the GRC system as an internal enforcement agency or police department

Guidelines and Practices


Red Book 2.0 - GRC Capability Model

O1.1 Define GRC System Scope


O1.2 Define GRC System Style and Goals
O1.3 Obtain Commitment to the GRC System

Key Deliverables

Authorizations: Internal Authorization, GRC System Charter
Plans: GRC Strategic Plan

Enabling Technology Components

Technology Arenas: Corporate Governance (CG)
Business Applications: Board Management (BM), Brand & Reputation Management (BRM), Collaboration/Knowledge Management (KM), Corporate Performance Management (CPM), Dashboards (GRC Workflow), Documents & Records Management (DRM)
GRC Core Applications: Accountability/Responsibility Management (ARM), Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Geo-Political Risk (GPR) Management, Reporting/eFiling (REF)
O1 OUTCOMES & COMMITMENT


O1.1 DEFINE GRC SYSTEM SCOPE

Define the scope of the GRC system or subsystem under consideration.


Core Sub-practices

O1.1.01
l Determine whether to define and implement the GRC system enterprise-wide or whether to address it in stages by
addressing portions such as:
• broad risk area (compliance program, financial risk program, etc.), or
• narrow risk area (internal control over financial reporting, employment compliance, fraud risk management).

O1.1.02
l If using a staged approach, prioritize and coordinate development projects to ensure integration capability.

O1 OUTCOMES & COMMITMENT


O1.2 DEFINE GRC SYSTEM STYLE AND GOALS

Define the overall style of the GRC system, what it will achieve, and how it relates to business
objectives.
Core Sub-practices

O1.2.01
l Define the mission and vision of the GRC system as a starting point for the GRC Strategic Plan.

O1.2.02
l Define the general approach to the GRC system.
• enforcing or encouraging approach.
• directive or collaborative philosophy.

O1.2.03
l Define measurable GRC system goals, indicators, thresholds and tolerances for inclusion in the GRC strategic plan that
support the following universal objectives:
• enhance organizational culture,
• increase stakeholder confidence,
• prepare and protect organization,
• prevent, detect, and reduce adversity,
• motivate and inspire desired conduct,
• improve responsiveness and efficiency, and
• optimize economic and social value.

O1.2.04
l Assign accountability for each GRC system goal, including it in delegation of authority documents where appropriate.

O1.2.05
l Describe how GRC system goals support business objectives.

O1 OUTCOMES & COMMITMENT


O1.3 OBTAIN COMMITMENT TO THE GRC SYSTEM

Obtain explicit written authorization and high-level support for the GRC system.
Core Sub-practices

O1.3.01
l Obtain commitment and authorization from the Board.

O1.3.02
l Obtain commitment from senior management to support the GRC system.

O2 ROLES & RESPONSIBILITIES

O2
Define, and enable through decision-making authority and resources, each
role accountable for key aspects of the GRC system.

Principles

01 The GRC system should be directed, designed, operated, and evaluated by a mix of the Board, management,
and individuals independent of management.
02 The organization should screen individuals serving in GRC roles for prior misconduct.
03 Individuals serving in GRC roles should receive specialized training in GRC Fundamentals.
04 Leaders and champions can help to facilitate adoption and acceptance of the GRC system.
05 Leaders and champions should be from many levels in the organization, not just senior executives.

Common Sources Of Failure


01 Not defining key roles, responsibilities, expectations or authorities
02 Not grooming leaders for GRC system responsibilities
03 Assigning accountability or responsibility for GRC to an individual who is unqualified or lacks requisite
authority

Guidelines and Practices


O2.1 Define and Enable GRC System Oversight Roles and Accountability
O2.2 Define and Enable Management Roles and Accountability
O2.3 Define and Enable Leadership Roles and Accountability
O2.4 Define and Enable GRC System Operational Roles
O2.5 Define and Enable Assurance Roles and Accountability (chief audit executive, external auditor)

Key Deliverables

Descriptions: Role / Job Descriptions
Plans: Specialized GRC Curriculum Plan

Enabling Technology Components

Technology Arenas: Corporate Governance (CG), Enterprise Content Management (ECM), Enterprise Resource Management (ER), Human Resources Management (HRM)
Business Applications: Board Management (BM), Business Activity Monitoring (BAM), Collaboration/Knowledge Management (KM), Documents & Records Management (DRM), Employee Evaluations & Surveys (EES), Learning & Training Management (LTM)
GRC Core Applications: Accountability/Responsibility Management (ARM), Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Ethical Practices/Corporate Integrity (ECI), Global Trade Compliance (GTC)/International Dealings, Legal Matter Management (LMM), Operational Risk Management (ORM), Reporting/eFiling (REF), Risk Analytics (RA)
Infrastructure: Enterprise Architecture Standards (EAS), Identity and Access Management (IAM), Physical Security (PS), Retention & Storage Management (RSM)

O2 ROLES & RESPONSIBILITIES


O2.1 DEFINE AND ENABLE GRC SYSTEM OVERSIGHT ROLES AND
ACCOUNTABILITY

Define oversight roles, responsibilities and accountability for each aspect of the GRC system.
Core Sub-practices

O2.1.01
l Define critical attributes of oversight structures (e.g. the board) and personnel (e.g. board members), including:
• independence from management,
• objectivity in analysis,
• integrity and ethical conduct,
• diligence,
• adequate competence to conduct assigned activities including generally accepted professional credentials consistent with
role,
• transparency of practices and activities, and
• periodic additions of new oversight structure members to ensure new perspectives.

O2.1.02
l Define general oversight responsibilities for:
• directing and authorizing the purpose and expected GRC system outcomes,
• setting a charter for board (and other oversight structure) involvement in the system,
• being knowledgeable about the design and operation of the system,
• obtaining regular assurance that the system is effective, and
• providing reasonable assurance that management’s representations about the organization and the system are sound using
information developed independent of management.

O2.1.03
l Define responsibility for operating aspects of the GRC system that require board perspective and independence including:
• vetting and guiding desired system outcomes to be congruent with business objectives,
• establishing risk management oversight by the board or a designated committee, which includes approval and periodic
review of risk management processes,
• establishing risk appetite and tolerances and regularly reviewing risk reports to ensure conformance with such established
levels,
• independently assessing, or vetting the assessment of, and monitoring of highest priority risks,
• requiring management to identify, assess and address risks as part of any significant change proposal,
• requiring internal or external auditor assessment of the effectiveness and performance of risk management and compliance
processes,
• monitoring any control activities conducted by senior management,
• monitoring senior management’s override of control activities,
• providing waiver of system requirements in defined circumstances,
• selecting, evaluating, compensating and terminating senior management, and
• addressing long-term issues that may exceed senior executive tenure.

O2.1.04
l Define specific GRC responsibilities of Board members and committees.

O2.1.05
l Define job descriptions and performance evaluation criteria for oversight personnel.

O2.1.06
l Check background of personnel hired or promoted into oversight roles.

O2.1.07
l Define and deliver a specialized curriculum plan for oversight personnel that includes relevant portions of OCEG GRC
Fundamentals course.

O2.1.08
l Ensure that oversight personnel obtain and maintain professional credentials relevant to their GRC roles.

O2 ROLES & RESPONSIBILITIES


O2.2 DEFINE AND ENABLE MANAGEMENT ROLES AND ACCOUNTABILITY

Define management roles, responsibilities and accountability for certain aspects of the GRC
system.
Core Sub-practices

O2.2.01
l Define responsibility for operating aspects of the GRC system that require Board perspective and independence including:
• vetting and guiding business objectives to be congruent with desired system outcomes,
• independently assessing, or vetting the assessment of, and monitoring highest priority risks,
• monitoring any control activities conducted by senior management,
• monitoring senior management’s override of control activities,
• providing waiver of system requirements in defined circumstances,
• selecting, evaluating, compensating and terminating senior management, and
• addressing long-term issues that may exceed senior executive tenure.

O2.2.02
l Define specific GRC responsibilities for management roles, including:
• Chief Executive Officer is responsible for supporting or leading the implementation of the GRC system,
• Chief Financial Officer is responsible for authorizing and overseeing resource allocation and budgets, and participating in
risk assessment process,
• Chief Risk Officer is responsible for developing the risk optimization framework and aggregating and analyzing risk at the
enterprise level,
• Chief Compliance Officer is responsible for leading the compliance risk assessment process, overseeing design and
implementation of a compliance program intended to prevent, detect and correct legal noncompliance,
• Chief Ethics Officer is responsible for assessing and enhancing ethical culture through training, communication and other
controls (this is often combined with the chief compliance officer),
• Chief Legal Officer is responsible for leading the legal risk assessment process, approving policies and controls to assure
compliance with legal requirements and to ensure no creation of liability, overseeing and sometimes conducting
investigations, ensuring protection of privilege where appropriate,
• Chief People Officer is responsible for overseeing and implementing human capital incentives and controls, ethical
leadership practices, incorporation of requirements into job descriptions and performance evaluations, internal stakeholder
communications, and, possibly, all education and learning initiatives, and
• Chief Technology Officer is responsible for coordinating selection and application of technologies to support GRC
functions.

O2.2.03
l Define job descriptions and GRC related performance evaluation criteria for management in GRC roles.

O2.2.04
l Check background of management personnel hired or promoted into substantial authority or GRC roles.

O2.2.05
l Define and deliver a specialized curriculum plan for management in GRC roles that includes relevant portions of OCEG
GRC Fundamentals course.

O2.2.06
l Ensure that management obtains and maintains professional credentials relevant to its GRC responsibilities.

O2 ROLES & RESPONSIBILITIES


O2.3 DEFINE AND ENABLE LEADERSHIP ROLES AND ACCOUNTABILITY

Define individuals to serve in leadership roles to champion the GRC system or certain aspects of
the system and establish methods to ensure they possess the desired character ethics.
Core Sub-practices

O2.3.01
l Identify and select individuals at various levels of the organization to serve as leaders and champions for the GRC system.

O2.3.02
l Define responsibilities of leaders and champions to:
• break down barriers to change,
• develop buy-in for the GRC system, and
• communicate the desired outcomes of the system and how they relate to business objectives.

O2.3.03
l Establish and communicate a defined set of essential character ethics to which executive leaders have made a commitment
and require of designated leaders.

O2.3.04
l Check background of leaders and champions for any incongruence with being an ethical leader (e.g., prior misconduct) and
to ensure alignment with established character ethics required of leaders.

O2.3.05
l Regularly engage in discussions with designated leaders about the values they are expected to demonstrate and set
expectations about how these will be shared, pursued and monitored, as well as how lapses and trust-eroding events will
be redressed.

O2.3.06
l Define and deliver a specialized curriculum for leaders that includes relevant portions of OCEG GRC Fundamentals course.

O2 ROLES & RESPONSIBILITIES


O2.4 DEFINE AND ENABLE GRC SYSTEM OPERATIONAL ROLES

Define the roles required to deliver, operate, and execute GRC System practices.
Core Sub-practices

O2.4.01
l Define roles responsible for the following key GRC activities:
• methodology, policy/procedure, standards, vocabulary development and maintenance,
• risk and requirements identification, analysis, and optimization,
• initiative implementation/project portfolio management,
• stakeholder relations,
• helpline / hotline,
• investigation and resolution,
• performance measurement,
• communications, including public relations,
• information management, and
• technology.

O2.4.02
l Define job descriptions and performance evaluation criteria relevant to each GRC operational role.

O2.4.03
l Check background of personnel hired, transferred, or promoted into GRC operational roles.

O2.4.04
l Define and deliver a specialized curriculum plan for GRC operational roles that includes relevant portions of OCEG GRC
Fundamentals course.

O2.4.05
l Monitor whether operational personnel have obtained and maintain professional credentials relevant to their GRC roles.

O2 ROLES & RESPONSIBILITIES


O2.5 DEFINE AND ENABLE ASSURANCE ROLES AND ACCOUNTABILITY (CHIEF
AUDIT EXECUTIVE, EXTERNAL AUDITOR)

Define assurance roles, responsibilities and accountability for certain aspects of the GRC system.
Core Sub-practices

O2.5.01
l Define critical attributes of assurance personnel, including:
• independence from management,
• objectivity in analysis,
• integrity,
• diligence,
• adequate competence to conduct assigned activities including generally accepted professional credentials consistent with
role, and
• direct and unfettered access to the Board for the senior executive responsible for independent assurance.

O2.5.02
l Define general responsibilities for assurance personnel to provide independent assurance to the Board and management
that:
• risks and requirements (external and internal) are identified, evaluated, managed, reported and monitored via effective
methods,
• they have quality information needed to make GRC system decisions and reduce the cost of control,
• the GRC system is appropriately designed to address identified risks and requirements,
• the risk management process is designed to identify, evaluate, manage, report and monitor a comprehensive set of risks to
(and requirements for) the achievement of the organization’s objectives within the organization’s values, and
• the GRC system is operating as designed.

O2.5.03
l Define job descriptions and performance evaluation criteria for assurance personnel.

O2.5.04
l Check background of personnel hired or promoted into assurance roles.

O2.5.05
l Define and deliver a specialized curriculum plan for assurance personnel that includes relevant portions of OCEG GRC
Fundamentals course.

O3 APPROACH & ACCOUNTABILITY

Define an approach to embed, integrate and align the GRC system with the business, and establish accountability for each aspect of the system.

Principles

01 Where possible, the GRC system should use people, processes, and technologies already serving other needs.
02 Irreconcilable conflicts of interest or legal mandates may preclude consolidating responsibilities into a single role.
03 When consolidating responsibilities into a single role, put in place controls to make sure the consolidation does not jeopardize any required objectivity and independence.
04 The degree of integration across risk areas and with existing business processes varies based on organizational needs.

Common Sources Of Failure

01 Not assigning accountability for all key aspects of the GRC system
02 Not appropriately aggregating or segregating roles
03 Not integrating the GRC system with the business
04 Not identifying potential resistance to any change that the GRC system may imply or require
05 Not establishing clear reporting lines and strong inter-department knowledge sharing
06 Not developing and maintaining a business case for the GRC system with adequate resources to achieve its goals

Guidelines and Practices

O3.1 Allocate Accountability to Individuals and Committees
O3.2 Define GRC System Processes and Integrate with Business Processes
O3.3 Define Measurement and Evaluation Approach
O3.4 Define Organizational Change Management Approach
O3.5 Develop, Maintain and Authorize a Business Case

Key Deliverables

Authorizations: Internal Authorization, Segregation of Duties
Plans: GRC Strategic Plan

Enabling Technology Components

Technology Arenas: Business Process Management (BPM), Corporate Governance (CG), Enterprise Content Management (ECM), Enterprise Resource Management (ER)
Business Applications: Budget & Finance Management (BFM), Business Activity Monitoring (BAM), Corporate Performance Management (CPM), Documents & Records Management (DRM), Legal Entity Management (LEM), Strategic Planning (SP)
GRC Core Applications: Accountability/Responsibility Management (ARM), Controls Management & Monitoring (CMM), Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Ethical Practices/Corporate Integrity (ECI), Global Trade Compliance (GTC)/International Dealings, Helpline, Hotline/Whistleblower, Legal Matter Management (LMM), Operational Risk Management (ORM), Risk Analytics (RA)
Infrastructure: Identity and Access Management (IAM), Information Technology Operations (ITO) Management


O3 APPROACH & ACCOUNTABILITY

O3.1 ALLOCATE ACCOUNTABILITY TO INDIVIDUALS AND COMMITTEES

Allocate GRC roles and responsibilities to individuals and committees.

Core Sub-practices

O3.1.01
Allocate responsibilities to individuals and committees with other primary roles, if doing so will achieve synergies and efficiencies while ensuring required objectivity and independence.

O3.1.02
Segregate certain roles as follows:
• roles that have an interest in uncovering misconduct and weaknesses (compliance, internal audit) from roles that have an interest in legally protecting the organization (general counsel),
• roles that have an interest in uncovering misconduct and weaknesses (compliance, internal audit) from roles that have an interest in quarterly business performance objectives and incentives that may compromise objectivity,
• roles that involve implementing and operating preventive and detective controls (finance, compliance) from roles that evaluate the effectiveness of those controls and structures (internal audit), and
• roles involved in investigations of alleged misconduct and weaknesses from individuals that are alleged to have been, or have potential to have been, involved in the alleged misconduct, and from those who have direct reporting relationships with such individuals.

O3.1.03
Design adequate reporting relationships that ensure required independence and objectivity are respected, including assuring:
• individuals charged with managing compliance risk have direct access to the Board, and
• individuals charged with assurance have direct access to the Board.

O3.1.04
Develop a proposed organizational structure for the GRC system that enables objective reporting of results.

O3.1.05
Vet the proposed structure with individuals who would serve in key roles within the GRC system.

O3.1.06
Finalize and document the GRC system structure, including reporting lines, in the GRC strategic plan.

O3.1.07
Obtain approval of the structural plan from the appropriate authority.
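The four segregation rules of O3.1.02 can be applied mechanically to a role assignment and reporting structure. The following is an added illustrative example and is not part of the OCEG model; the interest taxonomy, the people, their roles and their reporting lines are all constructed.

```python
"""Segregation-of-duties check modelled on the four rules of O3.1.02.

Rules 1-3 are conflicts of interest held by one person; rule 4 concerns
investigators who are subjects of a matter or report up to a subject.
Everything below (taxonomy, org chart, matter) is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Interests a role carries (constructed taxonomy mirroring the rule text).
UNCOVER = "uncover_misconduct"                # compliance, internal audit
LEGAL_PROTECT = "legal_protection"            # general counsel
QUARTERLY_INCENTIVE = "quarterly_incentive"   # paid on quarterly results
OPERATE_CONTROLS = "operate_controls"         # finance, compliance
EVALUATE_CONTROLS = "evaluate_controls"       # internal audit

# Pairs of interests one person must not hold at the same time (rules 1-3).
CONFLICTING_INTERESTS: List[Tuple[str, str]] = [
    (UNCOVER, LEGAL_PROTECT),
    (UNCOVER, QUARTERLY_INCENTIVE),
    (OPERATE_CONTROLS, EVALUATE_CONTROLS),
]

# Constructed mapping from job role to the interests it carries.
ROLE_INTERESTS: Dict[str, Set[str]] = {
    "compliance": {UNCOVER, OPERATE_CONTROLS},
    "internal_audit": {UNCOVER, EVALUATE_CONTROLS},
    "general_counsel": {LEGAL_PROTECT},
    "sales_vp": {QUARTERLY_INCENTIVE},
    "finance": {OPERATE_CONTROLS},
}


@dataclass
class Person:
    name: str
    roles: Set[str]
    manager: Optional[str] = None   # direct manager's name; None at the top


def interests_of(person: Person) -> Set[str]:
    """Union of the interests carried by all of a person's roles."""
    held: Set[str] = set()
    for role in person.roles:
        held |= ROLE_INTERESTS.get(role, set())
    return held


def reporting_chain(name: str, people: Dict[str, Person]) -> List[str]:
    """Names of everyone above `name`, nearest manager first (cycle-safe)."""
    chain: List[str] = []
    cur = people[name].manager
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = people[cur].manager
    return chain


def interest_conflicts(people: Dict[str, Person]) -> List[Tuple[str, str]]:
    """Rules 1-3: flag anyone holding two interests that must be segregated."""
    findings = []
    for p in people.values():
        held = interests_of(p)
        for a, b in CONFLICTING_INTERESTS:
            if a in held and b in held:
                findings.append((p.name, f"{a} vs {b}"))
    return findings


def investigation_conflicts(people: Dict[str, Person],
                            matter: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Rule 4: an investigator may not be a subject of the matter, nor report
    directly or indirectly to one. `matter` has 'investigators' and 'subjects'."""
    findings = []
    subjects = set(matter["subjects"])
    for inv in matter["investigators"]:
        if inv in subjects:
            findings.append((inv, "investigator is a subject"))
        for s in sorted(set(reporting_chain(inv, people)) & subjects):
            findings.append((inv, f"reports (directly or indirectly) to subject {s}"))
    return findings


def sample_people() -> Dict[str, Person]:
    """Constructed org chart: the compliance lead also carries a quarterly-
    incentive role, and the auditor reports up through the CFO."""
    people = [
        Person("ceo", {"sales_vp"}),
        Person("cfo", {"finance"}, manager="ceo"),
        Person("gc", {"general_counsel"}, manager="ceo"),
        Person("alice", {"compliance", "sales_vp"}, manager="ceo"),
        Person("bob", {"internal_audit"}, manager="cfo"),
        Person("carol", {"compliance"}, manager="gc"),
    ]
    return {p.name: p for p in people}


def run_check() -> List[Tuple[str, str]]:
    """Run all four rules over the constructed org and a constructed matter."""
    people = sample_people()
    matter = {"investigators": ["bob", "carol"], "subjects": ["cfo"]}
    return interest_conflicts(people) + investigation_conflicts(people, matter)


if __name__ == "__main__":
    for who, why in run_check():
        print(f"{who}: {why}")
```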

O3 APPROACH & ACCOUNTABILITY
O3.2 DEFINE GRC SYSTEM PROCESSES AND INTEGRATE WITH BUSINESS PROCESSES

Define GRC system processes and synchronize them with existing business processes.
Core Sub-practices

O3.2.01
Define a GRC system process model.

O3.2.02
Define how and when key GRC system processes will be conducted relative to existing business processes, including:
• when risk assessments will occur and integrate with existing business planning activities,
• generally how preventive, detective and corrective activities will integrate with existing business processes,
• how GRC system information will be used in conjunction with business information to judge performance,
• how GRC system information (internal and external) will integrate with existing communication channels and reporting,
• when GRC system monitoring will occur and how it will synchronize with existing performance monitoring, and
• how technology that enables the GRC system will leverage existing business applications and infrastructure.

O3.2.03
Create a unified calendar for key GRC system processes and related business processes.

O3 APPROACH & ACCOUNTABILITY

O3.3 DEFINE MEASUREMENT AND EVALUATION APPROACH

Define an approach to measure and evaluate the effectiveness, efficiency, and responsiveness of the GRC system.
Core Sub-practices

O3.3.01
Refine desired GRC system outcomes to ensure they are capable of measurement or evaluation.

O3.3.02
Allocate accountability for achieving GRC system outcomes to key personnel.

O3.3.03
Design reports for senior management and the Board.

O3.3.04
Define a schedule for conducting ongoing and periodic evaluation of the GRC system.

O3.3.05
Define targets and thresholds for each measurement indicator, and maturity milestones.

O3 APPROACH & ACCOUNTABILITY
O3.4 DEFINE ORGANIZATIONAL CHANGE MANAGEMENT APPROACH

Define an approach to ready the organization for any changes that the GRC system may require to people, processes, and technology.
Core Sub-practices

O3.4.01
Identify key areas where the GRC system may significantly affect existing business units, departments, people, stakeholder relationships, processes, and technology.

O3.4.02
Assess the readiness of key impacted areas and the organization as a whole to integrate changes.

O3.4.03
Define specific change management plans to address any anticipated challenges and risks.

O3 APPROACH & ACCOUNTABILITY

O3.5 DEVELOP, MAINTAIN AND AUTHORIZE A BUSINESS CASE

Develop a business case for the GRC system and obtain authorization from senior management and the Board.
Core Sub-practices

O3.5.01
Create a strategic plan and business case that summarizes:
• the desired outcomes of the GRC system,
• why it is needed and how it adds value,
• how it will be structured,
• how it will be resourced with people, funding and technology (and how much),
• how it relates to business objectives and the existing operational model,
• when system components, elements, processes, practices, and enabling technology will be implemented,
• how performance will be measured, and
• how assurance will be provided.

O3.5.02
Obtain authorization from senior management and the Board.

O3.5.03
Obtain funding for the approach.

A ASSESS & ALIGN

Assess risks and optimize the organizational risk profile with a portfolio of initiatives, tactics, and activities.

A1 Risk Identification

A1.1 Identify Affected Business Objectives and Operations
A1.2 Identify Changes in Internal and External Factors that Drive Risk
A1.3 Identify Integrity and Ethical Culture Risks
A1.4 Identify Compliance Risks
A1.5 Identify Operational Risks
A1.6 Identify Economic Risks
A1.7 Identify Risks that May Afford Opportunities
A1.8 Identify Risk Trends and Interrelatedness
A1.9 Categorize Risks
A1.10 Assign Accountability to Monitor Changes in Underlying Factors

A2 Risk Analysis

A2.1 Analyze Inherent Risk
A2.2 Analyze Current Approaches to Risk Optimization
A2.3 Determine Current Residual Risk
A2.4 Prioritize Risks

A3 Risk Optimization

A3.1 Evaluate Risk Optimization Tactics and Activities
A3.2 Determine Planned Residual Risk
A3.3 Determine Optimizing Activities
A3.4 Develop Key Risk Indicators
A3.5 Develop Risk Optimization Plan

A1 RISK IDENTIFICATION

Identify events, forces, and factors that may affect the achievement of business objectives, including those arising from noncompliance with requirements established by law, standards, internal policies or other mandatory or voluntary boundaries.

Principles

01 Given limited resources, the risk identification process should focus on key business objectives, assets, and operations.
02 Bottom-up participation from the workforce and line managers helps to gather information about what "really happens" in the business and the risks that the workforce and agents actually face.
03 Categorizing risks can help to structure the identification process and ensure that the organization identifies risks uniformly across departments and silos.
04 Risks rarely fall into singular categories, but rather tend to be multi-faceted, so management should use multiple techniques to identify all relevant risks.

Common Sources Of Failure

01 Not identifying risks by failing to identify and consider all:
• products or services offered,
• geographies and locations in which the organization operates,
• legal requirements related to operations,
• contractual or voluntary obligations made by the business,
• risks related to failures in integrity and ethical culture,
• internal and external factors, forces, events or trends, including the possibility of natural disasters or other uncontrollable events, or
• risks arising in the extended enterprise
02 Not evaluating risks faced by peers (based on industry, revenues, workforce size, and geography) currently or in the past
03 Not identifying new or changing risks in a timely manner
04 Not understanding weaknesses in the capability to react to various types of external factors
05 Not considering identification of opportunities as part of risk identification
06 Not recognizing that cultural weaknesses can present great risk
Guidelines and Practices

A1.1 Identify Affected Business Objectives and Operations
A1.2 Identify Changes in Internal and External Factors that Drive Risk
A1.3 Identify Integrity and Ethical Culture Risks
A1.4 Identify Compliance Risks
A1.5 Identify Operational Risks
A1.6 Identify Economic Risks
A1.7 Identify Risks that May Afford Opportunities
A1.8 Identify Risk Trends and Interrelatedness
A1.9 Categorize Risks
A1.10 Assign Accountability to Monitor Changes in Underlying Factors

Key Deliverables

Matrices: Prioritized Risk Matrix

Enabling Technology Components

Technology Arenas: Assurance & Audit Management (AAM), Business Intelligence (BI), Enterprise Content Management (ECM), Enterprise Resource Management (ER), Enterprise Risk Management (ERM), Human Resources Management (HRM)
Business Applications: Contract Management (CM), Documents & Records Management (DRM), Legal Entity Management (LEM), Loss Management (LM), Project Portfolio Management (PPM), Quality Management & Monitoring (QMM)
GRC Core Applications: Accountability/Responsibility Management (ARM), Crisis Management (CMT), Enterprise Risk Assessment (ERA), Environmental Monitoring & Reporting (EMR), Finance & Treasury Risk (FTR) Management, Financial Assurance & Audit (FAA), Fraud Detection & Prevention (FDP), Geo-Political Risk (GPR) Management, Helpline, Hotline/Whistleblower, Information Technology Audit (ITA), Information Technology Risk & Compliance (ITRC) Management, Insurance & Claims Management (ICM), Legal Matter Management (LMM), News Feeds (GRC Intelligence), Operational Assurance & Audit (OAA), Operational Risk Management (ORM), Risk Analytics (RA)
Infrastructure: Identity and Access Management (IAM), Physical Security (PS), Retention & Storage Management (RSM), Systems Log Management (SLM)

A1 RISK IDENTIFICATION
A1.1 IDENTIFY AFFECTED BUSINESS OBJECTIVES AND OPERATIONS

Identify key business objectives and operations that may be affected by risks.
Core Sub-practices

A1.1.01
Review business objectives.

A1.1.02
Identify the key:
• lines of business,
• projects,
• physical and information assets,
• people and jobs at all levels of the organization,
• business processes,
• infrastructures, and
• technologies.

A1 RISK IDENTIFICATION
A1.2 IDENTIFY CHANGES IN INTERNAL AND EXTERNAL FACTORS THAT DRIVE RISK

Imagine and identify potential adverse events arising from changes in internal and external factors that affect risk.
Core Sub-practices

A1.2.01
Identify and analyze potential events that would change internal factors that affect risk, including changes in:
• people / personnel,
• processes,
• technology,
• information, and
• infrastructure.

A1.2.02
Identify and analyze potential events that would change external factors that affect risk, including changes in:
• economic context,
• natural environment,
• political events,
• social mores and expectations, and
• technological advances.

A1 RISK IDENTIFICATION
A1.3 IDENTIFY INTEGRITY AND ETHICAL CULTURE RISKS

Imagine and identify situations where individuals working alone or with others will attempt to break the rules - whether the rules are mandated by an external source or are internal, voluntary policies.
Core Sub-practices

A1.3.01
Identify areas in the cultural analysis that indicate weaknesses.

A1.3.02
Identify opportunities and scenarios for financial fraud.

A1.3.03
Identify opportunities and scenarios for operational fraud.

A1.3.04
Identify opportunities and scenarios for corruption and self-dealing.

A1.3.05
Identify opportunities and scenarios for intimidating or harassing behavior.

A1.3.06
Identify opportunities and scenarios for criminal mischief or retribution.

A1 RISK IDENTIFICATION
A1.4 IDENTIFY COMPLIANCE RISKS

Imagine and identify situations where risks arise due to noncompliance with externally mandated requirements or organizational commitments under contracts, voluntary agreements, and internal policies.
Core Sub-practices

A1.4.01
Identify key legal compliance areas that apply to the organization, such as:
• employment,
• information management, privacy and security,
• environmental, health and safety,
• foreign corrupt practices,
• antitrust,
• government contracting, and
• regulated industry requirements.

A1.4.02
Identify explicit and derived legal requirements that apply to the organization, including those contained in:
• laws, rules and regulations,
• administrative rulings,
• judicial rulings,
• contracts, and
• settlement or consent orders and integrity agreements.

A1.4.03
Identify other explicit and derived external requirements potentially applicable to the organization, including those contained in:
• safe harbor standards,
• international, national and industry standards,
• trade association commitments,
• stock exchange listing commitments,
• prosecution, enforcement, penalty and sentencing guidelines,
• customary practices in the industry, and
• customary practices in the geography and national culture.

A1.4.04
Identify explicit and derived internal requirements set forth in:
• mission, vision, values,
• code of conduct,
• policies, and
• established procedures.

A1 RISK IDENTIFICATION
A1.5 IDENTIFY OPERATIONAL RISKS

Imagine and identify situations where risk results from inadequate or failed internal processes, people, and technologies.
Core Sub-practices

A1.5.01
Identify risks from misalignment of people, processes, and technology.

A1.5.02
Identify events that could give rise to information management or technology risk.

A1.5.03
Identify risks from inadequate resources, documentation, or education.

A1 RISK IDENTIFICATION
A1.6 IDENTIFY ECONOMIC RISKS

Imagine and identify situations where financial risk could surface.
Core Sub-practices

A1.6.01
Identify events that give rise to market risk.

A1.6.02
Identify events that give rise to credit risk.

A1.6.03
Identify events that give rise to liquidity risk.

A1.6.04
Identify events that give rise to interest rate risk.

A1 RISK IDENTIFICATION
A1.7 IDENTIFY RISKS THAT MAY AFFORD OPPORTUNITIES

Identify areas where effective management of a risk will afford the organization strategic or tactical opportunities.
Core Sub-practices

A1.7.01
Identify opportunities for:
• better coordination of business functions,
• facilitating business efficiencies,
• improvements to quality, and
• improved information on business activities that can result in improved management.

A1.7.02
Identify key business areas where opportunities may be presented, such as:
• new product development,
• sales and distribution,
• import-export processes,
• financial controls, and
• controls surrounding kickback and bribery requirements.

A1 RISK IDENTIFICATION
A1.8 IDENTIFY RISK TRENDS AND INTERRELATEDNESS

Identify the trend of each risk and how risks relate to each other.
Core Sub-practices

A1.8.01
Identify how the occurrence and magnitude of each risk has trended in the organization.

A1.8.02
Identify how the occurrence and magnitude of each risk has trended in peers and the industry.

A1.8.03
Identify instances of changed expectations of risk occurrence or magnitude from repeated incidents or correlated risks.

A1 RISK IDENTIFICATION
A1.9 CATEGORIZE RISKS

Identify the type and order-of-magnitude estimate of impact for each identified risk.
Core Sub-practices

A1.9.01
Identify the types of impact from each risk, such as risk of:
• physical injury to people,
• physical injury to facilities or other physical assets,
• business interruption (including lost “qualified to do business” status, delisting, and debarment),
• civil or criminal liability, fines, penalties and restitution orders,
• reputational damage,
• business quality or reliability, or
• economic loss.

A1.9.02
Identify risks that require crisis response planning.

A1.9.03
Identify risks that present significant vulnerability to the organization based on trends, likelihood, correlated effects, or degree of impact.

A1.9.04
For each identified significant risk, identify the roles or jobs that are in a position to affect the likelihood or impact of the risk.

A1.9.05
Begin development of the prioritized risk matrix by documenting the identified risks and their related attributes:
• risk category,
• related requirements,
• nature of impacts, and
• related roles.

A1 RISK IDENTIFICATION
A1.10 ASSIGN ACCOUNTABILITY TO MONITOR CHANGES IN UNDERLYING FACTORS

Assign accountability for monitoring the underlying conditions and sources of risks.
Core Sub-practices

A1.10.01
Assign responsibility to monitor and identify changes to internal factors that affect risks, including:
• mergers and acquisitions,
• new product development,
• expansion into new markets,
• new contracts or voluntary commitments,
• key personnel or management changes, and
• business process changes.

A1.10.02
Assign responsibility to monitor and identify changes to external factors that affect risks, including:
• macroeconomic events and cycles,
• new laws, rules, regulations,
• shifts in regulatory climate,
• natural or health hazards,
• political events and changes,
• shifts in societal attitudes and perceptions, and
• shifts in stakeholder attitudes, perceptions and expectations.

A2 RISK ANALYSIS

Define the current risk profile by analyzing the inherent risk and residual risk after considering current risk optimizing activities.

Principles
01 Use top-down analysis and input from senior executives to scope risk analysis activities, but rely on bottom-up information from individuals "on the ground" to ensure that operational reality drives risk analysis.
02 Use risk criteria to determine if current residual risk is acceptable or unacceptable.
03 Document risk analysis so others can use it for other purposes such as audit and assurance activities.
04 Analyze inherent risk so that management can rationalize current and future resource allocation based on the underlying level of risk, and so that risks are not over-managed or under-managed.

Common Sources Of Failure
01 Not using consistent methodologies to analyze and categorize similar risks across various risk silos
02 Not using both top-down and bottom-up risk analysis techniques
03 Not using both quantitative and qualitative risk analysis techniques
04 Not analyzing both the inherent and current residual risk

Guidelines and Practices
A2.1 Analyze Inherent Risk
A2.2 Analyze Current Approaches to Risk Optimization
A2.3 Determine Current Residual Risk
A2.4 Prioritize Risks

Key Deliverables
Matrices: Prioritized Risk Matrix

Enabling Technology Components

Technology Arenas: Business Intelligence (BI), Enterprise Risk Management (ERM)
Business Applications: Contract Management (CM), Enterprise Asset Management (EAM), Learning & Training Management (LTM), Loss Management (LM)
GRC Core Applications: Audit Analytics (AA), Crisis Management (CMT), Enterprise Risk Assessment (ERA), Environmental Monitoring & Reporting (EMR), Finance & Treasury Risk (FTR) Management, Financial Assurance & Audit (FAA), Fraud Detection & Prevention (FDP), Geo-Political Risk (GPR) Management, Information Technology Audit (ITA), Information Technology Risk & Compliance (ITRC) Management, Insurance & Claims Management (ICM), Legal Matter Management (LMM), News Feeds (GRC Intelligence), Operational Assurance & Audit (OAA), Operational Risk Management (ORM), Risk Analytics (RA)
Infrastructure: Systems Log Management (SLM)

A2 RISK ANALYSIS
A2.1 ANALYZE INHERENT RISK

Analyze the inherent vulnerability to the organization from likelihood and impact of risks without consideration of current controls, incentives and other risk optimization activities.
Core Sub-practices

A2.1.01
Analyze the likelihood that a risk will materialize including identification of likely:
• single vs. multiple events, and
• short-term vs. long-term events.

A2.1.02
Analyze likely speed of onset and momentum once the risk occurs.

A2.1.03
Analyze inherent relationship with other risks.

A2.1.04
Use history of the organization and peers (based on industry, geography, business activities, and workforce scale and footprint) to analyze vulnerability considering likelihood and impact.

A2.1.05
Augment the prioritized risk matrix with a synopsis of the inherent risk analysis.

A2 RISK ANALYSIS
A2.2 ANALYZE CURRENT APPROACHES TO RISK OPTIMIZATION

Identify the current approaches to optimize risk by mitigating the negative impact of risks and identifying opportunities presented by risks.
Core Sub-practices

A2.2.01
Identify and evaluate current application of risk optimization tactics to:
• ACCEPT the risk at the current residual level,
• AVOID the risk and cease activities (or change requirements) that give rise to the risk,
• SHARE the impact or optimization of the risk with other entities, including use of risk financing, or SHIFT the risk to another business partner (via joint ventures or risk financing structures),
• REDUCE likelihood of the risk by implementing incentives, controls and other activities that prevent or reduce the probability that undesirable activities occur, or
• REDUCE impact by more quickly detecting and responding to undesirable activity, or otherwise preventing risks from accelerating into high impact levels.

A2.2.02
Identify and evaluate current risk optimization activities including use of:
• incentives for desired conduct,
• preventive, detective and corrective controls to address undesired conduct or events,
• issue identification and management,
• monitoring activities,
• policies and procedures,
• education and awareness programs, and
• risk financing.

A2.2.03
Identify and evaluate who, or what department, is accountable for managing each risk optimization approach in:
• mainline business functions, departments and staff,
• risk management, ethics and compliance departments and staff,
• assurance departments and staff, and
• oversight (Board).

A2.2.04
Identify any gaps and unnecessary overlaps in risk optimization approaches.

A2.2.05
Augment the prioritized risk matrix with a synopsis of the current approach to optimization of each risk.

A2 RISK ANALYSIS
A2.3 DETERMINE CURRENT RESIDUAL RISK

Determine the level of risk remaining after application of currently applied optimization approaches to risk.
Core Sub-practices

A2.3.01
Analyze the effect of current approaches on the likelihood and magnitude of impact of each risk or category of risk.

A2.3.02
Determine the cost to maintain current approaches.

A2.3.03
Determine current level of residual risk.

A2.3.04
Augment the prioritized risk matrix with analysis of the current residual risk.

A2 RISK ANALYSIS
A2.4 PRIORITIZE RISKS

Evaluate inherent and residual risks based on risk criteria, and the effectiveness, efficiency and responsiveness of current optimizing activities so that priorities can be established.
Core Sub-practices

A2.4.01
Identify risks that call for high prioritization for improved or additional optimization, including:
• when current residual risk is unacceptable based on the organization’s risk appetite,
• when current residual risk is unacceptable and immediate action is required,
• when current optimizing activities are ineffective, inconsistently effective, or inefficient,
• when an inherently high risk requires optimizing activities that must be constantly monitored, and
• when risks require crisis response plans such as workplace violence, natural disasters, and significant reputational issues.

A2.4.02
Augment the prioritized risk matrix with the prioritization analysis, specifically identifying key risks based on either classification of the risk as inherently high or high vulnerability as a residual risk.

A3 RISK OPTIMIZATION

Evaluate and implement selected risk optimization options.

Principles
01 Priority risks should include both inherently high risks and unacceptably high residual risks.
02 A layered approach may result in a more efficient use of resources and more effective risk optimization.
03 Where appropriate, embed optimizing activities in mainline business planning and processes.

Common Sources Of Failure
01 Not prioritizing or prioritizing every risk as high resulting in resources disproportionately allocated given the actual level of risk
02 Not monitoring inherently high risks, regardless of the current residual risk level, so that the organization will not be exposed to catastrophic impact
03 Selecting a single optimizing option when a multifaceted, multilayered approach may be more appropriate
04 Not assigning accountability for implementing or maintaining optimizing activities and assuming it will just get done
05 Not obtaining authorization and funding resulting in ineffective or nonexistent optimizing activities
06 Not adequately considering the need for ongoing and pervasive approaches to controlling ethical and behavioral risks

Guidelines and Practices
A3.1 Evaluate Risk Optimization Tactics and Activities
A3.2 Determine Planned Residual Risk
A3.3 Determine Optimizing Activities
A3.4 Develop Key Risk Indicators
A3.5 Develop Risk Optimization Plan

Key Deliverables

Matrices: Prioritized Risk Matrix
Plans: Risk Optimization Plan

Enabling Technology Components

Technology Arenas: Business Intelligence (BI), Enterprise Risk Management (ERM), Security Management (SM)
Business Applications: Budget & Finance Management (BFM), Documents & Records Management (DRM), Project Portfolio Management (PPM), Strategic Planning (SP)
GRC Core Applications: Crisis Management (CMT), Geo-Political Risk (GPR) Management, Information Privacy Management (IPM), Information Technology Risk & Compliance (ITRC) Management
Infrastructure: Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR)

A3 RISK OPTIMIZATION
A3.1 EVALUATE RISK OPTIMIZATION TACTICS AND ACTIVITIES

Evaluate risk optimization tactics and activities when the current residual risk is unacceptable or when current optimizing activities can be improved to perform more efficiently and effectively.
Core Sub-practices

A3.1.01
Evaluate and select risk optimization tactics including decisions to:
• ACCEPT the risk at the current residual level (which may be a change in risk appetite),
• AVOID the risk and cease activities (or change requirements) that give rise to the risk,
• SHARE the impact or optimization of the risk with other entities, including use of risk financing, or SHIFT the risk to another business partner (via joint ventures or risk financing structures),
• REDUCE likelihood of the risk by implementing incentives, controls and other activities that prevent or reduce the probability that undesirable activities occur, or
• REDUCE impact by more quickly detecting and responding to undesirable activity, or otherwise preventing risks from accelerating into high impact levels.

A3.1.02
Evaluate and select specific risk optimization activities, including:
• incentives for desired conduct,
• preventive, detective and corrective controls to address undesired conduct or events,
• issue identification and management,
• monitoring activities,
• policies and procedures,
• education and awareness programs, and
• risk financing.

A3.1.03
Design a layered approach to avoid "single response bias" in optimizing key risks.

A3.1.04
Identify areas where optimizing tactics and activities can address more than one risk.

A3.1.05
Design optimizing activities so that they generate information that can be used for monitoring.

A3.1.06
If the primary risk optimization option for a particular risk will take some time to implement, define interim risk optimization options including consideration of delaying the action that presents the risk.

A3.1.07
Estimate the cost associated with planned risk optimization activities and determine if the cost is appropriate given the prioritization of the risk and the level of risk optimization achieved.

A3 RISK OPTIMIZATION
A3.2 DETERMINE PLANNED RESIDUAL RISK

Analyze the anticipated effect that planned optimizing activities will have on likelihood and impact to determine planned residual risk.
Core Sub-practices

A3.2.01
Assess the planned residual risk anticipated when the proposed risk optimization options are put in place.

A3.2.02
If planned residual risk is not acceptable, reconsider optimizing options.

A3.2.03
If planned residual risk is acceptable, implement the selected risk optimization activities.

A3.2.04
Analyze the costs and benefits of planned optimizing activities.

A3 RISK OPTIMIZATION
A3.3 DETERMINE OPTIMIZING ACTIVITIES

Identify current and planned optimizing activities that specifically address inherently high risks and that, should they cease to perform effectively, will expose the organization to unacceptable levels of risk.
Core Sub-practices

A3.3.01
Identify optimizing activities that currently are in place or are planned to address inherently high risks.

A3.3.02
Design additional monitoring activities to ensure that these optimizing activities continue to be effective and operate according to plan.

A3.3.03
Augment the prioritized risk matrix with the planned risk optimization activities and planned residual risk analysis.

A3.3.04
Include these risks and optimizing activities in assurance plans.

A3 RISK OPTIMIZATION
A3.4 DEVELOP KEY RISK INDICATORS

Develop risk indicators that inform management when key risk events have occurred, are imminent, or will potentially occur.
Core Sub-practices

A3.4.01
Identify risk indicators for each key risk, or category of key risk.

A3.4.02
Identify thresholds for each indicator that trigger:
• escalation / reporting,
• compensating controls, or
• reevaluation of optimization approaches.

A3.4.03
Assign accountability to periodically, or continuously, monitor each established risk indicator.

A3.4.04
Design management reports and dashboards to inform appropriate personnel about risk indicator values and changes.

A3.4.05
Provide objectives and indicators for key risks to executive management for consideration in enterprise strategic planning.
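To show how the prioritized risk matrix built up through A2.1 to A2.4 and the key risk indicators of A3.4 can be operated, here is an added example that is not OCEG's code or part of the Model: it scores inherent risk (A2.1), applies the current ACCEPT/AVOID/SHARE/SHIFT/REDUCE tactics to derive residual risk (A2.3), flags key risks as inherently high, above the risk appetite, or needing a crisis response plan (A2.4), and maps an indicator's thresholds to the escalation, compensating-control and reevaluation triggers of A3.4.02. The 1 to 5 scales, the effect assigned to each tactic, the appetite values and the sample risks are constructed assumptions.

```python
"""Prioritized risk matrix: inherent risk (A2.1), residual risk after current
tactics (A2.3), prioritization (A2.4) and KRI thresholds (A3.4). Added example;
the scales, tactic effects and sample data are constructed, not from the Model."""
from dataclasses import dataclass, field
from enum import Enum

class Tactic(Enum):  # risk optimization tactics named in A2.2.01 / A3.1.01
    ACCEPT = "accept"
    AVOID = "avoid"
    SHARE = "share"
    SHIFT = "shift"
    REDUCE_LIKELIHOOD = "reduce likelihood"
    REDUCE_IMPACT = "reduce impact"

@dataclass
class Risk:
    name: str
    category: str                # A1.9.05 attribute
    likelihood: int              # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int                  # 1 (minor) .. 5 (catastrophic); constructed scale
    tactics: list = field(default_factory=list)  # tactics currently applied
    needs_crisis_plan: bool = False              # A1.9.02 / A2.4.01

# Constructed risk criteria: a residual score above the appetite is unacceptable;
# an inherent score at or above INHERENTLY_HIGH is "inherently high" (A2.4.02).
RISK_APPETITE = 8
INHERENTLY_HIGH = 15

def inherent_score(risk):
    """A2.1: likelihood x impact with no credit for current controls."""
    return risk.likelihood * risk.impact

def residual(risk):
    """A2.3: apply current tactics to (likelihood, impact). Each effect is a
    constructed assumption: AVOID zeroes likelihood, each REDUCE lowers one axis
    by one point (floor 1), SHARE/SHIFT halves impact (rounded up), ACCEPT is a no-op."""
    lik, imp = risk.likelihood, risk.impact
    for tactic in risk.tactics:
        if tactic is Tactic.AVOID:
            lik = 0
        elif tactic is Tactic.REDUCE_LIKELIHOOD:
            lik = max(1, lik - 1)
        elif tactic is Tactic.REDUCE_IMPACT:
            imp = max(1, imp - 1)
        elif tactic in (Tactic.SHARE, Tactic.SHIFT):
            imp = (imp + 1) // 2
    return lik, imp

def prioritize(risks):
    """A2.4: rows of (name, inherent, residual, reasons) sorted by residual then
    inherent score, so an accepted but inherently high risk still surfaces."""
    rows = []
    for risk in risks:
        inh = inherent_score(risk)
        lik, imp = residual(risk)
        res = lik * imp
        reasons = []
        if inh >= INHERENTLY_HIGH:
            reasons.append("inherently high")
        if res > RISK_APPETITE:
            reasons.append("residual exceeds appetite")
        if risk.needs_crisis_plan:
            reasons.append("crisis response plan")
        rows.append((risk.name, inh, res, reasons))
    return sorted(rows, key=lambda row: (-row[2], -row[1], row[0]))

@dataclass
class KRI:  # A3.4.02: one indicator with the three threshold types the Model names
    indicator: str
    escalate_at: float
    compensate_at: float
    reevaluate_at: float

def kri_actions(kri, value):
    """Actions triggered by an observed indicator value; thresholds cumulate."""
    actions = []
    if value >= kri.escalate_at:
        actions.append("escalate")
    if value >= kri.compensate_at:
        actions.append("compensating controls")
    if value >= kri.reevaluate_at:
        actions.append("reevaluate optimization")
    return actions

# Constructed sample register and KRI (hypothetical values).
SAMPLE_RISKS = [
    Risk("Production data breach", "information security", 3, 5,
         [Tactic.REDUCE_LIKELIHOOD, Tactic.REDUCE_IMPACT]),
    Risk("Third-party outage", "business interruption", 4, 3, [Tactic.SHARE]),
    Risk("Workplace violence", "physical injury", 1, 5, needs_crisis_plan=True),
    Risk("Unpatched legacy app", "information security", 4, 4, [Tactic.ACCEPT]),
]
SAMPLE_KRI = KRI("critical findings open > 30 days", escalate_at=5,
                 compensate_at=10, reevaluate_at=20)

if __name__ == "__main__":
    for name, inh, res, reasons in prioritize(SAMPLE_RISKS):
        print(f"{name:24s} inherent={inh:2d} residual={res:2d} {reasons}")
    print(SAMPLE_KRI.indicator, "= 12 ->", kri_actions(SAMPLE_KRI, 12))
```

Note that the accepted legacy application and the well-controlled breach risk both remain key risks, the latter purely because it is inherently high, which is the situation A3 principle 01 and failure 02 warn about.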

A3 RISK OPTIMIZATION
A3.5 DEVELOP RISK OPTIMIZATION PLAN

Develop an implementation and management plan for optimizing activities.
Core Sub-practices

A3.5.01
Identify opportunities to consolidate risk-optimizing activities into fewer actions.

A3.5.02
Identify opportunities to embed risk-optimizing activities into business processes.

A3.5.03
Identify opportunities to leverage existing programs, projects, processes, and resources (people, budgets, and technology) before creating new structures.

A3.5.04
Define initiatives that address related risk optimizing activities in a coordinated fashion.

A3.5.05
Establish a timeline to implement each initiative.

A3.5.06
Assign accountability for each initiative and for monitoring events that may require changes to initiatives.

A3.5.07
Obtain approval for each initiative.

P PREVENT & PROMOTE

Promote and motivate desirable conduct, and prevent undesirable events and activities, using a mix of controls and incentives.

P1 Codes of Conduct
P1.1 Develop the Code of Conduct
P1.2 Implement and Manage the Code of Conduct
P1.3 Develop and Implement Ethical Decision-Making Guidelines

P2 Policies
P2.1 Establish Policy Structure
P2.2 Develop Policies
P2.3 Implement and Manage Policies

P3 Preventive Controls
P3.1 Establish Preventive Process Controls
P3.2 Establish Preventive Human Capital Controls
P3.3 Establish Preventive Technology Controls
P3.4 Establish Preventive Physical Controls

P4 Awareness & Education
P4.1 Define an Awareness and Education Plan
P4.2 Define a Curriculum Plan
P4.3 Develop or Acquire Content
P4.4 Implement Education
P4.5 Provide Helpline
P4.6 Provide Integrated Support

P5 Human Capital Incentives
P5.1 Foster Ethical Leadership
P5.2 Develop Incentive Based Evaluation and Promotion Decisions
P5.3 Develop Compensation Plans that Consider Conduct Expectations
P5.4 Develop Reward Programs

P6 Risk Financing/Insurance
P6.1 Assess Risk Financing Need and Options
P6.2 Set Risk Financing Objectives
P6.3 Design Risk Financing Strategy
P6.4 Implement Risk Financing Strategy

P7 Stakeholder Relations & Requirements
P7.1 Understand Stakeholders
P7.2 Develop Stakeholder Relations Plans
P7.3 Identify and Track Activity by Requirement Issuing Authorities
P7.4 Comment on Planned or Proposed Items
P7.5 Propose Mandates, Standards or Guidance

P1 CODES OF CONDUCT

Implement a code or codes of conduct and ethical decision guidelines for the Board, the workforce and the extended enterprise.

Principles
01 It is critical to have in place all codes of conduct mandated for specific positions or purposes.
02 Using the code development process to mold champions and secure commitment and buy-in can help to drive its acceptance and strengthen the overall GRC system.
03 There is an opportunity to include decision guidelines so people can act responsibly and with integrity when the code, policies or applicable law are not specific.
04 Expecting internal stakeholders and the extended enterprise to perform according to the code is only reasonable if the Board and senior management have committed to live by and model the code.

Common Sources Of Failure
01 Not drafting the code in language (both type and level) appropriate to its audience
02 Not communicating the code to all who are expected to abide by it
03 Not documenting receipt of the code
04 Not measuring understanding of the code's content
05 Not adapting the code for local culture, norms, and needs
06 Not addressing key ethical risks in addition to compliance-driven content

Guidelines and Practices
P1.1 Develop the Code of Conduct
P1.2 Implement and Manage the Code of Conduct
P1.3 Develop and Implement Ethical Decision-Making Guidelines

P7.5 Propose Mandates, Standards or Guidance

P1 CODES OF CONDUCT

Implement a code or codes of conduct and ethical decision guidelines for the Board, the workforce and the extended enterprise.

Principles

01 It is critical to have in place all codes of conduct mandated for specific positions or purposes.
02 Using the code development process to mold champions and secure commitment and buy-in can help to drive its acceptance and strengthen the overall GRC system.
03 There is an opportunity to include decision guidelines so people can act responsibly and with integrity when the code, policies or applicable law are not specific.
04 Expecting internal stakeholders and the extended enterprise to perform according to the code is only reasonable if the Board and senior management have committed to live by and model the code.

Common Sources Of Failure

01 Not drafting the code in language (both type and level) appropriate to its audience
02 Not communicating the code to all who are expected to abide by it
03 Not documenting receipt of the code
04 Not measuring understanding of the code's content
05 Not adapting the code for local culture, norms, and needs
06 Not addressing key ethical risks in addition to compliance-driven content

Guidelines and Practices

P1.1 Develop the Code of Conduct
P1.2 Implement and Manage the Code of Conduct
P1.3 Develop and Implement Ethical Decision-Making Guidelines

Key Deliverables

Reports: Findings and Recommendations Report
Statements of Position: Code of Conduct, Ethical Decisions Guidelines

Enabling Technology Components

Technology Arenas: Business Process Management (BPM), Corporate Governance (CG), Enterprise Content Management (ECM), Security Management (SM)
Business Applications: Documents & Records Management (DRM), Email Management (EM), Employee Evaluations & Surveys (EES), Policy & Procedure Management (P&P), Supply Chain & Procurement Management (SCM)
GRC Core Applications: Controls Management & Monitoring (CMM), Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Ethical Practices/Corporate Integrity (ECI), Global Trade Compliance (GTC)/International Dealings, Helpline, Hotline/Whistleblower, Information Privacy Management (IPM), Operational Risk Management (ORM), Risk Analytics (RA)
Infrastructure: Business Continuity Management (BCM), Configuration and Change Management (CCM), Identity and Access Management (IAM), Physical Security (PS), Retention & Storage Management (RSM)

P1 CODES OF CONDUCT
P1.1 DEVELOP THE CODE OF CONDUCT

Work with appropriate stakeholders to develop a code of conduct that addresses the organizational mission, vision, values, key policies and expected business conduct.

Core Sub-practices

P1.1.01
• Define a repeatable methodology for developing the code of conduct.

P1.1.02
• Develop the code of conduct with the participation of stakeholders representing various levels of authority within the organization.

P1.1.03
• Develop all codes of conduct required by legal or other mandates or one code that addresses all such requirements.

P1.1.04
• Identify stakeholders (including those whose behavior may affect the entity's integrity) who are target recipients of the code of conduct.

P1.1.05
• Establish procedures for globalization and localization of the code of conduct that consider local issues while preserving management's intended message.

P1.1.06
• Correlate the code of conduct to sources of requirements, principles, and values.

P1.1.07
• If there is more than one code of conduct, ensure consistency of language and intent between like content.

P1.1.08
• Have appropriate experts review the code of conduct and implementation approach for compliance with mandates.

P1.1.09
• Have relevant policy owners approve the code of conduct and implementation approach to confirm adherence to principles.

P1.1.10
• Prioritize the subjects addressed in the code of conduct based on risk analysis.

P1.1.11
• Include an endorsing statement from the Board and senior management.

P1.1.12
• Address the goals and philosophy of the code of conduct and how they align with the overall mission, vision, and values of the organization.

P1.1.13
• At a minimum, provide for the code of conduct to address:

  • compliance with all applicable laws and regulations,
  • conflicts of interest,
  • proper use of organizational property, information and opportunities,
  • fair treatment in business dealings,
  • transparency, timeliness and accuracy of public disclosures and regulatory reporting,
  • prompt internal reporting of violations,
  • accountability for adherence to the code provisions,
  • substance abuse,
  • political contributions and activities,
  • the importance of ethical values and principles in decision making,
  • the importance of asking questions and raising issues when concerns exist,
  • how to report misconduct,
  • how to report incidents and ask questions, and
  • a guarantee of non-retaliation for reporting incidents.

P1.1.14
• Define a procedure to waive and depart from the code of conduct.

P1 CODES OF CONDUCT
P1.2 IMPLEMENT AND MANAGE THE CODE OF CONDUCT

Distribute and manage a code of conduct to ensure that all relevant stakeholders receive the code of conduct, certify that they will follow it, that the practices and principles are honored, observed, and enforced, and that it continues to be relevant.

Core Sub-practices

P1.2.01
• Develop a launch plan to distribute the code of conduct.

P1.2.02
• Before implementing the code of conduct, train help desk personnel and others who are designated to answer questions about the content of the code of conduct.

P1.2.03
• Distribute the code of conduct to all targeted stakeholders.

P1.2.04
• Confirm that targeted stakeholders received the code of conduct.

P1.2.05
• Design and deliver training and communication for continual reinforcement of the code of conduct.

P1.2.06
• Ensure that the code of conduct is disclosed to the public and available to external stakeholders (e.g., post on the internet).

P1.2.07
• Disclose, report or file the code of conduct as required by legal mandates.

P1.2.08
• Periodically re-evaluate and define events that trigger re-evaluation of the code of conduct, including changes in laws, operating conditions and policies.

P1.2.09
• Define a methodology for the periodic review and modification of the code of conduct, including identification of specific personnel to monitor legal factors and internal factors that may necessitate modifications.

P1.2.10
• Include code of conduct related criteria in standard individual performance evaluation criteria.

P1.2.11
• Determine the scope of code of conduct application in the extended enterprise.

P1.2.12
• Be prepared to produce evidence of knowledge or awareness, support and understanding of the code of conduct.

P1.2.13
• Ensure that critical stakeholders understand the code of conduct (via some form of assessment, certification, communication, and/or training).

P1.2.14
• Make adherence to the code of conduct, or to a similar code, a condition of doing business for key suppliers and other partners.

P1 CODES OF CONDUCT
P1.3 DEVELOP AND IMPLEMENT ETHICAL DECISION-MAKING GUIDELINES

Work with appropriate stakeholders to develop and implement guidelines on how to choose a course of action consistent with the organization's mission, vision, values, key policies and expected business conduct when the circumstances are not explicitly covered by the code of conduct, policies, or procedures.

Core Sub-practices

P1.3.01
• Develop the ethical decision guidelines with participation of stakeholders representing various levels of authority within the organization.

P1.3.02
• Develop the ethical decision guidelines with participation of stakeholders representing a variety of the cultures (sub-cultures) that exist across the organization.

P1.3.03
• Identify the ethical and cultural factors to be considered in reaching a decision about a course of conduct, including:
  - congruence with the organization's mission, vision and values;
  - compliance with the organization's requirements;
  - consideration of all relevant viewpoints;
  - completeness of all facts needed to reach a decision;
  - consistency with prior organization behavior and anticipated future decisions under analogous circumstances;
  - comfort with others broadly knowing which individual made the decision;
  - consideration of likely implications to and reactions of stakeholders, influencers or the public; and
  - criticism is anticipated and preempted through clear and cogent explanation.

P1.3.04
• Include an endorsing statement from the Board and senior management.

P1.3.05
• Make the ethical decision guidelines accessible to the workforce and the extended enterprise together with any supplemental resources and information on how to engage someone for further guidance.

P1.3.06
• Provide awareness and education on how to obtain, apply and secure additional guidance in connection with the ethical decision guidelines simultaneously and consistent with communications and education on code(s) of conduct, policies, and procedures.

P1.3.07
• Establish procedures for globalization and localization of the ethical decision-making guidelines that consider local issues and language needs while preserving management's intended decision factors.

P2 POLICIES

Develop, implement and manage policies which address risks and requirements.

Principles

01 The policy development process can mold champions and secure buy-in.
02 Policies can both prohibit certain conduct and promote desired behavior.
03 Ethical decision guidelines help people decide what to do in the absence of an explicit policy or procedure.
04 Having evidence that formal policies are communicated and enforced protects the organization when violations occur.

Common Sources Of Failure

01 Not formalizing or documenting policies and assuring they are known and accessible to employees (i.e., allowing "secret policies" that are only uncovered once violated)
02 Not establishing a plan for implementing policies, so they just "sit on the shelf"
03 Not synchronizing all copies with authoritative "master" policies
04 Not ensuring that policies neither "under-control" nor "over-control" risks
05 Not sufficiently communicating or training about new, current, and revised policies
06 Not periodically reviewing and revising policies
07 Not auditing for compliance with policies

Guidelines and Practices

P2.1 Establish Policy Structure
P2.2 Develop Policies
P2.3 Implement and Manage Policies

Key Deliverables

Matrices: Policies and Related Procedures Matrix

Enabling Technology Components

Technology Arenas: Enterprise Content Management (ECM), Security Management (SM)
Business Applications: Documents & Records Management (DRM), Learning & Training Management (LTM), Policy & Procedure Management (P&P), Supply Chain & Procurement Management (SCM)
GRC Core Applications: Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Environmental Monitoring & Reporting (EMR), Global Trade Compliance (GTC)/International Dealings, Helpline, Hotline/Whistleblower, Information Privacy Management (IPM), Information Technology Risk & Compliance (ITRC) Management, Insurance & Claims Management (ICM), Legal Matter Management (LMM), Operational Risk Management (ORM), Reporting/eFiling (REF), Risk Analytics (RA)
Infrastructure: Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR), Enterprise Architecture Standards (EAS), Identity and Access Management (IAM), Information Technology Operations (ITO) Management, Retention & Storage Management (RSM)

P2 POLICIES
P2.1 ESTABLISH POLICY STRUCTURE

Establish an organizing structure for identifying and creating policies that support the GRC system.

Core Sub-practices

P2.1.01
• Develop a list of policies required by applicable mandates, standards, and voluntary commitments.

P2.1.02
• Develop a list of desired policies based on internal decisions.

P2.1.03
• Develop a list of existing policies.

P2.1.04
• Determine redundancies and overlaps in existing policies.

P2.1.05
• Conduct gap analysis against existing policies.

P2.1.06
• Establish a methodology to update the policy needs analysis.

P2 POLICIES
P2.2 DEVELOP POLICIES

Develop a mix of preventative and directive policies to address requirements, risks, and other program objectives.

Core Sub-practices

P2.2.01
• Ensure that only individuals with appropriate authority issue and modify policies.

P2.2.02
• Define the objective of each policy.

P2.2.03
• Define the target audience for each policy.

P2.2.04
• Have appropriate experts approve policies that must satisfy mandates.

P2.2.05
• Understand business model elements that are affected by each policy.

P2.2.06
• Define when to review, revisit, modify, or expire each policy.

P2.2.07
• Define resources needed for roll-out/implementation/enforcement of each policy.

P2.2.08
• Determine which policies to impose through the extended enterprise or to require partners to address directly.

P2.2.09
• Translate or localize policies when determined to be necessary.

P2.2.10
• Map or identify interrelated or dependent policies so that management may understand how changing one may affect another.

P2.2.11
• Design templates for various types of policies.

P2 POLICIES
P2.3 IMPLEMENT AND MANAGE POLICIES

Implement, communicate, and manage policies to ensure that they operate and continue to be relevant.

Core Sub-practices

P2.3.01
• Determine how to make each policy available to each target audience.

P2.3.02
• Determine whether training or testing of the target audience is required for each policy.

P2.3.03
• Deliver policies to target audiences.

P2.3.04
• Confirm and document target audience receipt of policies.

P2.3.05
• Define what awareness, education, and support practices should be in place for each policy and each target audience.

P2.3.06
• Define methods for assessing knowledge of the existence and understanding of each policy by target audiences.

P2.3.07
• Define a procedure to notify the help desk of any additions, modifications, or expiration of policies.

P2.3.08
• Establish a method to periodically assess the effectiveness of each policy in meeting the requirement or objective it is meant to address.

P3 PREVENTIVE CONTROLS

Establish process, human capital, technology and physical control activities to prevent and/or reduce the likelihood and impact of adverse events and misconduct.

Principles

01 Required procedures should apply throughout the extended enterprise as necessary to address risk.
02 Established procedures should go beyond those that are mandated, to include additional procedures that enable the organization to meet business objectives.
03 Physical safety of the workforce and other stakeholders, including the surrounding community, is paramount.
04 The organization should use physical controls to guard critical assets or to reduce the likelihood that loss will occur.
05 The organization should design technology controls in such a way that unauthorized human intervention is not possible.
06 The organization should identify the common points of failure in processes and controls and address them through common technology approaches wherever possible.
07 Employing ethical people in key GRC roles is essential to success of the GRC system.
08 Removing the opportunity for self-dealing or conflict of interest will reduce instances of noncompliance or criminal activity that require management actions.

Common Sources Of Failure

01 Not adapting controls to address mandates of different jurisdictions
02 Not being able to identify or track out-of-date, inaccurate, conflicting and inconsistent controls
03 Not ensuring that procedures, technology and physical controls neither "under-control" nor "over-control" risks
04 Not communicating and training about established procedures for high risk areas and those for which employees have direct responsibility, such as physical security of data contained in laptops, paper files, or other storage within the employees' control
05 Not establishing procedures simply because a formal policy is not required
06 Not developing controls to address key risks unless they are legally mandated
07 Not allocating sufficient resources to provide effective technology and physical controls
08 Not field testing adequately to identify weaknesses in technology and physical controls (drills)
09 Not identifying events which could be prevented or mitigated with physical controls
10 Not identifying ways that a preventive control can be violated, circumvented or manipulated
11 Not coordinating technology control selection throughout the enterprise or across risk areas
12 Not informing the workforce about the implementation of human capital controls
13 Not applying controls consistently and not making the reason for any exceptions clear to those subject to the controls

Guidelines and Practices

P3.1 Establish Preventive Process Controls
P3.2 Establish Preventive Human Capital Controls
P3.3 Establish Preventive Technology Controls
P3.4 Establish Preventive Physical Controls

Key Deliverables

Authorizations: External Authorizations, Segregation of Duties
Descriptions: Role / Job Descriptions, GRC Technology Data Model Descriptions
Matrices: Policies and Related Procedures Matrix, Prioritized Risk Matrix, Risk / Control Matrix
Plans: Risk Optimization Plan
Reports: Findings and Recommendations Report

Enabling Technology Components

Technology Arenas: Business Process Management (BPM), Enterprise Content Management (ECM), Enterprise Resource Management (ER), Enterprise Risk Management (ERM), Security Management (SM)
Business Applications: Brand & Reputation Management (BRM), Business Activity Monitoring (BAM), Business Rules (BR) Engines, Contract Management (CM), Documents & Records Management (DRM), Email Management (EM), Legal Entity Management (LEM), Policy & Procedure Management (P&P), Quality Management & Monitoring (QMM), Supply Chain & Procurement Management (SCM), Transaction Management (TM)
GRC Core Applications: Accountability/Responsibility Management (ARM), Controls Management & Monitoring (CMM), Corporate Social Responsibility (CSR), Crisis Management (CMT), Environmental, Health & Safety (EH&S) Management, Finance & Treasury Risk (FTR) Management, Fraud Detection & Prevention (FDP), Geo-Political Risk (GPR) Management, Global Trade Compliance (GTC)/International Dealings, Information Privacy Management (IPM), Information Technology Risk & Compliance (ITRC) Management, Insurance & Claims Management (ICM), Operational Assurance & Audit (OAA), Risk Analytics (RA), Transaction Monitoring (TRM)
Infrastructure: Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR), Enterprise Architecture Standards (EAS), Identity and Access Management (IAM), Information Technology Operations (ITO) Management, Physical Security (PS), Retention & Storage Management (RSM)

P3 PREVENTIVE CONTROLS
P3.1 ESTABLISH PREVENTIVE PROCESS CONTROLS

Establish preventive process control activities and procedures to reduce the likelihood and/or impact of adverse events, noncompliance and misconduct.
Core Sub-practices

P3.1.01
• Establish preventive process control activities that are required under mandates or voluntary commitments including:
  • Approvals
  • Authorizations
  • Pre-Submission Reviews
  • Quality Reviews

P3.1.02
• For each preventive process control activity:
  • Define who will perform the activity
  • Define when and how often the activity will be performed
  • Identify individuals with appropriate authority to modify or override preventive process control activities

P3.1.03
• For each preventive process control activity, establish appropriate awareness, education, and support for responsible personnel.

P3.1.04
• Determine the need to assess or certify responsible personnel to ensure that they are able to perform preventive process control activities.

P3.1.05
• Establish a method to periodically assess the effectiveness of each preventive process control activity.

P3.1.06
• For each procedure, define a testing approach and related monitoring activities to ensure that the procedure is operating effectively within defined tolerances.

P3.1.07
• Define procedures and accountability for exceptions to preventive process control activities.

P3.1.08
• Determine which preventive process control activities should be established throughout the extended enterprise.

P3.1.09
• Establish procedures to manage changes to preventive process control activities including:
  • Notifying help desk of any change to a procedure
  • Updating related awareness and education module
  • Updating related skill assessments and certifications
  • Maintaining revision history

P3.1.10
• Update the prioritized risk matrix to reflect:
  • implemented preventive process controls,
  • revised current residual risk analysis, and
  • performance against planned residual risk.

P3 PREVENTIVE CONTROLS
P3.2 ESTABLISH PREVENTIVE HUMAN CAPITAL CONTROLS

Establish preventive human capital controls to reduce the likelihood and/or impact of adverse events, noncompliance and misconduct.
Core Sub-practices

P3.2.01
• Define job/role descriptions for all key roles.

P3.2.02
• Define which duties should be segregated to prevent conflicts of interest.

P3.2.03
• Confirm that individuals understand that a particular responsibility is segregated from another.

P3.2.04
• Incorporate GRC expectations into appropriate job/role descriptions as determined during assignment of accountability for GRC responsibilities.

P3.2.05
• Define a methodology to check the backgrounds of employees, executives and personnel being hired or promoted into positions of substantial authority and to evaluate their past conduct, including:
  • determinations of any history of violations of the law or unethical conduct,
  • how recently any violations or instances of unethical conduct have occurred,
  • how any violations or conduct are related to the area of concern for the proposed position of authority,
  • any patterns of violations or unethical conduct,
  • any conflicts of interest, and
  • compatibility of personal values with organizational values.

P3.2.06
• Obtain approval from legal counsel (employment) regarding the background check methodology and criteria.

P3.2.07
• Conduct background checks for individuals hired, promoted, or transferred into roles with substantial authority and document the result of background checks for candidates in the employment file.

P3.2.08
• Document consent to background check by each candidate.

P3.2.09
• Consistently use interviewing checklists that probe for indicators of behavior consistent with entity values/principles, as well as ethical and unethical behavior and decision-making.

P3.2.10
• Augment or revise the prioritized risk matrix and risk optimization plan to reflect:
  • implemented human capital controls,
  • revised current residual risk analysis, and
  • performance against planned residual risk.

P3 PREVENTIVE CONTROLS
P3.3 ESTABLISH PREVENTIVE TECHNOLOGY CONTROLS

Establish preventive technology controls to reduce the likelihood and/or impact of adverse events, noncompliance and misconduct.
Core Sub-practices

P3.3.01
• Create a common vocabulary to describe the types of technology controls.

P3.3.02
• Establish preventive technology controls including:
  • Application access controls which limit access to systems, applications and information repositories
  • Physical access controls which limit access to physical technology components such as networks, servers and workstations
  • Configuration controls which prevent or restrict changes to hardware, system and application configurations
  • Master data controls which prevent or restrict changes to information stored in data sources

P3.3.03
• Update the prioritized risk matrix and risk optimization plan to reflect:
  • implemented preventive technology controls,
  • revised current residual risk analysis, and
  • performance against planned residual risk.

P3 PREVENTIVE CONTROLS
P3.4 ESTABLISH PREVENTIVE PHYSICAL CONTROLS

Establish preventive physical controls to reduce the likelihood and/or impact of adverse events, noncompliance and misconduct.
Core Sub-practices

P3.4.01
• Establish preventive physical controls to meet mandated requirements.

P3.4.02
• Establish preventive physical controls to protect human health and safety.

P3.4.03
• Establish preventive physical controls to protect environmental conditions.

P3.4.04
• Establish preventive physical controls to protect key physical assets including facilities and equipment.

P3.4.05
• Establish preventive physical controls to protect key information assets, including security of laptops, jump drives and other data storage devices used by employees.

P3.4.06
• Update the prioritized risk matrix and risk optimization plan to reflect:
  • implemented preventive physical controls,
  • revised current residual risk analysis, and
  • performance against planned residual risk.
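As an added example (not part of the Red Book or of any OCEG tooling), the following Python sketch models the Risk / Control Matrix and the prioritized risk matrix updates that P3.1.10, P3.2.10, P3.3.03 and P3.4.06 all call for: it records each preventive control with who performs it and who may override it (P3.1.02), applies a segregation-of-duties check (P3.2.02), recomputes current residual risk from the controls actually implemented, and reports performance against planned residual risk. The roles, control names, 1-to-5 rating scale and reduction factors are assumptions made for illustration.

```python
"""Constructed example of a Risk / Control Matrix as described in P3.
It records preventive controls (who performs them, who may override them,
whether they are implemented), recomputes the current residual risk, checks
segregation of duties, and reports performance against planned residual risk.
All risks, controls, roles and rating factors below are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Control:
    cid: str
    kind: str                   # process | human_capital | technology | physical
    performed_by: str           # role that performs the control (P3.1.02)
    override_roles: List[str]   # roles with authority to modify or override it
    likelihood_factor: float    # multiplier on likelihood when implemented (0..1)
    impact_factor: float        # multiplier on impact when implemented (0..1)
    implemented: bool = False


@dataclass
class Risk:
    rid: str
    inherent_likelihood: int    # 1 (rare) .. 5 (almost certain)
    inherent_impact: int        # 1 (minor) .. 5 (severe)
    planned_residual: float     # target score from the risk optimization plan
    controls: List[Control] = field(default_factory=list)

    def residual(self) -> float:
        """Current residual score: only implemented controls reduce risk."""
        likelihood = float(self.inherent_likelihood)
        impact = float(self.inherent_impact)
        for c in self.controls:
            if c.implemented:
                likelihood *= c.likelihood_factor
                impact *= c.impact_factor
        return round(likelihood * impact, 2)


def sod_violations(controls: List[Control],
                   conflicting_duties: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Segregation-of-duties check (P3.2.02): a role must not both perform a
    control and be allowed to override it, and two duties declared as
    conflicting must not be performed by the same role."""
    found = []
    for c in controls:
        if c.performed_by in c.override_roles:
            found.append((c.cid, c.performed_by, "performs and overrides"))
    duties_by_role: Dict[str, set] = {}
    for c in controls:
        duties_by_role.setdefault(c.performed_by, set()).add(c.cid)
    for a, b in conflicting_duties:
        for role, duties in duties_by_role.items():
            if a in duties and b in duties:
                found.append((role, a, f"conflicts with {b}"))
    return found


def performance_report(risks: List[Risk]) -> Dict[str, dict]:
    """Performance against planned residual risk (P3.1.10 / P3.4.06)."""
    report = {}
    for r in risks:
        current = r.residual()
        report[r.rid] = {
            "inherent": r.inherent_likelihood * r.inherent_impact,
            "residual": current,
            "planned": r.planned_residual,
            "status": "on plan" if current <= r.planned_residual else "gap",
        }
    return report


# Constructed sample data (hypothetical roles, controls and ratings).
APPROVAL = Control("C1-approval", "process", "finance_manager", ["cfo"], 0.5, 1.0, True)
INITIATE = Control("C2-initiate", "process", "finance_manager", ["cfo"], 0.8, 1.0, True)
APP_ACCESS = Control("C3-app-access", "technology", "it_admin", ["it_admin"], 0.6, 1.0, True)
MASTER_DATA = Control("C4-master-data", "technology", "data_steward", ["cfo"], 1.0, 0.5, False)
CONTROLS = [APPROVAL, INITIATE, APP_ACCESS, MASTER_DATA]
CONFLICTS = [("C1-approval", "C2-initiate")]   # approving vs. initiating a payment
RISKS = [
    Risk("R1-unauthorized-payment", 4, 5, 6.0, [APPROVAL, INITIATE, APP_ACCESS]),
    Risk("R2-master-data-tampering", 3, 4, 6.0, [APP_ACCESS, MASTER_DATA]),
]

if __name__ == "__main__":
    for cid, who, why in sod_violations(CONTROLS, CONFLICTS):
        print(f"SoD violation: {cid} / {who}: {why}")
    for rid, row in performance_report(RISKS).items():
        print(rid, row)
```

R2 shows the unimplemented-control case: the master data control is in the matrix but not yet implemented, so it does not reduce the residual score and the risk is reported as a gap against plan.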

P4 AWARENESS & EDUCATION

P4
Educate the Board, management, the workforce and the extended enterprise about expected conduct and increase the skills and motivation needed to help the organization achieve Principled Performance.

Principles

01 Awareness, education and ongoing support enable individuals to:
  • know what is expected,
  • reduce the likelihood of errors and criminal behavior, and
  • be comfortable about reporting misconduct or GRC system flaws.
02 A strong education program is not a one-time effort; it requires repeated, consistent messaging in language that the target audiences understand.
03 Qualified professionals should design and deliver education.
04 The ability to seek guidance, including anonymous requests for guidance, prior to or at decision-making time, is critical in an effective GRC system.
05 Questions can be a source of information that will enable GRC system improvements or identification of inappropriate conduct.

Common Sources Of Failure

01 Not matching the rigor of the messaging or education structure to the nature of the risk or significance of the underlying objective
02 Not keeping content current, fresh and relevant
03 Not establishing curriculum that is tied to knowledge requirements of specific roles
04 Not providing access to education and other supporting information at the right "points of need"
05 Not offering multiple paths to ask questions and obtain guidance, allowing for anonymity when appropriate
06 Not obtaining evidence of completion and understanding of curriculum

Guidelines and Practices

P4.1 Define an Awareness and Education Plan
P4.2 Define a Curriculum Plan
P4.3 Develop or Acquire Content
P4.4 Implement Education
P4.5 Provide Helpline
P4.6 Provide Integrated Support
Key Deliverables

Descriptions: Helpline FAQ Descriptions
Matrices: Prioritized Risk Matrix
Plans: Awareness and Education Plan, Risk Optimization Plan
Reports: Findings and Recommendations Report

Enabling Technology Components

Technology Arenas: Business Process Management (BPM), Corporate Governance (CG), Enterprise Content Management (ECM), Enterprise Resource Management (ER), Enterprise Risk Management (ERM), Human Resources Management (HRM)
Business Applications: Brand & Reputation Management (BRM), Collaboration/Knowledge Management (KM), Documents & Records Management (DRM), Learning & Training Management (LTM), Policy & Procedure Management (P&P)
GRC Core Applications: Corporate Compliance (CC), Corporate Social Responsibility (CSR), Crisis Management (CMT), Environmental, Health & Safety (EH&S) Management, Environmental Monitoring & Reporting (EMR), Ethical Practices/Corporate Integrity (ECI), Geo-Political Risk (GPR) Management, Global Trade Compliance (GTC)/International Dealings, Helpline, Hotline/Whistleblower, Information Privacy Management (IPM), Legal Matter Management (LMM), News Feeds (GRC Intelligence), Operational Risk Management (ORM)
Infrastructure: Retention & Storage Management (RSM)

P4 AWARENESS & EDUCATION

P4.1 DEFINE AN AWARENESS AND EDUCATION PLAN

Develop a plan to inform and educate the Board, management, the workforce and the extended enterprise about their GRC responsibilities and expected conduct.
Core Sub-practices

P4.1.01
• Define a plan to make each target population generally aware of the GRC system and their responsibilities and expected conduct and as part of the plan:
  • consider scope of awareness required in extended enterprise,
  • consider the existing level of skill when designing plan,
  • categorize content – general awareness versus specific, in-depth training,
  • ensure people only get training relevant to their function/position, and
  • ensure the approach to education considers cultural differences, generational differences, and learning style differences in the target populations.

P4.1.02
• Develop materials describing the primary elements of the GRC system including the underlying mission, vision, and values of the organization.

P4.1.03
• Determine which target audiences require more specific education about particular aspects of the GRC system or about specific policies and procedures.

P4 AWARENESS & EDUCATION

P4.2 DEFINE A CURRICULUM PLAN

Develop a job specific curriculum and appropriate training program for the Board, senior management, the workforce and the extended enterprise to fulfill their GRC responsibilities.
Core Sub-practices

P4.2.01
• Identify legally required education courses including:
  • who must be trained,
  • what the content must cover,
  • how much time must be devoted to the course and how it will be measured, and
  • what methods may be used.

P4.2.02
• For each course that contains legal and/or policy content, map the objective to specific legal and/or policy requirements.

P4.2.03
• Define the competence required of specific roles and positions.

P4.2.04
• Map the series of required and desired courses for each role and position.

P4.2.05
• Conduct a needs assessment that identifies high risk and mandatory training needs, and develop a training plan for each job or job family that details:
  • learning objectives,
  • training modules,
  • target duration of training module,
  • timeline for conducting training,
  • timeline and method(s) for assessing knowledge and/or skill, and
  • frequency for each course, including any "refresh" courses.

P4.2.06
• Define the timeframe for training newly hired, promoted, or transferred individuals for their new roles.

P4.2.07
• For each learning object, select appropriate training mode, media, and synchronicity based on:
  • current skill level of the target audience,
  • target skill level of the target audience,
  • total population size and geographic distribution of the audience, and
  • existing resources and technical capability to deliver training.

P4 AWARENESS & EDUCATION

P4.3 DEVELOP OR ACQUIRE CONTENT

Develop or acquire content that does not exist in the curriculum or education plan and modify any content that needs updating in current learning objects.
Core Sub-practices

P4.3.01
• Inventory all standardized awareness messages, capturing critical information on each and compare to desired communications in awareness and education plan.

P4.3.02
• Inventory all live, online, and self-paced courses and related training vendors, capturing critical information on each and compare to desired courses in master curriculum.

P4.3.03
• Prepare content development plan to fill gaps in inventory.

P4.3.04
• Use qualified individuals to develop training modules including, as appropriate, learning professionals and subject matter experts with relevant training and experience.

P4.3.05
• Tailor content to an understanding of the target audience's general ability and readiness to learn.

P4 AWARENESS & EDUCATION

P4.4 IMPLEMENT EDUCATION

Implement and manage the education program to ensure that each target audience achieves learning objectives and can transfer knowledge and skills to their jobs.
Core Sub-practices

P4.4.01
• Integrate GRC training into existing job training wherever possible.

P4.4.02
• Use appropriate technology to develop, deliver, and measure education and awareness.

P4.4.03
• Prepare helpdesk to support questions regarding training access and content.

P4.4.04
• Distribute communications and deliver courses in accordance with plan to target audiences.

P4.4.05
• Deliver training to potential and newly promoted leaders about:
  • responsible decision making,
  • how integrity and responsible business conduct tie in with organizational objectives, and
  • how to communicate about integrity and its impact on organizational performance.

P4.4.06
• Deliver training for all employees about responsible decision-making.

P4.4.07
• Confirm that training was delivered/attended and completed.

P4.4.08
• Assess knowledge, competency, and skills when required and for training that addresses significant risks.

P4.4.09
• Measure training progress against training plan.

P4.4.10
• Augment or revise the prioritized risk matrix and risk optimization plan to reflect:
  • implemented awareness and education initiatives,
  • revised current residual risk analysis, and
  • performance against planned residual risk.

P4 AWARENESS & EDUCATION

P4.5 PROVIDE HELPLINE

Establish ways for the workforce and other stakeholders to seek guidance about future conduct and ask general questions about GRC responsibilities, including the option for anonymity in locations where that is required or allowed.
Core Sub-practices

P4.5.01
• Define the helpline approach and policy, including the preference for posing questions to a supervisor (or other internal route) first or to the helpline first (this may differ based on type of issue).

P4.5.02
• Define whether helpline (for questions) and hotline (for reporting concerns) are combined or separate.

P4.5.03
• Determine whether a caller must or may remain anonymous or be assured of confidentiality, which in some circumstances may create an atmosphere of greater trust and openness.

P4.5.04
• Establish a process to determine if a question is driven by observations of (or belief that there has been) noncompliance or undesirable conduct, including:
  • if concerns or allegations about noncompliance or misconduct are expressed either directly or after probing about the reason for a question, determine if the allegations or concerns are specific and credible enough to act on,
  • obtain as much information as possible to assist in the process of categorizing the issue within established investigation tiers, and
  • after gaining basic information, redirect to hotline process if an issue has been identified that constitutes a report.

P4.5.05
• Provide helpline personnel with a list of frequently asked questions and answers.

P4.5.06
• Staff the helpline with personnel who are well trained to respond to, or seek assistance to answer, a variety of anticipated inquiries related to the GRC system and requirements.

P4.5.07
• Establish a method to log questions and responses, indicating final resolution.

P4 AWARENESS & EDUCATION

P4.6 PROVIDE INTEGRATED SUPPORT

Establish ways for the workforce to get questions about GRC requirements answered within their usual work environment.
Core Sub-practices

P4.6.01
• Ensure that supervisors and GRC system personnel embedded in the business can answer questions about authority, responsibilities, and issues related to compliance, ethics, and undertaking risks.

P4.6.02
• Inform employees about who is available within their work location to answer questions about authority, responsibilities, and issues related to compliance, ethics and undertaking risks.

P4.6.03
• Develop and make available "self help" materials that employees and other agents can use to answer questions without requiring human interaction.

P4.6.04
• Provide self-service resources (electronic or otherwise) to help individuals answer their questions.

P5 HUMAN CAPITAL INCENTIVES

P5
Implement human capital incentives that reward and motivate desired conduct.

Principles

01 Incentives can be as important as preventive controls in driving desired conduct.
02 A mix of incentives and preventive controls will reduce the instances of noncompliance or criminal activity that require management actions.
03 When management makes leadership choices, it should consider whether people view the individual as a role model.
04 Application of values in observable business conduct should be measurable and measured.

Common Sources Of Failure

01 Not establishing incentives that motivate the desired behavior
02 Not being consistent in providing rewards for desired conduct
03 Not convincing employees that management views integrity and responsible conduct as values that are equal in importance to strong financial performance
04 Not considering evidence of an individual's ethical conduct and consistency with organizational values in hiring/promotion/compensation decisions

Guidelines and Practices

P5.1 Foster Ethical Leadership
P5.2 Develop Incentive Based Evaluation and Promotion Decisions
P5.3 Develop Compensation Plans that Consider Conduct Expectations
P5.4 Develop Reward Programs

Key Deliverables

Matrices Prioritized Risk Matrix
Plans Risk Optimization Plan
Reports Findings and Recommendations Report

Enabling Technology Components

Technology Arenas Corporate Governance (CG), Enterprise Content Management (ECM), Enterprise Resource Management (ER), Enterprise Risk Management (ERM), Human Resources Management (HRM)
Business Applications Corporate Performance Management (CPM), Employee Evaluations & Surveys (EES), Policy & Procedure Management (P&P)
GRC Core Applications Accountability/Responsibility Management (ARM), Ethical Practices/Corporate Integrity (ECI), Fraud Detection & Prevention (FDP), Global Trade Compliance (GTC)/International Dealings, Helpline, Hotline/Whistleblower, Insurance & Claims Management (ICM)


P5 HUMAN CAPITAL INCENTIVES


P5.1 FOSTER ETHICAL LEADERSHIP

Foster and promote leadership that sets an appropriate "tone at the top" and models behavior
in both words and deeds.
Core Sub-practices

P5.1.01
l Consider ethical conduct when evaluating, promoting, and selecting leaders for GRC system responsibilities.

P5.1.02
l Deliver training to potential and newly-promoted leaders about:
• ethical decision-making,
• how ethics ties in with organizational objectives, and
• how to communicate ethics and its impact on organizational performance.

P5.1.03
l Define ethical leadership objectives, measures, targets, and initiatives in the strategic plan.

P5.1.04
l Identify and cultivate potential leaders to create a "leadership supply chain."

P5 HUMAN CAPITAL INCENTIVES
P5.2 DEVELOP INCENTIVE BASED EVALUATION AND PROMOTION DECISIONS

Conduct performance reviews at all levels of the organization that include criteria related to
GRC system performance - and use these same criteria for promoting individuals.
Core Sub-practices

P5.2.01
l Build ethical considerations into:
• job descriptions,
• hiring decisions,
• employee performance evaluation,
• promotion decisions,
• compensation and bonus decisions,
• termination criteria, and
• disciplinary actions.

P5.2.02
l Conduct performance evaluations for key jobs/roles with GRC-related duties.

P5.2.03
l Include GRC-related criteria in performance evaluations, including:
• understanding of values,
• incidents of ethical or alleged unethical conduct, and
• compliance responsibilities related to the position.

P5.2.04
l Consider ethical conduct as a positive factor (and unethical conduct as a negative factor) when evaluating and promoting
employees and when selecting leaders.

P5.2.05
l Define a promotion process that considers an individual's support for and achievement of GRC objectives.

P5 HUMAN CAPITAL INCENTIVES
P5.3 DEVELOP COMPENSATION PLANS THAT CONSIDER CONDUCT
EXPECTATIONS

Design compensation plans and bonus structures that align with desired conduct and do not
reward undesirable conduct.
Core Sub-practices

P5.3.01
l Develop compensation and bonus structures that include consideration and reward for compliance and ethical conduct in
any role.

P5.3.02
l Avoid compensation or bonus incentives that encourage misconduct in any role.

P5.3.03
l Analyze compensation and bonus plans for jobs/roles that relate to revenue generation or financial roles/responsibilities,
confirming that they do not induce noncompliant or unethical behavior.

P5.3.04
l Analyze compensation and bonus plans for key roles including roles with substantial authority confirming that they do not
induce noncompliant or unethical behavior.

P5.3.05
l Analyze discretionary budgets or allowances for all roles, confirming that they do not induce noncompliant or unethical
behavior.

P5 HUMAN CAPITAL INCENTIVES
P5.4 DEVELOP REWARD PROGRAMS

Establish a reward program for all employees and other stakeholders that recognizes individuals
and organizational units for exhibiting desired conduct.
Core Sub-practices

P5.4.01
l Develop awards and other incentives to reward model conduct and leadership.

P5.4.02
l Develop incentives that encourage reporting of misconduct or GRC system flaws.

P5.4.03
l Develop awards and other incentives to recognize organizational units and extended enterprise partners for exemplary
management of the GRC system or group conduct.

P5.4.04
l Develop awards and other incentives for suggestions that improve the GRC system.

P5.4.05
l Develop awards and other incentives for contributions by individuals or organizational or extended enterprise units that
result in reduced compliance failures, enforcement actions or other external challenges to the organization.

P5.4.06
l Augment and/or revise the prioritized risk matrix and, as needed, the risk optimization plan, to reflect:
• implemented human capital incentives,
• resulting current residual risk analysis, and
• performance against planned residual risk analysis.

P5.4.07
l Reward by at least acknowledging members of the workforce for the successful completion of on-the-job training and self-initiated continuous learning and improvement.

P6 RISK FINANCING/INSURANCE

Develop or acquire risk-sharing and financing instruments, including insurance, indemnifications, reserves, captives, and legal entities for appropriately reducing or removing the potential impact of risks.

Principles

01 Use financial methods such as indemnification, insurance, establishment of reserves, or creation of legal entities.
02 Finance risks simultaneously with consideration of internal controls, or choices about reduction or avoidance of risk.
03 Risk financing is typically helpful for low likelihood and high impact risks that, should they materialize, would require financial resources beyond the organization's means.

Common Sources Of Failure


01 Not appropriately weighing cost versus benefit of coverage (i.e., over-insure)
02 Not fulfilling all obligations needed to maintain financing arrangements
03 Not considering the financial resilience of other financing parties (e.g., obtaining insurance from an entity that
is not solvent)

Guidelines and Practices

P6.1 Assess Risk Financing Need and Options
P6.2 Set Risk Financing Objectives
P6.3 Design Risk Financing Strategy
P6.4 Implement Risk Financing Strategy

Key Deliverables

Matrices Prioritized Risk Matrix
Plans Risk Optimization Plan

Enabling Technology Components

Technology Arenas Enterprise Risk Management (ERM)
Business Applications Legal Entity Management (LEM), Loss Management (LM), Transaction Management (TM)
GRC Core Applications Crisis Management (CMT), Environmental, Health & Safety (EH&S) Management, Environmental Monitoring & Reporting (EMR), Finance & Treasury Risk (FTR) Management, Geo-Political Risk (GPR) Management, Insurance & Claims Management (ICM), Operational Assurance & Audit (OAA), Operational Risk Management (ORM), Risk Analytics (RA)
Infrastructure Physical Security (PS)


P6 RISK FINANCING/INSURANCE
P6.1 ASSESS RISK FINANCING NEED AND OPTIONS

Assess the need or desire for financing risk and the options available.
Core Sub-practices

P6.1.01
l Review risk assessment findings to determine which risks should be addressed solely by financing options.

P6.1.02
l Review residual risk after application of determined internal controls to identify risks that require financing as a backup for the applied controls.

P6.1.03
l Identify options for types of risk financing appropriate to each identified risk.

P6 RISK FINANCING/INSURANCE
P6.2 SET RISK FINANCING OBJECTIVES

Set the risk sharing objectives and limits for the given risk or portfolio of risk.
Core Sub-practices

P6.2.01
l Determine available options for particular risk sharing instruments or approaches.

P6.2.02
l Determine any mandates or policies that preclude use of a particular risk-sharing instrument or approach for particular
types of risks.

P6 RISK FINANCING/INSURANCE
P6.3 DESIGN RISK FINANCING STRATEGY

Design a portfolio of risk-sharing instruments and approaches.


Core Sub-practices

P6.3.01
l Select risks to be insured.

P6.3.02
l Select risks to be self-insured or subject to a captive insurance company.

P6.3.03
l Select risks to be contractually transferred.

P6.3.04
l Select risks to be transferred to other organizational structures (subsidiary, joint venture, LLP, LLC, etc.).

P6 RISK FINANCING/INSURANCE
P6.4 IMPLEMENT RISK FINANCING STRATEGY

Implement the risk sharing instruments or structures and acquire insurance.


Core Sub-practices

P6.4.01
l Construct indemnification, assignment, warranty or other contractual language that transfers or allocates risk to the other party to a contract.

P6.4.02
l Acquire insurance or establish self-insurance structures.

P6.4.03
l Define appropriate deductibles / retention levels.

P6.4.04
l Define appropriate limits / payouts.

P6.4.05
l Assign accountability for maintaining compliance with requirements of each approach.

P6.4.06
l Form organizational structures and transfer risks.

P6.4.07
l Augment or revise the prioritized risk matrix and risk optimization plan to reflect:
• implemented risk financing, insurance and structural controls,
• revised current residual risk analysis, and
• performance against planned residual risk.

P7 STAKEHOLDER RELATIONS & REQUIREMENTS

Interact with stakeholders to shape expectations, affect requirements, and influence perspectives that can have an impact on the organization.

Principles

01 Issuers are more likely to establish reasonable mandates and standards when they understand the implications to individual businesses, the industry, the economy and the community at large.
02 Leveraging key champions helps to build relationships of trust and confidence.
03 Involvement in developing mandates and standards offers the opportunity to show where integrated or aligned approaches can reduce the burden of compliance and generate more reliable, useful information.
04 Demonstrating respect and building trust and confidence are essential to maintaining favorable relationships.

Common Sources Of Failure


01 Not identifying individuals with proper skills to serve as the "face of the organization"
02 Not identifying the key individuals with power and/or influence within each stakeholder constituency and
knowing what motivates them (individually and collectively)
03 Not communicating sufficiently with stakeholders before they develop requirements that apply to the
organization
04 Not providing full information, both good and bad, relevant to stakeholder views of the organization and
decisions about requirements

Guidelines and Practices

P7.1 Understand Stakeholders
P7.2 Develop Stakeholder Relations Plans
P7.3 Identify and Track Activity by Requirement Issuing Authorities
P7.4 Comment on Planned or Proposed Items
P7.5 Propose Mandates, Standards or Guidance

Key Deliverables

Plans Communication and Reporting Plan
Reports Filings

Enabling Technology Components

Technology Arenas Corporate Governance (CG), Enterprise Risk Management (ERM)
Business Applications Contact/Customer Relationship Management (CRM), Documents & Records Management (DRM)
GRC Core Applications Corporate Compliance (CC), Corporate Social Responsibility (CSR), Employment Compliance Management (EC), Environmental, Health & Safety (EH&S) Management, Ethical Practices/Corporate Integrity (ECI), Information Privacy Management (IPM), Legal Matter Management (LMM), News Feeds (GRC Intelligence), Reporting/eFiling (REF)


P7 STAKEHOLDER RELATIONS & REQUIREMENTS


P7.1 UNDERSTAND STAKEHOLDERS

Research and analyze the organizations and key individuals involved within various stakeholder
constituencies in order to understand their concerns and how best to relate to them.
Core Sub-practices

P7.1.01
l Develop an inventory of key stakeholder organizations and categorize by type, including:
• government oversight and regulatory agencies,
• investors,
• insurers and underwriters,
• ratings agencies and exchanges,
• suppliers, extended enterprise partners,
• customers,
• communities of operations, and
• employees, agents, unions.

P7.1.02
l Assemble and review available information about each key stakeholder organization including:
• mission, vision and values,
• any statements or documents about relationship with your organization,
• key individuals important to the relationship, and
• any information about ethical conduct or noncompliance issues or concerns.

P7.1.03
l Assign ownership for responsibility to keep information about each key stakeholder group current and to inform
stakeholder relations executives of any relevant changes.

P7 STAKEHOLDER RELATIONS & REQUIREMENTS
P7.2 DEVELOP STAKEHOLDER RELATIONS PLANS

Develop stakeholder relations plans, including communications plans, for each stakeholder
constituency.
Core Sub-practices

P7.2.01
l Identify circumstances and processes where communications to each stakeholder type may be required.

P7.2.02
l Develop a high-level communication plan that aligns with existing entity channels of communication and which may be
adapted to specific circumstances and requirements.

P7.2.03
l Define communication/message interdependencies and how each fits into the overall landscape of other entity
communications/messages.

P7.2.04
l Determine which role(s) may authorize initiating communications with each stakeholder type or stakeholder group.

P7.2.05
l Determine who establishes and approves the content and design of communications for each stakeholder type or individual
stakeholder groups.

P7.2.06
l Determine who delivers, responds to, and interacts with (i.e., the “face of the organization”) each stakeholder type or individual
stakeholder groups.

P7.2.07
l Identify other participants in any process where stakeholder relations are important, including likely coalitions and their
expected positions that may influence stakeholder views and be prepared to respond.

P7 STAKEHOLDER RELATIONS & REQUIREMENTS
P7.3 IDENTIFY AND TRACK ACTIVITY BY REQUIREMENT ISSUING AUTHORITIES

Determine which government agencies, standards organizations, and other entities that issue
mandates, standards or guidance have significant effect on the organization's GRC requirements
and track their activities.
Core Sub-practices

P7.3.01
l Document the issuing authorities of key mandates, standards, and guidelines.

P7.3.02
l Learn each authority’s internal procedures for developing mandates, standards, and guidance.

P7.3.03
l Establish procedures to identify when an authority is planning to propose rules, standards, and guidance before publication.

P7.3.04
l Establish procedures to track and review proposed rules, standards, and guidance.

P7.3.05
l Build relationships of trust and respect with key personnel within issuing authorities by creating a reputation for providing valuable
assistance and reliable, truthful information.

P7 STAKEHOLDER RELATIONS & REQUIREMENTS
P7.4 COMMENT ON PLANNED OR PROPOSED ITEMS

Actively participate in the development of mandates, standards, and guidance through various
comment pathways.
Core Sub-practices

P7.4.01
l Meet with issuing authorities to understand and discuss planned items and provide organization viewpoint.

P7.4.02
l Provide the issuing authority any relevant data or information that the organization has or may assemble, that enables the
authority to make a well-reasoned decision.

P7.4.03
l Participate where appropriate in hearings and provide testimony regarding formal or planned proposals.

P7.4.04
l Provide issuing authority explanatory documents, proposed language or amendments to language, and alternative drafts.

P7.4.05
l Prepare formal written comments on proposed items made available for public comment, which include data and other
information that enables the authority to make well-reasoned review and changes to the proposal if appropriate.

P7.4.06
l Provide data and other information to the issuing authority that counters arguments raised by those with different views and
interests than the organization.

P7.4.07
l Form formal or informal coalitions with entities that share the organization's viewpoint.

P7 STAKEHOLDER RELATIONS & REQUIREMENTS


P7.5 PROPOSE MANDATES, STANDARDS OR GUIDANCE

Actively propose development of mandates, standards, and guidance to issuing authorities.


Core Sub-practices

P7.5.01
l Meet with issuing authorities to discuss the need for and benefit of proposed items in terms that meet the interests of the
authority.

P7.5.02
l Develop and make available to the issuing authority any relevant data or information that the organization has or may
assemble, that enables the authority to make a well-reasoned decision about developing the desired item.

D DETECT & DISCERN

Detect actual and potential undesirable conduct, events, GRC system weaknesses, and stakeholder concerns using a broad network of information gathering and analysis techniques.

D1 Hotline & Notification

D1.1 Capture Notifications
D1.2 Filter and Route Notifications
D1.3 Adhere to Hotline and Data Protection Requirements

D2 Inquiry & Survey

D2.1 Establish Multiple Pathways to Obtain Workforce and Stakeholder Views


D2.2 Establish an Organization-Wide Integrated Approach to Surveys
D2.3 Establish an Integrated Approach to Self-Assessments
D2.4 Gather information through observations and conversations
D2.5 Report Information and Findings

D3 Detective Controls

D3.1 Establish Detective Process Controls


D3.2 Establish Detective Human Capital Controls
D3.3 Establish Detective Physical Controls
D3.4 Establish Detective Technology Controls
D3.5 Consolidate and Analyze Control Findings

D1 HOTLINE & NOTIFICATION

Provide multiple pathways to report suspicions or incidents of noncompliance or unethical conduct, or to identify concerns about GRC system weaknesses.

Principles
01 Encourage stakeholders to raise issues directly with the organization rather than via external channels.
02 Design the capability so stakeholders can trust, without fear of reprisal, that their concerns are taken
seriously, are promptly and objectively assessed and addressed.
03 Promote notification pathways that are appropriate for the local customs and culture.
04 Accommodate for capturing reports made via informal methods and unstructured channels.

Common Sources Of Failure


01 Not establishing sufficient easy to use notification pathways consistent with local customs and culture
02 Not informing workforce and stakeholders of all notification pathways
03 Not convincing the workforce that the non-retaliation policy is real
04 Not training management and supervisory personnel to handle and record complaints that may never be
"called in"
05 Not defining consistent escalation paths for all notification pathways
06 Not encouraging stakeholders to notify about suspicions and GRC system weaknesses, not just observed
misconduct
07 Not taking a concern or issue seriously because it is raised by an individual who frequently makes
notifications

Guidelines and Practices


Red Book 2.0 - GRC Capability Model

D1.1 Capture Notifications


D1.2 Filter and Route Notifications
D1.3 Adhere to Hotline and Data Protection Requirements

Key Deliverables

Authorizations External Authorizations, Internal Authorization


Plans Communication and Reporting Plan

Enabling Technology Components


Technology Arenas Business Process Management (BPM) , Enterprise Content Management (ECM) ,
Enterprise Risk Management (ERM)
Business Applications Business Activity Monitoring (BAM) , Business Rules (BR) Engines ,
Collaboration/Knowledge Management (KM), Dashboards (GRC Workflow)
GRC Core Applications Accountability/Responsibility Management (ARM) , Crisis Management (CMT) ,
Environmental Monitoring & Reporting (EMR) , Fraud Detection & Prevention
(FDP) , Geo-Political Risk (GPR) Management , Global Trade Compliance
(GTC)/International Dealings , Helpline , Hotline/Whistleblower , Legal Matter
Management (LMM) , Operational Risk Management (ORM) , Risk Analytics
(RA)

D1 HOTLINE & NOTIFICATION


D1.1 CAPTURE NOTIFICATIONS

Implement a notification system that will alert the organization to incidents or suspicions of
legal noncompliance, violations of company policies, and concerns about perceived unethical
conduct or GRC system weaknesses.
Core Sub-practices

D1.1.01
l Use multiple channels:
• in person,
• phone,
• mail,
• email, and
• web.

D1.1.02
l Make some channels available 24 hours per day/7 days per week/365 days per year.

D1.1.03
l Define the notification approach and policy, including the preference for reporting to a supervisor (or other internal route)
first or to the hotline first (this may differ based on type of issue and local custom and law).

D1.1.04
l Define which channels will be delivered using internal and/or external resources.

D1.1.05
l Define procedures for protecting the anonymity of notifiers in jurisdictions where that is required or allowed.

D1.1.06
l Make the notification pathways available and accessible to multiple stakeholders:
• employees,
• agents (contract employees acting on behalf of the entity),
• suppliers and customers, and
• public

D1.1.07
l Communicate the availability of the notification pathways to the workforce and other stakeholders.

D1.1.08
l Define procedures for reducing abandonment of initiated notifications, including:
• limiting or disallowing hold time on phone notifications,
• providing multiple language capability, and
• training intended recipients of notifications to treat reporting individuals with respect.

D1.1.09
l Define procedures for protecting the confidentiality of all reported information during intake.

D1.1.10
l Obtain requisite internal and external approvals or licenses of the defined approach.

D1.1.11
l Consistent with local custom and law, create a policy, either separately or as part of the code of conduct, that requires
employees to use one of the notification pathways if they observe or know of misconduct.

D1.1.12
l Define a policy, either separately or as part of the code of conduct, stating that the organization will not retaliate against
individuals who notify the organization about misconduct or GRC system flaws.

D1.1.13
l Document the inquiry or issue using a system or method that allows for subsequent analysis.

D1.1.14
l Train personnel (particularly those supervisory personnel expected to receive notifications through the open door
policy) on how to handle notifications they receive.

D1 HOTLINE & NOTIFICATION


D1.2 FILTER AND ROUTE NOTIFICATIONS

Vet and route notifications for handling, regardless of the pathway through which a given
notification is received.
Core Sub-practices

D1.2.01
l Create uniform procedures to manage notifications, including:
• taxonomy and uniform vocabulary for types of incidents or concern,
• uniform notification forms or data entry fields,
• issue routing and escalation protocols,
• single ultimate repository for all notifications, and
• methods by which recipients of notifications outside of hotline process enter information into the repository for
processing.

D1.2.02
l Define procedures to efficiently review and confirm the validity of notifications.

D1.2.03
l Define information retention requirements associated with all notification pathways.

D1.2.04
l Track the issue as it flows through the resolution process.

D1.2.05
l Establish a procedure to deliver feedback to the notifier so that he or she understands that the issue is being processed or
has been resolved.

D1 HOTLINE & NOTIFICATION
D1.3 ADHERE TO HOTLINE AND DATA PROTECTION REQUIREMENTS

Ensure that the hotline pathway for notification complies with specific requirements established
in the locale where the notice originates and where the organization operates.
Core Sub-practices

D1.3.01
l Define whether hotline (for reporting concerns) and helpline (for questions) are combined or separate.

D1.3.02
l Determine whether an anonymous reporting system is required, allowed, or not allowed in a given location or
circumstance, and design hotline accordingly.

D1.3.03
l Understand data protection and privacy requirements globally applicable to your organization and design the approach so
that the hotline complies with all applicable mandates.

D1.3.04
l Establish separate hotlines, or routing approaches, as needed to comply with different legal requirements based on locale of
the notifier and of the organization.

D2 INQUIRY & SURVEY

Periodically seek input to understand perceptions of risk, progress toward objectives, and the occurrence of undesirable events and activities.
Principles
01 Create opportunities to ask various stakeholders about concerns, and organizational culture to increase the
likelihood of internally discovering issues.
02 Make workforce and stakeholders feel their views are valued by considering all feedback and taking
appropriate corrective actions.
03 Use the information gained to address issues, build workforce confidence and belief in the organization's
commitment to values, and improve GRC systems.
04 Communicate the importance of stakeholder feedback.
05 Avoid any actual or perceived connection between an individual's response and his/her performance
assessment.

Common Sources Of Failure


01 Not gathering views and information from all relevant target audiences and coordinating efforts to avoid
survey/self-assessment fatigue
02 Not defining the important questions to ask based on risk assessment, timing and target audiences
03 Not consolidating, comparing and reconciling information obtained from various methods
04 Not flowing information gained into appropriate aspects of GRC system including risk assessments, issue
management or investigation, or system improvement processes

Guidelines and Practices


Red Book 2.0 - GRC Capability Model

D2.1 Establish Multiple Pathways to Obtain Workforce and Stakeholder Views


D2.2 Establish an Organization-Wide Integrated Approach to Surveys
D2.3 Establish an Integrated Approach to Self-Assessments
D2.4 Gather information through observations and conversations
D2.5 Report Information and Findings

Key Deliverables

Plans Communication and Reporting Plan


Reports Findings and Recommendations Report

Enabling Technology Components


Technology Arenas Enterprise Content Management (ECM)


Business Applications Documents & Records Management (DRM) , Employee Evaluations & Surveys
(EES)
GRC Core Applications Environmental Monitoring & Reporting (EMR) , Helpline ,
Hotline/Whistleblower , Legal Matter Management (LMM)

D2 INQUIRY & SURVEY


D2.1 ESTABLISH MULTIPLE PATHWAYS TO OBTAIN WORKFORCE AND
STAKEHOLDER VIEWS

Define opportunities for obtaining workforce and stakeholder views about risk, the GRC system,
conduct and organizational commitment to its stated values.
Core Sub-practices

D2.1.01
l Use key meetings or conversations with target audiences (employee council, analyst briefings, customer / business partner
advisory groups, lessons learned sessions, knowledge sharing sessions, government relations meetings, ratings agency
reviews, audits) to gain information.

D2.1.02
l Institute opportunities for formal individual workforce conversations.

D2.1.03
l Encourage informal conversations and establish an open door policy.

D2 INQUIRY & SURVEY
D2.2 ESTABLISH AN ORGANIZATION-WIDE INTEGRATED APPROACH TO
SURVEYS

Establish a survey approach that reduces the burden on survey subjects and provides a
consolidated view of information obtained from the workforce and other stakeholders.
Core Sub-practices

D2.2.01
l Define key surveys and target audiences.

D2.2.02
l Inventory existing surveys and analyze timing and content.

D2.2.03
l Map desired surveys to existing surveys for content and audiences.

D2.2.04
l Determine opportunities to consolidate or retire surveys.

D2.2.05
l Determine gaps in existing surveys as against desired surveys.

D2.2.06
l Develop additional necessary surveys.

D2.2.07
l Define maximum number of surveys that an individual should receive in any quarter.

D2.2.08
l Establish an integrated calendar of surveys.

D2.2.09
l Determine appropriate methods to increase survey response rates and candor for each survey:
- method of delivery of survey (electronic, telephone, paper),
- opportunity to respond anonymously,
- incentive or reward for participating, or
- mandating completion.

D2 INQUIRY & SURVEY
D2.3 ESTABLISH AN INTEGRATED APPROACH TO SELF-ASSESSMENTS

Establish a self-assessment approach that integrates assessment of GRC system-related


responsibilities and outcomes with other self-assessments imposed on management.
Core Sub-practices

D2.3.01
l Define key self-assessments and target audiences.

D2.3.02
l Inventory existing self-assessment requirements and analyze timing and content.

D2.3.03
l Map desired self-assessments to existing ones for content coverage.

D2.3.04
l Determine opportunities to consolidate or retire self-assessments.

D2.3.05
l Determine gaps in existing self-assessments to address GRC assessment needs.

D2.3.06
l Develop additional necessary self-assessment questions.

D2.3.07
l Establish an integrated calendar of self-assessments.

D2 INQUIRY & SURVEY
D2.4 GATHER INFORMATION THROUGH OBSERVATIONS AND CONVERSATIONS

Establish informal methods of gathering views through observations, group meetings, focus
groups and individual conversations.
Core Sub-practices

D2.4.01
l Determine opportunities to gather views through existing scheduled meetings with various stakeholder groups.

D2.4.02
l Coordinate the scheduling of any focus groups or other meetings established for the purpose of discussing GRC issues.

D2.4.03
l Establish a method for information gathered by management during conversations and informal interactions with members
of workforce or other stakeholders about their views to be captured.

D2.4.04
l Establish methods to observe workforce behavior and glean information about attitudes and beliefs regarding organizational
commitment to values and the GRC system.

D2 INQUIRY & SURVEY


D2.5 REPORT INFORMATION AND FINDINGS

Provide information and findings from all methods of inquiry to management.


Core Sub-practices

D2.5.01
l Analyze information and findings to identify and refer any issues requiring immediate attention.

D2.5.02
l Analyze information and findings to identify and refer information relevant to risk analysis and optimization choices.

D2.5.03
l Analyze information and findings to identify and refer for improvement any GRC system weaknesses.

D2.5.04
l Document inquiries or issues using a system or method that allows for subsequent tracking and further analysis.

D3 DETECTIVE CONTROLS

Establish process, human capital, technology and physical control activities to detect adverse events and conduct, as well as weaknesses in the GRC system.

Principles
01 Detective controls should detect actual adverse events and indications of opportunity for potential adverse
events (e.g., the lock on the safe is not locked).
02 Define dashboards, alerts and reports at an appropriate level of detail/abstraction for the scope of
responsibility of the intended audience to minimize the cost of finding information and increase ability to
respond efficiently.

Common Sources Of Failure


01 Not designing and implementing detective controls based on the priorities and timing in the risk optimization
plan
02 Not establishing a broad network of information sources to identify potential adverse events and weaknesses
03 Not capturing and analyzing information generated by preventive controls and other activities

Guidelines and Practices


Red Book 2.0 - GRC Capability Model

D3.1 Establish Detective Process Controls


D3.2 Establish Detective Human Capital Controls
D3.3 Establish Detective Physical Controls
D3.4 Establish Detective Technology Controls
D3.5 Consolidate and Analyze Control Findings

Key Deliverables

Descriptions: Exit Interview Checklist
Internal Standards: Control Taxonomy
Reports: Filings, Findings and Recommendations Report
Enabling Technology Components

Technology Arenas: Enterprise Risk Management (ERM), Security Management (SM)
Business Applications: Business Activity Monitoring (BAM), Business Rules (BR) Engines, Corporate Performance Management (CPM), Dashboards (GRC Workflow), Documents & Records Management (DRM), Legal Entity Management (LEM), Loss Management (LM), Quality Management & Monitoring (QMM)
GRC Core Applications: Controls Management & Monitoring (CMM), Crisis Management (CMT), Fraud Detection & Prevention (FDP), Geo-Political Risk (GPR) Management, Global Trade Compliance (GTC)/International Dealings, Hotline/Whistleblower, Information Privacy Management (IPM), Information Technology Risk & Compliance (ITRC) Management, Operational Assurance & Audit (OAA), Operational Risk Management (ORM), Risk Analytics (RA), Transaction Monitoring (TRM)
Infrastructure: Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR), Enterprise Architecture Standards (EAS), Identity and Access Management (IAM), Physical Security (PS), Retention & Storage Management (RSM), Systems Log Management (SLM)


D3 DETECTIVE CONTROLS
D3.1 ESTABLISH DETECTIVE PROCESS CONTROLS

Establish process control activities and procedures that detect adverse events, noncompliance
and misconduct.
Core Sub-practices

D3.1.01
• Establish detective process control activities based on analysis of financial transactions by frequency, size, location and other factors that may indicate unethical, fraudulent or noncompliant conduct.

D3.1.02
• Establish detective controls based on monitoring of movement and use of physical assets that may indicate unethical, fraudulent or noncompliant conduct.

D3.1.03
• As warranted by the risk analysis, define appropriate continuous monitoring controls.
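As an added illustration of D3.1.01 and D3.1.03 (this is example code written for this page, not part of the OCEG model), the Python script below runs a detective control over a constructed set of payment records, scoring each on the three factors named above: size (an amount kept just under an approval limit, and several such amounts to one payee that together exceed it), frequency (more payments to one payee within a week than policy expects) and location (a destination country that disagrees with the payee's master data). The approval limit, the look-back window, the thresholds, the field names and the sample transactions are all assumptions chosen for the example.

```python
"""Detective process control over payment transactions (added example).

Illustrates D3.1.01: flag payments whose size, frequency or location may
indicate fraud or noncompliance. The approval limit, the window, the
thresholds and the sample records below are assumptions for this example,
not values from the OCEG model.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

APPROVAL_LIMIT = 10_000.00   # assumed: payments at or above this need a second approver
NEAR_LIMIT_BAND = 0.10       # assumed: "just under" means within 10% below the limit
WINDOW = timedelta(days=7)   # assumed look-back window for frequency and splitting
MAX_PER_WINDOW = 3           # assumed: more than 3 payments to one payee per window is unusual


@dataclass(frozen=True)
class Txn:
    txn_id: str
    ts: datetime
    payee: str
    amount: float
    country: str     # destination country of the funds
    initiator: str   # user who keyed the payment


@dataclass(frozen=True)
class Finding:
    txn_id: str
    rule: str
    detail: str


def is_near_limit(amount: float) -> bool:
    """True when the amount sits in the band just below the approval limit."""
    return APPROVAL_LIMIT * (1 - NEAR_LIMIT_BAND) <= amount < APPROVAL_LIMIT


def analyze(txns, payee_country):
    """Return findings for txns; payee_country maps payee -> country held in master data."""
    findings = []
    recent = defaultdict(list)   # payee -> payments still inside the window
    for t in sorted(txns, key=lambda x: x.ts):
        # Size: a single payment kept just under the second-approver threshold
        near = is_near_limit(t.amount)
        if near:
            findings.append(Finding(t.txn_id, "size_near_limit",
                                    f"{t.amount:.2f} is within {NEAR_LIMIT_BAND:.0%} below {APPROVAL_LIMIT:.2f}"))
        # Location: destination does not match the payee's master data
        expected = payee_country.get(t.payee)
        if expected is None:
            findings.append(Finding(t.txn_id, "unknown_payee", f"{t.payee!r} has no master-data record"))
        elif expected != t.country:
            findings.append(Finding(t.txn_id, "location_mismatch",
                                    f"sent to {t.country}, master data says {expected}"))
        # Frequency: slide the per-payee window forward and count what remains in it
        window = [p for p in recent[t.payee] if t.ts - p.ts <= WINDOW] + [t]
        recent[t.payee] = window
        if len(window) > MAX_PER_WINDOW:
            findings.append(Finding(t.txn_id, "frequency",
                                    f"{len(window)} payments to {t.payee} within {WINDOW.days} days"))
        # Splitting: near-limit payments to one payee that together exceed the limit
        if near:
            split_total = sum(p.amount for p in window if is_near_limit(p.amount))
            if split_total >= APPROVAL_LIMIT:
                findings.append(Finding(t.txn_id, "split_payment",
                                        f"near-limit payments to {t.payee} total {split_total:.2f} in window"))
    return findings


# Constructed sample data (assumed, not from the model)
MASTER_DATA = {"Acme Ltd": "GB", "Globex Corp": "US"}


def _d(day, hour=9):
    return datetime(2009, 4, day, hour)


SAMPLE_TXNS = [
    Txn("T1", _d(1), "Acme Ltd", 9_500.00, "GB", "alice"),
    Txn("T2", _d(2), "Acme Ltd", 9_800.00, "GB", "alice"),      # second near-limit payment: split
    Txn("T3", _d(3), "Acme Ltd", 4_000.00, "GB", "bob"),
    Txn("T4", _d(4), "Acme Ltd", 500.00, "GB", "bob"),          # fourth payment in a week: frequency
    Txn("T5", _d(10), "Globex Corp", 2_000.00, "KY", "alice"),  # master data says US
    Txn("T6", _d(11), "Unknown Co", 100.00, "US", "alice"),     # no master-data record
    Txn("T7", _d(20), "Acme Ltd", 9_990.00, "GB", "alice"),     # near limit, earlier ones aged out
]


def run_sample():
    return analyze(SAMPLE_TXNS, MASTER_DATA)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.txn_id:>3}  {f.rule:<18} {f.detail}")
```

The sliding window is what makes this a continuous monitoring control (D3.1.03) rather than a one-off report: each new payment is judged against what preceded it, so T7 on its own is only "near limit" while T2, with T1 still inside the window, is a split payment. In practice the thresholds come from the risk optimization plan, and the master data lookup is the same comparison a vendor bank-change review performs.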

D3 DETECTIVE CONTROLS
D3.2 ESTABLISH DETECTIVE HUMAN CAPITAL CONTROLS

Establish human capital control activities and procedures that detect adverse events,
noncompliance and misconduct.
Core Sub-practices

D3.2.01
• Use a performance review checklist for individuals that:
  • asks whether the individual has observed misconduct while employed,
  • inquires into suspicions of misconduct or opportunities for misconduct,
  • inquires into feelings about the effectiveness of the GRC system and any apparent weaknesses,
  • determines feelings toward the organization, management and immediate supervisors, and
  • determines belief in the organization’s commitment to stated values and policies.

D3.2.02
• Use an exit interview checklist for individuals that:
  • verifies all organization assets are returned,
  • asks whether the individual observed or suspected any compliance failure, unethical conduct, unequal or biased response to or discipline for misconduct, or uncontrolled risks,
  • inquires into feelings about the effectiveness of the GRC system and any apparent weaknesses,
  • determines feelings of the departing individual toward the organization, management and immediate supervisors, and
  • advises how to report concerns or issues after separation.

D3.2.03
• Augment or revise the prioritized risk matrix and risk optimization plan to reflect:
  • implemented human capital controls,
  • revised current residual risk analysis, and
  • performance against planned residual risk.

D3 DETECTIVE CONTROLS
D3.3 ESTABLISH DETECTIVE PHYSICAL CONTROLS

Install physical controls necessary to provide surveillance of physical preventive controls and
areas where noncompliance or unethical conduct can be physically observed.
Core Sub-practices

D3.3.01
• Establish surveillance mechanisms (cameras or personnel) in high security or threat areas (e.g., hazardous materials storage, server locations, remote parking lots, etc.) to detect tampering, violence, theft, etc.

D3.3.02
• Establish mechanisms (electronic or human) to monitor entry/exit in high security areas.

D3.3.03
• Provide necessary protection of privacy and notification of surveillance where required or determined by policy to be appropriate.

D3.3.04
• Establish silent, audible, and/or visual alarm systems to communicate the detection of breaches of preventive controls and emergencies.

D3.3.05
• Establish mechanisms to track the location of high-value assets or inventory to detect their unauthorized movement (e.g., RFID systems).

D3.3.06
• Use mechanisms to detect the presence or absence of environmental conditions outside acceptable targets or thresholds (e.g., smoke alarms, chemical sniffers, emissions monitors, water quality monitoring systems, refrigeration thermostats, vacuum seal pressure sensors, etc.).

D3.3.07
• Establish mechanisms to detect the presence or absence of workforce and visitors on organizational premises to determine the need to attempt rescue of such individuals, contact family, or other responses.

D3.3.08
• Use mechanisms (electronic or manual badges) to distinguish between workforce, visitors, and unknown individuals on organizational premises so people or systems may detect inappropriate or unauthorized presence or activities.

D3 DETECTIVE CONTROLS
D3.4 ESTABLISH DETECTIVE TECHNOLOGY CONTROLS

Implement and monitor automated detective technology controls to promptly identify actual or
potential misconduct.
Core Sub-practices

D3.4.01
• Monitor detective technology control indicators to identify actual or potential misconduct or noncompliance, including those applied to:
  • physical access and surveillance,
  • system access controls,
  • master data controls,
  • transaction controls,
  • operational controls,
  • audit trails and log analysis,
  • testing activities,
  • performance reporting, and
  • initiative progress, status and risk reporting.

D3.4.02
• Respond to alerts, notifications, and indications of threshold variances.
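As an added example of D3.4.01 and D3.4.02 (written for this page; it is not code from the OCEG model), the Python script below parses a constructed application audit trail and evaluates three of the indicator types listed above: system access controls (repeated failed logins followed by a success), master data controls (a vendor bank-detail change by an unauthorized user or outside business hours) and human capital data joined to the log (a terminated account still logging in). Each alert carries a severity so that the summary a dashboard owner sees can stay at the level of abstraction Principle 02 asks for while the detail is kept for the responder. The log format, the thresholds, the HR and authorization data and the business-hours definition are all assumptions.

```python
"""Detective technology control over an application audit trail (added example).

Illustrates D3.4.01 and D3.4.02: parse constructed key=value audit lines,
evaluate indicators against thresholds, and raise alerts with a severity so
they can be routed to the right audience. The log format, the thresholds, the
HR data and the business-hours definition are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5                   # assumed: 5 failed logins within the window
FAILURE_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(8, 18)           # assumed: 08:00 to 17:59 UTC

# Constructed master data the detector joins against (assumed)
AUTHORIZED_FOR_VENDOR_CHANGES = {"mlee"}
TERMINATED_USERS = {"rgarcia": datetime(2009, 3, 31)}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    indicator: str
    severity: str
    detail: str


def parse_line(line):
    """'2009-04-06T02:14:03Z k=v k=v ...' -> (timestamp, {k: v})."""
    ts_text, *pairs = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, dict(p.split("=", 1) for p in pairs)


def detect(lines):
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of failed logins still in the window
    for line in lines:
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user, event, result = f.get("user"), f.get("event"), f.get("result")

        if event == "login":
            recent = [t for t in failures[user] if ts - t <= FAILURE_WINDOW]
            if result == "failure":
                recent.append(ts)
                if len(recent) == FAILURE_THRESHOLD:   # fire once, when the threshold is reached
                    alerts.append(Alert(ts, user, "repeated_login_failures", "medium",
                                        f"{len(recent)} failures within {FAILURE_WINDOW}"))
            elif result == "success":
                if len(recent) >= FAILURE_THRESHOLD:   # guessing that eventually worked
                    alerts.append(Alert(ts, user, "success_after_repeated_failures", "high",
                                        f"login succeeded after {len(recent)} failures"))
                term = TERMINATED_USERS.get(user)
                if term is not None and ts > term:     # HR says this person has left
                    alerts.append(Alert(ts, user, "terminated_account_login", "high",
                                        f"account terminated {term:%Y-%m-%d} is still logging in"))
            failures[user] = recent

        elif event == "vendor_bank_change" and result == "success":
            if user not in AUTHORIZED_FOR_VENDOR_CHANGES:
                alerts.append(Alert(ts, user, "unauthorized_master_data_change", "high",
                                    f"vendor {f.get('vendor')} bank details changed by unauthorized user"))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(Alert(ts, user, "off_hours_master_data_change", "medium",
                                    f"vendor {f.get('vendor')} changed at {ts:%H:%M} UTC"))
    return alerts


def summarize(alerts):
    """Counts per severity: the abstraction a dashboard shows before anyone drills down."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a.severity] += 1
    return dict(counts)


# Constructed audit lines (assumed format and content)
SAMPLE_LOG = """\
2009-04-06T02:14:03Z host=erp01 user=jsmith event=login result=failure src=10.1.4.22
2009-04-06T02:14:09Z host=erp01 user=jsmith event=login result=failure src=10.1.4.22
2009-04-06T02:14:15Z host=erp01 user=jsmith event=login result=failure src=10.1.4.22
2009-04-06T02:14:20Z host=erp01 user=jsmith event=login result=failure src=10.1.4.22
2009-04-06T02:14:27Z host=erp01 user=jsmith event=login result=failure src=10.1.4.22
2009-04-06T02:14:33Z host=erp01 user=jsmith event=login result=success src=10.1.4.22
2009-04-06T02:20:41Z host=erp01 user=jsmith event=vendor_bank_change result=success vendor=V1009
2009-04-06T09:05:12Z host=erp01 user=mlee event=login result=success src=10.1.7.8
2009-04-06T09:06:30Z host=erp01 user=mlee event=vendor_bank_change result=success vendor=V2200
2009-04-06T14:30:00Z host=erp01 user=rgarcia event=login result=success src=10.1.9.3
"""


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts:%H:%M:%S} {a.severity:<6} {a.user:<8} {a.indicator:<32} {a.detail}")
    print(summarize(run_sample()))
```

Two design points matter for the "respond" half (D3.4.02). The failure counter fires once when it reaches the threshold rather than on every later failure, so a responder sees one alert per episode instead of a flood; and the master data and HR lookups are the join that turns a bare log line into an indicator of misconduct, which is why the detective technology control needs a current feed of terminations and authorizations, not just the logs.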

D3 DETECTIVE CONTROLS
D3.5 CONSOLIDATE AND ANALYZE CONTROL FINDINGS

Consolidate and analyze all information gathered through various means of detection to identify
patterns of misconduct, adverse events and other weaknesses that would otherwise go
unnoticed.
Core Sub-practices

D3.5.01
• Perform analysis on gathered data.

D3.5.02
• Document issues using a system or method that allows for subsequent tracking and further analysis.

D3.5.03
• Complete official required forms or reports.

D3.5.04
• Deliver forms, reports, and undocumented information and analysis (if any) according to reporting responsibilities.

D3.5.05
• Engage appropriate Respond and Resolve elements for identified issues.

D3.5.06
• Compare results of analysis with internal benchmarks (another department, business unit, etc.).

D3.5.07
• Compare results of analysis with external benchmarks (peer organization, industry index, etc.).

R RESPOND & RESOLVE
R
Respond to and recover from noncompliance and unethical conduct events, or GRC system failures, so that the organization resolves each immediate issue and prevents or resolves similar issues more effectively and efficiently in the future.

R1 Internal Review & Investigation

R1.1 Define the Inquiry and Investigation Process

R1.2 Prepare to Investigate


R1.3 Conduct Investigations
R1.4 Report Results of Investigations

R2 Third-Party Inquiries & Investigations

R2.1 Prepare for and Address Third Party Inquiries


R2.2 Prepare to Identify Third Party Investigations
R2.3 Prepare to Manage Third Party Investigations
R2.4 Prepare to Select Internal Team for Third-Party Investigation
R2.5 Prepare to Respond to Specific Third-Party Investigations

R3 Corrective Controls

R3.1 Establish Corrective Process Controls


R3.2 Establish Corrective Human Capital Controls
R3.3 Establish Corrective Technology Controls
R3.4 Establish Corrective Physical Controls
R3.5 Monitor and Report Corrective Controls

R4 Crisis Response, Continuity and Recovery

R4.1 Develop Crisis Response and Continuity Plans


R4.2 Identify Crisis Readiness and Response Teams
R4.3 Test Plans and Procedures
R4.4 Coordinate Plans

R5 Remediation & Discipline

R5.1 Remediate the GRC System


R5.2 Discipline Individuals
R5.3 Disclose Issue Resolution


R1 INTERNAL REVIEW & INVESTIGATION


R1
Review and be prepared to investigate allegations or indications of misconduct or GRC system failures to understand the facts, circumstances, root causes and appropriate resolution.

Principles

01 People need to have confidence in the process so that they will report incidents and cooperate in investigations.
02 The process must be nimble enough to address regional and situational differences in meeting legal mandates.
03 The Board and senior management should never be blind-sided, but instead must know, in a timely fashion,
about an issue that can significantly affect the organization.
04 Information from the issue resolution process should flow seamlessly into processes for identifying and
correcting GRC systemic weaknesses.

Common Sources Of Failure


01 Not establishing sufficient channels of various types for reporting of incidents and concerns
02 Not having a tiered approach for responding to issues that have different levels of potential impact on the
organization
03 Not having appropriate procedures in place to timely:
• Capture and validate incidents,
• Categorize incidents in a defined taxonomy,
• Escalate incidents for priority investigation,
• Identify need for in-house or external legal investigation,
• Ensure appropriate confidentiality of information and determine privilege,
• Ensure appropriate protection of anonymity and non-retaliation for reporters,
• Preserve records and other evidence (document hold),
• Complete required reporting or provide notice to outside parties, and
• Determine the need and timing to suspend any business operations
04 Not having investigators with the right skills, knowledge and authority
05 Not informing interviewees about legal representation and potential use of information
06 Not coming to a conclusion about the root cause(s) of the problem

Guidelines and Practices


R1.1 Define the Inquiry and Investigation Process


R1.2 Prepare to Investigate
R1.3 Conduct Investigations
R1.4 Report Results of Investigations

Key Deliverables

Plans: Investigation Management Plan
Reports: Filings, Findings and Recommendations Report

Enabling Technology Components

Technology Arenas: Enterprise Content Management (ECM)
Business Applications: Business Activity Monitoring (BAM), Documents & Records Management (DRM), Email Management (EM), Loss Management (LM)
GRC Core Applications: Audit Analytics (AA), Crisis Management (CMT), Discovery (eDiscovery), Enterprise Risk Assessment (ERA), Environmental Monitoring & Reporting (EMR), Fraud Detection & Prevention (FDP), Global Trade Compliance (GTC)/International Dealings, Information Technology Audit (ITA), Insurance & Claims Management (ICM), Legal Matter Management (LMM), Operational Assurance & Audit (OAA), Operational Risk Management (ORM), Risk Analytics (RA)
Infrastructure: Retention & Storage Management (RSM)


R1 INTERNAL REVIEW & INVESTIGATION


R1.1 DEFINE THE INQUIRY AND INVESTIGATION PROCESS

Establish procedures for inquiring further into, and investigating, complaints or reports about
compliance or ethical issues, as well as for issues detected during ongoing monitoring or periodic
evaluation of the GRC system.
Core Sub-practices

R1.1.01
• Establish a core team to process issues that are identified by complaints, expressions of concern, or other methods (additional parties may be involved on a case-by-case basis to address specific types of issues as they arise).

R1.1.02
• Define a procedure to ensure that alleged perpetrators are not involved in the processing of the issue and are removed from involvement at any point at which they are identified as potential targets of an investigation.

R1.1.03
• Develop and use taxonomies for classifying reported or identified issues and their severity level.

R1.1.04
• Establish an initial screening process to separate issues that can be quickly resolved from those that may need investigation.

R1.1.05
• Define issue management methodology including these key steps:
  • recording and categorizing an issue or question (routing of questions for answers) upon intake,
  • confirmation / validation of an issue,
  • analysis of an issue,
  • investigation of an issue,
  • escalation of an issue,
  • resolution of an issue, and
  • referral for remediation / discipline of individuals.

R1.1.06
• Define policies and procedures for determining when and how to protect the confidentiality and anonymity of notifiers in accordance with applicable legal mandates.

R1.1.07
• Define policies and procedures for protecting the confidentiality of all reported information that align to applicable legal mandates.

R1.1.08
• Define "investigation tiers" that identify who will address issues of particular scope and type.

R1.1.09
• Define categories of issues that are escalated to the Board or a Board committee immediately upon validation, such as those that are at the “crisis” level due to impact on the organization and/or allegations of senior management wrongdoing.

R1.1.10
• Define categories of issues that are significant enough to be escalated to senior management and/or outside counsel immediately upon validation, due to the material nature of the potential effect on the organization.

R1.1.11
• Define categories of issues that are serious enough to be addressed in special investigations by designated investigators immediately upon validation, due to the nature of the potential effect on the organization, for which specific procedures are established.

R1.1.12
• Define categories of issues that are anticipated in the course of business and which may be addressed based on recommendations of initial investigators by line management using specifically established procedures.

R1.1.13
• Define template plans for standard and special investigations of common issues within each investigation tier addressing:
  • processing rules,
  • provision of counsel rules,
  • privilege rules,
  • record retention rules,
  • escalation rules,
  • internal and external reporting rules, and
  • investigation management rules (need for outside legal counsel or special in-house investigators).

R1.1.14
• Periodically conduct review of reported data to determine trends, trouble spots, and controls in need of revisions, looking for concentrated patterns by:
  • geography,
  • specific location,
  • job/role,
  • employee level,
  • employee type (exempt vs. nonexempt vs. temporary), and
  • supervisor.
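The periodic pattern review in R1.1.14 and the internal and external benchmark comparisons in D3.5.06 and D3.5.07 rest on the same computation: a rate of reported issues per head for each group along a dimension, compared against the organization-wide rate and against an outside index. The Python script below is an added example of that computation (written for this page; it is not part of the OCEG model). The roster, the reports, the flagging factor, the minimum report count and the industry index rate are constructed assumptions.

```python
"""Concentration and benchmark analysis of reported issues (added example).

Illustrates R1.1.14 (look for concentrated patterns by location, job,
supervisor, etc.) and D3.5.06 / D3.5.07 (compare against internal and
external benchmarks). The roster, the reports, the flagging factor and the
external index rate are constructed assumptions, not figures from the model.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    emp_id: str
    location: str
    supervisor: str
    role: str


@dataclass(frozen=True)
class Hotspot:
    dimension: str
    group: str
    reports: int
    headcount: int
    rate: float       # reports per employee in the group
    baseline: float   # organization-wide reports per employee (the internal benchmark)


def concentrations(employees, report_subjects, dimensions, factor=2.0, min_reports=3):
    """Flag groups whose report rate is at least `factor` times the org-wide rate.

    report_subjects holds one employee id per substantiated report (the person or
    unit the issue occurred under). min_reports stops one report in a tiny group
    from being read as a pattern.
    """
    by_id = {e.emp_id: e for e in employees}
    baseline = len(report_subjects) / len(employees)
    hotspots = []
    for dim in dimensions:
        headcount = Counter(getattr(e, dim) for e in employees)
        counts = Counter(getattr(by_id[s], dim) for s in report_subjects)
        for group, n in counts.items():
            rate = n / headcount[group]
            if n >= min_reports and rate >= factor * baseline:
                hotspots.append(Hotspot(dim, group, n, headcount[group], rate, baseline))
    return hotspots


def versus_external(employees, report_subjects, index_rate):
    """Ratio of the org-wide rate to an external benchmark rate (above 1 means above the index)."""
    return (len(report_subjects) / len(employees)) / index_rate


# Constructed roster: 50 employees, five supervisors across three sites (assumed)
def _roster():
    emps, n = [], 0
    sites = {"Plant A": ["Cole", "Diaz"], "Plant B": ["Ng", "Okoye"], "HQ": ["Patel"]}
    for location, sups in sites.items():
        for sup in sups:
            for _ in range(10):
                n += 1
                role = "analyst" if location == "HQ" else "operator"
                emps.append(Employee(f"E{n:03d}", location, sup, role))
    return emps


EMPLOYEES = _roster()
# Constructed: ten substantiated reports in the period, six of them under one supervisor
REPORTS = ["E001", "E002", "E003", "E004", "E005", "E006", "E011", "E021", "E031", "E041"]
INDUSTRY_INDEX_RATE = 0.08   # assumed external benchmark: reports per employee per year


def run_sample():
    return concentrations(EMPLOYEES, REPORTS, ("location", "supervisor", "role"))


if __name__ == "__main__":
    for h in run_sample():
        print(f"{h.dimension}={h.group}: {h.reports}/{h.headcount} = {h.rate:.2f} "
              f"vs org-wide {h.baseline:.2f}")
    ratio = versus_external(EMPLOYEES, REPORTS, INDUSTRY_INDEX_RATE)
    print(f"org-wide rate is {ratio:.1f}x the industry index")
```

On the constructed data the concentration shows up only at the supervisor level: Plant A as a whole is above the organization-wide rate but below the flagging factor, while one of its two supervisors carries six of the ten reports. That is the reason R1.1.14 lists several dimensions rather than one. The external comparison is only meaningful when the organization's issue taxonomy (R1.1.03) and the index count the same kinds of report over the same period; otherwise the ratio measures a difference in definitions, not in conduct.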

R1 INTERNAL REVIEW & INVESTIGATION


R1.2 PREPARE TO INVESTIGATE

Prepare to undertake the activities of the investigation phase of the issue resolution process.
Core Sub-practices

R1.2.01
• Define the scope of the planned investigation.

R1.2.02
• Place the issue into a particular investigation tier.

R1.2.03
• Determine whether there is an obligation to immediately disclose the issue to the Board, independent auditors or regulatory agencies.

R1.2.04
• Determine if the investigation will be conducted under privilege in accordance with established tier rules.

R1.2.05
• Define the investigation team, roles/responsibilities for each team member and the team leader taking into account the topic and scope of the investigation.

R1.2.06
l Define the need for outside assistance in accordance with established tier rules, including:
• counsel,
• accountants,
• forensic experts, and
• technical consultants.

R1.2.07
l Document a finding of no self-interest (or conflict) in the outcome on the part of any team member.

R1.2.08
l Define internal management that is responsible for oversight of the investigation.

R1.2.09
l Prepare investigation management plan (documents to obtain, interviews to conduct, data to analyze, anticipated reports
and audience, budget, and rules of evidence to follow).

R1.2.10
l Initiate any requisite document holds in accordance with established tier rules.

R1.2.11
l If necessary, inform management of the need to suspend any relevant business processes (trading, etc.) in accordance with
established tier rules.

R1.2.12
l Define which stakeholders will be informed about the results of the investigation and by what methods.

R1.2.13
l Define a procedure for preserving privilege as necessary during and after completion of the investigation in accordance with
established tier rules.

R1.2.14
l Identify possible facts, events or circumstances that, if discovered, may require expansion of the original scope of the
investigation and arrange for timely review of any discovered.

R1.2.15
l Define a procedure and protocols to coordinate the investigation with other departments in accordance with established
tier rules, including:
• public relations,
• investor relations,
• marketing,
• HR and human capital management, and
• business unit and line management.

R1 INTERNAL REVIEW & INVESTIGATION
R1.3 CONDUCT INVESTIGATIONS

Conduct investigations consistent with the plan and communicate with relevant stakeholders
while maintaining appropriate privileged status.
Core Sub-practices

R1.3.01
l Notify employees who will be interview subjects.

R1.3.02
l Remind individuals involved, whether as the notifier, accused or interviewee, that legal counsel and investigators represent
the entity and not them individually.

R1.3.03
l Request and obtain documents, electronic data and other information.

R1.3.04
l Respond to document requests.

R1.3.05
l Analyze documents, data, and interview information to draw conclusions.

R1.3.06
l Determine which conclusions should be documented and which should be presented verbally.

R1.3.07
l Track list of items being maintained as privileged.

R1.3.08
l Track information that will be released as non-privileged, indicating that the release is intentional and controlled.

R1.3.09
l Identify root cause(s) of issue requiring investigation.

R1 INTERNAL REVIEW & INVESTIGATION
R1.4 REPORT RESULTS OF INVESTIGATIONS

Communicate investigation results to appropriate management, oversight bodies and, as


appropriate, to other stakeholders and regulators.
Core Sub-practices

R1.4.01
l Communicate results and recommendations to appropriate management, oversight bodies and other stakeholders in
accordance with established tier rules.

R1.4.02
l Communicate any findings of material impact (or potential thereof) to the audit committee of the Board.

R1.4.03
l If required, or determined appropriate under established tier rules, file external reports and disclosures with regulatory
agencies.

R1.4.04
l Document rationale of those with requisite authority for any recommendation not being pursued.

R2 THIRD-PARTY INQUIRIES & INVESTIGATIONS

Manage and respond to external inquiries and investigations.

Principles

01 A culture of cooperation with third-party inquiries and investigations can help to control the scope and the
ultimate impact on the organization.
02 The fact that there is an ongoing external investigation, and its ultimate findings, should not be a surprise to
the Board and management.
03 Cooperation does not mean capitulation and the organization may protect itself and its information during an
external investigation.
04 Being prepared to respond to an investigation will minimize its business disruption.

Common Sources Of Failure

01 Not having an effective system for responding to external inquiries before they become hostile investigations
02 Not being prepared for surprise investigations that involve the sudden appearance of investigators onsite and
seizing of documents or premises
03 Not having the right people in the organization aware of a third party investigation soon enough to afford full
protection to the organization
04 Not determining the appropriate level of cooperation in conjunction with the advice of counsel and other
advisors
05 Not keeping track of all information provided to external investigators
06 Not appreciating that inquiries may be precursors to civil or criminal investigations

Guidelines and Practices


Red Book 2.0 - GRC Capability Model

R2.1 Prepare for and Address Third Party Inquiries
R2.2 Prepare to Identify Third Party Investigations
R2.3 Prepare to Manage Third Party Investigations
R2.4 Prepare to Select Internal Team for Third-Party Investigation
R2.5 Prepare to Respond to Specific Third-Party Investigations

Key Deliverables

Plans: Investigation Management Plan
Reports: Filings, Findings and Recommendations Report

Enabling Technology Components

Technology Arenas: Assurance & Audit Management (AAM), Enterprise Content Management (ECM)
Business Applications: Documents & Records Management (DRM), Email Management (EM), Loss Management (LM)
GRC Core Applications: Audit Analytics (AA), Discovery (eDiscovery), Enterprise Risk Assessment (ERA), Environmental Monitoring & Reporting (EMR), Financial Assurance & Audit (FAA), Fraud Detection & Prevention (FDP), Global Trade Compliance (GTC)/International Dealings, Information Technology Audit (ITA), Insurance & Claims Management (ICM), Legal Matter Management (LMM)
Infrastructure: Retention & Storage Management (RSM)

R2 THIRD-PARTY INQUIRIES & INVESTIGATIONS


R2.1 PREPARE FOR AND ADDRESS THIRD PARTY INQUIRIES

Identify and respond to questions from third parties.


Core Sub-practices

R2.1.01
l Establish multiple pathways for intake of third party questions including, but not limited to, an anonymous helpline.

R2.1.02
l Establish procedures to screen incoming third party questions, including:
• determine if initial questions are part of an ongoing investigation,
• refer inquiries to in-house or external counsel, and
• assign non-investigative questions to the appropriate person for timely response or discussion (or refusal to provide
information).

R2.1.03
l Establish accepted answers to expected questions that may be provided without further review or approval, via helpline or
otherwise.

R2.1.04
l Establish a list of types of questions requiring referral to in-house legal counsel or that will not be answered without a
decision by counsel.

R2 THIRD-PARTY INQUIRIES & INVESTIGATIONS


R2.2 PREPARE TO IDENTIFY THIRD PARTY INVESTIGATIONS

Establish methods to ensure the right people know about initiated third party investigations.
Core Sub-practices

R2.2.01
l Establish procedures to ensure that questions posed to the organization via a helpline or other method that are identified
as part of, or a precursor to, a third party investigation are forwarded to appropriate personnel responsible for vetting such
investigations.

R2.2.02
l Establish policies and procedures to require internal reporting of knowledge of non-standard third party inquiries, or
investigations, to appropriate management personnel.

R2.2.03
l Establish monitoring of external sources to identify onset of a third party investigation when possible.

R2 THIRD-PARTY INQUIRIES & INVESTIGATIONS
R2.3 PREPARE TO MANAGE THIRD PARTY INVESTIGATIONS

Establish policies, procedures, and responsibility for managing various types of third party
investigations.
Core Sub-practices

R2.3.01
l Establish an inventory of the types of possible third party investigations and assign management responsibility for each type
(overall or within specific areas of risk concern and/or part of the organization), including:
• compliance audit of organization as a vendor,
• routine regulatory investigations,
• regulatory investigations that relate to possible civil or criminal violations,
• private party investigations related to litigation or legal claims,
• external stakeholder investigations including investors, lenders, underwriters, listing agents,
• grand jury investigations, and
• physical site or document seizures by government enforcement agents.

R2.3.02
l Determine and document organizational rights and procedural safeguards in the context of each anticipated type of
investigation based on investigating authority and legal basis of the investigation, taking privilege and confidentiality needs
into account.

R2.3.03
l Establish policies and procedures to follow at the onset of each identified type of investigation including:
• procedures for establishing an internal response team and team leader,
• procedures for responding to interview requests and subpoenas,
• procedures for responding to document requests and subpoenas,
• procedures for responding to information that former employees or other stakeholders have been contacted for
interviews or documents, and
• procedures for responding to sudden on-site presence of investigators demanding documents or seizure of the premises.

R2.3.04
l Establish procedures to disclose the existence of a particular type of investigation to the Board, independent auditors,
regulatory agencies, creditors or insurers whenever there is an obligation to do so under agreements, contracts or
established policies and procedures, and ensure disclosure meets any timing requirements.

R2.3.05
l Establish procedures to quickly inform senior management and the Board or audit committee of any investigation the
outcome of which may be material to the organization, implicate wrongdoing by any member of management, indicate
criminal wrongdoing by anyone in the organization, or lead to potential reputational damage, taking privilege and
confidentiality needs into account.

R2.3.06
l Establish procedures to inform those responsible for managing the public relations and stakeholder relations of the
organization about investigations as soon as possible and, to the extent necessary, within the context of a privileged
discussion.

R2.3.07
l Prepare methods for determining privilege, privacy and confidentiality issues that may need to be addressed with
investigators.

R2.3.08
l Prepare methods for determining conflicts of interest of individuals involved in the investigation from either the
organization or the investigating body.



R2 THIRD-PARTY INQUIRIES & INVESTIGATIONS


R2.4 PREPARE TO SELECT INTERNAL TEAM FOR THIRD-PARTY INVESTIGATION

Establish procedures for selecting the team of individuals that will represent the organization
during a specific investigation.
Core Sub-practices

R2.4.01
l Establish initial lists of the people (roles) responsible for implementing or overseeing procedures set for each type of
investigation, considering that:
• different people may be identified for investigations into different risk areas or parts of the organization,
• different people may head up the team depending on the type of investigation, and
• some investigations will need to be completely managed by external legal counsel.

R2.4.02
l Establish a list of outside counsel selected or approved in advance to be consulted when the need for counsel in a particular
type of investigation arises and establish procedures to engage such counsel if the need arises.

R2.4.03
l Utilize established rules, policies and procedures for the type of investigation to determine which people within the
organization will be responsible for overseeing the organization’s role in the investigation, dealing directly with
investigators, and leading the internal investigation team.

R2.4.04
l Establish procedures to screen all selected team members to ensure no conflict of interest or bias in the type of
investigation and continually revisit as information arises.

R2.4.05
l Establish policies that ensure team members have clear authority and that their authority will be expressed to all personnel
who may have to respond to their requests for information, documents, or interviews.

R2.4.06
l Establish policies and procedures that ensure team members are relieved of other duties as necessary to provide time
required to participate effectively in the investigation.

R2 THIRD-PARTY INQUIRIES & INVESTIGATIONS
R2.5 PREPARE TO RESPOND TO SPECIFIC THIRD-PARTY INVESTIGATIONS

Establish procedures for developing a response to a specific investigation.


Core Sub-practices

R2.5.01
l Establish procedures to determine whether there is an obligation to immediately disclose the existence of a specific
investigation to the Board, independent auditors, regulatory agencies, creditors or insurers under agreements, contracts or
established policies and procedures.

R2.5.02
l Prepare a standard response management plan for each type of investigation, which may be modified based on specific
investigation facts and circumstances, which addresses procedures to:
• collect or identify all requested documents and data and initiate document holds to stop any routine destruction or
removal,
• document exactly what is provided to the third party,
• track information that will be released as non-privileged, indicating that the release is intentional and controlled,
• track list of released items being maintained as privileged,
• determine individuals who will need to be interviewed to fulfill investigation requests, both current personnel of the
organization and former employees or agents,
• determine if any requests for information will be refused and develop that response under legal review,
• determine the need to negotiate confidentiality agreements regarding certain information to be delivered to the third
party and whether the organization needs to seek to provide any privileged information under seal,
• inform individuals involved in the investigation as witnesses, interviewees or otherwise, that in-house and outside counsel
represent only the organization and not them individually, and document that they understand, and
• internally and externally communicate investigation results and recommended actions.

R3 CORRECTIVE CONTROLS

Establish process, human capital, technology and physical control activities
to correct undesirable consequences that result from adverse events,
activities and conduct.

Principles

01 A well designed system of controls should include corrective controls to stop, slow and recover from an
adverse event.
02 Corrective controls should provide feedback about how to improve the prevention and detection of future
adverse events.

Common Sources Of Failure


01 Not correcting both the immediate adverse impact as well as the root cause of the adverse impact.
02 Excessive reliance on discretionary controls that require human intervention or decision which increases
vulnerability
03 Not establishing an audit trail to track when corrective control activities are performed

Guidelines and Practices



R3.1 Establish Corrective Process Controls
R3.2 Establish Corrective Human Capital Controls
R3.3 Establish Corrective Technology Controls
R3.4 Establish Corrective Physical Controls
R3.5 Monitor and Report Corrective Controls

Key Deliverables

Matrices: Risk / Control Matrix
Plans: Corrective Control Activity Plan
Reports: Corrective Action Report

Enabling Technology Components

Technology Arenas: Assurance & Audit Management (AAM), Security Management (SM)
Business Applications: Brand & Reputation Management (BRM), Loss Management (LM), Policy & Procedure Management (P&P), Quality Management & Monitoring (QMM), Strategic Planning (SP), Supply Chain & Procurement Management (SCM), Transaction Management (TM)
GRC Core Applications: Controls Management & Monitoring (CMM), Crisis Management (CMT), Environmental Monitoring & Reporting (EMR), Financial Assurance & Audit (FAA), Geo-Political Risk (GPR) Management, Information Technology Audit (ITA), Information Technology Risk & Compliance (ITRC) Management, Transaction Monitoring (TRM)
Infrastructure: Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR), Identity and Access Management (IAM), Physical Security (PS), Systems Log Management (SLM)

R3 CORRECTIVE CONTROLS
R3.1 ESTABLISH CORRECTIVE PROCESS CONTROLS

Establish corrective process control activities to stop, slow and recover from adverse events,
and deter future adverse events.
Core Sub-practices

R3.1.01
l Establish process control activities that stop and/or slow the adverse event.

R3.1.02
l Establish process control activities that restore the system to a stable state.

R3.1.03
l Establish process control activities that deter future potential adverse events.

R3 CORRECTIVE CONTROLS
R3.2 ESTABLISH CORRECTIVE HUMAN CAPITAL CONTROLS

Establish corrective human capital controls that stop, slow and recover from adverse events,
and deter future adverse events.
Core Sub-practices

R3.2.01
l Establish controls to suspend the authority of personnel involved in or related to adverse events.

R3.2.02
l Establish controls to modify or override reporting structures once adverse events are detected.

R3.2.03
l Establish procedures to assemble corrective action teams once adverse events are detected.

R3 CORRECTIVE CONTROLS
R3.3 ESTABLISH CORRECTIVE TECHNOLOGY CONTROLS

Establish corrective technology controls that stop, slow and recover from adverse events, and
deter future adverse events.
Core Sub-practices

R3.3.01
l Establish controls to eliminate or restrict access to appropriate technology once adverse events are detected.

R3.3.02
l Establish controls to suspend appropriate processing activities once adverse events are detected.

R3.3.03
l Establish controls to hold and archive appropriate information and documents once adverse events are detected.

R3 CORRECTIVE CONTROLS
R3.4 ESTABLISH CORRECTIVE PHYSICAL CONTROLS

Establish corrective physical controls that stop, slow and recover from adverse events, and
deter future adverse events.
Core Sub-practices

R3.4.01
l Establish controls that secure and restrict access to appropriate physical assets once adverse events are detected.

R3.4.02
l Establish controls to lock down appropriate buildings and facilities once adverse events are detected.

R3.4.03
l Establish controls to "harden" physical infrastructure once adverse events are detected including:
• barriers,
• reinforcements, and
• containment.

R3.4.04
l Establish controls to stop or slow the impact of adverse events on physical assets (e.g., fire extinguishers).

R3 CORRECTIVE CONTROLS
R3.5 MONITOR AND REPORT CORRECTIVE CONTROLS

Monitor and report the progress of corrective control activities.


Core Sub-practices

R3.5.01
l Establish a monitoring approach and responsible party to ensure that corrective control activities are performed.

R3.5.02
l Establish reports and identify relevant recipients to be notified when corrective control activities are performed and
concluded.

R4 CRISIS RESPONSE, CONTINUITY AND RECOVERY

Plan for and respond to crisis issues, business disruption and other significant events.

Principles

01 Protecting individuals from physical harm is essential.
02 Having a broad view of where interruption could arise is critical.
03 Business, IT, emergency management, public affairs, communications, and continuity personnel should design
integrated plans.
04 Constant, clear and redundant communication is essential to successful crisis management.

Common Sources Of Failure


01 Not establishing plans to address reasonably anticipated types of crises
02 Not testing crisis management plans
03 Not involving all relevant internal and external roles in the planning stage
04 Not communicating appropriate information to relevant stakeholders during implementation of a crisis plan

Guidelines and Practices

R4.1 Develop Crisis Response and Continuity Plans
R4.2 Identify Crisis Readiness and Response Teams
R4.3 Test Plans and Procedures
R4.4 Coordinate Plans

Key Deliverables

Plans: Crisis, Continuity and Recovery Plan
Reports: Findings and Recommendations Report

Enabling Technology Components

Technology Arenas: Enterprise Risk Management (ERM), Human Resources Management (HRM), Security Management (SM)
Business Applications: Documents & Records Management (DRM), Loss Management (LM), Strategic Planning (SP)
GRC Core Applications: Accountability/Responsibility Management (ARM), Crisis Management (CMT), Environmental, Health & Safety (EH&S) Management, Global Trade Compliance (GTC)/International Dealings, Information Privacy Management (IPM), Information Technology Audit (ITA), Legal Matter Management (LMM), Operational Assurance & Audit (OAA), Operational Risk Management (ORM), Risk Analytics (RA)
Infrastructure: Business Continuity Management (BCM), Disaster Recovery (DR), Identity and Access Management (IAM), Information Technology Operations (ITO) Management, Physical Security (PS)

R4 CRISIS RESPONSE, CONTINUITY AND RECOVERY


R4.1 DEVELOP CRISIS RESPONSE AND CONTINUITY PLANS

Develop the plans for responding to various types of crises and recovering from business
disruption.
Core Sub-practices

R4.1.01
l Identify the types of crises that might arise and create a list of specific examples of ones deemed to be either likely or of
significant impact if they were to occur, including events with crisis level impacts on:
• a physical plant or infrastructure such as weather disasters, accidents or intentional harm to structures,
• access to data such as physical disruption to servers or technology failure,
• protection of confidential or personally identifiable information such as theft or breach of confidential or personally
identifiable data,
• ability to operate such as technology or power interruptions, political upheaval,
• public confidence in products or services,
• reputation,
• workforce such as health crises, and
• the enterprise, the community or individuals from violent criminal conduct.

R4.1.02
l Develop a business impact analysis for each listed type of crisis by:
• refining internal and external context and risk analysis,
• analyzing implications of loss, delay, inability to access or serve key people, systems, processes, suppliers, customers, and
business partners, and
• analyzing anticipated information loss based on archive/back-up strategies for systems and processes.

R4.1.03
l Address business continuity and recovery goals for each type of crisis by:
• determining recovery time objectives,
• prioritizing key business processes and critical functions,
• selecting and documenting business continuity strategies for interim operations and recovery plans,
• documenting information systems interim operations and recovery plans, and
• documenting facilities interim responses and recovery.

R4.1.04
l Establish detailed response and recovery plans for each type of crisis that include the following:
• in the case of a physical crisis, policies and procedures for coordination with first responders from local authorities on
plans, procedures, and communication protocols so they can facilitate safety, rescue and emergency operations,
• in the case of potential allegations of criminal conduct, procedures for interactions with police or prosecution authorities,
• in the case of a data management disruption or failure, disaster recovery plans,
• an identified communications plan and team, including legal, public relations and investor relations as appropriate,
• policies and procedures to direct public disclosures and communications through identified organization representatives,
and involve legal, public relations and investor relations as appropriate,
• procedures for establishment of crisis response headquarters away from danger/crisis area,
• policies and procedures that prioritize physical safety of employees and family member communications,
• procedures to evaluate pursuing contractual or other legal rights to demand indemnification or file claims for insurance,
and
• procedures to analyze response effectiveness and performance after action.

R4 CRISIS RESPONSE, CONTINUITY AND RECOVERY


R4.2 IDENTIFY CRISIS READINESS AND RESPONSE TEAMS

Define personnel who will be responsible for crisis preparedness and those who will be deployed
as crisis response teams for each type of identified crisis.
Core Sub-practices

R4.2.01
l For each type of crisis, identify the personnel who will have responsibility for maintaining readiness and monitoring for signs
of impending crisis.

R4.2.02
l For each type of crisis, identify a preliminary response team in each location, and amend it as necessary so that it stays
current as personnel change.

R4.2.03
l Identify leadership that is accountable for communicating with the workforce, families and external stakeholders for each
type of crisis.

R4.2.04
l Determine succession authorities in the event that an individual with established authority is unavailable when a crisis
arises.

R4 CRISIS RESPONSE, CONTINUITY AND RECOVERY


R4.3 TEST PLANS AND PROCEDURES

Test and evaluate the various crisis plans and procedures.


Core Sub-practices

R4.3.01
l For each type of crisis, define a preparedness exercise plan, including:
• scope of the exercise,
• frequency of the exercise,
• accountability for the preparedness exercise,
• who will be involved, including any personnel new to the crisis management team, and
• how the practice response will be evaluated.

R4.3.02
l Select appropriate preparedness exercise type including:
• tabletop scenarios,
• simulations, and
• activation exercises.

R4.3.03
l Conduct exercises according to plan.

R4.3.04
l Evaluate performance against the plan and effectiveness of the response.

R4 CRISIS RESPONSE, CONTINUITY AND RECOVERY


R4.4 COORDINATE PLANS

Coordinate the various continuity and response plans in anticipation of business disruption that
may span more than one facility.
Core Sub-practices

R4.4.01
l Correlate local, regional and national plans.

R4.4.02
l Coordinate and rationalize recovery time objectives across plans of individual functions, departments, business units or
facilities with projected resource availability.

R4.4.03
l Rationalize recovery time objectives with information systems recovery capabilities.
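The RTO rationalization described in R4.4.02 and R4.4.03 as a worked example, added here and not OCEG's own code: each unit's plan states an RTO per process, each system's disaster recovery plan demonstrates a restore time, and systems depend on one another. The example derives the tightest deadline each system inherits across all plans and reports where demonstrated recovery falls short. All systems, dependencies, processes and hour values are constructed.

```python
"""Rationalize recovery time objectives (RTOs) across continuity plans and
against information-system recovery capability (R4.4.02 / R4.4.03).

Added example, not OCEG's own code; every system, dependency, process and
hour value below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class System:
    """An information system and the recovery time its DR plan demonstrates."""
    name: str
    recovery_hours: float                       # restore time once prerequisites are up
    depends_on: List[str] = field(default_factory=list)  # must be restored first


@dataclass
class Process:
    """A business process from one unit's continuity plan (its RTO comes from R4.1.03)."""
    name: str
    unit: str
    priority: int                               # 1 = most critical
    rto_hours: float                            # the plan's stated recovery time objective
    systems: List[str]                          # systems it cannot operate without


def effective_recovery(name: str, systems: Dict[str, System],
                       _stack: Optional[List[str]] = None) -> float:
    """Hours until `name` is usable: its own restore time after its slowest
    prerequisite chain (prerequisites are assumed to restore sequentially)."""
    trail = _stack or []
    if name in trail:
        raise ValueError("circular dependency: " + " -> ".join(trail + [name]))
    sys_ = systems[name]
    prereq = max((effective_recovery(d, systems, trail + [name]) for d in sys_.depends_on),
                 default=0.0)
    return prereq + sys_.recovery_hours


def process_gaps(processes: List[Process], systems: Dict[str, System]) -> List[dict]:
    """R4.4.03 per process: achievable recovery vs stated RTO. A positive gap means
    the plan promises a recovery that the systems cannot deliver."""
    findings = []
    for p in sorted(processes, key=lambda x: x.priority):
        achievable = max(effective_recovery(s, systems) for s in p.systems)
        findings.append({"process": p.name, "unit": p.unit, "rto": p.rto_hours,
                         "achievable": achievable,
                         "gap": max(0.0, achievable - p.rto_hours)})
    return findings


def system_deadlines(processes: List[Process], systems: Dict[str, System]) -> Dict[str, float]:
    """R4.4.02 across plans: the tightest deadline any unit's plan implies for each
    system. A prerequisite must be up `recovery_hours` before the system needing it."""
    deadline: Dict[str, float] = {}

    def demand(name: str, by_hours: float, stack: List[str]) -> None:
        if name in stack:
            raise ValueError("circular dependency: " + " -> ".join(stack + [name]))
        deadline[name] = min(by_hours, deadline.get(name, float("inf")))
        for d in systems[name].depends_on:
            demand(d, by_hours - systems[name].recovery_hours, stack + [name])

    for p in processes:
        for s in p.systems:
            demand(s, p.rto_hours, [])
    return deadline


def system_shortfalls(processes: List[Process], systems: Dict[str, System]) -> List[tuple]:
    """Systems whose demonstrated recovery misses the deadline the plans imply,
    largest shortfall first: what DR must fund or the plans must relax."""
    deadlines = system_deadlines(processes, systems)
    short = {n: effective_recovery(n, systems) - d for n, d in deadlines.items()}
    return sorted(((n, s) for n, s in short.items() if s > 0), key=lambda x: -x[1])


# Constructed sample: three units' plans sharing one identity/database chain.
SYSTEMS = {s.name: s for s in [
    System("identity", 4.0),
    System("core-db", 6.0, ["identity"]),
    System("payments-app", 2.0, ["core-db", "identity"]),
    System("erp", 12.0, ["identity"]),
    System("email", 8.0),
]}
PROCESSES = [
    Process("Card payments", "Finance", 1, 8.0, ["payments-app"]),
    Process("Payroll", "HR", 2, 24.0, ["erp"]),
    Process("Customer support", "Operations", 3, 12.0, ["email", "core-db"]),
]

if __name__ == "__main__":
    for f in process_gaps(PROCESSES, SYSTEMS):
        flag = "GAP" if f["gap"] else "OK "
        print(f"{flag} {f['process']:<18} rto={f['rto']:>5.1f}h achievable={f['achievable']:>5.1f}h")
    for name, hours in system_shortfalls(PROCESSES, SYSTEMS):
        print(f"    {name}: recovery capability short by {hours:.1f}h")
```

In the sample the Finance plan's 8-hour RTO is unreachable by 4 hours, and the shortfall traces back through the shared identity and database chain, which is exactly the cross-plan conflict R4.4 asks the coordinator to resolve.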

R5 REMEDIATION & DISCIPLINE

Resolve substantiated issues by fixing any weaknesses in the GRC system and disciplining appropriate individuals.

Principles

01 The assurance that each reported issue/incident is resolved is essential to maintain support for the GRC
system throughout all levels of the organization.
02 Disciplinary measures that are applied consistently and objectively serve as deterrents and drive support for
the GRC system throughout the workforce.

Common Sources Of Failure

01 Not ensuring that relevant people are aware the issue has been redressed
02 Not establishing a process to record and ascertain history regarding discipline
03 Not establishing expectations regarding discipline for various types of conduct
04 Not providing timely notification about resolution of the investigation
05 Not making changes to aspects of the GRC system that contributed to or allowed the incident or issue to
occur

Guidelines and Practices

R5.1 Remediate the GRC System
R5.2 Discipline Individuals
R5.3 Disclose Issue Resolution

Key Deliverables

Matrices: Prioritized Risk Matrix
Reports: Filings, Findings and Recommendations Report

Enabling Technology Components

Technology Arenas: Enterprise Risk Management (ERM), Human Resources Management (HRM), Security Management (SM)
Business Applications: Loss Management (LM)
GRC Core Applications: Accountability/Responsibility Management (ARM), Controls Management & Monitoring (CMM), Corporate Social Responsibility (CSR), Enterprise Risk Assessment (ERA), Risk Analytics (RA)
Infrastructure: Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR)

R5 REMEDIATION & DISCIPLINE


R5.1 REMEDIATE THE GRC SYSTEM

Resolve each reported issue/incident, document the outcome, and propose appropriate changes
to the GRC system to avoid similar issues in the future.
Core Sub-practices

R5.1.01
l Propose changes to the GRC system to remediate points of failure that contributed to the issue or incident.

R5.1.02
l Document results including:
• outcome categories,
• root cause,
• resolution, and
• remediation.

R5.1.03
l Resolve reported issues/incidents using corrective action processes.

R5.1.04
l Revise the prioritized risk matrix to reflect the effect of detected issues and remediation activities on:
• identified current optimization activities, and
• likelihood and probability analysis of current and planned residual risk.

R5 REMEDIATION & DISCIPLINE


R5.2 DISCIPLINE INDIVIDUALS

Discipline individuals for misconduct.


Core Sub-practices

R5.2.01
l Define and enforce a procedure and criteria for consistent discipline given the type of misconduct.

R5.2.02
l Administer appropriate discipline under applicable policies, procedures, laws, and regulations.

R5.2.03
l Track discipline decisions and include in workforce files and extended enterprise relationship records.

R5.2.04
This is not legal or professional advice. driving principled
l Periodically report to the Board on material disciplinary measures taken (and underlying facts and circumstances).
Please contact a professional regarding 150 performance ®
your specific R5.2.05
needs. © 2003 - 2009 OPEN COMPLIANCE & ETHICS GROUP

l Periodically review past disciplinary actions to ensure consistency.


SINGLE USER NON-COMMERCIAL LICENSE: ZORAN10 ([email protected]). EMAIL [email protected] FOR COMMERCIAL LICENSE.
Infrastructure Business Continuity Management (BCM), Configuration and Change
Management (CCM), Disaster Recovery (DR)

R5 REMEDIATION & DISCIPLINE
R5.3 DISCLOSE ISSUE RESOLUTION

When required or appropriate, disclose findings and resolution of investigations to stakeholders.


Core Sub-practices

R5.3.01
l As required, disclose results of investigations to external stakeholders.

R5.3.02
l Establish procedures to voluntarily disclose results and resolution of investigations to internal and external stakeholders as
appropriate, including:
• regulatory agencies,
• enforcement authorities,
• investors / underwriters,
• customers, and
• workforce.

R5.3.03
l Provide a single point of communication with external stakeholders.

R5.3.04
l Inform stakeholders about resulting changes to the GRC system.


M MONITOR & MEASURE

Monitor, measure and modify the GRC system on a periodic and ongoing basis to ensure it contributes to business
objectives while being effective, efficient and responsive to the changing environment.

M1 Context Monitoring

M1.1 Monitor External Context
M1.2 Monitor Internal Context

M2 Performance Monitoring & Evaluation

M2.1 Monitor and Evaluate GRC System Design
M2.2 Review and Reconsider Risks
M2.3 Identify Relevant Risk Optimizing Activities
M2.4 Analyze Potential for Failure
M2.5 Identify Monitoring Information
M2.6 Perform Monitoring Activities
M2.7 Analyze and Report Monitoring Results

M3 Systemic Improvement

M3.1 Develop Improvement Plan
M3.2 Implement Improvement Initiatives

M4 Assurance

M4.1 Plan Assurance Assessment
M4.2 Perform Assurance Assessment

M1 CONTEXT MONITORING

Monitor and analyze changes in the internal and external context to determine if GRC system changes are required.

Principles

01 The GRC system must be flexible enough to respond rapidly to changes in the external and internal context
in which it must operate.
02 Failure to recognize and respond to context changes may result in failure of critical GRC system controls.
03 The GRC system will be most effective if the organization identifies and evaluates anticipated changes in
context in time to plan system alterations.

Common Sources Of Failure


01 Not sufficiently monitoring the external and internal context for changes that could render the GRC system
ineffective
02 Not taking a sufficiently broad view of which external events may apply to the organization
03 Not monitoring inherently high risks because of a belief that controls will not fail or that the occurrence is
unlikely
04 Not assigning clear accountability for tracking each aspect to identify and analyze changes
05 Not responding to an identified change quickly enough

Guidelines and Practices

M1.1 Monitor External Context
M1.2 Monitor Internal Context

Key Deliverables

Matrices: Prioritized Risk Matrix
Plans: Risk Optimization Plan
Reports: Findings and Recommendations Report

Enabling Technology Components

Technology Arenas: Business Intelligence (BI), Business Process Management (BPM), Enterprise Content Management (ECM), Enterprise Resource Management (ER), Human Resources Management (HRM)
Business Applications: Brand & Reputation Management (BRM), Collaboration/Knowledge Management (KM), Contact/Customer Relationship Management (CRM), Contract Management (CM), Corporate Performance Management (CPM), Dashboards (GRC Workflow), Email Management (EM), Employee Evaluations & Surveys (EES), Enterprise Asset Management (EAM), Legal Entity Management (LEM), Project Portfolio Management (PPM), Strategic Planning (SP), Supply Chain & Procurement Management (SCM)
GRC Core Applications: Controls Management & Monitoring (CMM), Corporate Social Responsibility (CSR), Discovery (eDiscovery), Environmental Monitoring & Reporting (EMR), Ethical Practices/Corporate Integrity (ECI), Fraud Detection & Prevention (FDP), Geo-Political Risk (GPR) Management, Global Trade Compliance (GTC)/International Dealings, Information Privacy Management (IPM), News Feeds (GRC Intelligence), Operational Risk Management (ORM), Risk Analytics (RA), Transaction Monitoring (TRM)
Infrastructure: Enterprise Architecture Standards (EAS), Identity and Access Management (IAM), Retention & Storage Management (RSM), Systems Log Management (SLM)

M1 CONTEXT MONITORING
M1.1 MONITOR EXTERNAL CONTEXT

Continually monitor changes in the external environment that may have a direct, indirect or
cumulative effect on the organization.
Core Sub-practices

M1.1.01
l Monitor stakeholder groups for changes in views and key individuals.

M1.1.02
l Monitor market conditions.

M1.1.03
l Monitor industry participants and competitors for risk and compliance issues.

M1.1.04
l Monitor other peers as defined by similar workforce size, similar business activities, and similar geographic scope for risk
and compliance issues.

M1.1.05
l Monitor geopolitical changes in all relevant areas of operation.

M1.1.06
l Monitor changes in external requirements including those from:
• laws, rules and regulations,
• administrative guidelines and rulings,
• significant judicial rulings,
• regulatory guidance,
• prosecutorial guidance,
• legal interpretations,
• consent orders and integrity agreements,
• enforcement activities,
• contracts,
• standards, and
• trade association commitments.

M1.1.07
l Monitor changes in customary practices in the industry, and cultural differences in the relevant locations.

M1.1.08
l Notify individuals responsible for relevant risk optimization activities about context changes, including those that require
immediate consideration.

M1.1.09 Individuals responsible for risk analysis and optimization activities augment or revise the prioritized risk matrix and risk optimization plan to reflect, as appropriate:
• changes in the form of additional, altered or eliminated risks and requirements,
• revised inherent risk analysis,
• current residual risk analysis,
• categorization and prioritization,
• risk optimization strategy,
• risk optimization activities, and
• planned residual risk.

This is not legal or professional advice. Please contact a professional regarding your specific needs.
driving principled performance ®
156
© 2003 - 2009 OPEN COMPLIANCE & ETHICS GROUP

SINGLE USER NON-COMMERCIAL LICENSE: ZORAN10 ([email protected]). EMAIL [email protected] FOR COMMERCIAL LICENSE.

M1 CONTEXT MONITORING
M1.2 MONITOR INTERNAL CONTEXT

Continually monitor changes in the internal environment that may have a direct, indirect or
cumulative effect on the organization.
Core Sub-practices

M1.2.01 Monitor significant changes in business strategy such as:
• changes in business objectives, values and strategy,
• new product development,
• expansion into new markets, and
• mergers and acquisitions.

M1.2.02 Monitor changes in personnel.

M1.2.03 Monitor changes in processes.

M1.2.04 Monitor changes in technology.

M1.2.05 Monitor changes in culture including any significant variance of culture metrics in business units, departments, jobs, or locations.

M1.2.06 Notify individuals responsible for relevant risk optimization activities about context changes, including those that require immediate consideration.

M1.2.07 Individuals responsible for risk analysis and optimization activities augment or revise the prioritized risk matrix and risk optimization plan to reflect, as appropriate:
• changes in the form of additional, altered or eliminated risks and requirements,
• revised inherent risk analysis,
• current residual risk analysis,
• categorization and prioritization,
• risk optimization strategy,
• risk optimization activities, and
• planned residual risk.

M2 PERFORMANCE MONITORING & EVALUATION

Monitor and periodically evaluate the performance of the GRC system to ensure that it is designed and operated to be effective, efficient, and responsive to the changing external and internal context.

Principles
01 Continual monitoring and periodic evaluation enables management and the Board to determine if the GRC system operates effectively over time.
02 Monitoring provides evidence to support assertions about the effectiveness of the GRC system.
03 The monitoring effort should be congruent with the level of risk.
04 Evaluation of GRC system design and operation is part of the GRC management responsibility to assure timely system corrections and improvements.

Common Sources Of Failure
01 Only considering what is effective to prevent or detect noncompliant conduct that would give rise to criminal or civil liability
02 Not measuring performance indicators
03 Not measuring the efficiency and responsiveness of the GRC system
04 Not periodically re-evaluating the design of the GRC system to ensure it is appropriate to optimize identified risks
05 Not considering the full range of information that may indicate GRC systemic weaknesses

Red Book 2.0 - GRC Capability Model

Guidelines and Practices
M2.1 Monitor and Evaluate GRC System Design
M2.2 Review and Reconsider Risks
M2.3 Identify Relevant Risk Optimizing Activities
M2.4 Analyze Potential for Failure
M2.5 Identify Monitoring Information
M2.6 Perform Monitoring Activities
M2.7 Analyze and Report Monitoring Results


Key Deliverables
Plans: GRC Strategic Plan, Risk Optimization Plan
Reports: Findings and Recommendations Report

Enabling Technology Components
Technology Arenas: Business Intelligence (BI), Corporate Governance (CG), Enterprise Risk Management (ERM), Security Management (SM)
Business Applications: Business Activity Monitoring (BAM), Collaboration/Knowledge Management (KM), Corporate Performance Management (CPM), Employee Evaluations & Surveys (EES), Enterprise Asset Management (EAM), Loss Management (LM), Policy & Procedure Management (P&P), Project Portfolio Management (PPM), Quality Management & Monitoring (QMM), Strategic Planning (SP), Supply Chain & Procurement Management (SCM)
GRC Core Applications: Controls Management & Monitoring (CMM), Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Environmental Monitoring & Reporting (EMR), Ethical Practices/Corporate Integrity (ECI), Geo-Political Risk (GPR) Management, Helpline, Hotline/Whistleblower, Insurance & Claims Management (ICM), Legal Matter Management (LMM), Operational Risk Management (ORM), Reporting/eFiling (REF), Risk Analytics (RA)
Infrastructure: Disaster Recovery (DR), Information Technology Operations (ITO) Management, Systems Log Management (SLM)

M2 PERFORMANCE MONITORING & EVALUATION
M2.1 MONITOR AND EVALUATE GRC SYSTEM DESIGN

Establish a schedule for periodic re-evaluation of the appropriateness of the GRC system design in light of the identified requirements and key risks.
Core Sub-practices

M2.1.01 Define aspects of the GRC system design to be periodically re-evaluated, including:
• effectiveness in preventing and detecting conduct or events that violate mandated or voluntarily established requirements,
• efficiency of the controls established as part of the system,
• appropriateness of the selected controls relative to the level of risk, and
• responsiveness of the system.

M2.1.02 Select appropriate monitoring methods for each aspect of the GRC system based on identified goals, assurance level and privilege status, such as:
• technologies to flag incidents of non-conformance to established procedures,
• periodic review of samples of reports, forms, or other required documentation,
• periodic review of established metrics and performance indicators, and
• periodic review of control testing information.

M2 PERFORMANCE MONITORING & EVALUATION
M2.2 REVIEW AND RECONSIDER RISKS

Review any previously assessed or newly identified risks and reconsider, or assess for the first time, their priority based on the best information currently available.
Core Sub-practices

M2.2.01 Analyze information from prevent, detect and respond activities including completed and ongoing investigations.

M2.2.02 Analyze information from human capital control activities.

M2.2.03 Analyze information from context monitoring.

M2 PERFORMANCE MONITORING & EVALUATION
M2.3 IDENTIFY RELEVANT RISK OPTIMIZING ACTIVITIES

Review the related risk optimizing activities in place to address high priority risks.
Core Sub-practices

M2.3.01 Identify the key risk optimizing activities whose failures may not be detected in a timely manner (single points of failure).

M2.3.02 Identify the risk optimizing activities whose failure might trigger the failure of other risk optimizing activities (points of cascading failure).

M2.3.03 Identify the risk optimizing activities that may compensate for failures in other key optimizing activities (key compensating activities).

M2.3.04 Identify other related risk optimizing activities.

M2 PERFORMANCE MONITORING & EVALUATION
M2.4 ANALYZE POTENTIAL FOR FAILURE

Analyze the potential that risk-optimizing activities will fail and the ways in which they might fail.
Core Sub-practices

M2.4.01 Analyze the relative complexity of the control, as controls that are more complex typically have a higher degree of potential failure.

M2.4.02 Analyze the skills required to perform a control and the availability of these skills, as skills shortages will quickly affect these controls.

M2.4.03 Analyze the degree of automation versus manual execution of the control, as:
• manual controls are more prone to human error than automated controls, and
• automated controls are more prone to voluminous and repeated error if there is a systemic issue.

M2.4.04 Analyze prior failures associated with controls.

M2 PERFORMANCE MONITORING & EVALUATION
M2.5 IDENTIFY MONITORING INFORMATION

Identify the information to use to support the evaluation of the performance of the risk optimizing activity(s) and/or the overall performance of the GRC system.
Core Sub-practices

M2.5.01 Identify persuasive information that can be used to conclude that a risk optimizing activity is effective, efficient and responsive.

M2.5.02 Consider direct information from monitoring the external and internal environments.

M2.5.03 Consider direct information about substantiated incidents and general patterns of misconduct.

M2.5.04 Consider direct information from testing controls.

M2.5.05 Consider indirect information generated by business processes for operational purposes.

M2.5.06 Ensure that information is sufficient, relevant, reliable, and obtained in a timely manner.

M2.5.07 Determine what information may be reviewed by samples and what information requires complete review.

M2.5.08 Determine what information must be considered that is not contained in reviewable documents or data, and determine methods for reviewing such information, such as interviews or surveys.

M2 PERFORMANCE MONITORING & EVALUATION
M2.6 PERFORM MONITORING ACTIVITIES

Perform monitoring activities to support the evaluation of the performance of the system.
Core Sub-practices

M2.6.01 Review identified documents and samples of data.

M2.6.02 Conduct identified interviews and surveys.

M2.6.03 Consolidate information from different sources to enable comparison and analysis.

M2 PERFORMANCE MONITORING & EVALUATION
M2.7 ANALYZE AND REPORT MONITORING RESULTS

Analyze the results of monitoring activities to identify instant weaknesses and opportunities for systemic improvements.
Core Sub-practices

M2.7.01 Identify and analyze reasons for conflicting information.

M2.7.02 Determine validity and reliability of information.

M2.7.03 Determine if misconduct or control failures are occurring beyond established acceptable tolerances.

M2.7.04 Determine if a number of instances of misconduct or control failures relate to a particular location, supervisor or manager, or individual.

M2.7.05 Determine if a number of control failures relate to a particular process, human capital, technology, or physical control.

M2.7.06 Report on the results and general proposed responses to appropriate internal and external stakeholders.

M3 SYSTEMIC IMPROVEMENT

Use information from periodic monitoring as well as ongoing detection activities to identify opportunities for GRC system improvements.

Principles
01 Continual improvement is the hallmark of a mature and high performing GRC system.
02 Improvement efforts allow for implementation of innovations as they become available.
03 Budgeting for regular improvement activities enables continual GRC system maturation and efficiency.
04 Ensure all improvements address root causes and not just symptoms.

Common Sources Of Failure


01 Not acting on identified improvement opportunities
02 Not identifying root causes behind GRC system failures
03 Not having a sufficiently broad network of intelligence to identify opportunities for improvement
04 Not establishing clear ownership of improvement projects

Guidelines and Practices



M3.1 Develop Improvement Plan
M3.2 Implement Improvement Initiatives

Key Deliverables
Matrices: Prioritized Risk Matrix
Plans: GRC Strategic Plan, Risk Optimization Plan
Reports: Findings and Recommendations Report

Enabling Technology Components
Technology Arenas: Business Process Management (BPM)
Business Applications: Budget & Finance Management (BFM), Contact/Customer Relationship Management (CRM), Corporate Performance Management (CPM), Policy & Procedure Management (P&P), Project Portfolio Management (PPM), Quality Management & Monitoring (QMM), Strategic Planning (SP), Transaction Management (TM)
GRC Core Applications: Controls Management & Monitoring (CMM), Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Ethical Practices/Corporate Integrity (ECI), Information Technology Audit (ITA), Information Technology Risk & Compliance (ITRC) Management, Operational Assurance & Audit (OAA), Transaction Monitoring (TRM)
Infrastructure: Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR), Enterprise Architecture Standards (EAS), Information Technology Operations (ITO) Management

M3 SYSTEMIC IMPROVEMENT
M3.1 DEVELOP IMPROVEMENT PLAN

Develop a prioritized plan for implementing improvements to the program.
Core Sub-practices

M3.1.01 Develop portfolio of improvement initiatives.

M3.1.02 Communicate improvement plan to management.

M3.1.03 Define any recommendations from investigation outcome reports that are not in improvement plan and provide explanation(s).

M3.1.04 Obtain authorization to execute improvement plan.

M3 SYSTEMIC IMPROVEMENT
M3.2 IMPLEMENT IMPROVEMENT INITIATIVES

Implement the specific action plans and initiatives intended to improve the program.
Core Sub-practices

M3.2.01 Adapt existing priorities and plans to accommodate additions.

M3.2.02 Enhance change management and program management capability as needed for additional initiatives.

M3.2.03 Engage resources for initiatives.

M3.2.04 Manage initiatives pursuant to project plans.

M3.2.05 Periodically report on project and portfolio status.

M3.2.06 Confirm that initiatives were completed as defined in the improvement plan.

M3.2.07 Assess whether targeted improvements are achieved.

M3.2.08 Document changes to the GRC system, including changes, if any, to the GRC strategic plan, prioritized risk matrix, and the risk optimization plan.


M4 ASSURANCE

Provide assurance to management and the Board that the GRC system is reliable, effective, efficient and responsive.

Principles
01 Management and the Board need independent reasonable assurance about the effectiveness of the GRC
system.
02 Management and the Board should obtain reasonable assurance that the GRC system is effective to detect
and prevent conduct that is not in accordance with mandates and voluntary commitments of the organization.
03 Either internal auditors or external auditors or evaluators can provide assurance.
04 The degree of assurance desired may vary at different times and for different purposes.
05 The degree of assurance increases as the level of independence and capability of the assessors changes, and is
further enhanced by the use of independent, objective standards or agreed upon procedures for review.

Common Sources Of Failure


01 Not using objective, skilled assurance personnel with experience in the subject matter of the assessment
02 Not ensuring independence of assurance personnel
03 Not ensuring assurance personnel have no stake in activities for which they are providing assurance
04 Not using risk assessment to focus the assurance effort
05 Not having consistent high quality information as a basis for assurance opinions

Guidelines and Practices



M4.1 Plan Assurance Assessment
M4.2 Perform Assurance Assessment

Key Deliverables
Reports: Findings and Recommendations Report

Enabling Technology Components
Technology Arenas: Assurance & Audit Management (AAM), Corporate Governance (CG), Security Management (SM)
Business Applications: Loss Management (LM), Policy & Procedure Management (P&P)
GRC Core Applications: Audit Analytics (AA), Controls Management & Monitoring (CMM), Discovery (eDiscovery), Enterprise Risk Assessment (ERA), Environmental Monitoring & Reporting (EMR), Finance & Treasury Risk (FTR) Management, Financial Assurance & Audit (FAA), Fraud Detection & Prevention (FDP), Hotline/Whistleblower, Information Technology Audit (ITA), Legal Matter Management (LMM), Operational Assurance & Audit (OAA), Transaction Monitoring (TRM)
Infrastructure: Physical Security (PS), Systems Log Management (SLM)

M4 ASSURANCE
M4.1 PLAN ASSURANCE ASSESSMENT

Determine scope, procedures and criteria required to provide the desired level of assurance.
Core Sub-practices

M4.1.01 Determine scope of review.

M4.1.02 Determine level of assurance desired.

M4.1.03 Based on schedule, cost and objectives, determine whether to define standards, procedures and criteria or to use objective, independently issued standards or agreed upon procedures for review, and if so, identify them.

M4.1.04 Identify parties to perform the assessment that supports the assurance.

M4 ASSURANCE
M4.2 PERFORM ASSURANCE ASSESSMENT

Perform procedures, evaluate results against criteria and deliver report.
Core Sub-practices

M4.2.01 Review monitoring reports and changes to the GRC system previously undertaken by management as part of the assurance process.

M4.2.02 Prepare an assurance report and recommendations for management and the Board.

I INFORM & INTEGRATE

Capture, document and manage GRC information so that it efficiently and accurately flows up, down and across the extended enterprise, and to external stakeholders.

I1 Information Management & Documentation
I1.1 Develop a GRC Information Management Classification Structure
I1.2 Develop GRC Information Collection Policies & Procedures
I1.3 Develop GRC Information Access, Use and Transfer Policies & Procedures
I1.4 Develop GRC Information Storage & Disposition Policy & Procedures

I2 Internal & External Communication
I2.1 Develop Reporting Plan
I2.2 Develop Communication Plan

I3 Technology & Infrastructure
I3.1 Assess Technology Needs and Gaps
I3.2 Develop GRC Technology Portion of GRC Strategic Plan


I1 INFORMATION MANAGEMENT & DOCUMENTATION

Implement and manage an integrated record management system so that GRC information is relevant, reliable, timely, secure and available.

Principles
01 Information should be reconciled and consistent across the organization to allow for efficient and accurate
flow of information across the organization and to external stakeholders.
02 It is not necessary to have a single record management system across the organization, if management designs
and operates multiple systems to allow the efficient reconciliation, consolidation and exchange of
information.
03 Consistent definitions of terms and taxonomies ensure that different parts of the organization do not have
different understandings of information, or are not operating on conflicting sets of information.
04 Data hoarding or failure to transfer relevant and necessary information to all parts of the organization that
need the information is damaging.
05 The organization uses commercially reasonable organizational, technical and physical measures as necessary
for the adequate protection of all personal data acquired through the conduct of its business.

Common Sources Of Failure


01 Not reconciling disparate information as it becomes available to the organization
02 Not using common definitions of terms and taxonomies to create, exchange and store information
03 Not enforcing a uniform information management system or systems from which information can be easily
combined, compared or shared
04 Not having consistent policies and procedures regarding the retention and retrieval of information
05 Not informing outsourcing partners or suppliers of record management requirements
06 Not considering additional controls that may be needed when information is maintained outside the
organization

Guidelines and Practices


Red Book 2.0 - GRC Capability Model

I1.1 Develop a GRC Information Management Classification Structure
I1.2 Develop GRC Information Collection Policies & Procedures
I1.3 Develop GRC Information Access, Use and Transfer Policies & Procedures
I1.4 Develop GRC Information Storage & Disposition Policy & Procedures

Key Deliverables

Plans: Crisis, Continuity and Recovery Plan, GRC Information Management Plan

Enabling Technology Components

Technology Arenas: Business Process Management (BPM), Enterprise Content Management (ECM)
Business Applications: Board Management (BM), Business Rules (BR) Engines, Collaboration/Knowledge Management (KM), Contact/Customer Relationship Management (CRM), Contract Management (CM), Documents & Records Management (DRM), Email Management (EM), Employee Evaluations & Surveys (EES), Enterprise Asset Management (EAM), Intellectual Property (IP) Management, Loss Management (LM), Policy & Procedure Management (P&P), Project Portfolio Management (PPM), Quality Management & Monitoring (QMM), Strategic Planning (SP)
GRC Core Applications: Audit Analytics (AA), Corporate Compliance (CC), Corporate Social Responsibility (CSR), Discovery (eDiscovery), Enterprise Risk Assessment (ERA), Environmental, Health & Safety (EH&S) Management, Environmental Monitoring & Reporting (EMR), Financial Assurance & Audit (FAA), Fraud Detection & Prevention (FDP), Global Trade Compliance (GTC)/International Dealings, Hotline/Whistleblower, Information Privacy Management (IPM), Information Technology Audit (ITA), Information Technology Risk & Compliance (ITRC) Management, Insurance & Claims Management (ICM), Legal Matter Management (LMM), Operational Assurance & Audit (OAA), Operational Risk Management (ORM), Reporting/eFiling (REF), Risk Analytics (RA)
Infrastructure: Configuration and Change Management (CCM), Enterprise Architecture Standards (EAS), Information Technology Operations (ITO) Management, Retention & Storage Management (RSM), Systems Log Management (SLM)


I1 INFORMATION MANAGEMENT & DOCUMENTATION

I1.1 DEVELOP A GRC INFORMATION MANAGEMENT CLASSIFICATION STRUCTURE

Determine the definitions, classifications and procedures necessary to identify and manage GRC information in the organization and extended enterprise, as part of an Information Management Plan.

Core Sub-practices

I1.1.01 Define GRC system records (GRC Records).

I1.1.02 Define and maintain a classification schema and methodology.

I1.1.03 Define an ongoing process for information inventory and classification including characteristics such as:
• type,
• privacy requirement,
• confidentiality requirement,
• preservation requirement,
• retention requirement,
• disposition requirement,
• availability requirement,
• operational/strategic value,
• data owner,
• source of information (database/application, email, Excel, etc.),
• associated business processes, and
• associated policies.

I1.1.04 Periodically consider changes to the classification structure, and its underlying definitions and classifications, to reduce future reconciliation needs.

I1 INFORMATION MANAGEMENT & DOCUMENTATION

I1.2 DEVELOP GRC INFORMATION COLLECTION POLICIES & PROCEDURES

Establish the policies and procedures necessary to collect GRC information from sources within and outside the organization and extended enterprise, as part of an Information Management Plan.

Core Sub-practices

I1.2.01 Define rules and procedures to meet requirements regarding collecting and creating information.

I1.2.02 Define policies and procedures regarding information ownership.

I1.2.03 Define a procedure and schedules or triggers for reconciling disparate information.

I1.2.04 Reconcile disparate information upon scheduled or triggering events.

I1 INFORMATION MANAGEMENT & DOCUMENTATION

I1.3 DEVELOP GRC INFORMATION ACCESS, USE AND TRANSFER POLICIES & PROCEDURES

Establish the policies and procedures necessary to access, use and transfer GRC information in the organization and extended enterprise, as part of an Information Management Plan.

Core Sub-practices

I1.3.01 Define rules and procedures to meet requirements regarding managing access, authorization and authentication, including:
• evaluation of the level of access required,
• data owner approval,
• administration of access (add, change, remove),
• password requirements,
• authentication method, and
• access to physical storage locations.

I1.3.02 Appropriately define, mark, handle and store privileged documents, deliverables, and artifacts.

I1.3.03 Define rules and procedures to meet requirements regarding the transfer of information.

I1.3.04 Define procedures for notification, containment and response to a breach of information management access and use procedures.

I1.3.05 Define data and security models for all systems designed to enable the processes and meet requirements.

I1 INFORMATION MANAGEMENT & DOCUMENTATION

I1.4 DEVELOP GRC INFORMATION STORAGE & DISPOSITION POLICY & PROCEDURES

Establish the policies and procedures necessary to store GRC information in the organization and extended enterprise in accordance with requirements and recovery objectives, as part of an Information Management Plan.

Core Sub-practices

I1.4.01 Define rules and procedures to meet requirements regarding maintaining stored information.

I1.4.02 Define the rules and procedures to meet requirements regarding retention, destruction, restoration, and disposition of information.

I1.4.03 Determine off-site media storage and media rotation requirements.

I1.4.04 Define information backup schedules (source, frequency).

I1.4.05 Define rules and procedures to meet requirements regarding systematic disposition of information.

I1.4.06 Define rules and procedures to meet requirements regarding manual deletion of information.

I1.4.07 Define a procedure for the disposition of data on recycled media/hardware.

I1.4.08 Define rules and procedures to meet requirements regarding identifying and halting destruction of information.

I1.4.09 Regularly test the restoration of data from backup storage media.

I1.4.10 Define procedures for containment and response to a breach of information storage and disposition procedures.

I2 INTERNAL & EXTERNAL COMMUNICATION

Deliver relevant, reliable, and timely information to the right audiences as required by mandates or as needed to perform responsibilities and effectively shape attitudes.

Principles
01 Effective flow of information throughout the organization enables decision-making and improves
performance.
02 The organization should be able to deliver consistent information to those who need it, when they need to
know it.
03 The organization must be able to meet its mandatory reporting obligations and to provide reliable and
understandable information to stakeholders.
04 Not all communication takes place through formal reports and informal communication may have more
impact.

Common Sources Of Failure


01 Not knowing (or communicating) requirements for timing and content of mandated external reports
02 Not establishing clear policies, procedures and triggers for immediate escalation or routine reporting of
information within the organization or to external stakeholders
03 Not getting the right information to the right people at the right time
04 Not maintaining a complete and accurate record of how communication was managed

Guidelines and Practices
I2.1 Develop Reporting Plan
I2.2 Develop Communication Plan

Key Deliverables

Plans: Communication and Reporting Plan

Enabling Technology Components

Technology Arenas: Business Intelligence (BI), Corporate Governance (CG), Enterprise Content Management (ECM), Enterprise Resource Management (ER), Enterprise Risk Management (ERM), Human Resources Management (HRM)
Business Applications: Brand & Reputation Management (BRM), Business Activity Monitoring (BAM), Collaboration/Knowledge Management (KM), Contact/Customer Relationship Management (CRM), Corporate Performance Management (CPM), Dashboards (GRC Workflow), Documents & Records Management (DRM), Email Management (EM), Employee Evaluations & Surveys (EES), Intellectual Property (IP) Management, Learning & Training Management (LTM), Legal Entity Management (LEM), Loss Management (LM), Policy & Procedure Management (P&P), Strategic Planning (SP)
GRC Core Applications: Accountability/Responsibility Management (ARM), Corporate Compliance (CC), Corporate Social Responsibility (CSR), Crisis Management (CMT), Discovery (eDiscovery), Employment Compliance Management (EC), Environmental Monitoring & Reporting (EMR), Ethical Practices/Corporate Integrity (ECI), Geo-Political Risk (GPR) Management, Helpline, News Feeds (GRC Intelligence), Reporting/eFiling (REF), Risk Analytics (RA)
Infrastructure: Disaster Recovery (DR), Enterprise Architecture Standards (EAS)


I2 INTERNAL & EXTERNAL COMMUNICATION

I2.1 DEVELOP REPORTING PLAN

Establish a plan to ensure compliance with mandatory reporting requirements and provide desired reports to management, the Board, and stakeholders.

Core Sub-practices

I2.1.01 Identify required external reports to regulators and other stakeholders, and create a matrix indicating:
• the schedules or triggering events for each,
• the content required,
• the location or source of the content required,
• the person or office responsible for preparing and filing each report,
• the location or classification of each report copy as it will be retained in the organization,
• the record retention and protection rules, and
• the method for confirmation of delivery and receipt.

I2.1.02 Define internal reports needed to allow the entity to certify there are no violations of mandates or policies, and those needed to manage the GRC system, and prepare a matrix indicating:
• the schedules or triggering events for each,
• the content required,
• the location or source of the content required,
• the person or office responsible for preparing each report,
• the intended recipients of each report,
• the location or classification of each report copy as it will be retained in the organization,
• the record retention and protection rules, and
• the need for confirmation of receipt.

I2.1.03 Define any additionally desired voluntary reports to stakeholders and create a matrix indicating:
• the schedules or triggering events for each report,
• the content required,
• the location or source of the content required,
• the person or office responsible for preparing and filing each report,
• the location or classification of each report as it will be retained in the organization, and
• the record retention and protection rules.

I2.1.04 Define policies and procedures regarding referral for review and resolution when reports reflect performance outside targets and tolerances.

I2.1.05 Analyze existing reporting and determine gaps against the planned reports and their desired management.

I2 INTERNAL & EXTERNAL COMMUNICATION

I2.2 DEVELOP COMMUNICATION PLAN

Define how the organization will manage GRC related communications that are not formal reports.

Core Sub-practices

I2.2.01 Prepare to develop a high level communication plan by:
• defining current behavior/knowledge state of audience,
• defining desired state,
• analyzing gaps, and
• identifying areas where there is likely to be resistance to change.

I2.2.02 Develop a high level communication plan that identifies:
• all key program messages with identified senders and target audiences,
• the various communication pieces that will deliver each message, and
• the high level delivery schedule and triggering events.

I2.2.03 Determine what methods of communication should be used for each category of message, applying multiple methods for key messages and taking into consideration the purpose of the communication (education, persuasion, information, interview), such as:
• paper based,
• email,
• websites,
• postings,
• live events or meetings,
• video/audio broadcast, or
• face-to-face personal communication.

I2.2.04 For each communications piece:
• develop communication/messaging objective and content,
• obtain required approvals,
• determine who will respond to questions,
• determine the most effective method(s) of communication,
• determine need for redundant communication (frequency and type),
• define primary communication methods:
  - between GRC roles,
  - between GRC roles and business roles, and
  - between GRC roles and external stakeholders.

I2.2.05 Define communication/message interdependencies and how each fits into the overall landscape of other entity communications/messages.

I3 TECHNOLOGY & INFRASTRUCTURE

Enable the GRC system with a technology architecture that integrates with and, where appropriate, uses existing investments in technology.

Principles
01 Not everything has to be, or can be, automated; automate when it optimizes the organization's cost and risk
and the GRC performance objectives.
02 Using consistent tools to deliver similar processes offers efficiency and more accurate information.
03 Planning for GRC solutions benefits from early IT involvement in designing approaches, strategies and
controls.
04 A partnership between GRC professionals and IT professionals with common understanding of needs,
processes, and capabilities is essential to implementing the right technology.

Common Sources Of Failure


01 Not knowing what technology solutions are currently used in the organization to address GRC needs
02 Not knowing the solutions available and understanding what they do and do not provide
03 Not identifying the technology requirements for GRC throughout the organization
04 Not assessing existing technology components for applicability to identified needs
05 Not integrating existing technology solutions to share information where appropriate
06 Not including a GRC technology plan in the overall IT technology plan

Guidelines and Practices
I3.1 Assess Technology Needs and Gaps
I3.2 Develop GRC Technology Portion of GRC Strategic Plan

Key Deliverables

Plans: GRC Strategic Plan

Enabling Technology Components

Technology Arenas: Business Intelligence (BI), Business Process Management (BPM), Enterprise Content Management (ECM), Enterprise Resource Management (ER), Security Management (SM)
Business Applications: Budget & Finance Management (BFM), Business Activity Monitoring (BAM), Business Rules (BR) Engines, Collaboration/Knowledge Management (KM), Contact/Customer Relationship Management (CRM), Corporate Performance Management (CPM), Dashboards (GRC Workflow), Documents & Records Management (DRM), Email Management (EM), Project Portfolio Management (PPM), Supply Chain & Procurement Management (SCM), Transaction Management (TM)
GRC Core Applications: Controls Management & Monitoring (CMM), Crisis Management (CMT), Information Technology Audit (ITA), Information Technology Risk & Compliance (ITRC) Management, Transaction Monitoring (TRM)
Infrastructure: Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR), Enterprise Architecture Standards (EAS), Identity and Access Management (IAM), Information Technology Operations (ITO) Management, Retention & Storage Management (RSM), Systems Log Management (SLM)


I3 TECHNOLOGY & INFRASTRUCTURE

I3.1 ASSESS TECHNOLOGY NEEDS AND GAPS

Identify gaps and underperforming systems in the existing technology environment.

Core Sub-practices

I3.1.01 Identify key process controls that are less error-prone and more efficient if enabled by technology.

I3.1.02 Define GRC technology requirements.

I3.1.03 Understand the existing technology environment.

I3.1.04 Map functionality requirements to existing capabilities.

I3.1.05 Identify redundancies in existing technology solutions.

I3.1.06 Select, among existing systems, the system(s) that best fit functionality requirements.

I3.1.07 Identify unmet functional requirements.

I3.1.08 Identify priorities for solution enhancement or additions.

I3 TECHNOLOGY & INFRASTRUCTURE

I3.2 DEVELOP GRC TECHNOLOGY PORTION OF GRC STRATEGIC PLAN

Develop a plan for implementing technology to enable GRC processes and information flows.

Core Sub-practices

I3.2.01 Determine which technology solutions must share information or develop/store easily combined or compared information.

I3.2.02 Decide what existing solutions can and should be enhanced or extended to apply to similar needs in other parts of the organization or GRC system.

I3.2.03 Decide what new solutions should supplement or replace existing solutions.

I3.2.04 Decide whether to build or buy identified new solutions.

I3.2.05 Develop a plan for the prioritized initiatives to build, buy, or enhance technology capabilities using IT methodologies (GRC Technology Plan).

I3.2.06 Determine ownership and responsibility for ongoing resources and budget of enabling technology components.

I3.2.07 Reconcile timeline conflicts between GRC technology implementation priorities and the GRC strategic plan and IT strategic plan.

APPENDIX B - DELIVERABLES

DEL.A - Authorizations
DEL.A.01 - External Authorizations
a grant of approval, authority or acceptance from an entity or geopolitical authority outside the control of the organization receiving it

Referenced in: P3 , D1

DEL.A.02 - Internal Authorization


a grant of approval, authority or acceptance from an individual vested with accountability or responsibility for a particular activity, function,
process, or entity

Referenced in: O1 , O3 , D1

DEL.A.03 - GRC System Charter


a document from a governing authority defining the purpose, objective and authorization of an individual or group to undertake activities within
the specified scope

Referenced in: O1

DEL.A.04 - Segregation of Duties


a document reflecting that the responsibilities of some roles or positions should be kept distinct from the responsibilities of other roles or
positions as a protective measure to prevent fraud, error, or conflict of interest

Referenced in: O3 , P3

DEL.D - Descriptions
DEL.D.01 - Role / Job Descriptions
a detailed explanation of the responsibilities and expectations of an individual in a particular role or job, generally including:
• accountabilities and supervisor/oversight responsibilities,
• reporting obligations,
• individual performance measure and objectives, and
• skills, qualifications and experience.

Referenced in: O2 , P3

DEL.D.02 - GRC Technology Data Model Descriptions


a document describing the structure and relationships among data within a key GRC Technology Component

Referenced in: P3

DEL.D.03 - Helpline FAQ Descriptions


a complete, detailed description of the questions that are frequently asked to the helpline, together with the preferred guidance and any
information or related resources to provide to the caller or of use to the helpline staff

Referenced in: P4

DEL.D.04 - Exit Interview Checklist


A document listing the activities to be conducted and questions to be asked during an interview with an internal stakeholder before his/her
departure from the organization

Referenced in: D3

DEL.I - Internal Standards


DEL.I.04 - Control Taxonomy
A common vocabulary for describing the categories of controls along several dimensions:

Dimension 1
- preventive,
- detective and
- corrective controls

Dimension 2
- process
- human capital
- technology
- physical controls

Referenced in: D3

DEL.M - Matrices
DEL.M.01 - Policies and Related Procedures Matrix
a table correlating each policy to its attributes and other policies or procedures, and, optionally, to the training, reports or other sources for
evidence of compliance

Referenced in: P2 , P3

DEL.M.02 - Prioritized Risk Matrix


a table correlating each risk to its attributes such as:
• classification or prioritization,
• sources of risk (event, trend, requirement, etc.),
• inherent risk analysis (likelihood, impact, duration),
• current implemented optimization activities,
• current residual risk analysis (likelihood, impact, duration),
• planned optimization activities, and
• planned residual risk analysis.

Referenced in: A1 , A2 , A3 , P3 , P4 , P5 , P6 , R5 , M1 , M3

DEL.M.03 - Risk / Control Matrix


A listing of risks mapped to related preventive, detective and corrective controls.

Referenced in: P3 , R3

DEL.P - Plans
DEL.P.01 - Awareness and Education Plan
a synopsis reflecting the order, timing, audience, and responsibility for all communications and educational activities to be undertaken over the
course of a year or multiple years to promote general awareness of:
• the organization's commitment to meeting its GRC requirements;
• the GRC system capabilities;
• the avenues for resolving questions about GRC responsibilities and expectations;
• the GRC system activities designed to meet GRC requirements, and
• to educate regarding the specific responsibilities of the general workforce, the extended enterprise, and those in GRC specific roles.

Referenced in: P4

DEL.P.02 - Communication and Reporting Plan


a schedule that sets out the structures, processes and resources to deliver information (whether to inform or to persuade) to those with
authority and responsibility to act at appropriate times to affect or monitor a program or initiative. A plan would include:
• target audience,
• objectives of the communication,
• method of delivery,
• timing of delivery,
• who is accountable and responsible for the communication and who should be consulted regarding the communication, and
• for a series of communications, the dependencies between them and relative timing.

Referenced in: P7 , D1 , D2 , I2

DEL.P.03 - Crisis, Continuity and Recovery Plan


a document or series of documents that sets out the structures, processes, protocols and resources to respond to a crisis event, to deliver
interim operations pending full resumption of business and to recover from the impacts of an adverse event. Such plans would include:
• names and contact information for key response personnel,
• identification and responsible owners of key assets, processes, systems, supply relationships, and customer relationships,
• designation of safety, evacuation coordinators and evacuation sites and paths,
• key stakeholder contact points (police, fire, utilities, media, employee representatives, investor relations, analysts, etc.), and
• components of this deliverable would include:
  • succession of authority;
  • emergency operations plan;
  • interim operations plan;
  • information systems recovery plan;
  • resumption of operations plan;
  • emergency operating procedures; and
  • test plans.

Referenced in: R4 , I1

DEL.P.05 - GRC Information Management Plan


a document that sets out the structures, processes and resources to manage GRC information throughout the information lifecycle. Would
include:
• classification schema for records, and
• policies and procedures related to:
  • capture of information;
  • access, use and transfer of information; and
  • storage, retention, disposition and retrieval of information.

Referenced in: I1

DEL.P.06 - GRC Strategic Plan


a document that details the structures, processes, technologies, resources, objectives and measures to establish and maintain the capability
needed to achieve the mission and vision. Components would include:
• charter,
• mission / vision statement,
• outcomes and maturity milestones (with correlation to business objectives),
• business case,
• measurement strategy (metrics, indicators, calculation method, frequency of measurement, nature and frequency of reporting),
• organization chart,
• human capital / vendor relations plan (for implementation and ongoing operations),
• financial plan (start-up and operations),
• technology plan,
• assurance plan, and
• implementation plan.

Referenced in: C3 , O1 , O3 , M2 , M3 , I3

DEL.P.07 - Investigation Management Plan


a document that sets out the structures, processes, protocols and resources to perform and conclude an investigation. Plan would include:
• investigation governance structure,
• investigation team,
• communication and reporting plan,
• operating and communication procedures,
• budget,
• projected schedule of activities, and
• technology plan (for team management, investigation management, and information management).

Referenced in: R1 , R2

DEL.P.08 - Risk Optimization Plan


a document that sets out the strategy, structures, processes, activities, and resources to optimize the organization's risks. Would include:
• risk,
• risk classification,
• optimization strategy,
• optimization activities,
• residual risk objective,
• initiative completion and acceptance criteria,
• budget,
• human capital plan,
• technology plan,
• implementation timeline and milestones, and
• measurement plan (project performance and outcomes).

Referenced in: A3 , P3 , P4 , P5 , P6 , M1 , M2 , M3

DEL.P.09 - Specialized GRC Curriculum Plan


a synopsis reflecting the order and timing of all courses of study for each of the GRC system roles and may include a detailed description of each
course:
• name of course,
• course objectives,
• skills to be attained, and
• options for attendance (online, video, live) together with the skill prerequisites for each course.

Referenced in: O2

DEL.P.10 - Corrective Control Activity Plan


A plan that details the steps to stop or slow an adverse event from impacting an organization and to restore the system to a stable state.

Referenced in: R3

DEL.R - Reports
DEL.R.01 - Filings
an official document submitted to a governmental authority (administrative, regulatory, legislative or judicial).

Referenced in: P7 , D3 , R1 , R2 , R5

DEL.R.02 - Findings and Recommendations Report


a presentation or statement of the outcome of an activity or analysis together with recommendations for change and/or improvement.

Referenced in: P1 , P3 , P4 , P5 , D2 , D3 , R1 , R2 , R4 , R5 , M1 , M2 , M3 , M4

DEL.R.03 - Corrective Action Report


Listing of corrective control activities performed in the period under analysis, grouped by type of corrective control as well as category of
adverse event corrected. Information from prior periods may be included for comparison and analysis.

Completed, ongoing and future activities should be detailed relative to plan.

Referenced in: R3

DEL.S - Statements of Position


DEL.S.01 - Code of Conduct
a guide linking an organization's values and principles with rules of professional conduct

Referenced in: P1

DEL.S.02 - Ethical Decisions Guidelines


the organization's recommendation on the factors to consider along with applicable requirements, policies and philosophies in determining the
proper course of action when faced with an ethical dilemma

Referenced in: P1

DEL.S.03 - Mission/ Vision/ Values Statement


an oral or documented description of the main aims, core beliefs, values, intended future state and overall plan that guide the organization's
actions and inspire people to act toward that future state

Referenced in: C4

DEL.S.04 - Statement of Organizational Objectives


a declaration of the tangible results that the organization expects to achieve through execution of its mission and vision

Referenced in: C4

GRC CAPABILITY MODEL™

OPEN COMPLIANCE & ETHICS GROUP

OCEG is a nonprofit think tank that helps organizations drive principled performance by providing standards, tools and resources that enhance corporate culture and integrate governance, risk management, compliance, internal control and ethics processes.

www.oceg.org
