Whether you use the term or not – the fact is organizations do GRC. You will not get one organization to stand up and state they lack governance, do not manage risk, and can care less about compliance to mandated (e.g., regulatory) and voluntary (e.g., social responsibility) boundaries.

The question is: are your organization’s GRC related processesresponsive (agile), efficient (lean), and effective (sound)?

One of the most common questions I get: is there a GRC professional certification? Unfortunately my answer to date has been: none that I endorse.

In fact, there has been only one GRC certification offered that I am aware of. This has been done by a training/education firm to promote their training. Unfortunately this is not the proper place for a certification to belong.

A good professional certification will be based on two requirements:

  1. It has to be established and maintained by a non-profit organization focused on advancing the area of expertise.
  2. It has to be based on a publicly vetted common body of knowledge.

To date there has not been a non-profit organization offering a professional GRC certification based on a comprehensive and vetted GRC common body of knowledge.

The good news: OCEG is in development of a GRC professional certification. This certification is based on the Red Book 2: GRC Capability Model: the only comprehensive GRC common body of knowledge available. It will compliment and not conflict with domain specific certifications offered by other associations that specialize in areas of GRC such as audit, compliance, risk, IT, and others.

OCEG will be launching the full certification this summer. In the meantime, those attending theOCEG/Corporate Integrity GRC Fundamentals, Strategy, & Technology Bootcamps (based on Red Book 2) will have the opportunity to help define the scope of this certification, contribute to design of its test, and be among the first to receive this important professional designation. OCEG will be engaging GRC Bootcamp attendees to propose test questions and format.

A firm foundation of knowledge is the critical element for a professional certification. The landscape of governance, risk management, and compliance initiatives is broad and littered with a variety of specific standards and frameworks. Each of these specific frameworks may be good at what they focus on – but they fail to link GRC together and put everything in context with each other. Risk management, security, corporate governance, control, security, compliance, audit, quality, EH&S, sustainability – all have their respective islands of standards. This makes putting a GRC strategy in place that bridges these silos difficult as language, implementations, and approaches are quite different. In fact – organizations trying to get an enterprise view of risk and compliance desperately search for a GRC “Rosetta Stone.”

There is only one framework that brings this universe of GRC into a common language, process, and architecture – that is the OCEG Red Book (v2) and its GRC Capability Model™. Although various standards and guidance frameworks exist to address discrete portions of governance, risk management and compliance issues, the OCEG GRC Capability Model™ is the only one that provides comprehensive and detailed practices for an integrated and collaborative approach to GRC. These practices address the many elements that make up a complete GRC business architecture. Applying the elements of the GRC Capability Model™ and the practices within them enable an organization to:


  • Achieve business objectives
  • Enhance organizational culture
  • Increase stakeholder confidence
  • Prepare and protect the organization
  • Prevent, detect and reduce adversity
  • Motivate and inspire desired conduct
  • Improve responsiveness and efficiency
  • Optimize economic and social value

The GRC Capability Model™ describes key elements of an effective GRC architecture that integrate the principles of good corporate governance, risk management, compliance, ethics and internal control. It provides a comprehensive guide for anyone implementing and managing a GRC system or some aspect of that system. The OCEG GRC Capability Model™ is organized in eight components:


  1. CULTURE & CONTEXT. Understand the current culture and the internal and external business contexts in which the organization operates, so that the GRC system can address current realities – and identify opportunities to affect the context to be more congruent with desired organizational outcomes.
  2. ORGANIZE & OVERSEE. Organize and oversee the GRC system so that it is integrated with and when appropriate modifies, the existing operating model of the business and assign to management specific responsibility, decision-making authority, and accountability to achieve system goals.
  3. ASSESS & ALIGN. Asses risks and optimize the organizational risk profile with a portfolio of initiatives, tactics, and activities.
  4. PREVENT & PROMOTE. Promote and motivate desirable conduct, and prevent undesirable events and activities, using a mix of controls and incentives.
  5. DETECT & DISCERN. Detect actual and potential undesirable conduct, events, GRC system weaknesses, and stakeholder concerns using a broad network of information gathering and analysis techniques.
  6. RESPOND & RESOLVE. Respond to and recover from noncompliance and unethical conduct events, or GRC system failures, so that the organization resolves each immediate issue and prevent or resolve similar issues more effectively and efficiently in the future.
  7. MONITOR & MEASURE. Monitor, measure and modify the GRC system on a periodic and ongoing basis to ensure it contributes to business objectives while being effective, efficient and responsive to the changing environment.
  8. INFORM & INTEGRATE. Capture, document and manage GRC information so that it efficiently and accurately flows up, down and across the extended enterprise, and to external stakeholders.

OCEG’s GRC Capability Model™ is the Rosetta Stone framework that brings a holistic enterprise view of GRC together. It works from the board of directors down into the management and process of an organization. It’s goal is not to replace other frameworks and standards but to give them a common language and context to operate within and thus provide enterprise collaboration and communication across governance, risk, and compliance.

I sat on the OCEG Steering Committee (with over 100 other contributors) to define this valuable work and am encouraged by a number of global organizations that are using it and and seeing benefits achieved. There is nothing else available in scope and practicality to implement a GRC program around. For those interested in rolling up your sleeves further – whether an organization implementer, technology provider, or professional services provider – I encourage
you to get involved with OCEG, Red Book: GRC Capability Model, and the GRC professional certification.

Please reply back with your feedback and thoughts. How do you see organizations bringing together an enterprise view of governance, risk, and compliance? In today’s complex business environment a failure to get an enterprise perspective on this is a recipe for disaster.

I would love to hear your thoughts, experiences, and approaches to effective policy management. Please comment on this blog or send me an e-mail.

BOOTCAMP: GRC Fundamentals, Strategy, & Technology

Join Corporate Integrity, LLC in a three-day basic training exercise in GRC Fundamentals, Strategy, and Technology. Attendees will receive value in understanding and defining a GRC strategy. This bootcamp is authorized and endorsed by OCEG. The objective of this bootcamp is to provide attendees with the knowledge and hands-on practice necessary to efficiently design a GRC program. Attendees will learn about defining a GRC Strategy aligned with Red Book 2 through lectures and practical group interaction, discussions, and exercises. Others, such as technology providers and professional service firms, also benefit from understanding the issues and approaches to GRC challenges that organizations across industries are grappling with.

Chicago, IL, USAGRC Fundamentals, Strategy, & Technology

Date: Wednesday, April 21, 2010 at 8:00 AM – Friday, April 23, 2010 at 5:00 PM (CT)

London, UKGRC Fundamentals, Strategy, & Technology

Date: Monday, June 7, 2010 at 8:00 AM – Wednesday, June 9, 2010 at 5:00 PM(GMT)

San Diego, CA, USAGRC Fundamentals, Strategy, & Technology

Date: Wednesday, June 23, 2010 at 8:00 AM – Friday, June 25, 2010 at 5:00 PM (PT)

New York, NY, USAGRC Fundamentals, Strategy, & Technology

Date: Monday, August 9, 2010 at 8:00 AM – Wednesday, August 11, 2010 at 5:00 PM (ET)

Leave a Reply

Your email address will not be published. Required fields are marked *