The Open Compliance and Ethics Group (OCEG) has released an updated version of its GRC Capability Model, aka the Red Book. The Phoenix, Ariz.-based nonprofit describes the document as “a comprehensive guide for anyone implementing and managing a GRC system or some aspect of that system, including those involved in compliance, training, hotlines and investigations.” Business Finance talked with OCEG’s CEO, Scott Mitchell, about the Red Book’s view of the GRC universe.
Business Finance: OCEG calls the Red Book the central component of its Framework for Principled Performance. What exactly is principled performance, and how is it related to GRC per se?
Scott Mitchell: Let me give you an analogy: CRM, or customer relationship management. At the board level or senior executive level you won’t hear many people using the acronym CRM. They talk about the business purpose for implementing CRM systems: you're trying to delight your customers, acquire new customers, develop fanatically loyal customers and so on. So the analogy is that principled performance is really the outcome of GRC that many organizations today are striving towards.
Many organizations developed rather sophisticated CRM systems that involved the integration of their sales force, their marketing efforts, their call centers, software etc. Similarly, companies are increasingly creating a sophisticated GRC backbone. They're looking at what used to be highly fragmented departmental systems and silos and seeing that to achieve principled performance they have to be integrated.
BF: What’s new in the latest version of the GRC Capability Model?
SM: In the first document there was an emphasis on the compliance side of GRC. The new document realizes for the first time the vision that we were always reaching towards, which is the full integration of governance, risk, and compliance systems. We've really beefed up the G and R pieces of GRC, and in particular the risk assessment piece. We've given a lot of detail to the risk assessment process, what the flow of audits should be, and the reasons for that.
In Version 1 there was one section that we intentionally left blank; it was around how to apply technology to the GRC process. A lot of people, as they were building their GRC backbone — their policy and procedures, management, training, controls — were left asking “What type of technology should I be buying here?” And what they were seeing in the marketplace was a bunch of vendors saying “I've got GRC solutions.” But a GRC solution could be anything from a risk library up to automated control monitoring, so it was basically meaningless.
We've broken it down into about 60 categories of technology and functionality, and we've mapped those to the processes so that a practitioner can say, “OK, I need to enable my policy and procedure management, and this is a technology that might be able to help.”
In the first document we mapped to about five primary sources, such as Sarbanes-Oxley and COSO [the Committee of Sponsoring Organizations of the Treadway Commission] enterprise risk management. In the new document we've mapped to around 50. And we’ve streamlined it; we've probably cut about 25 percent to 30 percent of the content because over two years of use we've been able to work with companies and practitioners to understand what really matters most.
BF: How much progress are companies making in integrating their governance, risk, and compliance processes?
SM: We did some research about nine months ago and found that about 90 percent of companies believe this is a good idea and would like to head in that direction. But the number of companies actually doing it was very small; only 16 percent were engaged in projects. Now, that was nine months ago, and if we conducted the research today and found that it was 50 percent I wouldn't be surprised. But it's not a majority as yet.
Some of the Sarbanes-Oxley work is finally stabilizing, and people are now able to think about the bigger picture. So it's really coming into this budget season that we're seeing a lot of people starting to make the business case and saying “Look, we spent all this time and money on Sarbanes-Oxley — let's never let that happen again. How can we develop a backbone so that in future something like that simply becomes another issue for us to absorb, instead of a fundamental change to our business?”
BF: What kind of impact would you like to see for the new version of the model?
SM: What we hope is that this document will continue to push the agenda forward. Part of the reason why companies don’t have a sophisticated GRC structure in place is that conceptually, and even practically, it takes time and money to figure it out. In the Red Book, it has already been figured out. Our hope is that by taking that economic cost out of the marketplace, people won't have to spend money on getting their head around the issues; they can spend it on real solutions.
A year from now, my hope is that some of the numbers from our research are exactly the opposite — that 85 percent of companies will actually be doing it. And I think that's possible. The combination of Sarbanes-Oxley, the increased global footprint of businesses — which brings even more compliance issues to deal with — and the growing complexity of business has brought things to a tipping point where companies really have to do this. And we hope that the Red Book will be a recipe for them and a standard that they can use to more effectively channel their resources.
You can download OCEG’s GRC Capability Model Framework Version 2.0 here. [1]
Links:
[1] http://www.oceg.org/View/21125