GRC Capability Model (Red Book) FULL VERSION


The GRC Capability Model 3.0 (Red Book) helps GRC professionals plan, assess, and improve their GRC capabilities in order to achieve Principled Performance.

Principled Performance is the reliable achievement of objectives, while addressing uncertainty and acting with integrity. GRC is the integrated collection of capabilities that enable an organization to achieve Principled Performance.

This GRC Capability Model is the first (and only) open source standard that integrates the various sub-disciplines of governance, risk, audit, compliance, ethics/culture and IT into a unified approach.

You may use and evolve this standard to address a range of situations, from small projects to organization-wide rollouts, and a variety of subject areas, from anti-corruption to business continuity to third-party management. The Model is an excellent tool to frame conversations about GRC capabilities with the board, senior executives, and managers.

You may also consider using this GRC Capability Model in conjunction with more specific functional frameworks from organizations such as ISO, COSO, ISACA, IIA, NIST, and others. Together with these narrower frameworks, you can jump-start a program appropriate for your organization.

It’s not enough to aggressively move toward established objectives. For success, we must consider the boundaries of laws, social mores, and uncertainties that arise with regard to potential risks and rewards. Nor can the management of risk, compliance, and ethical conduct be separated from the objective-seeking activity. Everything must be brought into alignment and operate through fully integrated governance, risk management, and compliance capabilities.

With the help of a panel of 100+ experts, OCEG studied 250+ organizations to document best practices in this GRC Capability Model (commonly called the OCEG Red Book). The Red Book:

  • Unifies vocabulary across disciplines
  • Defines common components and elements
  • Defines common information requirements
  • Standardizes practices for things like policies and training
  • Identifies communication for everyone involved

Four Components of the GRC Capability Model

  1. LEARN about the organization's context, culture, and key stakeholders to inform objectives, strategy, and actions.
  2. ALIGN strategy with objectives, and actions with strategy, by using effective decision-making that addresses values, opportunities, threats and requirements.
  3. PERFORM actions that promote and reward things that are desirable, prevent and remediate things that are undesirable, and detect when something happens as soon as possible.
  4. REVIEW the design and operating effectiveness of the strategy and actions, as well as the ongoing appropriateness of objectives to improve the organization.

OCEG GRC Capability Model v3 Components & Elements

Companion Materials

Download the LEARN Component Illustration, the ALIGN Component Illustration, the PERFORM Component Illustration, and the REVIEW Component Illustration, the four companion infographics in the OCEG GRC Capabilities Illustrated series.

An Excel spreadsheet version of the Model practices is available to help:

  • Create task lists
  • Set priorities
  • Rank capabilities
  • Conduct gap analysis
  • Load practices into performance management and/or audit management tools

Additionally, the following companion materials are available: