As a GRC professional, or auditor, how do you provide assurance on the GRC capabilities within your organization? Where do you turn?
Organizations need a natural progression and interaction between governance, risk management and compliance (GRC). Regulatory fines, the global nature of business, and the complexity of technology demand it.
Don’t reinvent the wheel — OCEG has the resources to help you.
Finding Help To Build GRC Capabilities
In my first job as a Chief Audit Executive (CAE), I needed to establish a new internal audit department at my organization. I had been auditing for many years, but had never started a new audit department.
I turned to the Institute of Internal Auditors (IIA) for help. At the IIA I found a wonderful resource on how to start an internal audit department. I learned all the necessary steps and I even found sample templates. Within a short time I had all the pieces in place. No need to reinvent the wheel.
Years later, in a new organization, I found myself responsible for ethics and compliance. I was familiar with ethics and compliance, but had never set up a capability in an organization.
I turned to OCEG and found the GRC Capability Model. The Red Book (as it’s called) helped me perform a gap analysis at my organization. I had a road map. I knew all the necessary components and elements I needed to have in an integrated ethics and compliance capability. Within a short time I knew what we needed to do. No need to reinvent the wheel.
As many of you know, to be successful you must measure the effectiveness of your processes and capabilities. But where do you go to find help measuring integrated GRC?
If You Build It You Must Audit It
Ten years ago, a group of leaders who worked with OCEG decided we needed a consistent way to audit GRC capabilities.
We came together as a community and developed the GRC Assessment Tools. We worked to develop an approach that any organization can use. We took the time and effort to practice the procedures on our own organizations. We made sure they worked.
GRC Assessment Tools
The purpose of the GRC Assessment Tools (Burgundy Book) is to provide a guideline for GRC professionals, as well as those responsible for providing assurance. The Burgundy Book provides a common set of assessment procedures and a common understanding of what to expect during an assessment of GRC Capabilities. These procedures align to the OCEG GRC Capability Model and you can use them for self-assessment as well as independent assessment.
OCEG’s goals in creating the Burgundy Book are to:
- Help organizations evaluate the design and operating effectiveness of their GRC Capability
- Reduce the cost of such evaluations by eliminating the time and expense of creating procedures
- Raise the overall level of maturity and quality of organizational GRC globally by helping individual organizations create their prioritized improvement plans
- Provide external judgment and recognition of sound practices
Be Informed. As an OCEG Basic Member (it’s free to join) you can download the GRC Capability Model and an excerpt of the GRC Assessment Tools.
Measure Your GRC Capabilities
Again, there is no need to reinvent the wheel, since others before you already did the work. All you have to do is download and use the available resources.