GRCA

The GRC Assessment Framework Version 3.5.1-EN provides GRC professionals with models, methods, and tools to assess and assure GRC capabilities effectively. It aims to help organizations evaluate the design and effectiveness of GRC capabilities while reducing assessment costs and improving global GRC maturity. This document serves as a key resource for individuals involved in assurance activities, aligning with the GRC Capability Model to enhance principled performance.

Uploaded by

hassansohaib020
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
100% found this document useful (1 vote)
173 views165 pages

GRCA

The GRC Assessment Framework Version 3.5.1-EN provides GRC professionals with models, methods, and tools to assess and assure GRC capabilities effectively. It aims to help organizations evaluate the design and effectiveness of GRC capabilities while reducing assessment costs and improving global GRC maturity. This document serves as a key resource for individuals involved in assurance activities, aligning with the GRC Capability Model to enhance principled performance.

Uploaded by

hassansohaib020
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 165

Version 3.5.1-EN
revision 2024-10-31

GRC Assessment Framework™
Useful Models, Methods, and Tools for GRC Professionals to Provide Assurance over GRC Capabilities

Essential Body of Knowledge for the GRCA Exam and Certification

Licensed for noncommercial personal use by Osama Alsuraybi ([email protected]) on 3/22/2025, 1:03:29 PM
GRC Assessment Framework Version 3.5.1-EN revision 2024-10-31

GRC Assessment Framework™
(OCEG Burgundy Book)
Useful Models, Methods, and Tools for GRC Professionals to Provide Assurance over GRC Capabilities

Essential Body of Knowledge for the GRC Auditor (GRCA™) Exam and Certification

Version 3.5.1-EN
revision 2024-10-31

© 2002 - 2024 OCEG. All Rights Reserved (feedback to [email protected])


This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 3.5.1 International License.

For commercial purposes, no part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the publisher's prior written permission. Advanced Licensing is available at https://www.oceg.org/terms-of-use/advanced-license-permissions/

For commercial use requests, contact [email protected]

OCEG, Principled Performance, Driving Principled Performance, Putting Principles Into Practice, GRC360°, and LeanGRC are registered trademarks of OCEG.

Protector Skillset, Protector Mindset, Protector Code, Lines of Accountability, GRC Capability Model, GRC Professional, GRCP, GRC Fundamentals, GRC Audit, GRCA, GRC Audit Fundamentals, Data Privacy Fundamentals, Integrated Data Privacy Professional, IDPP, Policy Management Fundamentals, Integrated Policy Management Professional, IPMP, Integrated Audit & Assurance Professional, IAAP, Integrated Compliance & Ethics Professional, ICEP, Integrated Risk Management Professional, IRMP, and Lines of Accountability are trademarks of OCEG.

This guide offers reliable information about GRC, but the author and publisher aren't providing professional services like legal, investment, or accounting advice. Despite striving for accuracy, they disclaim warranties regarding the content's completeness or suitability for specific purposes. No warranties are formed through sales interactions or materials. The strategies and advice presented may not fit your situation, necessitating professional consultation. The publisher and author deny liability for any commercial losses or damages incurred, whether special, incidental, consequential, personal, or other.

The front cover image is designed by Sarah Hart & Scott Mitchell; other images and illustrations are by Scott Mitchell.

Version 3.5.1-EN revision 2024-10-31

ISBN: 979-8-9881268-0-5

OCEG
4144 N. 44th Street, Suite 6
Phoenix, AZ 85018
www.oceg.org


Licensing
The GRC Assessment Framework is available for download by any individual holding an active OCEG All Access Pass and licensed for use only within organizations where they are employed.

For commercial use in consulting, technology systems, educational programs or otherwise, please contact [email protected]


Acknowledgments
This version represents a significant update authored by Scott Mitchell and Adrian Resag. Other contributors and reviewers of this and earlier versions are listed at the end of the document.

Dedication
Version 1.0 was authored by David Crawford (1935 - 2016), CPA, CIA, Audit Manager Emeritus at the University of Texas System, and edited by Justina Crawford. We thank them for the work that they did to develop the structure of the GRC Assessment Framework.

We dedicate this updated edition to the memory of David Crawford, a giant in the world of audit and assurance services. He devoted his career to improving the Principled Performance of organizations, especially institutes of higher education.


Foreword
20 years ago, the OCEG Community created GRC and Principled Performance® and formalized these ideas into a structured model called the GRC Capability Model (“OCEG Red Book”).

Shortly thereafter, the community created the GRC Assessment Framework™ (“OCEG Burgundy Book”) to help individuals measure the design and operating effectiveness of the GRC Capability or some aspect of it.

We periodically update the GRC Assessment Framework with the help of hundreds of members and experts in the GRC ecosystem. For this update to Version 3.5.1, the objectives were to:

● Align - Align with the updated GRC Capability Model 3.5.
● Simplify - Make the Framework easier to understand, navigate, and use.
● Clarify - Untangle and elaborate key concepts and definitions.

We achieved these objectives by adding, editing, and removing content throughout the GRC Assessment Framework and using new technologies to capture and publish this document. This document is organized into several sections and parts:

★ Using this Document: Conventions used in the document and tips for using it.
★ GRC Assurance Framework
  ○ Part I - GRC Assurance Concepts: Pervasive ideas that underlie all aspects of providing assurance over a GRC Capability or some aspect of it.
  ○ Part II - GRC Assessment
    ■ II.A Method: A step-by-step approach to perform an assessment.
    ■ II.B Procedures: Candidate assessment procedures.
    ■ II.C Information: Information to gather via documents or discussion.
  ○ Part III - GRC Glossary: Alphabetic listing of consistent terms and definitions associated with GRC Assurance and Assessments.
★ Tools & Techniques: Collected tools & techniques referenced in this document.

Warm Regards & Enjoy!

Scott Mitchell, Founder, OCEG
Adrian Resag, Academic Director, OCEG


Table of Contents

Introduction  1
Executive Summary  1
Using this Document  2
Goals of this document  3
Users of this document  3
Part I - GRC Assurance Concepts  7
What is Assurance?  7
When is Assurance Needed?  9
What are Levels of Assurance?  10
Do Assurance Providers need to be Independent?  12
What are Assurance Assessments?  13
Types of assessments  18
Assurance Risk Equation  20
What are ways to gather evidence?  22
Part II.A - GRC Assessment Method  24
Assessment planning  24
Assessment performance  25
Collecting assessment information  27
Forms of assessment communication  28
The confirmation process  29
Communicating the results of an assessment  30
Monitoring the implementation status of recommendations  31
Reporting on the follow-up  32
Part II.B - GRC Assessment Procedures  34
L – LEARN Assessment Procedures  35
A – ALIGN Assessment Procedures  47
P – PERFORM Assessment Procedures  62
R – REVIEW Assessment Procedures  81
Part II.C - Sources of Information and Content Criteria  89
Part III - GRC Glossary  155
Appendix A - Acknowledgements  244


Introduction

Executive Summary
Over $1 trillion (USD) is destroyed every year because of unprincipled misconduct, mistakes, and miscalculations. Organizations, individuals, and the public count on GRC Professionals to lead the way and solve this trillion-dollar problem.

But it can be difficult to address this massive problem because of volatility, uncertainty, complexity, and ambiguity (VUCA) – and the disconnection between departments, people, values, and skills.

Therefore, the OCEG community created Principled Performance and GRC over 20 years ago – to help solve problems using an interdisciplinary approach.

The GRC Capability Model (“OCEG Red Book”) codified a strong approach to achieve Principled Performance. This document, the GRC Assessment Framework (“OCEG Burgundy Book”), codifies an approach to provide assurance over the GRC Capability (and related sub-capabilities) that contribute to achieving Principled Performance.

By providing assurance over the GRC Capability, an organization can reliably achieve objectives, address uncertainty, and act with integrity.


Using this Document

The purpose of the GRC Assessment Framework™ (“OCEG Burgundy Book”) is to provide GRC professionals, as well as those responsible for providing assurance, with a common set of assessment procedures. This document also provides a common understanding of what to expect during an assessment of a GRC Capability or some area of the organization that implements GRC Capabilities.

These procedures align with the GRC Capability Model™ (“OCEG Red Book”) and are useful for self-assessments and independent assessments.


Goals of this document

Goals for the GRC Assessment Framework (“OCEG Burgundy Book” and “Burgundy Book”):

● Help organizations evaluate the design and operating effectiveness of GRC Capabilities
● Reduce time and expense of assessments by providing common procedures and criteria
● Provide objective and, optionally, external judgment and recognition of sound practices
● Raise the global level of maturity and quality of GRC as a pathway to Principled Performance

Users of this document

This document may be used by a diverse group of stakeholders including anyone who “uses” assurance information; anyone who “provides” assurance by performing assessment procedures; and anyone who “participates in” assurance activities. This includes individuals and teams across all Lines of Accountability and external stakeholders.

Internal Users using Lines of Accountability™ Model

The Lines of Accountability Model™ helps organizations identify structures that facilitate the governance, management, and assurance of performance, risk, and compliance by focusing on the contribution each “line” makes to producing value and preserving value. These “Lines of Accountability” provide a sound basis for explaining assurance.

● First Line - Individuals and Teams that own and manage performance, risk, and compliance associated with day-to-day operational activities.

● Second Line - Individuals and Teams that establish performance, risk, and compliance programs for the First Line. The Second Line may include an organizational service center or staff within risk, compliance, HR, security, and technology departments. The Second Line provides oversight through frameworks, standards, policies, tools, and techniques to support the First Line. The Second Line often manages its own portfolio of objectives and associated performance, risk, and compliance. The Second Line may provide limited assurance over First Line activities, depending on the objectivity and competence related to the subject matter.

● Third Line - Individuals and Teams that provide a high level of assurance on activities performed by the First Line and Second Line. The Third Line may include internal audit, external audit, or outside experts who are sufficiently objective and competent. The level of assurance possible depends on the objectivity and competence related to the subject matter.

● Fourth Line - The Executive Team is accountable and responsible for the organization-wide performance, risk, and compliance. The Fourth Line gains information from the First Line and the Second Line and assurance from the Third Line to make decisions about managing performance, risk, and compliance.

● Fifth Line - The Governing Authority (Board) is ultimately accountable and responsible for the governance, management, and assurance of performance, risk, and compliance. While the governing authority may choose to delegate, this plenary accountability for the organization means that the governing authority must use due care to ensure that the right systems are in place to learn about and address important issues – especially those that present “red flags.”

Figure - Lines of Accountability™ (LoA): Lines of Accountability & Assurance Model

Each Line of Accountability may use, provide, or participate in various assurance activities; and may use this document to gain confidence specifically about the GRC Capability.


Figure - Participation and Contribution to Assurance by Line of Accountability

First Line - Front Line Operations
● Uses Assurance Deliverables: Uses assurance information to gain confidence about its own operations. Uses assurance information to gain confidence about external providers.
● Provides Assurance Services: Conducts self-assessments to evaluate its own activities. Conducts assurance on external suppliers and external activities with the possibility of higher levels of assurance (depending on objectivity and competence).
● Participates in Assurance Activities: Participates in assurance programs by providing information about their own activities.

Second Line - Shared Services and Specialized Operations
● Uses Assurance Deliverables: Uses assurance information to gain confidence about the adequacy of first line activities to fulfill its second line oversight purpose.
● Provides Assurance Services: Conducts self-assessment to evaluate its own activities. Conducts assurance on first line activities with the possibility of higher levels of assurance (depending on objectivity and competence).
● Participates in Assurance Activities: Participates in assurance programs by providing information about their own activities, as well as the first line operations they oversee.

Third Line - Specialized Assurance Operations
● Uses Assurance Deliverables: Evaluates others' assurance information to see if they can rely on it and use it within their own assurance activities.
● Provides Assurance Services: Conducts self-assessment to evaluate its own activities. Conducts assurance on other lines of accountability with the possibility of higher levels of assurance (depending on objectivity and competence).
● Participates in Assurance Activities: Participates in assurance programs by providing information about their own activities. Works with stakeholders and other information users to define the purpose, scope, objectives and nature of assurance programs.

Fourth Line - Executive Management
● Uses Assurance Deliverables: Uses assurance information to manage the entire organization. Assurance information helps the fourth line gain confidence that opportunities, obstacles, and obligations are addressed; and that weaknesses are remediated.
● Provides Assurance Services: Conducts self-assessment to evaluate its own activities. Generally does not conduct assurance itself, but can assign the first or second or third line to conduct assurance as appropriate.
● Participates in Assurance Activities: Collaborates with assurance by providing information and access. Participates in assurance programs by taking action and assigning responsibility for recommendations made by assurance providers.

Fifth Line - Governing Authority
● Uses Assurance Deliverables: Uses assurance information to govern the entire organization. Assurance information helps the fifth line gain confidence that the assertions given to it show a true and fair view of the organization.
● Provides Assurance Services: Conducts self-assessment to evaluate its own activities. May engage internal or external assurance providers to gain confidence about the organization.
● Participates in Assurance Activities: Participates in assurance programs by providing information about fifth line activities. Oversees and directs assurance activities.

External Users
Any external reviewer may use these procedures to provide information consumers an appropriate level of assurance given their needs.


External Auditors

External auditors may use these procedures to provide assurance as part of an agreed-upon procedures (AUP) project. The AUP approach allows any individual who is duly licensed as a certified public accountant, certified chartered accountant, or the international equivalent thereof to perform these procedures according to the professional standards to which they are subject and issue a findings report that can be judged by intended recipients based upon their own criteria.

The procedures are written in such a way that any individual trained in and subject to the professional standards applicable to agreed-upon procedures engagements can perform the procedures without separate licensure or qualification by OCEG.

Third Party Auditors

Third parties and business partners may periodically audit an organization to gain assurance that contractual obligations are fulfilled. Third parties may use these procedures as part of their due diligence or audit programs.

Regulators

Regulators and governmental authorities may periodically audit an organization to gain assurance about things such as:

- Adequacy of internal control over financial reporting (ICFR)
- Adequacy of compliance programs mandated by laws and regulations
- Adequacy of risk management programs mandated by laws and regulations

These procedures provide a sound foundation to evaluate the design and operating effectiveness of risk management programs, compliance programs, and other similar programs.


Part I - GRC Assurance Concepts

What is Assurance?
A high-performing GRC Capability is the pathway to Principled Performance. Information about the purpose, design, and operation of the GRC Capability helps internal and external stakeholders understand if the organization is “reliably achieving objectives, addressing uncertainty, and acting with integrity.”

The need for assurance arises when information users (i.e., stakeholders) want increased confidence that statements made by information producers (i.e., management) are justified and present a fair and true representation of reality.

Far from adversarial, this need for assurance is a natural consequence of collaboration across diverse organizational structures and the increasingly complex nature of enterprise. This need arises any time an information user lacks the proximity, resolution, expertise, or trust to have the confidence they need.

Those managing and governing the organization need to have confidence that what they BELIEVE is happening, actually is happening, and that it is working. Assurance provides confidence to management, the governing authority, and other stakeholders that beliefs match reality.

Some definitions:

● Assurance - the act of objectively and competently evaluating subject matter to provide justified conclusions and confidence that statements and beliefs about the subject matter are true.
● Evaluate - the act of judging subject matter by comparing evidence against suitable criteria.
● Subject Matter - identifiable statements, conditions, events, or activities for which there is evidence.
● Suitable Criteria - benchmarks used to evaluate subject matter that yield consistent and meaningful results.

More definitions about the people involved:


● Information User (also Information Consumer) - an individual, group, or any entity that receives information.
● Information Producer (also Information Supplier) - an individual, group, or any entity that produces data/information to send to another individual, group, or entity.
● Assurance Provider - someone who conducts assurance activities (especially to mediate the information relationship between information producer and information user).

Assurance Providers add value by mediating the relationship between Information Producer and Information Consumer so that the Information User can gain confidence that statements and beliefs about the subject matter are justified and true.


When is Assurance Needed?

When discussing the need for assurance, it's helpful to consider it in the context of the relationship between the Information User and the Information Producer. There are a few key situations where assurance becomes particularly important:

● Proximity: The Information User may not be closely connected to the Information Producer or the processes used to generate the information. This distance can lead to uncertainty about the accuracy of the information. Assurance serves as a bridge, giving the Information User confidence that the information is a fair and true representation of reality.

● Expertise: The Information User may not have the necessary expertise to effectively evaluate the information. This includes understanding the design, operation, and outputs of the processes used by the Information Producer. In such cases, assurance plays a critical role in helping the Information User trust that the information they receive is a fair and true representation of reality.

● Information: The Information User may only receive summarized or condensed information that omits crucial details. This lack of comprehensive data, or information asymmetry, can lead to misinterpretation or a partial understanding. The Assurance Provider ensures that despite the brevity or compression, what is conveyed is a fair and true representation of reality.

● Trust: There are times when there isn't a foundation of trust between Information Users and Information Producers. This could be due to the nature of their relationship (like competitors inherently distrusting each other) or past actions (such as a violation of a contract). In these situations, an Assurance Provider acts as an intermediary to facilitate the flow of information even when trust is absent.

● Importance: If the effect of a risk materializing would be so great that it would significantly damage an organization, then it would be important for the Information User to have a high level of assurance. This high level of assurance would help the Information User gain the confidence they need to know operations are likely to continue without any unexpected issue, or otherwise to detect and correct potential problems.


What are Levels of Assurance?

Assurance is a concept that involves different degrees and levels, rather than being a simple “yes or no” matter. The Level of Assurance depends on the competence and objectivity of the person providing it. In the same way, the requirement for a specific level of assurance also varies. It is crucial to align the level of assurance with the specific needs it is meant to address.

In general, the level of assurance will be dependent on the level of importance associated with the area under consideration. For example, if a particular area of the organization is “high risk” then it may be important to have a high level of assurance that critical processes are running smoothly.

Assurance is never absolute. It is common for GRC Professionals to specify a desired “level of assurance” about some subject matter. The Level of Assurance about something is a function of the Assurance Objectivity and Assurance Competence of the Assurance Provider.

● Objectivity - the degree to which an Assurance Provider can be impartial, disinterested, independent, and free to conduct necessary activities and to form an opinion about the subject matter.
● Competence - the degree to which an Assurance Provider can use sophisticated, professional, and structured techniques to evaluate the subject matter.
● Level of Assurance - a measure of the degree of confidence that an assurance provider can deliver to an information consumer about statements an information provider makes about the subject matter.


Not everything requires a high level of assurance. For example, a manager in the sales department may want “some” assurance that the way they conduct sales calls is sound. For this lower level of assurance, they might call five colleagues in other companies and ask about their process, and then use that information with the sales team to identify gaps.

The VP of sales, on the other hand, might want a “higher” level of assurance that all sales teams are using best practices to conduct sales calls. This might entail hiring an outside expert, using a vetted sales call maturity model, to conduct design and operational testing of controls used in the sales process.

● Absolute Assurance - a level of assurance that is impossible to achieve.
● Reasonable Assurance - a special type of assurance, provided by external auditors as part of a financial audit or examination, that subject matter conforms to suitable criteria and is free from material error.
● Limited Assurance - a level of assurance resulting from reviews, compilations, and other activities performed by competent personnel who are sufficiently objective about the subject matter.
● Lower Assurance - a more limited level of assurance resulting from activities such as self-assessments and benchmarking performed by the personnel responsible for the subject matter.


Do Assurance Providers need to be Independent?

The terms "independent" or "independence" are occasionally used in reference to assurance to emphasize the importance of the structural or reporting relationship between the assurance provider, the information producer, and the information consumer. The notion is that the assurance provider should have a structurally independent status to enhance objectivity. In practice this means that the assurance provider does not report to the information producer, or at least has a "dual reporting" line to an organizational unit outside the information producer, so that conflicts of interest are reduced.

However, independence alone does not guarantee objectivity; it is simply a means to achieve it.

Therefore, a GRC Professional must recognize that independence is a tool to achieve objectivity. Independence is not synonymous with objectivity, and may not be recommended given a target level of assurance.

For example, when a high level of assurance is desired (e.g., evaluating internal control over financial reporting), it may be beneficial for the assurance provider to be fully independent of the information producer. When a lower level of assurance is desired (e.g., benchmarking one's own work), independence may not be required or recommended.

Hence, it is important to note that independence should not be confused with objectivity. While they are related concepts, independence alone does not guarantee objectivity and is not always recommended.

‭© 2002 - 2024 OCEG. All Rights Reserved (feedback to‬‭[email protected]‬‭)‬ ‭12‬

Licensed for noncommercial personal use by Osama Alsuraybi ([email protected]) on 3/22/2025, 1:03:29 PM
‭GRC Assessment Framework Version 3.5.1-EN revision 2024-10-31‬

What are Assurance Assessments?

Assessments may vary depending on the needs of the Information Users. There are generally a few types of assessments.

Maturity Assessments
A Maturity Assessment evaluates an area of the organization against a Maturity Model that serves as suitable criteria. A Maturity Model provides a theoretical continuum, often expressed in "levels," along which maturity can be described incrementally from one level to the next. Maturity levels may be used to assess how capable (prepared) the organization is to perform practices:

● Level 1 - Initial. Practices are improvised, ad hoc, and often chaotic.
● Level 2 - Managed. Practices are defined and managed, though sometimes informally.
● Level 3 - Consistent. Practices are formally documented and consistently managed.
● Level 4 - Measured. Practices are measured and managed with data-driven evidence.
● Level 5 - Optimizing. Practices are consistently improved over time.

In some maturity models, the highest Level 5 is called "Optimized." However, GRC Professionals recognize that an area is never "optimized" but rather in the process of "optimizing" over time.

GRC Professionals apply the concept of maturity at all levels of The GRC Capability Model as needed. For example, the Education Element could be assessed for Maturity:

● Level 1 - Initial. Education practices are improvised and often chaotic.
● Level 2 - Managed. Education Practices are defined and managed, though sometimes informally. This means the team knows how to define, develop and deliver education, but nothing is documented. And, when workers are educated, records are not always created or stored.
● Level 3 - Consistent. Education Practices are formally documented and consistently managed. This means the team follows documented practices to define, develop and deliver education. Learner records are created and maintained.
● Level 4 - Measured. Education Practices are measured and managed with data-driven evidence. This means that the documented process generates enough data and indicators to judge the effectiveness, efficiency, responsiveness, and resilience of Education.
● Level 5 - Optimizing. Education Practices are consistently improved over time. This means that the indicators are not only captured and judged but that the team can demonstrate continuous improvement.

‭© 2002 - 2024 OCEG. All Rights Reserved (feedback to‬‭[email protected]‬‭)‬ ‭13‬

Licensed for noncommercial personal use by Osama Alsuraybi ([email protected]) on 3/22/2025, 1:03:29 PM
‭GRC Assessment Framework Version 3.5.1-EN revision 2024-10-31‬

‭© 2002 - 2024 OCEG. All Rights Reserved (feedback to‬‭[email protected]‬‭)‬ ‭14‬

Licensed for noncommercial personal use by Osama Alsuraybi ([email protected]) on 3/22/2025, 1:03:29 PM
‭GRC Assessment Framework Version 3.5.1-EN revision 2024-10-31‬

Effectiveness Assessments
Effectiveness Assessments comprise the vast majority of traditional "internal audits" in most organizations. In the audit discipline the word "effectiveness" has special meaning to encompass the design and operating effectiveness of an area of the organization.

● Design Effectiveness - Evidence of logically designed actions & controls relative to objectives, opportunities, obstacles, and obligations. This is accomplished by evaluating the design of actions & controls against suitable criteria.
● Operating Effectiveness - Evidence that actions & controls operate as intended. This is accomplished by substantive testing of information generated by actions & controls to judge actual results against expected results.

Taken together, design and operating effectiveness help an organization have confidence that an area of the organization is logically designed to achieve a particular objective, and that it is operating as designed. In short, it gives confidence that "what we think is happening actually is happening and making a difference in the right way."

DESIGN EFFECTIVENESS | OPERATING EFFECTIVENESS | IMPLICATIONS
No | No | CHAOS: The design is not sound and the area is not operating according to this unsound design.
Yes | No | GULLIBLE: The design is sound, but the area is not operating according to the sound design. Often this means that management believes that an area is effective because they do not know that the area is not operating according to design.
No | Yes | IN THE WEEDS: The design is not sound, but the area is operating according to this unsound design. Often this means that personnel in the area are blindly following a bad design.
Yes | Yes | EFFECTIVE: The design is sound and the area is operating according to this sound design.

It is important to conduct a Design Effectiveness Assessment before or in conjunction with an Operating Effectiveness Assessment, so that the organization knows that the right design is effectively operating ("doing the right things the right way") instead of knowing that the wrong design is effectively operating ("doing the wrong things the right way").

Design Effectiveness Assessment

A Design Effectiveness Assessment evaluates the design of an area of the organization against suitable criteria such as a standard, a best practice model, or some other framework that describes a "sound" design for that area of the organization.

For example, a Design Effectiveness Assessment may use:

● A sales methodology to evaluate the design effectiveness of the sales process.
● An international standard to evaluate the design effectiveness of an information security management system.
● Accounting rules to evaluate the design effectiveness of the financial accounting systems.

In all cases, the Design Effectiveness Assessment will look for gaps between what actually "is" in place and what "ought" to be in place according to the suitable criteria. Gaps are not necessarily a design deficiency, but may indicate a design decision based on idiosyncratic objectives of the organization. Thus professional judgment must be used to make determinations.

Operating Effectiveness Assessment

An Operating Effectiveness Assessment evaluates the actual operation of an area of the organization against suitable criteria. This typically entails gathering evidence from actual "transactions" in the system under consideration. Transactions in this sense are generalizable and include everything from financial transactions to training records to access control logs.


Performance Assessments using the Total Performance Model™

For each element, the GRC Capability Model describes Total Performance across four dimensions: Effectiveness, Efficiency, Responsiveness, and Resilience. These dimensions should be considered across all components, elements, and practices.

For example, the Education Element could be assessed for Total Performance:

● Effective ("Sound"). Is the design of the education program logical? Does it follow best practices? Are all topical areas covered? Are the workers we intend to educate actually getting educated? Are they retaining the knowledge/skills they need? Is the education program impacting the intended business objectives?
● Efficient ("Lean"). What does it cost to educate the workforce? Is the cost per Worker going up/down? How does this cost compare to organizations of similar size?
● Responsive ("Agile"). How long does it take to educate a department? How long does it take from identifying an education need to reaching 100% coverage of the intended audience? When an error is found in the education program, how long does it take to be detected and corrected?
● Resilient ("Antifragile"). What will we do if the online education system fails? What kind of slack do we have in education timelines in case of unplanned distractions? What kind of backup staff do we have in case someone gets sick?


Types of assessments
Assessments can be more-or-less formal and performed on an infrequent or continuous basis.

1) Engagement assessments

Engagements are projects with a defined start and end. Engagements are more formal assignments that aim to give a higher level of assurance through greater objectivity and competence, including well-defined reporting requirements.

These include:

● External audits
● Internal audits
● Post project evaluations
● Full inventory counts
● Full population product quality testing

2) Periodic assessments
Periodic assessments take place at intervals which are usually relatively short compared to more formal engagements.

These include:

● Partial inventory counts
● Sample-basis product or service quality testing
● Satisfaction surveys

3) Continuous assessments
Continuous assessments consist of ongoing operations monitoring. The definition of ongoing will depend on the activity monitored. For example, a verification once a day of bank balances might be sufficient to be considered "continuous" and ongoing.

These include:

● Embedded modules
● Automated exception reporting
● Continuous testing

Assurance Risk Equation

Assurance Risk is the risk that an assurance assessment provides inaccurate conclusions, especially inaccurate positive conclusions, that statements about the subject matter are justified and true.

The Assurance Risk Equation

The Assurance Risk Equation includes the following components:

● Inherent Risk (IR): the natural risk of an uncontrolled process. Said differently, it is the level of risk in the absence of actions & controls.
● Control Risk (CR): the risk that internal controls fail to appropriately respond to risks.
● Non-Detection Risk (NDR): the risk that errors that exist are not found. This notably describes the risk that assurance will not detect significant risks so that actions can be taken in response to them.

Multiplying the inherent risk with the control risk (IR x CR) approximates the current residual risk. Residual Risk (RR) is the level of risk in the presence of actions & controls but in the absence of assurance.

The Assurance Risk Equation helps to determine if there might be a "meaningful misunderstanding" between what the assurance provider is giving as assertions to its stakeholders and the true situation (if assurance did not detect the error or no action was taken when it was detected). A meaningful misunderstanding happens when information producers make inaccurate statements to information consumers about subject matter. Common reasons for inaccurate statements include:

● Misconduct. The information producer intentionally made inaccurate statements.
● Mistakes. The information producer made statements that turned out to be inaccurate because of errors in underlying systems, actions, and controls.
● Miscalculations. The information producer made mathematically inaccurate statements about the subject matter because of undetectable errors in the inputs to such statements.

In external audit, this is referred to as the risk that a "material misstatement" could be present in the financial statements.


If the Inherent Risk and the Control Risk are higher, the Assurance Provider must do extra work to ensure that the Non-Detection Risk is lower.

If the Inherent and the Control Risk are lower, the Assurance Provider may consider not doing extra work to reduce Non-Detection Risk.
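Worked numerically, as an added example that is not part of the OCEG text (the figure carrying the equation is not reproduced in this copy): the standard multiplicative form AR = IR x CR x NDR is assumed, the equation is solved for the Non-Detection Risk budget that a target Assurance Risk leaves, and that budget is turned into a minimum sample size for a test of detail using the zero-deviation attribute sampling plan n = ceil(ln(NDR) / ln(1 - tolerable deviation rate)). The sampling formula, the function names and the numbers are all illustrative assumptions rather than framework content.

```python
"""Assurance Risk Equation worked numerically (added example).

Assumed form (the standard audit risk model; the figure carrying the
equation is not reproduced in this copy of the page):

    Assurance Risk (AR) = IR x CR x NDR,   where IR x CR ~ Residual Risk (RR)

Every factor is a probability in (0, 1]. Solving for NDR gives the largest
Non-Detection Risk the assurance procedures may leave while still meeting
the target AR. Converting that NDR into a minimum sample size uses the
zero-deviation attribute sampling plan
    n = ceil(ln(NDR) / ln(1 - tolerable_deviation_rate)),
which is an added assumption, not part of the framework text.
"""
import math


def _check_prob(value, name):
    # Each factor is a probability; 0 is excluded so the division is defined.
    if not 0 < value <= 1:
        raise ValueError(f"{name} must be in (0, 1], got {value}")


def residual_risk(ir, cr):
    """IR x CR: the risk that remains after actions & controls, before assurance."""
    _check_prob(ir, "IR")
    _check_prob(cr, "CR")
    return ir * cr


def required_ndr(target_ar, ir, cr):
    """Largest NDR that still keeps AR = IR x CR x NDR at or below target_ar.

    Capped at 1.0: when the residual risk is already below the target, no
    detection work is needed to meet it (the "may consider not doing extra
    work" case in the text)."""
    _check_prob(target_ar, "target AR")
    return min(1.0, target_ar / residual_risk(ir, cr))


def sample_size(ndr, tolerable_deviation_rate):
    """Minimum number of items to test so that, if the true deviation rate is
    at least tolerable_deviation_rate, the probability of observing zero
    deviations in the sample is at most ndr."""
    _check_prob(ndr, "NDR")
    p = tolerable_deviation_rate
    if not 0 < p < 1:
        raise ValueError(f"tolerable deviation rate must be in (0, 1), got {p}")
    if ndr >= 1.0:
        return 0  # nothing to detect for this target: no substantive sample
    return math.ceil(math.log(ndr) / math.log(1 - p))


def plan(target_ar, ir, cr, tolerable_deviation_rate):
    """Tie the pieces together for one control: higher IR x CR forces a lower
    NDR budget and therefore a larger sample (more work for the provider)."""
    ndr = required_ndr(target_ar, ir, cr)
    return {
        "residual_risk": residual_risk(ir, cr),
        "ndr": ndr,
        "sample_size": sample_size(ndr, tolerable_deviation_rate),
    }


if __name__ == "__main__":
    # Same target assurance risk (5%) and 5% tolerable deviation rate;
    # only the assessed IR and CR differ between the rows.
    for ir, cr in [(1.0, 1.0), (1.0, 0.5), (0.5, 0.5), (0.2, 0.2)]:
        print(f"IR={ir} CR={cr} ->", plan(0.05, ir, cr, 0.05))
```

With a 5% target and a 5% tolerable deviation rate, IR = CR = 1.0 leaves an NDR budget of 0.05 and calls for 59 items, IR = 1.0 with CR = 0.5 leaves 0.10 and calls for 45, and IR = CR = 0.5 leaves 0.20 and calls for 32; once IR x CR falls below the target (0.2 x 0.2 = 0.04) the budget caps at 1.0 and no substantive sample is required for that target.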


What are ways to gather evidence?

There are many types of procedures to gather evidence and conduct tests. For a higher level of assurance, evidence gathering procedures are used in combination to provide additional verification of various pieces of evidence.

This verification ultimately contributes to the reliability of the information provided, allowing the assurance provider to make more accurate statements and conclusions about subject matter. This is intended to raise stakeholder confidence and reassurance.

Example: "inquiry" (e.g., interviews) is performed at the same time as "observation"; the results are compared, and the comparison corroborates the evidence.


Part II.A - GRC Assessment Method

Assessment planning
Assurance planning includes the process of determining the assessments to perform and their resources.

Assurance planning

Before the assessment, the following should be defined in an approved annual or strategic Assurance Plan:

● The initial scope and objectives of the assessment.
● The resources allocated: staffing, travel budget, etc.

An Assurance Plan sets out a proposal for assessments to be performed and states an initial scope and objectives for each assessment. The plan should receive feedback and approval from the party to which the assurance function reports (e.g., the Board of Directors or a Risk Management Oversight Board).

Assessment planning

To plan an assessment, the assessment team will likely perform a certain amount of preliminary research to properly understand the area under review and to assess its risks. This preliminary research and assessment of risks will help make sure that all significant risk areas are identified.

With a greater understanding of the area under review, the scope and objectives of the assessment might need to be adjusted. Depending on the nature of the change and the formality of the reporting structure, these changes might need to be approved.

A notification of the assessment summarizing the objectives, scope and criteria can be sent (sometimes called an "Engagement Letter"), and a kick-off meeting might be held with those assessed to gain support for the assessment, notify all participants of the objectives, scope, and process of the assessment, and help schedule the work.


‭Workflow of assurance planning and assessment planning‬

Assessment performance

Assessment preparation

To prepare for an assessment, meetings can be held to get an overview of operations, especially with the person responsible for the area being assessed.

Documenting a detailed assessment of risks at this stage (e.g., in a risk inventory) will help ensure that key risks are covered in the assessment.

From the risk assessment, the Work Program can be created (which can be part of a Risk-Control Matrix). A Work Program details what tests and other work should be performed in the assessment. A Risk-Control Matrix is a document that shows how controls cover risks to achieving objectives.

A first collection of documents can be requested to help prepare the risk assessment and work program. This would usually not be detailed samples but rather documents that show a full statistical population (e.g., all transactions in the past year).


‭Workflow of assessment preparation‬

Assessment fieldwork: assessing the design of controls

After analyzing documents and assessing risks, more detailed meetings can be held focusing on key areas of concern.

Controls can be evaluated to understand whether their design would ensure that risks are properly treated, assuming the controls are well performed.

Assessment fieldwork: assessing the operating effectiveness of controls

Operating effectiveness gives evidence that actions & controls operate as intended. This is accomplished by substantive testing of information generated by actions & controls to judge actual results against expected results.

Further documents can be requested, especially on controls evaluated as significant. For example, samples or a population of transactions or documents can be requested that evidence compliance (such as contracts). They are used to perform tests of detail which confirm that a control works effectively.
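As an added example (not the framework's own material) of the substantive test of detail described here and under Operating Effectiveness Assessment earlier in the page, which names access control logs as one kind of "transaction": the control wording, its two-day tolerance, the HR termination records, the IAM account export and the authentication log lines are all constructed for the illustration, as are the function names. The expected result for each item comes from the control wording, the actual result comes from the evidence, and every difference is recorded as an exception for the working papers.

```python
"""Test of detail for one control over constructed evidence (added example).

Control under test (assumed wording): "Access for terminated workers is
disabled within 2 calendar days of the termination date, and the account is
not used after termination."

Expected result for every termination record (from the control wording):
  - an account record for the user exists in the IAM export,
  - disabled_on is no later than termination_date + SLA,
  - there is no successful login dated after termination_date
    (a login on the termination day itself is treated as allowed).
Any other actual result is a deviation recorded for the working papers.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

SLA = timedelta(days=2)  # assumed tolerance taken from the control wording

# Constructed population: HR termination records (one row per leaver).
TERMINATIONS_CSV = """user,termination_date
alice,2024-03-01
bob,2024-03-04
carol,2024-03-05
dave,2024-03-11
"""

# Constructed IAM export: account status at the time of the test.
# An empty disabled_on means the account is still enabled.
ACCOUNTS_CSV = """user,disabled_on
alice,2024-03-02
bob,2024-03-12
carol,
"""

# Constructed authentication log lines: timestamp, user, event.
AUTH_LOG = """2024-02-28T09:10:00 alice LOGIN_OK
2024-03-01T17:45:00 alice LOGIN_OK
2024-03-06T08:02:00 bob LOGIN_OK
2024-03-07T08:05:00 bob LOGIN_FAIL
2024-03-09T22:30:00 carol LOGIN_OK
2024-03-10T07:00:00 dave LOGIN_OK
"""


@dataclass
class Deviation:
    user: str
    issues: list = field(default_factory=list)


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def _day(text):
    return date.fromisoformat(text) if text else None


def successful_logins(log_text):
    """Map user -> successful login timestamps; failed attempts are ignored
    because the control is about use of the account, not attempts against it."""
    logins = {}
    for line in log_text.splitlines():
        stamp, user, event = line.split()
        if event == "LOGIN_OK":
            logins.setdefault(user, []).append(datetime.fromisoformat(stamp))
    return logins


def perform_test_of_detail(terminations_csv, accounts_csv, log_text, sla=SLA):
    """Compare the actual IAM state and log activity with the expected result
    for every termination record. Returns (deviations, deviation_rate)."""
    accounts = {r["user"]: _day(r["disabled_on"]) for r in _rows(accounts_csv)}
    logins = successful_logins(log_text)
    terminations = _rows(terminations_csv)
    deviations = []
    for rec in terminations:
        user, term = rec["user"], _day(rec["termination_date"])
        d = Deviation(user)
        if user not in accounts:
            d.issues.append("no account record in IAM export")
        elif accounts[user] is None:
            d.issues.append("account still enabled")
        elif accounts[user] > term + sla:
            late_by = (accounts[user] - term).days
            d.issues.append(f"disabled {late_by} days after termination")
        used_after = [t for t in logins.get(user, []) if t.date() > term]
        if used_after:
            d.issues.append(f"{len(used_after)} successful login(s) after termination")
        if d.issues:
            deviations.append(d)
    rate = len(deviations) / len(terminations) if terminations else 0.0
    return deviations, rate


if __name__ == "__main__":
    found, rate = perform_test_of_detail(TERMINATIONS_CSV, ACCOUNTS_CSV, AUTH_LOG)
    for d in found:
        print(d.user, "->", "; ".join(d.issues))
    print(f"deviation rate: {rate:.0%} of {len(_rows(TERMINATIONS_CSV))} items")
```

On the constructed evidence, alice passes, bob was disabled eight days late and logged in after leaving, carol's account was never disabled and was used, and dave has no IAM record at all: three deviations in four items. A deviation rate that high would normally be compared with the tolerable deviation rate decided when the test was planned, and would lead to the control being reported as not operating effectively rather than to a larger sample.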

Documenting work

The work performed and related results can then be documented in the working papers of the assessment.


‭Workflow of assessment fieldwork‬

Collecting assessment information

Common techniques for gathering information as part of the preliminary research include:

1) Reviewing previous assessment data

The work and results from previous assessments can be reviewed to gain a better understanding of the area. The full work program and tests should however not be reused without a re-evaluation of risks.

2) Walk-throughs

Walk-throughs of processes, usually gained from interviews or observation, are step-by-step descriptions of tasks from start to finish. They are usually gained from the person who performs the task.

3) Observation and interviews

Observing places, processes and how tasks are performed is important to determine how these things take place in practice.

Interviews efficiently help learn about an audit area, help answer questions and confirm observations.


4) Process mapping

Mapping processes helps to visually represent a process, for instance by creating the workflow of a process.

5) Benchmarking

Benchmarking is a comparison to other analogous processes, best practices, or other criteria. A gap analysis can help spot differences with the benchmark.

Forms of assessment communication

Assessment communications can take many forms, and formally written reports are just one example.

The formality and type of reporting will depend on the particular circumstances, but communicating in several different ways is usually the most effective.

Risk ratings given to particular observations and recommendations help prioritize actions and focus attention on the most important issues noted.

Though well-written observations, recommendations, and action plans can lead to effective actions, much of the value of an assessment lies in working with others to find solutions to the issues noted rather than simply the written deliverables.

Some common forms of assessment reporting include the following (several methods might be used together):

● Formal report: a formal report includes all information that an interested stakeholder would need to know.
● Shared issue tracking: a shared issue tracking system where stakeholders can access reporting (e.g., a shared file or common application).
● Formal minuted meetings: formal meetings to communicate observations, possibly with meeting minutes taken or with written or slideshow support.
● Informal meetings: more informal meetings can be held for issues of lower importance or to further discuss issues.
● Informal communication: issues of lower importance might be communicated orally to action owners directly or by email.


The confirmation process

Making sure that your reporting is free from errors can be done by confirming your observations.

Corroborating your observations with people close to the issue, as well as others who can be objective about them, helps you gain support for your conclusions.

What might seem like an obvious breach to an assessor might have complex reasons for having been done that way.

Mitigating circumstances might also explain why a particular observation was made and why it is unlikely to happen again.

Workflow of the confirmation process

Findings and recommendations from the assessment should generally be confirmed. Confirming with people at several levels helps corroborate findings. There can be exceptions to this, such as in the case of suspected fraud, or when confirming findings is not possible or impractical (e.g., too many providers of data).

Action owners, often together with management, should determine actions which would treat the risks observed.

Assessors should confirm whether the actions determined by the action owner would treat the risks observed. If they would not, the action owner should improve the action plan.

If still not acceptable, the findings should be escalated to a level where a decision can be taken.

When acceptable, the report can be finalized and reported.


‭Workflow of report drafting‬

Communicating the results of an assessment

The distribution of results should be cautious. Results are often confidential, and sharing one area's failings with all others can cause resentment.

Results are therefore best kept to those who need to know. Extracts of the full report can be sent to individual persons or teams.

Generally, reporting should be sent to:

● Action owners who need to resolve the issues noted.
● Management owners with responsibility over the concerned area.
● Governance bodies (e.g., Risk Management Board) who oversee the area.

Workflow of the communication of results

Results can be distributed in the form of a formal report. Less formal assessments can take other forms such as having the results in a shared file, in a slideshow presentation or shared by email.

Full results might be distributed to:

● A governance body: the Board of Directors, Audit Committee, Information Security Board, etc.
● Management owners: Senior Management, country, functional or divisional management.


● Action owners and persons responsible for the area being assessed. Action owners working on the full area being assessed generally get the full results.

"Management owners" are those in the executive ultimately responsible for ensuring that the actions to treat risk have been taken.

"Action owners" are people who are directly responsible for carrying out the actions which would treat the risks observed.

As the nature of results is usually confidential, extracts of part of the results can instead be sent to action owners or other stakeholders.

‭Workflow of the communication of results‬

Monitoring the implementation status of recommendations

A follow-up on the status of recommendations issued should be performed.

The follow-up should assess whether the risks from the observations have decreased, rather than whether the actions from the recommendations or the action plans have taken place.

If actions have been taken to sufficiently reduce the risk, then the recommendation can be considered closed.

It can also be considered closed if the risk does not exist anymore (e.g., operations were closed).


A follow-up can be performed by the owner of the process, but it will be most objective if performed by an independent reviewer.

Workflow for the follow-up process

A follow-up on the status of recommendations issued verifies if risks have been treated or extinguished.

Extinguished means that circumstances have changed to the point where the risk noted in the observation is no longer relevant. For example, reducing costs in a division of the company which has since been sold is no longer necessary.

There are 2 possibilities:

● Risks have been sufficiently reduced.
● Risks have not been sufficiently reduced, though the follow-up can note which actions or reduction in risk has still taken place.

Risks might also have increased due to circumstances, regardless of the actions which the action owner or others have taken.

The database (or other tracking of recommendations) should then be updated.

For still open recommendations, an updated action plan might be necessary. For other recommendations past their initial deadline, a new deadline should be determined.

Points to consider therefore include:

● Was the finding's risk treated (regardless of the approach used)?
● Is the recommendation still valid (that is to say, is the risk in the observation still a risk for the future)?
● Should implementation be postponed and the action plan updated?

Reporting on the follow-up

The assessor should seek agreement on the frequency and nature of reporting on the follow-up.

Management and the governance body* which oversees the area should be informed of the status of implementation of recommendations, especially:


● High risk items not yet implemented.
● Overdue (postponed) items.
● Time-sensitive items.

*Governance bodies such as: the Board of Directors, Compliance Governance Committee, Audit Committee, IT Governance Committee, etc.


Part II.B - GRC Assessment Procedures

Use these assessment procedures to help provide assurance about the design and operating effectiveness of the GRC Capability or some aspect of it. Assessment Procedures are organized using the components and elements of the GRC Capability Model and use the following structure:

Review Procedure Structure

<ELEMENT NUMBER> <ELEMENT NAME>

Obstacles / Risks:
● Descriptions of key obstacles and risks
● Intended to be illustrative but neither exhaustive nor required in all organizations
● Tailor to the needs of the organization under assessment

The procedures for each element are then laid out in a table with four columns:

Control Objectives
Description of the objectives that the actions and controls are intended to address.

Review Procedure
● Listing of illustrative review procedures.
● Review procedures are neither exhaustive nor required in all organizations.
● Use Objectives and Analysis to determine the appropriate review procedures.

Sources of Information
● Listing of illustrative sources of information used in the Review Procedure.
● Sources of Information are labeled with "typical" deliverable titles.
● Organizations may use different labels, or no label at all, to organize the information outlined.
● Find details about the information in Part II.C Sources of Information and Content Criteria.

Assessment
Use this column for convenience to track when procedures are complete.

L – LEARN Assessment Procedures

Examine and understand stakeholders, the external context, the internal
context, and the culture of the organization to make sense of reality and
changes as they unfold.

Principled Performance® requires that an organization learn about and make sense of internal and
external realities as it strives to meet the needs of stakeholders.

The internal context and culture describe the capabilities and resources that the organization
uses to meet stakeholder needs. The external context represents the reality in which the
organization operates.

By making sense of internal realities, external realities, culture, and stakeholders, the organization
can shape the most appropriate direction, objectives, and approach to achieve Principled
Performance.

LEARN Component - Elements

Figure - LEARN Component Overview Diagram

L1 External Context

Examine and understand the external context in which the organization operates.

Practices

1. Analyze External Context - Consider industry, market, political, economic, societal,
technology, legal, environmental, demographic, geopolitical, and other external
factors that may affect the organization.

2. Influence External Context - Identify external factors that the organization may
attempt to influence.

3. Assign External Factors - Assign accountability to individuals with authority and
resources to successfully analyze, influence, and sense external factors.

4. Sense External Context - Continually watch for and make sense of changes in the
external context that have a direct, indirect, or cumulative effect on the
organization and notify appropriate personnel and systems.

5. Reconsider External Context - Define the events and timescale that trigger
reconsideration of external factors.

Review Procedure

L1 External Context

Obstacles / Risks:
● Improper understanding of the external context leading to improper decision making and a weaker ability to
organize people, processes, technology, and initiatives to be effective.
● The organization fails to identify external factors which it can influence.
● Insufficient authority or resources are assigned to analyze, influence or sense the external context.
● Changes in risks and obligations from the external context are not properly detected.
● Personnel affected by changes in the external context are not properly notified so that action may be
taken.

Control Objective: The external context is properly analyzed and documented.
Review Procedure:
● Ensure that processes are in place to identify risks and obligations in the external context for each
significant factor, such as a market intelligence function, surveillance of key economic trends and the
receipt and review of new laws and regulations
● Ensure that the organization considers industry, market, political, economic, societal, technology,
legal, environmental, demographic, geopolitical, and other external factors that may affect the
organization
● Obtain a list of all identified significant external sources of risks and obligations and verify for
completeness and frequency of update
Sources of Information:
● Risk Inventory*
● Risk Matrix*

Control Objective: External factors that the organization may attempt to influence are identified.
Review Procedure:
● Ensure that the organization considers its ability to influence external factors, which may be defined
in tools such as a SWOT analysis or a Stakeholder Analysis
Sources of Information:
● SWOT Analysis*
● Stakeholder Analysis*

Control Objective: Authority and resources are assigned to individuals to successfully analyze, influence,
and sense external factors.
Review Procedure:
● Ensure systems are in place so that authority and resources are allocated for the review and treatment
of external factors, for example by reviewing Job Descriptions, Budgets and Organizational Charts
● Review the process for identifying gaps in monitoring resources, and whether these may have been
documented within Exception Reports
Sources of Information:
● Exception Reports*
● Job Descriptions
● Budgets
● Organizational Chart*

Control Objective: The external context is monitored for changes that may affect the organization.
Review Procedure:
● Review practices for assessing changes in the external context, such as legal and regulatory
surveillance, market analysis or strategic risk assessments
Sources of Information:
● Strategic Risk Assessment*
● Legal and Regulatory Surveillance*
● Market Analysis*

Control Objective: Affected personnel are notified or aware of potential impacts and systems adjusted as
necessary.
Review Procedure:
● Verify that reporting on external risks and obligations is communicated to required persons
Sources of Information:
● Reporting on Risks and Obligations

L2 Internal Context

Examine and understand the internal context, including how the organization is structured and
operating.

Practices

1. Analyze the Internal Context - Consider internal strengths and weaknesses, strategic
plans, operating plans, organizational structures, policies, people, processes, technology,
resources, information, and other internal factors that define the organization's
operations.

2. Influence Internal Context - Identify internal factors that the organization may choose to
influence.

3. Assign Internal Factors - Assign accountability to individuals with authority and resources
to successfully analyze, influence and sense internal factors.

4. Sense the Internal Context - Continually watch for and make sense of changes in the
internal context that have a direct, indirect, or cumulative effect on the organization and
notify appropriate personnel and systems.

5. Reconsider Internal Context - Define the events and timescale that trigger
reconsideration of internal factors.

Review Procedure

L2 Internal Context

Obstacles / Risks:
● Improper understanding of the internal context leading to improper decision making and a weaker ability to
organize people, processes, technology, and initiatives to be effective.
● The organization fails to identify internal factors which it can influence.
● Insufficient authority or resources are assigned to analyze, influence or sense the internal context.
● Changes in risks and obligations from the internal context are not properly detected.
● Personnel affected by changes in the internal context are not properly notified so that action may be taken.

Control Objective: The internal context is properly analyzed and documented.
Review Procedure:
● Ensure that processes are in place to identify risks and obligations in the internal context for each
significant factor
● Ensure that the organization considers internal strengths and weaknesses, strategic plans, operating
plans, organizational structures, policies, people, processes, technology, resources, information, and
other internal factors that define the organization's operations
● Obtain a list of all identified significant internal sources of risks and obligations and verify for
completeness and frequency of update
Sources of Information:
● Risk Inventory*
● Risk Matrix*

Control Objective: Internal factors that the organization may attempt to influence are identified.
Review Procedure:
● Ensure that the organization considers its ability to influence internal factors
Sources of Information:
● SWOT Analysis*
● Stakeholder Analysis*

Control Objective: Authority and resources are assigned to individuals to successfully analyze, influence,
and sense internal factors.
Review Procedure:
● Ensure systems are in place so that authority and resources are allocated for the review and treatment
of internal factors, for example by reviewing Job Descriptions, Budgets and Organizational Charts
● Review the process for identifying gaps in monitoring resources, and whether these may have been
documented within Exception Reports
Sources of Information:
● Exception Reports*
● Job Descriptions
● Budgets
● Organizational Chart*

Control Objective: The internal context is monitored for changes that may affect the organization.
Review Procedure:
● Ensure the events which trigger a reconsideration of internal factors are defined
● Ensure a frequency for review of the internal context has been defined
Sources of Information:
● Policies and Procedures* over Internal Monitoring

Control Objective: Affected personnel are notified or aware of potential impacts and systems adjusted as
necessary.
Review Procedure:
● Verify that reporting on internal risks and obligations is communicated to required persons
Sources of Information:
● Reporting on Risks and Obligations

L3 Culture

Understand the existing culture, climate, and mindsets about the governance,
assurance, and management of performance, risk, and compliance.

Practices

1. Analyze Governance Culture – Analyze the climate and mindsets about constraining and
conscribing the organization, including how the governing authority and executive team
are engaged and whether leadership models behavior in words and deeds.

2. Analyze Management Culture – Analyze the climate and mindsets about arranging
resources and operating the organization, including how the organization is inspired to
achieve effective, efficient, responsive, and resilient performance.

3. Analyze Assurance Culture – Analyze the climate and mindsets about how the
organization objectively examines and judges the effectiveness, efficiency,
responsiveness, and resilience of critical activities and outcomes.

4. Analyze Performance Culture – Analyze the climate and mindsets about how the
workforce perceives performance, especially the associated trade-offs.

5. Analyze Risk Culture – Analyze the climate and mindsets about how the workforce
perceives risk, its impact on work, and its integration with decision-making.

6. Analyze Compliance Culture – Analyze the climate and mindsets about how the workforce
fulfills its mandatory and voluntary obligations.

7. Analyze Ethical Culture – Analyze the climate and mindsets about how the workforce
generally demonstrates integrity.

8. Analyze Workforce Culture – Analyze the climate and mindsets about workforce
satisfaction, loyalty, turnover rates, skill development, and engagement.

9. Assign Culture Factors – Assign accountability to individuals with authority and resources
to successfully analyze and sense factors associated with culture.

10. Influence Culture – Identify aspects of culture that the organization may attempt to
influence.

11. Sense the Culture – Continually watch for and make sense of changes in culture that may
have a direct, indirect, or cumulative effect on objectives or strategies.

12. Reconsider Culture – Define the events and timescale that trigger reconsideration of
culture.

Review Procedure

L3 Culture

Obstacles / Risks:
● Resistance to change in leadership and governance practices.
● Misalignment of management goals with organizational objectives.
● Inaccurate assessment of assurance and risk perception.
● Non-compliance with ethical standards and regulations due to cultural factors.
● Workforce disengagement and high turnover rates.
● Difficulty in assigning accountability for cultural change.
● Challenges in effectively influencing organizational culture.
● Inadequate systems for sensing shifts in cultural dynamics.

Control Objective: Analyze Governance Culture to understand leadership engagement and behavior.
Review Procedure:
● Conduct surveys of governance culture and assess leadership communication
Sources of Information:
● Leadership Communication
● Employee Surveys

Control Objective: Analyze Management & Performance Culture for effective resource use and efficiency.
Review Procedure:
● Review performance management systems and resource allocation strategies
Sources of Information:
● Efficiency Assessments*

Control Objective: Analyze Assurance & Risk Culture to evaluate effectiveness and risk perception.
Review Procedure:
● Evaluate assurance practices and perception of risks
Sources of Information:
● Risk Assessments*

Control Objective: Analyze Compliance & Ethical Culture for adherence and ethical behavior.
Review Procedure:
● Audit compliance adherence and assess ethical conduct
● Review prior compliance or ethical incidents
Sources of Information:
● Compliance & Ethics Incident Records (cf. Risk Event Register*)

Control Objective: Analyze Workforce Culture to gauge satisfaction, loyalty, and development.
Review Procedure:
● Survey workforce satisfaction, loyalty, and engagement levels
Sources of Information:
● Employee Satisfaction Surveys
● Staff Turnover

Control Objective: Assign & Influence Culture Factors by assigning responsibility for cultural change.
Review Procedure:
● Identify cultural change agents; understand influence strategies
Sources of Information:
● Organizational Change Management Plans*

Control Objective: Sense & Reconsider Culture to monitor and adapt to cultural shifts.
Review Procedure:
● Implement ongoing monitoring systems for cultural shifts; establish triggers for culture reassessment
Sources of Information:
● Continuous Monitoring Tools*
● Strategy Review Schedules

Control Objective: Analyze Governance Culture to understand engagement and leadership modeling.
Review Procedure:
● Conduct leadership reviews and assess leadership communication
● Review employee perceptions of leadership
Sources of Information:
● Leadership Communication
● Employee Surveys

L4 Stakeholders

Interact with stakeholders to understand expectations, requirements,
and perspectives that impact the organization.

Practices

1. Identify Stakeholders – Identify and understand both the organizations and specific
individuals within organizations to understand the concerns and needs of stakeholders.

2. Prioritize Stakeholder Needs – Analyze and prioritize key stakeholder concerns and needs
based on relative interest and power, highlighting needs that compete with or conflict with
each other.

3. Develop Relationships & Influence Stakeholders – Develop plans and accountability to
develop relationships with and influence each stakeholder and effectively communicate
how to address concerns and needs.

4. Assign Stakeholders – Assign accountability to individuals with authority and resources to
successfully analyze and sense stakeholders.

5. Sense Stakeholders – Continually watch for and make sense of changes in stakeholders
that have a direct, indirect, or cumulative effect on the organization and notify appropriate
personnel and systems.

6. Reconsider Stakeholders – Define the events and timescale that trigger reconsideration of
stakeholders.

Review Procedure

L4 Stakeholders

Obstacles / Risks:
● Difficulty in accurately identifying all relevant stakeholders.
● Challenges in prioritizing conflicting stakeholder needs effectively.
● Barriers in developing and maintaining strong stakeholder relationships.
● Complexity in assigning clear stakeholder accountability.
● Keeping pace with rapid changes in stakeholder attitudes and needs.
● Determining the right timing and criteria for reevaluating stakeholders.

Control Objective: Identify Stakeholders to understand needs.
Review Procedure:
● Conduct stakeholder analysis
● Perform stakeholder interviews
Sources of Information:
● Stakeholder Analysis*

Control Objective: Prioritize Stakeholder Needs based on interest and power.
Review Procedure:
● Analyze stakeholder feedback
● Assess power dynamics and influence
Sources of Information:
● Stakeholder Analysis*

Control Objective: Develop Relationships & Influence Stakeholders strategically.
Review Procedure:
● Review plans for building relationships with stakeholders
● Understand engagement with stakeholders
Sources of Information:
● Stakeholder Analysis*

Control Objective: Assign staff to understand Stakeholder interests and needs.
Review Procedure:
● Assign responsible individuals
● Develop stakeholder management strategies
Sources of Information:
● Organizational Chart*
● Stakeholder Analysis*
● Delegation of Authority Matrix*

Control Objective: Sense Stakeholders to monitor changes impacting the organization.
Review Procedure:
● Implement systems for continuous monitoring
● Conduct periodic stakeholder reviews
Sources of Information:
● Continuous Monitoring Tools*
● Feedback Mechanisms

Control Objective: Reconsider Stakeholders based on specific events and timescales.
Review Procedure:
● Establish protocols for periodic reassessment
● Analyze impact of significant events on stakeholder relations
Sources of Information:
● Reassessment Schedules*
● Event Triggers*

A – ALIGN Assessment Procedures

Define direction and objectives, and an approach to address
opportunities, obstacles, and obligations.

Principled Performance® requires that organizations can define the direction of the organization,
set objectives, and design an approach that addresses the opportunities, obstacles, and
obligations along the way.

Mission, vision, and values establish long-term direction; objectives, results, and indicators
measure progress toward it. Identify and analyze opportunities, obstacles, and obligations so
the organization can design actions & controls to reliably achieve objectives, address
uncertainty and act with integrity.

ALIGN Component - Elements

Figure - ALIGN Component Overview Diagram

A1 Direction

Direct the organization with a clear mission, vision, and values that guide
overall goals and strategies.

Practices

1. Define Direction-Setting Criteria - Guide, constrain, and conscribe how to set direction,
including how the internal and external context, culture, and stakeholders factor into
decisions about the direction and which organizational level/unit should be accountable.

2. Define Mission, Vision & Values - Create formal statements about core values, what the
organization aims to do, what it aims to be, and why it exists, including the key stakeholders
it serves.

3. Select Stakeholders - Select and prioritize stakeholders, especially customers, and
understand their wants, needs, and associated functional, social, and emotional
requirements.

4. Explore Goals & Strategies - Use direction-setting criteria to explore a balanced set of
goals and strategies that link to mission, vision and values.

5. Select Goals & Strategies - Use direction-setting criteria to select, prioritize and link goals
and strategies with each other and with the direction of other organizational levels/units.

6. Validate Direction - Communicate, negotiate, and finalize direction with other
organizational levels/units.

7. Reconsider Direction - Define the events or timescale to reconsider direction.

Review Procedure

A1 Direction

Obstacles / Risks:
● Challenges in establishing clear and consistent direction-setting criteria.
● Difficulty in articulating a cohesive mission, vision, and values.
● Complexities in selecting and prioritizing relevant stakeholders.
● Balancing diverse goals and strategies to align with the organization's direction.
● Ensuring effective communication and negotiation in validating direction.
● Determining appropriate timing and criteria for reevaluating direction.

Control Objective: Define Direction-Setting Criteria to guide organizational decisions.
Review Procedure:
● Understand the framework for setting the organization's direction
Sources of Information:
● Organizational Strategic Plan*

Control Objective: Define Mission, Vision & Values clearly and formally.
Review Procedure:
● Review the organization's mission and vision
Sources of Information:
● Organizational Mission Statement*
● Organizational Vision Statement*
● Organizational Values Statement*

Control Objective: Select and Prioritize Stakeholders, focusing on customer needs.
Review Procedure:
● Review stakeholder analyses and customer surveys
Sources of Information:
● Stakeholder Analysis*
● Customer Surveys

Control Objective: Explore Goals & Strategies aligned with mission and values.
Review Procedure:
● Review the organization's goals and strategies
● Be present in strategic planning sessions
Sources of Information:
● Strategic Planning Documents
● Organizational Goals and Objectives*
● Organizational Strategic Plan*

Control Objective: Select and Link Goals & Strategies with organizational direction.
Review Procedure:
● Review how objectives and strategies are prioritized
● Understand how objectives and strategies are linked with organizational levels/units
Sources of Information:
● Organizational Goals and Objectives*

Control Objective: Validate Direction through communication and negotiation.
Review Procedure:
● Assess strategy communication strategies
Sources of Information:
● Strategy Communication Plans

Control Objective: Reconsider Direction based on specific events or timescales.
Review Procedure:
● Verify protocols for direction reassessment
● Monitor for the impact of events on strategic direction
Sources of Information:
● Reassessment Schedules*

A2 Objectives

Define a balanced set of measurable objectives, results, and indicators.

Practices

1. Define Objective-Setting Criteria - Guide, constrain, and conscribe how to set objectives,
including how the direction factors into decisions about objectives and which
organizational unit should be accountable.

2. Explore Objectives - Define initial, tentative objectives and work with other units to explore
how objectives may link to other units and how opportunities, obstacles, and obligations
may shape the selection of final objectives.

3. Select Objectives - Use objective-setting criteria to select, prioritize, and finalize
objectives and link them with the objectives of other organizational units.

4. Define Indicators & Results – Define measurable results, including a mix of leading and
lagging indicators of progress and status.

5. Assign Objectives - Assign objectives, results, and indicators to an accountable individual
with authority and resources to succeed.

6. Validate Objectives – Communicate, negotiate, and finalize objectives with other
organizational units.

7. Reconsider Objectives - Define the events or timescale to reconsider objectives.

Review Procedure

A2 Objectives

Obstacles / Risks:
● Challenges in setting objective criteria aligning with organizational direction.
● Difficulty in exploring and linking objectives across different units.
● Complexity in selecting, prioritizing, and finalizing interconnected objectives.
● Establishing measurable and relevant indicators and results.
● Assigning objectives to individuals with appropriate authority and resources.
● Ensuring effective communication and negotiation with other units.
● Identifying appropriate times and events to reconsider objectives.

Control Objective: Define Objective-Setting Criteria to guide objective formation.
Review Procedure:
● Understand if and how objective-setting criteria guidelines were developed
● Review organizational strategies and directions
Sources of Information:
● Objective-Setting Criteria*
● Organizational Strategic Plan*

Control Objective: Explore Objectives for tentative alignment and inter-unit linkage.
Review Procedure:
● Verify initial objective-setting and the collaboration between units for setting objectives
Sources of Information:
● Organizational Goals and Objectives*

Control Objective: Select Objectives using defined criteria for organizational alignment.
Review Procedure:
● Apply objective-setting criteria
● Prioritize and finalize objectives in alignment with other units
Sources of Information:
● Objective-Setting Criteria*
● Organizational Goals and Objectives*

Control Objective: Define Indicators & Results for measurable progress tracking.
Review Procedure:
● Review results and risk, performance or compliance indicator guidelines
Sources of Information:
● Key Performance Indicators (KPI)*
● Key Risk Indicators (KRI)*
● Key Compliance Indicators (KCI)*
● Framework of Indicators

Control Objective: Assign Objectives to responsible individuals.
Review Procedure:
● Assign objectives and accountability
● Develop individual responsibility plans
Sources of Information:
● Organizational Chart*
● Delegation of Authority Matrix*

Control Objective: Validate Objectives with other organizational units.
Review Procedure:
● Understand communication and negotiations on objectives
Sources of Information:
● Evidence of negotiation and communication of objectives

Control Objective: Reconsider Objectives based on specific events or timescales.
Review Procedure:
● Verify protocols for objectives reassessment
● Monitor for the impact of events on objectives
Sources of Information:
● Reassessment Schedules*
● Risk Event Register*

A3 Identification

Imagine, identify, and describe the opportunities, obstacles, and
obligations that might impact objectives.

Practices

1. Define Identification Criteria - Guide, constrain, and conscribe how opportunities,
obstacles, and obligations are identified, categorized, and prioritized, including targets,
appetites, tolerances, and capacities.

2. Understand Existing Approach – Review and map the existing context, direction,
objectives, strategies, tactics, actions, and controls to understand gaps, overlaps, and
other factors that introduce opportunities, obstacles, and obligations.

3. Identify Opportunities & Reward - Identify opportunities and levels of reward associated
with existing and proposed strategies.

4. Identify Obstacles & Risk - Identify obstacles and levels of risk associated with existing and
proposed strategies.

5. Identify Obligations & Compliance - Identify mandatory and voluntary obligations and
levels of compliance associated with existing and proposed strategies.

6. Identify Interrelatedness & Trends - Identify how opportunities, obstacles, and obligations
are linked and influenced by each other.

7. Validate Identification - Communicate, negotiate, and finalize the identified opportunities,
obstacles, and obligations with other organizational units.

8. Prioritize Analysis - Prioritize opportunities, obstacles, and obligations for further analysis
based on identification criteria and the priority of associated objectives.

9. Modify Objectives - Consider modifying objectives and results based on opportunities,
obstacles, and obligations.

10. Reconsider Identification - Define the events or timescale to reconsider identification.

Review Procedure

A3 Identification

Obstacles / Risks:
● Challenges in defining clear and effective identification criteria.
● Difficulty in understanding and mapping the existing strategic context.
● Overlooking potential opportunities and associated rewards.
● Underestimating obstacles and their associated risks.
● Inadequate identification of compliance obligations.
● Overlooking the interrelatedness and trends among various factors.
● Obstacles in validating identification across organizational units.
● Challenges in prioritizing opportunities, obstacles, and obligations effectively.
● Risks in modifying objectives without comprehensive analysis.

Control Objectives | Review Procedure | Sources of Information | Assessment

Control Objective: Define Identification Criteria for categorizing opportunities, obstacles, and obligations
Review Procedure:
● Verify documentation in place defining criteria for opportunities (such as minimum required ROI), obstacles (such as a Risk Management Policy) or obligations (such as a Compliance Policy).
● Analyze targets, appetites, tolerances, and capacities
Sources of Information:
● Criteria Guideline Documents
● Risk Appetite Statement*
● Risk Management Policy*
● Compliance Policy*

Control Objective: Understand Existing Approach to identify gaps and overlaps
Review Procedure:
● Review current strategies and actions
● Map out existing controls over risks and obstacles
Sources of Information:
● Organizational Strategic Plan*
● Organizational Goals and Objectives*
● Compliance Gap Analysis*

Control Objective: Identify Opportunities & Reward associated with strategies
Review Procedure:
● Evaluate potential rewards in current and proposed strategies
Sources of Information:
● SWOT Analysis*
● Organizational Strategic Plan*
● Organizational Goals and Objectives*

Control Objective: Identify Obstacles & Risk in current and proposed strategies
Review Procedure:
● Assess risk levels and identify potential obstacles
Sources of Information:
● Risk Assessments*
● Risk Inventory*
● Risk Matrix*
● Business Impact Assessment*


Control Objective: Identify Obligations & Compliance related to strategies
Review Procedure:
● Determine mandatory and voluntary obligations, which might be documented in a register of compliance obligations or Policies and Procedures
● Evaluate compliance levels, for instance by verifying existing or creating new compliance gap analyses
Sources of Information:
● Compliance Obligation Register
● Policies and Procedures*
● Compliance Gap Analysis*

Control Objective: Identify Interrelatedness & Trends among different factors
Review Procedure:
● Analyze the linkages and trends between various elements
Sources of Information:
● Risk Assessments*
● Sensitivity Analyses

Control Objective: Validate Identification across organizational units
Review Procedure:
● Communicate and negotiate findings
● Finalize identification results
Sources of Information:
● Assessment Reporting*
● Internal Audit Reports*

Control Objective: Prioritize opportunities, obstacles, and obligations for further analysis
Review Procedure:
● Prioritize opportunities, obstacles, and obligations for further analysis using established criteria
Sources of Information:
● Risk Assessments*
● Compliance Gap Analysis*
● Business Impact Assessment*

Control Objective: Modify Objectives based on identified factors
Review Procedure:
● Consider suggesting adjustments to objectives based on new insights
Sources of Information:
● Organizational Goals and Objectives*

Control Objective: Reconsider Identification periodically
Review Procedure:
● Establish protocols for periodic reassessment or adjustments following trigger events
Sources of Information:
● Reassessment Schedules*
● Risk Assessments*
● Risk Management Policy*


A4 Analysis

Analyze the current and planned approach to quantify and address risk, reward, and compliance.

Practices

1. Define Analysis Criteria – Guide, constrain, and conscribe how opportunities, obstacles, and obligations are analyzed and prioritized using quantitative and qualitative techniques to estimate risk, reward, and compliance; and compare them to targets, tolerances, and capacities.

2. Analyze Risk/Reward – Consider the sources, likelihood, and consequences of opportunities and obstacles to determine the levels of inherent and residual risk/reward based on the adequacy of actions & controls.

3. Analyze Compliance – Consider mandatory and voluntary obligations/requirements to determine the level of compliance based on the adequacy of actions & controls.

4. Evaluate Adequacy – Use analysis criteria to evaluate the adequacy of current levels of residual risk/reward and levels of compliance to determine if additional analysis is required.

5. Validate Analysis – Communicate, negotiate, and finalize the analysis of risk/reward and compliance with other organizational units.

6. Prioritize Design – Use analysis criteria to prioritize areas where modifications are necessary to address opportunities, obstacles, and obligations so that levels of residual risk/reward and compliance are acceptable.

7. Reconsider Analysis – Define the events or timescale to reconsider analysis.


Review Procedure

A4 Analysis

Obstacles / Risks:
● Challenges in defining comprehensive analysis criteria.
● Difficulty in accurately analyzing inherent and residual risk/reward.
● Complexities in assessing compliance with mandatory and voluntary obligations.
● Evaluating the adequacy of current risk/reward levels and compliance may be subjective.
● Ensuring validation of analysis across different organizational units.
● Prioritizing design modifications effectively.
● Identifying appropriate triggers for reanalysis.

Control Objectives | Review Procedure | Sources of Information | Assessment

Control Objective: Define Analysis Criteria for opportunities and obligations
Review Procedure:
● Review current practices and any established criteria for analyzing opportunities or obligations.
● Consider potential improvements in quantitative and qualitative analysis techniques
Sources of Information:
● Strategic Risk Assessment*
● Risk Assessments*
● Risk Management Policy*

Control Objective: Analyze Risk/Reward considering sources, likelihood, and consequences
Review Procedure:
● Assess inherent and residual risk/reward
● Review adequacy of actions and controls
Sources of Information:
● Strategic Risk Assessment*
● Risk Assessments*
● Control Assessments*

Control Objective: Analyze Compliance with obligations and requirements
Review Procedure:
● Evaluate compliance levels
● Review actions and controls over compliance for adequacy
Sources of Information:
● Compliance Gap Analysis*
● Control Assessments*

Control Objective: Evaluate Adequacy of current residual risk/reward and compliance levels
Review Procedure:
● Use analysis criteria to assess adequacy of controls over risks and rewards
● Determine need for additional analysis
Sources of Information:
● Compliance Gap Analysis*
● Control Assessments*

Control Objective: Validate Analysis across organizational units
Review Procedure:
● Review how analysis findings are communicated and negotiated
Sources of Information:
● Evidence of communication and negotiation on analysis findings


Control Objective: Prioritize Design modifications based on analysis criteria
Review Procedure:
● Review assessments which show residual risks to understand how the organization prioritizes actions to mitigate them
Sources of Information:
● Strategic Risk Assessment*
● Risk Assessments*
● Control Assessments*
● Assessment Reporting*

Control Objective: Reconsider Analysis based on specific events or timescales
Review Procedure:
● Establish triggers for reanalysis
● Analyze impact of significant events on organizational goals and objectives
Sources of Information:
● Reassessment Schedules*
● Risk Assessments*
● Risk Management Policy*


A5 Design

Develop an integrated plan to reliably achieve objectives within acceptable levels of risk, reward, and compliance.

Practices

1. Define Design Criteria – Guide, constrain, and conscribe how actions & controls are prioritized to achieve acceptable levels of risk, reward, and compliance.

2. Explore Design Options & Details – Explore design options to avoid, accept, share or control with more awareness by making design decisions about policies, people, processes, technology, and information.

3. Design Management Actions & Controls – Select a mix of proactive, detective, and responsive controls to manage acceptable levels of risk/reward and compliance.

4. Design Governance Actions & Controls – Select additional actions & controls for the governing authority to guide, constrain and conscribe the organization.

5. Design Assurance Actions & Controls – Select additional actions & controls for the assurance providers to evaluate priority areas and subject matter.

6. Evaluate Costs & Benefits – Consider the costs and benefits associated with design options.

7. Allocate Actions & Controls – Allocate actions & controls across multiple lines of accountability and organizational units to gain depth and coverage, while segregating duties to prevent conflicts of interest.

8. Refine Key Indicators – Refine key indicators to monitor performance, risk, and compliance.

9. Validate Design – Communicate, negotiate, and finalize design decisions with other organizational units.

10. Develop Integrated Plan – Develop a plan and acquire resources to govern, assure and manage organizational changes.

11. Reconsider Design – Define the events or timescale to reconsider the design.


Review Procedure

A5 Design

Obstacles / Risks:
● Challenges in defining comprehensive and clear design criteria.
● Difficulty in exploring and finalizing optimal design options.
● Complexity in balancing proactive, detective, and responsive controls.
● Governance actions do not align with organizational goals.
● Inaccurate or improper evaluation of costs versus benefits of design choices.
● Conflicts of interest due to improper allocation of actions and controls.
● No stakeholder agreement on chosen design.
● The integrated plan is not cohesive nor well-resourced.
● Triggers and schedules for design reconsideration are not in place or inadequate.

Control Objectives | Review Procedure | Sources of Information | Assessment

Control Objective: Define Design Criteria for risk, reward, and compliance levels
Review Procedure:
● Perform control design assessments
● Review chosen risk responses
Sources of Information:
● Risk Appetite Statement*

Control Objective: Explore Design Options & Details for better decision-making
Review Procedure:
● Analyze design alternatives
● Conduct impact assessments of design choices
Sources of Information:
● Control design assessment*
● Risk Responses*

Control Objective: Design Management Actions & Controls for risk/reward balance
Review Procedure:
● Perform control design assessments
● Review chosen risk responses if properly documented
● Review risk management strategies
Sources of Information:
● Control design assessment*
● Risk Responses*
● Risk Management Plan*

Control Objective: Design Governance Actions & Controls for organizational guidance
Review Procedure:
● Perform assessments of governance
● Review reporting to governance-level boards and committees
● Assess organizational alignment with governance stakeholder goals
● Review governance-level policies, such as the Internal Audit Charter or Risk Management Charter.
Sources of Information:
● Governance Framework*
● Governance Policies*
● Governance Assessments
● Internal Audit Plan*
● Risk Management Plan*


Control Objective: Design Assurance Actions & Controls for priority areas
Review Procedure:
● Review assurance and control actions, such as the Internal Audit Plan or planned investigations by the Compliance function
Sources of Information:
● Assurance Plans
● Internal Audit Plan*

Control Objective: Evaluate Costs & Benefits of design options
Review Procedure:
● Review cost-benefit analyses of different design options
● Review budgets used for planning and evaluating design options
Sources of Information:
● Cost-Benefit Analyses
● Budgets

Control Objective: Allocate Actions & Controls for organizational coverage
Review Procedure:
● Review how actions and controls are allocated across the organization
● Assess segregation of duties, for example by reviewing how responsibilities are allocated as described in RACI matrices, job descriptions or organizational charts
Sources of Information:
● RACI Matrix*
● Job descriptions
● Organizational Chart*

Control Objective: Refine Key Indicators for performance, risk, and compliance
Review Procedure:
● Review the process for developing the design of risk, performance and compliance indicators
Sources of Information:
● Key Performance Indicators (KPI)*
● Key Risk Indicators (KRI)*
● Key Compliance Indicators (KCI)*

Control Objective: Validate Design through negotiation and communication
Review Procedure:
● Conduct validation meetings
● Finalize design decisions
Sources of Information:
● Evidence of communication and negotiation on design decisions

Control Objective: Develop Integrated Plan for organizational changes
Review Procedure:
● Plan development sessions
● Acquire necessary resources
Sources of Information:
● Plan Development Reports
● Resource Allocation Plans

Control Objective: Reconsider Design based on specific events or timescales
Review Procedure:
● Establish triggers for re-evaluating controls
● Analyze impact of significant events on control design
Sources of Information:
● Reassessment Schedules*
● Risk Assessments*


P – PERFORM Assessment Procedures

Address opportunities, obstacles, and obligations by performing proactive, detective, and responsive actions & controls to serve governance, management, and assurance needs.

Principled Performance® requires that organizations address opportunities, obstacles, and obligations using a mix of actions & controls. Actions & controls are organized by type, category, and orientation.

Action & control types include proactive, detective, and responsive controls. These types use techniques from categories such as policy, people, process, physical, technology, and information. Regardless of type or technique, every action & control aims to serve a management, governance, or assurance orientation.

PERFORM Component - Elements

Figure - PERFORM Component Overview Diagram


P1 Controls

Implement a mix of action & control types, categories, and techniques to serve the governance, management, and assurance of opportunities, obstacles, and obligations.

Practices

1. Establish & Perform Proactive actions & controls – Encourage favorable events and prevent unfavorable ones.

2. Establish & Perform Detective actions & controls – Determine progress toward objectives and identify the actual or potential occurrence of favorable and unfavorable conduct, conditions, and events.

3. Establish & Perform Responsive actions & controls – Recover from unfavorable conduct, events, and conditions; correct identified weaknesses; execute necessary discipline; recognize and reinforce favorable conduct and deter future undesired conduct or conditions.


Review Procedure

P1 Controls

Obstacles / Risks:
● Resistance to proactive control measures due to perceived constraints.
● Challenges in accurately detecting favorable and unfavorable events.
● Difficulty in effectively responding to identified issues and enforcing discipline.
● Balancing recognition of positive behavior with deterrence of negative behavior.

Control Objectives | Review Procedure | Sources of Information | Assessment

Control Objective: Establish & Perform Proactive Actions & Controls to encourage favorable events
Review Procedure:
● Review the control effectiveness of proactive actions & controls.
Sources of Information:
● Control effectiveness assessment*

Control Objective: Establish & Perform Detective Actions & Controls to identify conduct and events
Review Procedure:
● Review the control effectiveness of detective actions & controls.
Sources of Information:
● Control effectiveness assessment*

Control Objective: Establish & Perform Responsive Actions & Controls for recovery and correction
Review Procedure:
● Review the control effectiveness of responsive actions & controls.
Sources of Information:
● Control effectiveness assessment*


P2 Policies

Implement policies to address opportunities, obstacles, and obligations and set clear expectations of conduct for the key internal stakeholders and the extended enterprise.

Practices

1. Develop Codes of Conduct – Work with stakeholders to develop codes of conduct that address the mission, vision, values, and expected business conduct.

2. Establish Policy Framework – Establish a framework for identifying, creating, approving, enforcing, and updating policies and related procedures.

3. Develop Policies and Procedures – Use a mix of preventative and directive policies, related procedures, and standards to address opportunities, obstacles, and obligations.

4. Manage Policies – Implement, communicate, manage, enforce, and audit policies, related procedures, and standards to ensure that they operate as intended and remain relevant.

5. Champion Policies – Demonstrate support for policies, procedures, and standards to ensure stakeholders and personnel understand the organization’s commitment.

6. Establish Ethical Decision-Making Guidelines – Establish and champion decision-making guidelines on choosing a course of action when the circumstances are not explicitly covered by the code of conduct or other policies.


Review Procedure

P2 Policies

Obstacles / Risks:
● Challenges in aligning codes of conduct with organizational mission and values.
● Difficulties in establishing a comprehensive policy framework.
● Complexities in developing policies that effectively address diverse needs.
● Ensuring consistent implementation and enforcement of policies.
● Difficulty in maintaining stakeholder and personnel support for policies.
● Challenges in establishing ethical decision-making guidelines for ambiguous situations.

Control Objectives | Review Procedure | Sources of Information | Assessment

Control Objective: Develop Codes of Conduct aligning with organizational values
Review Procedure:
● Interview stakeholders to identify opportunities to improve the Code of Conduct
● Benchmark the alignment of the Code of Conduct with organizational values
Sources of Information:
● Code of Conduct*
● Organizational Values Statement*

Control Objective: Establish Policy Framework for policy creation and enforcement
Review Procedure:
● Review the framework for policies
Sources of Information:
● Policy Framework*

Control Objective: Develop Policies and Procedures addressing key areas
Review Procedure:
● Review for the existence of Policies and Procedures over key operations, risks and obligations, and whether they meet the objectives of the Policy Framework
Sources of Information:
● Policy Framework*
● Policies and Procedures*

Control Objective: Manage Policies ensuring effective operation and relevance
Review Procedure:
● Review the completeness, accuracy and appropriateness of Policies and Procedures
Sources of Information:
● Policies and Procedures*

Control Objective: Champion Policies to demonstrate organizational commitment
Review Procedure:
● Review leadership support and communication for Policies and Procedures and other efforts to champion policies or policy compliance
Sources of Information:
● Leadership support and communication for Policies and Procedures


P3 Communication

Implement communications to address opportunities, obstacles, and obligations by interacting with the right audiences at the right time with the right information and intelligence.

Practices

1. Establish Communication Framework – Establish a framework to identify, create, approve, deliver, enforce, and update communications, including how to select the appropriate sender, recipient/audience, intention, message, cadence, and channel.

2. Develop Stakeholder Reporting – Establish formal communications, reports, and filings required by mandatory obligations; and those voluntarily agreed to in contracts and promises made to other stakeholders.

3. Develop Internal Reporting – Establish formal communications, reports, and dashboards that enable the board, senior management, and other personnel to govern and manage the organization.

4. Develop Informal Communications – Establish informal communications that enable the workforce, and allow personnel to share information.

5. Develop Communications Channels – Develop a range of channels for external, internal, and informal communications, including a way to solicit feedback from recipients/audiences.


Review Procedure

P3 Communication

Obstacles / Risks:
● Misalignment of communication strategies with organizational objectives.
● Challenges in maintaining compliance in stakeholder reporting.
● Inadequate internal reporting systems for effective governance and management.
● Risks associated with the informal communication channels.
● Limitations in the effectiveness of communication channels.
● Difficulty in obtaining and interpreting feedback from communication recipients.

Control Objectives | Review Procedure | Sources of Information | Assessment

Control Objective: Establish a Communication Framework to identify and deliver effective messages
Review Procedure:
● Analyze the effectiveness of current communication strategies, such as those over the distribution of policies and procedures, risk information or required obligations
Sources of Information:
● Communication on risks and obligations
● Communication of Policies and Procedures

Control Objective: Develop Stakeholder Reporting for mandatory and voluntary obligations
Review Procedure:
● Review the reporting on risks and obligations to relevant stakeholders for appropriateness
Sources of Information:
● Risk Management Reporting
● Compliance Reporting
● Regulatory Reporting

Control Objective: Develop Internal Reporting for governance and management
Review Procedure:
● Review internal reporting systems and dashboards
Sources of Information:
● Internal Reporting Systems

Control Objective: Develop Informal Communications to facilitate information sharing
Review Procedure:
● Understand the impact of informal communication channels
Sources of Information:
● Informal Communication Channels

Control Objective: Develop Communications Channels for varied internal and external needs
Review Procedure:
● Assess and suggest enhancements to the range of communication channels
● Assess feedback mechanisms in place
Sources of Information:
● Evidence of communication channels and feedback systems


P4 Education

Educate the governing authority, management, the workforce, and the extended enterprise about expected conduct, and increase the skills and motivation needed to help the organization address opportunities, threats, and requirements.

Practices

1. Define an Awareness and Education Plan – Develop a plan to educate the governing authority, management, the workforce, and the extended enterprise about their responsibilities and expected conduct.

2. Define a Curriculum Plan – Develop a job-specific curriculum and appropriate training program for the governing authority, management, the workforce, and the extended enterprise to fulfill their responsibilities.

3. Develop or Acquire Content – Develop or acquire content that does not exist in the current curriculum or education plan and modify any content that needs updating in order to meet current learning objectives.

4. Implement Education – Implement and manage the education program to ensure that each target audience achieves learning objectives and can apply knowledge and skills to their jobs.

5. Provide Helpline – Establish ways for the workforce and other stakeholders to seek guidance about future conduct and ask general questions, including the option for anonymity in locations where that is required or allowed.

6. Provide Integrated Support – Establish ways for the workforce to get integrated support within their usual work environment.


Review Procedure

P4 Education

Obstacles / Risks:
● Difficulty in creating comprehensive and relevant educational content.
● Challenges in defining a curriculum that meets the needs of diverse roles.
● Ensuring the updated content aligns with current learning objectives.
● Implementation barriers in effectively delivering education programs.
● Overcoming reluctance or limitations in using helplines or support channels.
● Integrating support systems effectively within the usual work environment.

Control Objectives | Review Procedure | Sources of Information | Assessment

Control Objective: Define an Awareness and Education Plan for all organizational levels
Review Procedure:
● Review education and training planning
● Verify whether the needs of different groups are taken into account
Sources of Information:
● Education and Training Plan*
● Education and Training Plan* Needs Assessment

Control Objective: Define a Curriculum Plan tailored to specific job roles
Review Procedure:
● Evaluate education and training plan design
Sources of Information:
● Education and Training Plan*

Control Objective: Develop or Acquire Content to update or expand education
Review Procedure:
● Review the completeness and appropriateness of existing education and training material and resources
Sources of Information:
● Budgets (allocated to education and training)

Control Objective: Implement Education to achieve learning objectives
Review Procedure:
● Assess the execution of education and training programs
● Obtain feedback on education and training programs
● Monitor learning outcomes and application
Sources of Information:
● Feedback on Education and Training

Control Objective: Provide Helpline for guidance on conduct and general queries
Review Procedure:
● Assess helpline and guidelines over education and training
Sources of Information:
● Helpline System for Education and Training

Control Objective: Provide Integrated Support within the work environment
Review Procedure:
● Assess effectiveness of integrated support
Sources of Information:
● Evidence on the effectiveness of integrated support


P5 Incentives

Implement incentives to address opportunities, obstacles, and obligations by encouraging the right proactive, detective, and responsive conduct in the workforce and extended enterprise.

Practices

1. Define Desired Conduct – Determine the types of desired conduct including definitions, classifications, and procedures necessary to identify those who contribute to positive outcomes and those who notify the organization when they identify allegations or indications of undesirable conduct.

2. Hire and Promote Based on Conduct Expectations – Articulate desired conduct when defining jobs, career paths, and performance review criteria of employees and business partners, using the same criteria for promoting individuals.

3. Develop and Implement Compensation, Reward and Recognition Programs – Establish compensation, reward, and recognition programs for all employees, business partners, and other stakeholders that recognize individuals and organizational units for exhibiting desired conduct and do not reward undesirable conduct.


Review Procedure

P5 Incentives

Obstacles / Risks:
● Misalignment of defined desired conduct with organizational values and goals.
● Challenges in incorporating conduct expectations into hiring and promotion processes.
● Difficulty in designing compensation programs that effectively differentiate between desirable and undesirable conduct.
● Risk of unintended consequences in reward and recognition programs.

Control Objectives | Review Procedure | Sources of Information | Assessment

Control Objective: Define Desired Conduct
Review Procedure:
● Obtain evidence that desired conduct in each area of the organization is defined, for example in Policies and Procedures or the Code of Conduct
Sources of Information:
● Policies and Procedures*
● Code of Conduct*

Control Objective: Hire and Promote Based on Conduct Expectations
Review Procedure:
● Ensure that meeting conduct expectations is a factor in promotion decisions
● Review hiring practices to ensure that they take into account behavioral factors and perform adequate background checks
Sources of Information:
● Job Descriptions
● Hiring Practices
● Employee Background Checks
● Employee Performance Reviews

Control Objective: Develop Compensation, Reward, and Recognition Programs
Review Procedure:
● Review the design of compensation structures to ensure that they encourage desirable behavior and avoid undesirable behavior
● Review Reward Programs, such as bonus schemes
Sources of Information:
● Compensation Structures
● Reward Programs
● Employee Performance Reviews

‭© 2002 - 2024 OCEG. All Rights Reserved (feedback to‬‭[email protected]‬‭)‬ ‭73‬

P6 Notification

Implement multiple pathways for people and systems to report progress toward objectives and the actual or potential occurrence of unfavorable and favorable conduct, conditions, and events.

Practices

1. Capture Favorable Events – Implement pathways to capture and alert the organization about favorable performance, risk, and compliance successes, especially emerging opportunities, high performance, and events that exemplify the organizational mission, vision, and values.

2. Capture Unfavorable Events – Implement pathways to capture and alert the organization about unfavorable performance, risk, and compliance incidents, especially emerging threats, low performance, suspicions of noncompliance, violations of company policies, and concerns about unethical conduct.

3. Filter and Route Notifications – Prioritize, substantiate, validate, and route notifications to be handled by the right organizational units based on topic, type, and severity.

4. Protect Notification Information – Protect information associated with notifications and ensure pathways comply with mandatory requirements in the locale where the notification originates and the organization operates.

Review Procedure

P6 Notification

Obstacles / Risks:
● Challenges in effectively capturing and recognizing favorable events.
● Difficulties in identifying and responding to unfavorable events.
● Complexity in filtering, validating, and routing notifications appropriately.
● Ensuring the protection and compliance of notification information.

Control Objectives | Review Procedure | Sources of Information | Assessment

Control Objective: Capture Favorable Events to recognize performance and success
Review Procedure:
● Verify implemented reporting channels
● Analyze success indicators
Sources of Information:
● Reporting Channels
● Key Performance Indicators (KPI)*
● Key Risk Indicators (KRI)*
● Key Compliance Indicators (KCI)*

Control Objective: Capture Unfavorable Events to identify risks and noncompliance
Review Procedure:
● Assess reporting on unfavorable incidents
Sources of Information:
● Incident Logs (cf. Risk Event Register*)

Control Objective: Filter and Route Notifications based on priority and severity
Review Procedure:
● Ensure that communication channels are in place for favorable or unfavorable events, such as appropriate committees, reports on risk events and reporting channels
Sources of Information:
● Reporting Channels

Control Objective: Protect Notification Information
Review Procedure:
● Ensure that notifications of events appropriately reach their intended audience
● Ensure pathways comply with local regulations
Sources of Information:
● Evidence of appropriate or inappropriate communication of events
● Regulatory Reporting

P7 Inquiry

Implement multiple pathways to discover information from people and systems about progress toward objectives and the actual or potential occurrence of unfavorable and favorable conduct, conditions, and events.

Practices

1. Discover Favorable Events – Implement pathways to discover information and alert the organization about favorable performance, risk, and compliance successes, especially emerging opportunities, high performance, and events that exemplify the organizational mission, vision, and values.

2. Discover Unfavorable Events – Implement pathways to discover information and alert the organization about unfavorable performance, risk, and compliance incidents, especially emerging threats, low performance, suspicions of noncompliance, violations of company policies, and concerns about unethical conduct.

3. Establish an Approach to Surveys and Information Requests – Establish an organization-wide approach to surveys, self-assessments, and other information requests that reduces the burden on survey subjects and improves information quality.

4. Gather Information Through Observations and Conversations – Establish informal pathways through observations, meetings, focus groups, and individual conversations.

5. Analyze Information and Findings – Analyze information and findings from all pathways to identify, prioritize, and route findings to management and stakeholders.

6. Protect Inquiry Information – Protect information associated with inquiry and ensure pathways comply with mandatory requirements in the locale where the inquiry originates and the organization operates.

Review Procedure

P7 Inquiry

Obstacles / Risks:
● Challenges in effectively discovering and recognizing favorable events.
● Difficulties in identifying and addressing unfavorable events promptly.
● Overburdening stakeholders with surveys and information requests.
● Inadequacy of informal pathways for gathering reliable information.
● Complexity in analyzing diverse information and findings.
● Risk of non-compliance in protecting inquiry information.

Control Objectives | Review Procedure | Sources of Information | Assessment

Control Objective: Discover Favorable Events to alert about successes and opportunities
Review Procedure:
● Review systems for gathering favorable events
Sources of Information:
● Evidence of deliberate gathering of favorable events

Control Objective: Discover Unfavorable Events to address threats and policy violations
Review Procedure:
● Review systems for identifying risk events, such as audits and investigations by Internal Audit, Compliance or other internal investigation functions
Sources of Information:
● Internal Audit Reports*
● Compliance Investigation Reports
● Internal Investigation Reports

Control Objective: Establish an Approach to Surveys and Information Requests
Review Procedure:
● Review the framework for, and the approach to, surveys and information requests
Sources of Information:
● Policies and Procedures* over surveys and information requests

Control Objective: Gather Information through Observations and Conversations
Review Procedure:
● Understand the use of informal inquiry and information channels
Sources of Information:
● Evidence of informal inquiry and information channels

Control Objective: Analyze Information and Findings comprehensively
Review Procedure:
● Ensure that internal assessments and investigations are properly conducted
Sources of Information:
● Assessment Working Papers*

Control Objective: Protect Inquiry Information and ensure compliance
Review Procedure:
● Ensure that confidentiality is preserved
● Ensure that legal requirements for the preservation of evidence are adhered to
Sources of Information:
● Policies and Procedures* over confidentiality and the preservation of legal evidence

P8 Response

Implement responses that uncover and address root causes to compound and accelerate favorable events and benefits – and to correct and recover from unfavorable events and harm.

Practices

1. Correct and Recover – Perform actions & controls to slow down, stop and recover from the impact of threats after they occur to minimize harm and prevent future occurrence.

2. Recognize, Compound & Accelerate – Deliver incentives and perform actions & controls that accelerate and compound the impact of favorable events after they occur to maximize benefit and promote future occurrence.

3. Implement Investigations – Develop and execute internal investigation processes to address allegations or indications of unfavorable events, and maintain a process for responding to external inquiries and investigations.

4. Implement Crisis Responses – Develop and execute plans to respond to various crises, correct unfavorable events, and recover from harm.

5. Conduct After Action Reviews – Uncover root causes of favorable and unfavorable events and improve proactive, detective, and responsive actions & controls.

6. Discipline and Retrain – Apply consistent discipline to individuals at fault and provide necessary retraining.

7. Determine Disclosures – Determine if, when, how, and what to disclose, especially for those events that require external disclosures to stakeholders.

8. Improve Actions & Controls – Ensure that root causes and any weaknesses in proactive, detective, and responsive actions & controls are addressed.

Review Procedure

P8 Response

Obstacles / Risks:
● Challenges in effectively correcting and recovering from threats.
● Difficulties in recognizing and maximizing the impact of favorable events.
● Complexity in conducting thorough internal investigations.
● Challenges in developing and executing crisis response plans.
● Identifying root causes in after-action reviews may be complex.
● Ensuring consistent discipline and effective retraining can be challenging.
● Deciding on appropriate disclosures of events to stakeholders.
● Improving actions and controls in response to identified root causes.

Control Objectives | Review Procedure | Sources of Information | Assessment

Control Objective: Correct and Recover from risk events
Review Procedure:
● Verify the processes in place to recover from and correct incidents, including verifying that business continuity and disaster recovery plans are in place and assessing corrective controls
Sources of Information:
● Business Continuity Plan (BCP)*
● Disaster Recovery Plan (DRP)*
● Corrective Controls Assessments

Control Objective: Recognize, Compound & Accelerate favorable events
Review Procedure:
● Verify the incentives and actions in place, such as bonuses or promotions based on merit, to maximize the benefits of favorable events, and suggest potential improvements
Sources of Information:
● Incentive Schemes

Control Objective: Implement Investigations for internal and external inquiries
Review Procedure:
● Verify the internal investigation processes for responding to allegations and compliance breaches
● Verify the process for responding to external investigations, such as those from regulatory authorities
Sources of Information:
● Internal Investigation Guidelines
● External Inquiry Response Guidelines

Control Objective: Implement Crisis Responses for various crises
Review Procedure:
● Verify crisis response plans
● Verify whether crisis management strategies were properly tested
Sources of Information:
● Incident Reporting (cf. Risk Event Register*)
● Crisis Response Plan*

Control Objective: Conduct Post-incident Analysis to uncover root causes
Review Procedure:
● Verify reporting and analysis following incidents, such as post-mortem investigations and root cause analyses
● Suggest improvements to responsive actions and controls
Sources of Information:
● Incident Post-mortem Analysis*
● Root Cause Analysis
● Incident Response Improvement Plans

Control Objective: Discipline and Retrain individuals at fault
Review Procedure:
● Assess the application of disciplinary measures
● Assess retraining programs
Sources of Information:
● Disciplinary Records
● Retraining Programs

Control Objective: Determine Disclosures for external stakeholders
Review Procedure:
● Verify incident reporting procedures
● Assess the appropriateness of disclosures following incidents to ensure that appropriate communication took place
Sources of Information:
● Incident Reporting Procedures
● Incident Reports (cf. Risk Event Register*)

Control Objective: Improve Actions & Controls based on root cause analyses
Review Procedure:
● Ensure that identified weaknesses were properly addressed through plans for improvement
Sources of Information:
● Improvement Action Plans*

R – REVIEW Assessment Procedures

Continuously improve total performance by monitoring actions & controls – and providing assurance about priority objectives, opportunities, obstacles, and obligations.

Principled Performance® requires that organizations monitor actions & controls, provide assurance about priority areas, and continuously improve total performance to be effective, efficient, responsive, and resilient in all areas.

Monitoring helps management and the governing authority understand progress toward objectives and whether opportunities, obstacles, and obligations are addressed. Assurance activities objectively and competently evaluate the organization to provide justified conclusions and confidence about total performance.

Both monitoring and assurance activities identify opportunities to improve total performance so that the capability and organization are more effective, efficient, responsive, and resilient.

REVIEW Component - Elements

Figure - REVIEW Component Overview Diagram

R1 Monitoring

Implement ongoing and periodic activities to gauge the effectiveness, efficiency, responsiveness, and resilience of actions & controls.

Practices

1. Plan Monitoring Approach – Establish a strategy for ongoing and periodic monitoring of the effectiveness, efficiency, responsiveness, and resilience of actions & controls.

2. Identify Monitoring Information – Identify the information needed to support monitoring activities and the information that must itself be monitored.

3. Perform Monitoring Activities – Execute the monitoring strategic plan and implement monitoring actions and controls.

4. Analyze and Report Monitoring Results – Analyze the results of monitoring activities to identify weaknesses and opportunities for improvements.

Review Procedure

R1 Monitoring

Obstacles / Risks:
● Difficulty in establishing a comprehensive monitoring strategy.
● Challenges in identifying relevant and sufficient monitoring information.
● Inefficiencies in performing monitoring activities.
● Inaccurate or incomplete analysis of monitoring results.

Control Objectives | Review Procedure | Sources of Information | Assessment

Control Objective: Plan Monitoring Approach to ensure ongoing and periodic oversight
Review Procedure:
● Ensure that follow-up procedures are in place for identified risks and for the responses chosen to treat them
● Verify continuous monitoring processes, such as real-time data sources or regularly created exception reports
Sources of Information:
● Improvement Action Plans*
● Monitoring Processes
● Exception Reports*

Control Objective: Identify Information required for effective monitoring
Review Procedure:
● Assess whether the required key performance indicators (KPIs) or other information required for monitoring have been properly identified
Sources of Information:
● Key Performance Indicators (KPI)*
● Key Risk Indicators (KRI)*
● Key Compliance Indicators (KCI)*
● Information Required for Monitoring

Control Objective: Perform Monitoring Activities efficiently and effectively
Review Procedure:
● Ensure that monitoring activities are correctly performed
● Verify the follow-up and implementation status of actions taken to respond to identified risks and recommendations for improvement
Sources of Information:
● Improvement Action Plans*
● Follow-up Reporting*

Control Objective: Analyze and Report Monitoring Results to identify improvements
Review Procedure:
● Verify the reporting on the follow-up and implementation status of actions taken to respond to identified risks and recommendations for improvement
Sources of Information:
● Improvement Action Plans*
● Follow-up Reporting*

R2 Assurance

Objectively and competently evaluate priority areas to enhance the confidence of management, the governing authority, and other stakeholders about levels of performance, risk, and compliance.

Practices

1. Formulate Assurance Approach – Formulate a strategy for selecting, assessing, monitoring, and improving the overall approach to providing periodic and ongoing assurance over performance, risk, and compliance.

2. Select Assurance Assessment Areas – Select assessment areas based on priority objectives and the related likelihood and impact of meaningful misunderstanding between associated information producers and information users.

3. Conduct Assurance Assessments – Define the desired level of assurance and then plan, perform, report, and follow up on individual assessments.

4. Monitor Assurance Assessments – Monitor progress, completion, and follow-up for individual assessments and the portfolio of assessments.

5. Improve Assurance Approach – Improve the overall assurance strategy and execution.

Review Procedure

R2 Assurance

Obstacles / Risks:
● Challenges in formulating a comprehensive assurance strategy.
● Difficulty in selecting the most relevant assurance assessment areas.
● Complexities in defining and achieving desired levels of assurance.
● Monitoring individual and portfolio assessments efficiently.
● Continuously improving assurance strategies and execution.

Control Objectives | Review Procedure | Sources of Information | Assessment

Control Objective: Formulate Assurance Approach for effective periodic and ongoing assurance
Review Procedure:
● Ensure that Strategic Assurance Plans are in place and cover all significant risks over the multi-period (or multi-year) assurance period
● Ensure that Periodic Assurance Plans (e.g. Annual Internal Audit Plan) are in place
● Ensure that assurance plans have received the appropriate review, feedback and approval, for example approval of the Internal Audit Plan by the Audit Committee
Sources of Information:
● Strategic Assurance Plan
● Periodic Assurance Plan
● Internal Audit Plan*
● Evidence of review and approval of assurance plans

Control Objective: Select Assurance Assessment Areas based on priority objectives
Review Procedure:
● Ensure that assurance plans are based on approaches which emphasize significant risks or organizational priorities
● Ensure that assurance plans are based on an appropriate assessment of risks
Sources of Information:
● Strategic Assurance Plan
● Periodic Assurance Plan
● Internal Audit Plan*
● Risk Assessments*
● Strategic Risk Assessment*

Control Objective: Conduct Assurance Assessments to ensure desired assurance levels
Review Procedure:
● Ensure that planned assessments have correctly taken place and were appropriate
● Verify assessment reporting, such as internal audit reports
Sources of Information:
● Assessment Reporting*
● Internal Audit Reports*

Control Objective: Monitor Assurance Assessments for progress and completion
Review Procedure:
● Monitor the progress of assessments and assurance efforts
● Ensure that the follow-up status of issued recommendations has been obtained at the required regular intervals
Sources of Information:
● Assessment Reporting*
● Internal Audit Reports*
● Follow-up Reporting*

Control Objective: Improve Assurance Approach for enhanced strategy and execution
Review Procedure:
● Review the need to update and improve assurance strategies and practices, such as improvements to Internal Audit Procedures
Sources of Information:
● Assurance Guidelines
● Internal Audit Procedures

R3 Improvement

Review information from monitoring and assurance to identify opportunities for improvement.

Practices

1. Plan Improvement Approach – Develop a strategy and prioritized plan for implementing improvements to the capability.

2. Conduct Improvement Initiatives – Implement improvement initiatives.

3. Monitor Improvements – Monitor improvement initiative progress, completion, and follow-up.

Review Procedure

R3 Improvement

Obstacles / Risks:
● Resistance to change in improvement strategies.
● Challenges in prioritizing and strategizing improvement plans.
● Ineffective implementation of improvement initiatives.
● Difficulty in accurately monitoring improvement progress and outcomes.

Control Objectives | Review Procedure | Sources of Information | Assessment

Control Objective: Plan Improvement Approach to develop a strategic improvement plan
Review Procedure:
● Verify improvement plans and the prioritization of improvement areas
Sources of Information:
● Strategic Planning Documents
● Organizational Goals and Objectives*
● Organizational Strategic Plan*

Control Objective: Conduct Improvement Initiatives effectively
Review Procedure:
● Verify the implementation of identified improvements
Sources of Information:
● Follow-up Reporting*

Control Objective: Monitor Improvements for progress and effectiveness
Review Procedure:
● Track the progress of improvement initiatives to ensure their timely performance
● Ensure the completion and follow-up of initiatives
Sources of Information:
● Follow-up Reporting*

Part II.C - Sources of Information and Content Criteria

Use this alphabetized list of Sources of Information, which outlines important information and associated content criteria, as a guide to collect and assess information. Your organization might refer to these sources by different names; they could be part of a system, or you might need to discuss with management how to access the information. The focus is on obtaining the right information. This ensures:

● Completeness of information (all necessary details included)
● Existence of information (verification of its real presence)
● Accuracy (the document is free from mistakes)
● Valuation (evaluation of the information's significance)
● Obligation (presence of required elements in the document)
● Presentation (information is communicated clearly and understandably)

Assessment Reporting

Description:

Assessment Reporting in a business context involves the systematic documentation and analysis of various assessments conducted within an organization. These reports typically include evaluations of processes, performances, projects, or other specific areas needing review and improvement.

Main Uses:

1. Performance Evaluation: To assess employee or departmental performance against set benchmarks.
2. Project Analysis: For evaluating the success and areas of improvement in completed or ongoing projects.
3. Risk Assessment: To identify and analyze potential risks in various operations or strategies.
4. Process Improvement: As a tool for identifying inefficiencies and areas for process optimization.
5. Compliance Verification: To ensure organizational activities align with legal and regulatory requirements.
6. Strategic Planning: Assisting in forming or adjusting business strategies based on evaluated data.
7. Training and Development: Identifying areas where staff training and development are required.
8. Customer Satisfaction Analysis: To evaluate customer feedback and improve service or product offerings.

Criteria:

Must Include:

● Clear objectives and scope of the assessment.
● Methodology used for data collection and analysis.
● Detailed findings and conclusions.
● Recommendations based on the assessment.
● Summary of key data points and metrics.
● Date of the report and period covered.

May Include:

● Comparative analysis with previous assessments.

● Graphs, charts, and visual aids for easier data interpretation.
● Stakeholder feedback and input.
● Follow-up actions and responsible parties.
● Impact analysis on different departments or aspects of the business.
● References to related documents or external sources.

Assessment Working Papers

Description:

Assessment Working Papers are detailed documents created during the evaluation process of various projects, initiatives, or organizational functions. They contain data analyses, findings, recommendations, and methodologies used for assessment. These papers serve as a record of the evaluation process and its outcomes.

Main Uses:

1. Data Analysis: Provide a comprehensive breakdown of data collected during assessments.
2. Project Evaluation: Offer insights into the effectiveness and efficiency of projects or initiatives.
3. Recommendation Development: Basis for developing actionable recommendations based on the assessment findings.
4. Methodology Documentation: Record the methodologies and criteria used in the assessment process.
5. Performance Tracking: Track the performance and progress of ongoing projects or initiatives.
6. Audit Trail: Serve as an audit trail for decision-making processes and evaluations.
7. Stakeholder Communication: Facilitate communication with stakeholders by providing detailed evaluation reports.
8. Training and Development: Act as a resource for training and developing staff in assessment techniques and best practices.

Criteria:

Must Include:

● Comprehensive data analysis and findings.
● Clear and detailed methodologies used in the assessment.
● Specific recommendations based on the assessment findings.

● Documentation of sources and references.
● Summary of the evaluation process, including objectives and scope.
● Conclusions derived from the assessment.

May Include:

● Case studies or examples to illustrate findings.
● Comparative analysis with past assessments or benchmarks.
● Potential risks or uncertainties identified during the assessment.
● Action plans for implementing recommendations.
● Feedback or input from relevant stakeholders.
● Graphs, charts, and visual aids to enhance understanding of data.

Business Continuity Plan (BCP)

Description:

A Business Continuity Plan (BCP) is a strategic document that outlines how a company will continue operating during an unplanned disruption in service. It includes contingencies for business processes, assets, human resources, and business partners – every aspect of the business that might be affected.

Main Uses:

1. Emergency Response Procedures: Outlines steps to take immediately following a disruption.
2. Business Recovery: Provides strategies for resuming critical business functions.
3. Crisis Communication: Details communication protocols with employees, customers, and stakeholders.
4. Asset Protection: Ensures the safeguarding of physical and digital assets during a crisis.
5. Employee Safety and Support: Establishes procedures to protect and support employees in emergencies.
6. Compliance and Legal Considerations: Addresses legal obligations and compliance requirements in crisis scenarios.
7. Testing and Drills: Guides regular testing and drills to prepare for potential disruptions.
8. Supply Chain Management: Plans for supply chain disruptions to minimize business impact.
9. Data Backup and Recovery: Outlines procedures for backing up and recovering data.

Criteria:

Licensed for noncommercial personal use by Osama Alsuraybi ([email protected]) on 3/22/2025, 1:03:29 PM
‭GRC Assessment Framework Version 3.5.1-EN revision 2024-10-31‬

Must Include:

● Risk Assessment: Identification of potential risks and their impact on business operations.
● Critical Business Functions: Identification of business functions critical to operations and their prioritization.
● Recovery Strategies: Detailed strategies for restoring critical functions and resources.
● Emergency Contact Information: A list of key contacts for emergencies, including employees, suppliers, emergency services and, if need be, the authorities.
● Communication Plan: A clear plan for communicating with employees, customers, and stakeholders during a disruption.
● Roles and Responsibilities: Defined roles and responsibilities for staff during a disruption, with accountable parties assigned.

May Include:

● Training Requirements: Guidelines for training employees on BCP procedures.
● Insurance Information: Details of relevant insurance coverage and procedures.
● Technology Recovery Solutions: Specific technology solutions for data and system recovery.
● Alternate Locations: Information on alternate business locations if the primary site is unusable.
● Review and Update Schedule: A schedule for regularly reviewing and updating the BCP.
● Scenario-Specific Plans: Plans tailored for different types of disruptions (e.g., natural disasters, cyber-attacks).

Business Impact Assessment

Description:

A Business Impact Assessment (BIA) is a document that evaluates the potential effects of an interruption to critical business operations due to an emergency, disaster, or other disruptions. It primarily aims to identify vital functions and processes within the organization and assess the consequences of their disruption.

Main Uses:

1. Risk Identification: Identifies risks and threats to critical business operations.
2. Priority Setting: Helps in prioritizing business functions and processes based on their importance to the organization.
3. Resource Allocation: Guides the allocation of resources for risk mitigation and continuity planning.
4. Recovery Strategy Development: Assists in developing strategies for business continuity and disaster recovery.
5. Impact Analysis: Evaluates the potential financial, operational, and customer-related impacts of disruptions.
6. Policy Formation: Aids in the formulation of policies and procedures for emergency response and recovery.
7. Stakeholder Communication: Provides a basis for communicating risks and impacts to stakeholders, including employees, customers, and investors.
8. Compliance Assurance: Ensures compliance with legal, regulatory, and industry standards related to business continuity.

Criteria:

Must Include:

● Identification of critical business functions and processes.
● Analysis of the impact of disruptions on these functions and processes.
● Timeframes for recovery of critical functions.
● Financial impact analysis of potential disruptions.
● Assessment of the impact on customers and stakeholders.
● Dependencies between business functions and external entities.

May Include:

● Scenario analysis for different types of disruptions.
● Recommendations for risk mitigation strategies.
● Impact on organizational reputation and brand.
● Employee safety and communication plans.
● Technology and data recovery requirements.
● Legal and regulatory compliance impacts.

Code of Conduct

Description:

The Code of Conduct is a formal document outlining the standards, behaviors, and ethical principles that guide employees in an organization. It serves as a benchmark for professional conduct and decision-making, reflecting the organization's values and compliance requirements.

Main Uses:

1. Guiding Employee Behavior: Sets clear expectations for employee conduct in professional settings.
2. Ethical Decision-Making: Provides a framework for making ethical choices in various business scenarios.
3. Legal Compliance: Ensures that employees are aware of and adhere to legal standards and regulatory requirements.
4. Conflict Resolution: Acts as a reference point in resolving disputes or misconduct within the organization.
5. Brand Reputation: Upholds and promotes the organization's reputation by ensuring consistent ethical behavior.
6. New Employee Orientation: Introduces new hires to the organization's ethical standards and expected behaviors.
7. Performance Management: Serves as a standard for evaluating employee performance and conduct.

Criteria:

Must Include:

● Ethical Principles: Core ethical values and principles of the organization.
● Behavioral Standards: Specific expectations regarding employee behavior.
● Compliance Requirements: Legal and regulatory compliance obligations relevant to the organization.
● Conflict of Interest Policies: Guidelines on identifying and managing conflicts of interest.
● Reporting Mechanisms: Procedures for reporting unethical behavior or breaches of the code.
● Disciplinary Actions: Consequences of violating the code.

May Include:

● Diversity and Inclusion Policies: Guidelines promoting workplace diversity and inclusivity.
● Environmental Responsibility: Standards for sustainable and environmentally responsible practices.
● Data Protection Guidelines: Policies related to handling and protecting sensitive information.
● Customer Relations Standards: Expectations for ethical and fair treatment of customers.
● Community Engagement Principles: Guidelines for interacting and engaging with the community.
● Health and Safety Policies: Standards ensuring employee health and safety in the workplace.

Compliance Gap Analysis

Description:

Compliance Gap Analysis is an evaluative tool used by organizations to assess their current compliance status against regulatory requirements or industry standards. This analysis identifies areas where the organization's practices and procedures fall short of compliance criteria.

Main Uses:

1. Identifying Compliance Shortfalls: Pinpoints specific areas where the organization does not meet regulatory or industry standards.
2. Risk Management: Assists in identifying and managing compliance-related risks.
3. Strategic Planning: Aids in aligning organizational strategies with compliance requirements.
4. Continuous Improvement: Facilitates ongoing improvement of processes and systems to meet compliance standards.
5. Training and Development: Helps identify areas where employee training or development is needed for better compliance.
6. Auditing Preparation: Prepares the organization for external audits by highlighting potential compliance issues.

Criteria:

Must Include:

● Detailed List of Applicable Regulations and Standards: A comprehensive list of all relevant compliance requirements.
● Current Compliance Status: Assessment of the organization's current adherence to these regulations and standards.
● Gap Identification: Specific identification of areas where compliance is not met.
● Impact Analysis: Evaluation of the potential risks and consequences of these compliance gaps.
● Action Plan: Recommendations for addressing identified gaps.
● Timeline for Compliance: A realistic timeline for implementing the necessary changes to achieve compliance.

May Include:

● Stakeholder Analysis: Identification of stakeholders affected by compliance issues.
● Resource Requirements: Estimation of resources needed to address compliance gaps.
● Best Practice Comparisons: Analysis of how similar organizations handle compliance.
● Change Management Strategies: Strategies for implementing necessary changes within the organization.
● Follow-Up Procedures: Methods for monitoring and ensuring continued compliance after gaps are addressed.
● Legal Implications: Analysis of legal consequences of non-compliance.

Compliance Policy

Description:

A Compliance Policy is a formal organizational document that outlines the legal, ethical, and operational standards and procedures employees must follow. It ensures adherence to laws, regulations, and company guidelines, reducing legal risks and maintaining the company's integrity.

Main Uses:

1. Guiding Employee Conduct: Establishes clear expectations for employee behavior and professional standards.
2. Legal Compliance: Ensures adherence to applicable laws and regulations, avoiding legal penalties.
3. Risk Management: Identifies and mitigates risks associated with non-compliance.
4. Training and Education: Serves as a reference for training employees on compliance-related matters.
5. Decision-Making Framework: Provides a framework for making decisions in complex, legally sensitive situations.
6. Auditing and Reporting: Assists in internal and external auditing processes by outlining compliance requirements.
7. Stakeholder Assurance: Reinforces trust with stakeholders by demonstrating commitment to legal and ethical standards.

Criteria:

Must Include:

● Legal and Regulatory Requirements: Specific laws and regulations relevant to the organization's operations.
● Ethical Standards: Guidelines for ethical conduct in business operations.
● Procedures for Reporting Violations: Clear processes for reporting non-compliance issues.
● Disciplinary Actions: Consequences for non-compliance with the policy.
● Oversight Responsibilities: Roles and responsibilities for monitoring and enforcing compliance.
● Review and Update Procedures: Protocols for regularly reviewing and updating the policy.

May Include:

● Industry-Specific Guidelines: Additional standards specific to the industry in which the organization operates.
● Case Studies or Examples: Real-life scenarios to illustrate compliance issues.
● Contact Information for Compliance Officers: Specific contacts for seeking guidance or reporting issues.
● Training Requirements: Mandatory training programs for employees on compliance topics.
● External Resources: Links to external sources for more detailed legal or regulatory information.
● Confidentiality Agreements: Provisions related to the handling of sensitive information.

Continuous Monitoring Tools

Description:

Continuous Monitoring Tools are software systems used in businesses to consistently track and analyze various operational and performance metrics. These tools often operate in real-time, providing ongoing insights into an organization's processes, security posture, compliance status, and other critical aspects.

Main Uses:

1. Performance Analysis: Regularly assesses performance metrics to ensure operational efficiency.
2. Security Surveillance: Continuously monitors for security threats and vulnerabilities.
3. Compliance Management: Tracks adherence to regulatory and internal standards.
4. Risk Identification: Identifies potential risks in processes and systems.
5. Resource Optimization: Helps in allocating resources effectively based on real-time data.
6. Process Improvement: Identifies areas for process enhancements and efficiency gains.
7. Incident Response: Facilitates quick response to operational or security incidents.
8. Data Integrity Checks: Ensures accuracy and consistency of data across systems.
9. User Behavior Analysis: Monitors user activities to detect anomalies or unauthorized actions.

Criteria:

Must Include:

● Real-time data collection and analysis capabilities.
● Customizable alerts and notifications.
● User-friendly dashboard for data visualization.
● Integration with existing systems and databases.
● Secure data storage and access controls.
● Comprehensive reporting features.

May Include:

● Predictive analytics for forecasting potential issues.
● Machine learning capabilities for improved threat detection.
● Multi-factor authentication for enhanced security.
● API support for extended functionality.
● Automated remediation workflows.
● Customizable modules for specific operational needs.

Control Assessments

Description:

Control Assessments are systematic evaluations conducted within an organization to determine the effectiveness and efficiency of internal controls. These assessments help in identifying and mitigating risks, ensuring compliance with regulations, and promoting operational integrity.

Main Uses:

1. Risk Mitigation: Identifies weaknesses in controls that could lead to potential risks.
2. Regulatory Compliance: Ensures adherence to laws, regulations, and guidelines.
3. Operational Efficiency: Evaluates the effectiveness of processes and systems.
4. Financial Integrity: Assists in maintaining accurate and reliable financial reporting.
5. Information Security: Checks the adequacy of measures protecting sensitive data.
6. Continuous Improvement: Provides insights for enhancing business processes and controls.
7. Stakeholder Assurance: Offers assurance to stakeholders about the control environment.
8. Audit Preparation: Prepares for internal or external audits by assessing control effectiveness.

Criteria:

Must Include:

● Scope of Assessment: Clearly defined boundaries of what is being evaluated.
● Control Objectives: Specific objectives that controls are meant to achieve.
● Evaluation Methodology: Standard methods used for assessing controls.
● Risk Identification: Identifying risks associated with control failures.
● Findings and Recommendations: Specific issues found and suggested improvements.
● Compliance Standards: Reference to relevant legal, regulatory, or industry standards.

May Include:

● Historical Comparison: Analysis of control performance over time.
● Stakeholder Feedback: Input from employees or external stakeholders.
● Quantitative Metrics: Data-driven measurements of control effectiveness.
● Control Owner Information: Details about individuals responsible for specific controls.
● Follow-Up Actions: Plans for addressing identified issues.
● Best Practice Benchmarks: Comparisons with industry or sector best practices.

Control Design Assessment

Description:

Control Design Assessment is a detailed evaluation of an organization's internal control systems. It reviews how these controls are designed to mitigate risks, ensure compliance, and support operational efficiency. This assessment typically examines the appropriateness, effectiveness, and alignment of control mechanisms with organizational objectives.

Main Uses:

1. Risk Mitigation: Identifies and assesses controls in place to mitigate various business risks.
2. Compliance Assurance: Evaluates controls for compliance with legal, regulatory, and internal standards.
3. Operational Efficiency: Assesses how control mechanisms enhance or impede operational workflows.
4. Process Improvement: Identifies areas where control processes can be optimized for better performance.
5. Audit Preparation: Aids in preparing for internal and external audits by documenting control effectiveness.
6. Decision Support: Provides insights for management decisions regarding process changes or resource allocation.
7. Training and Development: Serves as a basis for developing training programs on effective control practices.

Criteria:

Must Include:

● Control Objectives: Clear objectives for each control mechanism.
● Risk Coverage: Analysis of how controls address specific risks.
● Control Activities: Detailed description of control activities and procedures.
● Responsibility Assignment: Identification of individuals or teams responsible for each control.
● Control Effectiveness: Evaluation of the effectiveness of the control mechanisms.
● Compliance Standards: Reference to relevant legal, regulatory, and internal compliance standards.

May Include:

● Control Integration: Assessment of how controls integrate with other processes.
● Technology Utilization: Analysis of technology used in control mechanisms.
● Historical Data Analysis: Review of historical data for trend analysis and control effectiveness over time.
● Change Management Procedures: Processes for updating and modifying controls.
● Feedback Mechanisms: Systems in place for receiving feedback and continuous improvement of controls.
● Best Practice Comparison: Comparison with industry best practices or benchmarks.

Crisis Response Plan

Description:

A Crisis Response Plan is a strategic document that outlines an organization's procedures and protocols for dealing with emergencies or unexpected significant events. It serves as a guide for managing crises effectively and minimizing their impact on operations.

Main Uses:

1. Emergency Preparedness: Provides guidelines for immediate response in crisis situations.
2. Risk Mitigation: Helps in reducing the potential impact of crises on the organization.
3. Communication Strategy: Outlines communication protocols during a crisis, including internal and external messaging.
4. Resource Allocation: Identifies and allocates resources necessary for crisis management.
5. Training and Drills: Serves as a foundation for training employees in crisis response and conducting drills.
6. Recovery Planning: Guides the recovery process post-crisis to restore normal operations.
7. Legal Compliance: Ensures adherence to legal requirements and standards during crises.
8. Stakeholder Engagement: Provides a framework for engaging with stakeholders during a crisis.

Criteria:

Must Include:

● Clear Roles and Responsibilities: Specific tasks and roles assigned for crisis management.
● Contact Information: Contact details of key personnel and external support.
● Response Procedures: Detailed step-by-step response actions for different types of crises.
● Communication Plans: Clearly defined communication strategies for internal and external stakeholders.
● Resource List: Inventory of resources and tools required for crisis management.
● Escalation Protocols: Guidelines for escalating the crisis within the organizational hierarchy.

May Include:

● Post-Crisis Analysis: Procedures for reviewing and analyzing the crisis response.
● Training Schedules: Regular training programs and drills for staff.
● Recovery Strategies: Plans for operational recovery and business continuity.
● Psychological Support: Resources for emotional and psychological support for employees.
● Legal and Regulatory Guidelines: Information on relevant legal and regulatory obligations.
● Media and Public Relations Guidelines: Protocols for dealing with media and public relations during a crisis.

Delegation of Authority Matrix

Description:

A Delegation of Authority Matrix is a document or system in an organization that clearly outlines the levels of authority, specifying who has the power to make decisions, approve actions, and allocate resources. It serves as a guideline for decision-making processes within the organization.

Main Uses:

1. Clear Decision-Making: Provides a clear framework for who is authorized to make specific decisions.
2. Accountability: Establishes accountability by linking authority to specific roles or individuals.
3. Efficiency in Operations: Streamlines operations by reducing delays in decision-making.
4. Risk Management: Limits and controls risks by ensuring decisions are made by appropriately authorized personnel.
5. Conflict Resolution: Helps in resolving conflicts by clarifying roles and responsibilities.
6. Training and Development: Assists in identifying training needs based on the levels of authority and responsibility.
7. Succession Planning: Useful in succession planning by outlining authority levels and responsibilities.
8. Regulatory Compliance: Ensures compliance with internal policies and external regulations regarding decision-making.

Criteria:

Must Include:

● Roles and Responsibilities: Clear definition of each role and its corresponding responsibilities.
● Levels of Authority: Specific levels of authority attached to roles.
● Decision-Making Powers: Detailed scope of decision-making powers for each role.
● Approval Limits: Financial and operational approval limits for each level of authority.
● Delegation Protocols: Procedures for delegating authority, including temporary delegations.
● Revision Procedures: Processes for updating and revising the matrix.

May Include:

● Signature Authorities: Specifics on who can sign off on legal documents, contracts, etc.
● Emergency Protocols: Guidelines for delegation in emergency or unforeseen situations.
● Audit Trails: Mechanisms for tracking decisions made under delegated authority.
● Cross-Functional Delegations: Provisions for authority across different departments or functions.
● Training Requirements: Required training or qualifications for holding certain levels of authority.
● Reporting Lines: Clarity on reporting lines and communication channels.
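The approval-limit, temporary-delegation and audit-trail criteria above are easiest to assess against a concrete implementation. The following Python module is an added example written for this edition of the text; it is not part of the GRC Assessment Framework or an OCEG tool. Every role, person, limit, delegation and request in it is constructed sample data, and the class and function names (DoAChecker, approve, run_demo) are assumptions of the example.

```python
"""Delegation of Authority (DoA) check: approval limits, temporary delegation, audit trail.

Added example, not taken from the GRC Assessment Framework or any OCEG artifact.
The matrix, people, limits, delegations and requests below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed sample matrix: role -> decision category -> approval limit.
# A limit of None means the role has no authority in that category at all.
AUTHORITY_MATRIX: Dict[str, Dict[str, Optional[float]]] = {
    "team_lead": {"purchase": 5_000, "contract": None},
    "director": {"purchase": 50_000, "contract": 100_000},
    "cfo": {"purchase": 500_000, "contract": 1_000_000},
}


@dataclass(frozen=True)
class Delegation:
    """Temporary delegation: grantor lends its role's authority to grantee until `until` (inclusive)."""
    grantor: str
    grantee: str
    until: date


@dataclass(frozen=True)
class AuditEntry:
    """One line of the audit trail: who tried to approve what, under which role, and the outcome."""
    approver: str
    role_used: str
    category: str
    amount: float
    allowed: bool
    reason: str


@dataclass
class DoAChecker:
    matrix: Dict[str, Dict[str, Optional[float]]]
    role_of: Dict[str, str]  # person -> role held
    delegations: List[Delegation] = field(default_factory=list)
    audit_trail: List[AuditEntry] = field(default_factory=list)

    def effective_roles(self, person: str, today: date) -> List[str]:
        """Own role first, then roles delegated to this person that are still in force."""
        roles = [self.role_of[person]] if person in self.role_of else []
        for d in self.delegations:
            if d.grantee == person and today <= d.until and d.grantor in self.role_of:
                roles.append(self.role_of[d.grantor])
        return roles

    def approve(self, person: str, category: str, amount: float, today: date) -> bool:
        """True if `person` may approve `amount` in `category` today. Every decision is logged."""
        role_used, allowed, reason = "", False, "no authority for category"
        for role in self.effective_roles(person, today):
            limit = self.matrix.get(role, {}).get(category)
            if limit is None:
                continue  # this role carries no authority in this category
            if amount <= limit:
                role_used, allowed, reason = role, True, f"within {role} limit {limit}"
                break
            role_used, reason = role, f"exceeds {role} limit {limit}; escalate"
        self.audit_trail.append(AuditEntry(person, role_used, category, amount, allowed, reason))
        return allowed


def build_sample_checker() -> DoAChecker:
    """Constructed sample: three people, and the director lending authority to the team lead."""
    return DoAChecker(
        matrix=AUTHORITY_MATRIX,
        role_of={"alice": "team_lead", "bob": "director", "carol": "cfo"},
        delegations=[Delegation(grantor="bob", grantee="alice", until=date(2025, 1, 31))],
    )


def run_demo() -> List[AuditEntry]:
    """Exercise the checker with constructed requests; returns the resulting audit trail."""
    chk = build_sample_checker()
    chk.approve("alice", "purchase", 4_000, date(2025, 1, 15))      # own limit: allowed
    chk.approve("alice", "purchase", 20_000, date(2025, 1, 15))     # via delegation: allowed
    chk.approve("alice", "purchase", 20_000, date(2025, 2, 15))     # delegation expired: refused
    chk.approve("alice", "contract", 1_000, date(2025, 2, 15))      # no authority in category
    chk.approve("carol", "contract", 2_000_000, date(2025, 2, 15))  # above CFO limit: escalate
    for entry in chk.audit_trail:
        print(entry)
    return chk.audit_trail


if __name__ == "__main__":
    run_demo()
```

Running the module prints the audit trail. The points an assessor would look for in such logic are all visible: a request above the approver's own limit is refused rather than silently approved, a delegated role only counts while the delegation is in force, a role with no authority in a category is never consulted, and every decision, refusals included, lands in the audit trail.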

Disaster Recovery Plan (DRP)

Description:

A Disaster Recovery Plan (DRP) is a documented, structured approach with instructions for responding to unplanned incidents. This plan is an essential part of business continuity planning and is aimed at protecting an organization from major negative events.

Main Uses:

1. Business Continuity: Ensures continuous operation and minimizes downtime during disasters.
2. Risk Mitigation: Helps in mitigating risks associated with data loss and system failures.
3. Emergency Response: Guides the organization in emergency response and recovery operations.
4. Data Recovery: Outlines procedures for data backup and restoration.
5. Communication Management: Provides a framework for communication during and after a disaster.
6. Regulatory Compliance: Ensures compliance with legal and regulatory requirements concerning disaster recovery.
7. Resource Allocation: Assists in efficient allocation and utilization of resources during disaster recovery.
8. Training and Awareness: Serves as a tool for training employees on disaster response protocols.

Criteria:

Must Include:

● Identification of Key Assets: Listing of critical business assets and processes.
● Risk Assessment: Analysis of potential disasters and their impact.
● Recovery Strategies: Detailed recovery strategies for different disaster scenarios.
● Communication Plan: Clear communication guidelines for stakeholders during a disaster.
● Roles and Responsibilities: Defined roles and responsibilities for disaster recovery tasks.
● Regular Updates and Testing: Procedures for regular updates and testing of the plan.

May Include:

● Employee Training Programs: Guidelines for training employees in disaster response.
● Alternate Operating Strategies: Plans for alternate operating procedures and locations.
● Insurance Information: Details of relevant insurance coverage.
● Vendor Information: Contact information and roles of critical vendors and partners.
● Technology Recovery Solutions: Specific technology solutions for data and system recovery.
● Post-Disaster Review Process: Guidelines for reviewing and learning from disaster incidents.

Education and Training Plan

Description:

An Education and Training Plan is a structured document or digital system that outlines the learning and development strategies for employees within an organization. It typically details the educational goals, training methods, timelines, and evaluation processes to enhance employee skills and knowledge.

Main Uses:

1. Skill Development: Guides the development of specific skills and competencies among employees.
2. Career Progression: Assists in planning career development paths for employees.
3. Performance Improvement: Aims to improve overall employee performance and productivity.
4. Compliance Training: Ensures that employees are trained in compliance with industry standards and regulations.
5. Change Management: Supports the organization through changes by providing necessary training.
6. Succession Planning: Prepares employees for advancement into more significant roles within the organization.
7. Innovation and Adaptation: Encourages innovation by equipping employees with new skills and knowledge.

Criteria:

Must Include:

● Identified Learning Objectives: Clear goals for what the training aims to achieve.
● Target Audience: Specific groups or individuals who will receive the training.
● Training Methodologies: Detailed methods and approaches for delivering the training.
● Timeline and Schedule: A defined schedule outlining when training sessions will occur.
● Evaluation Metrics: Criteria for measuring the effectiveness of the training.
● Resource Allocation: Details of resources required for the training, including budget and materials.

May Include:

● Customization Options: Flexibility for tailoring training to individual or departmental needs.
● Feedback Mechanisms: Processes for gathering participant feedback to improve future training.
● Career Pathing: Integration with individual career progression plans.
● Digital Learning Platforms: Utilization of e-learning tools and platforms.
● External Training Opportunities: Information on external workshops, seminars, or courses.
● Mentoring and Coaching: Inclusion of mentoring or coaching programs for further development.

Efficiency Assessments

Description:

Efficiency Assessments are analytical reports or tools used to evaluate the effectiveness and productivity of various operations within an organization. These assessments focus on how resources are utilized, identifying areas of high performance and those needing improvement.

Main Uses:

1. Resource Optimization: Identifying areas where resources can be used more effectively.
2. Process Improvement: Highlighting processes that can be streamlined or improved for better efficiency.
3. Cost Reduction: Pinpointing where cost savings can be achieved without compromising quality or output.
4. Performance Benchmarking: Comparing current operational efficiencies against industry standards or past performance.
5. Strategic Planning: Assisting in forming strategies that align with efficient practices.
6. Employee Productivity Analysis: Evaluating staff performance and identifying training or development needs.
7. Technology Utilization: Assessing how technology is used and identifying potential for technological upgrades or automation.

Criteria:

Must Include:

● Comprehensive evaluation of key processes and operations.
● Analysis of resource allocation and utilization.
● Metrics and benchmarks for measuring efficiency.
● Identification of strengths and areas for improvement.
● Recommendations for enhancing efficiency.
● Evaluation of employee performance and productivity.

May Include:

● Comparative analysis with industry standards.
● Financial analysis highlighting cost-saving areas.
● Assessment of technology and tools in current use.
● Long-term efficiency trends and forecasts.
● Impact analysis on customer satisfaction and service quality.
● Environmental impact assessment of operational practices.

Event Triggers

Description:

Event Triggers in a business context refer to specific conditions or occurrences that initiate a predefined process or action within an organization. These triggers can be internal or external and are often used to prompt timely responses or changes in operational procedures.

Main Uses:

1. Initiating Workflow Processes: Automatically starts a workflow or task when certain conditions are met.
2. Alerting and Notifications: Sends alerts or notifications to relevant stakeholders in response to specific events.
3. Data Collection: Triggers data collection processes for real-time analytics or reporting.
4. Compliance Monitoring: Ensures compliance with regulatory requirements by triggering necessary actions upon certain events.
5. Resource Allocation: Adjusts resource allocation in response to changing operational needs or demands.
6. Risk Management: Activates risk management protocols in response to identified risks or threats.
7. Performance Tracking: Begins tracking performance metrics when specific criteria are achieved.

Criteria:

‭Must Include:‬

‭●‬ ‭Clear Definition of Trigger Events: Precisely defined conditions or events that activate the‬
‭trigger.‬
‭●‬ ‭Associated Actions or Processes: Specific actions or processes that are initiated by the‬
‭trigger.‬
‭●‬ ‭Relevant Stakeholders: Identification of parties affected or involved in the triggered‬
‭actions.‬
‭●‬ ‭Trigger Thresholds: Defined thresholds or criteria for the trigger activation.‬
‭●‬ ‭Response Timeframes: Timeframes within which actions must be initiated post-trigger.‬
‭●‬ ‭Monitoring and Reporting Mechanisms: Systems for monitoring the triggers and reporting‬
‭their activation.‬

‭May Include:‬

‭●‬ ‭Escalation Procedures: Steps for escalating the issue if the trigger indicates a critical‬
‭situation.‬
‭●‬ ‭Feedback Loops: Mechanisms for evaluating the effectiveness of the trigger and making‬
‭adjustments.‬
‭●‬ ‭Historical Data Analysis: Utilization of historical data to refine and optimize trigger‬
‭conditions.‬
‭●‬ ‭Integration with Other Systems: Linking the trigger to other organizational systems for a‬
‭cohesive response.‬
‭●‬ ‭Customization Options: Flexibility to customize triggers based on departmental or‬
‭situational needs.‬
‭●‬ ‭Automated Resolution Steps: Automated steps that are taken immediately after the trigger‬
‭event.‬
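As an added example (not code from the OCEG framework), the following Python model gives an Event Trigger a field for each "Must Include" element above, checks a definition for missing elements the way an assessor would, activates it against a threshold, and escalates activations whose response timeframe lapses without a response. The trigger name, stakeholders, threshold, and hourly readings are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class EventTrigger:
    """One trigger definition, with a field for each 'Must Include' element."""
    name: str                   # clear definition of the trigger event
    metric: str                 # the quantity being monitored
    threshold: float            # trigger threshold (activates at or above)
    action: str                 # associated action or process
    stakeholders: list[str]     # relevant stakeholders to notify
    response_window: timedelta  # response timeframe after activation
    escalation_to: str | None = None  # 'May Include': escalation procedure


@dataclass
class Activation:
    """Monitoring and reporting record for one activation of a trigger."""
    trigger: str
    observed: float
    at: datetime
    notified: list[str]
    responded_at: datetime | None = None
    escalated: bool = False


def missing_elements(t: EventTrigger) -> list[str]:
    """Assessment check: list the 'Must Include' elements that are absent."""
    gaps = []
    if not t.name.strip():
        gaps.append("trigger event definition")
    if not t.metric.strip():
        gaps.append("monitored metric")
    if not t.action.strip():
        gaps.append("associated action")
    if not t.stakeholders:
        gaps.append("relevant stakeholders")
    if t.response_window <= timedelta(0):
        gaps.append("response timeframe")
    return gaps


def evaluate(t: EventTrigger, readings: list[tuple[datetime, float]]) -> list[Activation]:
    """Activate the trigger for every reading at or above its threshold."""
    return [
        Activation(t.name, value, at, list(t.stakeholders))
        for at, value in readings
        if value >= t.threshold
    ]


def escalate_overdue(t: EventTrigger, acts: list[Activation], now: datetime) -> list[Activation]:
    """Escalate activations whose response window lapsed without a response."""
    overdue = []
    for a in acts:
        if a.responded_at is None and not a.escalated and now - a.at > t.response_window:
            a.escalated = True
            if t.escalation_to:
                a.notified.append(t.escalation_to)
            overdue.append(a)
    return overdue


# Constructed sample trigger: failed logins per hour (hypothetical values).
FAILED_LOGIN_TRIGGER = EventTrigger(
    name="Failed login rate above tolerance",
    metric="failed_logins_per_hour",
    threshold=50,
    action="Open an access-review ticket for the affected accounts",
    stakeholders=["security-ops", "iam-lead"],
    response_window=timedelta(hours=2),
    escalation_to="ciso",
)

# Constructed trigger that fails the assessment check (several elements empty).
INCOMPLETE_TRIGGER = EventTrigger(
    name="", metric="x", threshold=1, action="", stakeholders=[],
    response_window=timedelta(0),
)

T0 = datetime(2024, 10, 31, 9, 0)
# Constructed hourly readings: only the second and third cross the threshold.
SAMPLE_READINGS = [
    (T0, 12.0),
    (T0 + timedelta(hours=1), 55.0),
    (T0 + timedelta(hours=2), 61.0),
    (T0 + timedelta(hours=3), 20.0),
]


def run_sample() -> tuple[list[Activation], list[Activation]]:
    """Evaluate the sample, record one response, then check for overdue ones."""
    acts = evaluate(FAILED_LOGIN_TRIGGER, SAMPLE_READINGS)
    acts[0].responded_at = acts[0].at + timedelta(minutes=30)  # handled in time
    overdue = escalate_overdue(FAILED_LOGIN_TRIGGER, acts, T0 + timedelta(hours=6))
    return acts, overdue


if __name__ == "__main__":
    print("gaps:", missing_elements(INCOMPLETE_TRIGGER))
    for a in run_sample()[0]:
        print(a.trigger, a.observed, a.at, "escalated" if a.escalated else "ok", a.notified)
```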


Exception Reports

Description:

Exception Reports are documents or system outputs in an organization that highlight incidents or cases deviating from the standard or expected norms and practices. These reports are typically generated through automated systems and are used for identifying and addressing anomalies in business processes.

Main Uses:

1. Identifying Process Deviations: Pinpoints areas where actual results differ from planned or standard outcomes.
2. Quality Control: Assists in monitoring quality standards and identifying areas of non-compliance.
3. Performance Analysis: Helps analyze employee or department performance against established benchmarks.
4. Risk Management: Aids in identifying potential risks or issues arising from deviations.
5. Operational Improvement: Provides insights for improving operational efficiency and effectiveness.
6. Compliance Monitoring: Useful in ensuring adherence to regulatory and internal policy requirements.

Criteria:

Must Include:

● Clear Identification of Exceptions: Specific details of the deviation from norms or expectations.
● Contextual Information: Background or circumstances leading to the exception.
● Impact Analysis: Assessment of the potential or actual impact of the exception.
● Timeframe: The period during which the exception occurred.
● Responsible Parties: Identification of individuals or departments involved.
● Recommendations for Action: Suggested steps or measures to address the exception.

May Include:

● Historical Data Comparison: Analysis of similar exceptions in the past.
● Trend Analysis: Identification of patterns or trends leading to exceptions.
● Root Cause Analysis: In-depth exploration of the underlying causes of exceptions.
● Future Risk Projection: Estimation of potential future risks based on the exception.
● Performance Metrics: Key performance indicators related to the exception.
● Feedback Mechanisms: Opportunities for stakeholders to provide input or feedback on the exception and its handling.

Follow-up Reporting

Description:

Follow-up Reporting involves the creation of documents or entries in a system that track the progress, outcomes, and subsequent actions taken following an initial event, project, or decision within an organization. This type of reporting is crucial for ensuring accountability and continuous improvement.

Main Uses:

1. Monitoring Progress: Tracks the development and implementation of actions taken after initial decisions or events.
2. Evaluating Outcomes: Assesses the effectiveness and impact of actions and decisions made.
3. Ensuring Accountability: Keeps individuals and teams responsible for following through on commitments and plans.
4. Identifying Areas for Improvement: Highlights successes and failures to inform future strategies and actions.
5. Facilitating Communication: Serves as a communication tool to update stakeholders on the status of ongoing projects or initiatives.
6. Risk Management: Helps in identifying and mitigating risks that emerge during the implementation phase.
7. Decision Support: Provides data and insights to support future decision-making processes.

Criteria:

Must Include:

● Summary of initial objectives or decisions.
● Detailed progress updates with timelines.
● Analysis of outcomes compared to expected results.
● Identification of any deviations or unexpected results.
● Recommendations for future actions or adjustments.
● Accountability details, specifying who is responsible for what actions.

May Include:

● Feedback from stakeholders involved in or affected by the project.
● Quantitative data to support findings.
● Contextual information about external factors influencing outcomes.
● Lessons learned and best practices identified through the process.
● Financial implications or cost analysis related to the actions taken.

Governance Framework

Description:

A Governance Framework is a set of policies, rules, and procedures that define how an organization is managed and controlled. It outlines the roles, responsibilities, and decision-making processes within an organization, ensuring that it operates effectively, ethically, and in compliance with laws and regulations.

Main Uses:

1. Defining Organizational Structure: Establishes the hierarchy and reporting relationships within the organization.
2. Guiding Decision-Making: Provides a basis for making consistent, informed decisions aligned with the organization's objectives.
3. Ensuring Compliance: Helps ensure adherence to legal and regulatory requirements.
4. Risk Management: Identifies and addresses potential risks associated with governance issues.
5. Performance Measurement: Sets standards for evaluating the performance of different departments and personnel.
6. Conflict Resolution: Offers mechanisms for resolving internal conflicts and disputes.
7. Stakeholder Communication: Facilitates effective communication with stakeholders regarding governance matters.
8. Ethical Conduct: Promotes ethical behavior and corporate social responsibility.

Criteria:

Must Include:

● Organizational Structure: Clear definition of roles, responsibilities, and authorities.
● Decision-Making Processes: Detailed procedures for making and implementing decisions.
● Compliance Protocols: Guidelines for compliance with laws, regulations, and ethical standards.
● Risk Management Procedures: Strategies for identifying, assessing, and mitigating risks.
● Performance Evaluation Criteria: Standards for assessing the performance of the organization and its employees.
● Conflict Resolution Mechanisms: Clear procedures for addressing and resolving internal disputes.

May Include:

● Stakeholder Engagement Guidelines: Policies for engaging with and communicating to stakeholders.
● Ethical Standards and Conduct Guidelines: Specific ethical principles and behavior expectations.
● Sustainability Practices: Protocols for promoting environmental and social sustainability.
● Technology Governance: Policies related to the use and management of technology within the organization.
● Crisis Management Plans: Strategies and procedures for handling organizational crises.
● Change Management Procedures: Guidelines for managing and implementing change within the organization.


Governance Policies

Description:

Governance Policies are formal documents within an organization that outline the rules, guidelines, and practices for decision-making and management. These policies ensure compliance, define roles and responsibilities, and guide the organization's strategic direction.

Main Uses:

1. Defining Organizational Structure: Outlining the hierarchy and roles within the organization.
2. Guiding Decision-Making: Providing a framework for making consistent, fair decisions.
3. Ensuring Compliance: Helping to adhere to legal and regulatory requirements.
4. Managing Risk: Offering guidelines to identify, assess, and mitigate risks.
5. Facilitating Strategic Planning: Serving as a reference for aligning operations with the organization's mission and goals.
6. Resolving Conflicts: Providing procedures for handling internal disputes and issues.

Criteria:

Must Include:

● Roles and Responsibilities: Clearly defined roles and responsibilities of board members, executives, and employees.
● Decision-Making Processes: Detailed processes for making key organizational decisions.
● Compliance Requirements: Specific legal and regulatory compliance guidelines.
● Ethical Standards: Guidelines for ethical behavior and conflict of interest management.
● Risk Management Procedures: Steps for identifying and managing potential risks.
● Conflict Resolution Mechanisms: Procedures for addressing and resolving internal conflicts.

May Include:

● Sustainability Practices: Guidelines for environmental and social responsibility.
● Data Governance: Policies related to data management and security.
● Stakeholder Engagement: Protocols for interacting with shareholders, customers, and other stakeholders.
● Change Management: Guidelines for managing organizational changes.
● Performance Metrics: Standards for measuring and evaluating performance.
● Communication Protocols: Policies for internal and external communications.


Improvement Action Plans

Description:

Improvement Action Plans are strategic documents used in organizations to outline specific steps for enhancing processes, services, or products. These plans typically identify areas needing improvement, set clear objectives for enhancement, and detail actionable steps to achieve these goals.

Main Uses:

1. Identifying Improvement Areas: Pinpoints specific processes or aspects of the business that require enhancements.
2. Setting Improvement Objectives: Establishes clear, measurable goals for what the improvements should achieve.
3. Actionable Steps Development: Provides a roadmap of specific actions required to achieve the improvement goals.
4. Resource Allocation: Assists in allocating resources, including time, personnel, and budget, for the implementation of improvements.
5. Performance Tracking: Enables monitoring and measuring the effectiveness of the improvement efforts.
6. Continuous Improvement: Fosters a culture of ongoing refinement and optimization within the organization.

Criteria:

Must Include:

● Clear Objectives: Defined, measurable goals for improvement.
● Specific Actions: Detailed steps and strategies for achieving the objectives.
● Timeline: A realistic timeline for implementing the actions.
● Responsibility Allocation: Clear assignment of responsibilities for each action step.
● Resource Requirements: Identification of resources needed, such as budget, personnel, and materials.
● Success Metrics: Criteria for measuring the success of the improvement actions.

May Include:

● Risk Assessment: Analysis of potential risks and challenges in implementing the actions.
● Feedback Mechanisms: Processes for gathering feedback and making adjustments.
● Historical Data Analysis: Use of past performance data to inform improvement strategies.
● Stakeholder Involvement: Inclusion of different stakeholders in the planning and implementation stages.
● Continuous Monitoring: Ongoing evaluation and adjustment of the plan based on performance data.

Incident Post-mortem Analysis

Description:

Incident Post-mortem Analysis is a detailed report compiled after an unexpected event or incident in an organization. It focuses on what happened, why it happened, how it was handled, and what can be learned to prevent future occurrences.

Main Uses:

1. Identifying Root Causes: To understand the underlying reasons for the incident.
2. Improving Response Strategies: Enhancing future response plans and procedures.
3. Training and Development: Serving as a learning tool for staff to prevent similar incidents.
4. Policy Revision: Informing changes in policies or practices to mitigate risks.
5. Performance Evaluation: Assessing how effectively the incident was managed.
6. Communication: Providing transparent information to stakeholders about the incident and response.
7. Regulatory Compliance: Ensuring compliance with legal and industry standards post-incident.

Criteria:

Must Include:

● A comprehensive timeline of the incident.
● Detailed analysis of the causes and contributing factors.
● Assessment of the response actions taken.
● Identification of strengths and weaknesses in the response.
● Recommendations for preventing future incidents.
● Documentation of lessons learned and best practices.

May Include:

● Impact assessment on various aspects of the organization.
● Interviews or feedback from involved personnel.
● Comparison with similar incidents in the past.
● Review of relevant policies and procedures.
● Follow-up actions and accountability measures.
● Metrics or data supporting the analysis findings.

Internal Audit Plan

Description:

An Internal Audit Plan is a strategic document used within organizations to outline the focus and direction of internal auditing activities. It identifies key areas of risk and compliance, setting a schedule for audits over a specific period, usually a fiscal year.

Main Uses:

1. Risk Assessment: Identifies and evaluates risks to guide audit priorities.
2. Resource Allocation: Determines the allocation of audit resources based on identified risks and priorities.
3. Compliance Monitoring: Ensures adherence to laws, regulations, and internal policies.
4. Operational Efficiency: Evaluates operational processes for efficiency and effectiveness.
5. Strategic Alignment: Aligns audit activities with the organization's strategic objectives.
6. Performance Measurement: Assesses the effectiveness of controls and procedures.
7. Continuous Improvement: Identifies areas for process improvements and best practices.
8. Stakeholder Assurance: Provides assurance to management and stakeholders about the control environment.
9. Fraud Detection: Helps in identifying and mitigating potential fraud.

Criteria:

Must Include:

● Scope of Audit: Clearly defined areas and functions to be audited.
● Objectives: Specific objectives for each audit activity.
● Timeline: A detailed schedule for audit activities.
● Resource Allocation: Allocation of personnel and other resources for each audit.
● Risk Assessment: Analysis of risks in various organizational areas.
● Methodology: Outline of the audit methodology to be used.

May Include:

● Follow-up Procedures: Steps for follow-up on previous audit findings.
● Stakeholder Communication: Plan for communicating with internal and external stakeholders.
● Training Requirements: Identification of training needs for audit staff.
● Technology Utilization: Use of technology in audit processes.
● Reporting Format: Standardized format for audit reporting.

Internal Audit Reports

Description:

Internal Audit Reports are formal documents produced by an organization's internal audit function. They provide an independent and objective assessment of the organization's policies, procedures, and operations, focusing on areas such as risk management, control, and governance processes.

Main Uses:

1. Risk Management Evaluation: Assessing the effectiveness of risk management strategies and practices.
2. Control System Analysis: Examining the adequacy and effectiveness of internal control systems.
3. Compliance Verification: Ensuring compliance with laws, regulations, and internal policies.
4. Operational Efficiency Review: Identifying areas for operational improvement and efficiency gains.
5. Financial Integrity Check: Evaluating the accuracy and integrity of financial records and reporting.
6. Strategic Decision Support: Providing insights to management for informed decision-making.
7. Fraud Detection: Identifying potential fraudulent activities or vulnerabilities.
8. Policy and Procedure Assessment: Reviewing the appropriateness and effectiveness of current policies and procedures.

Criteria:

Must Include:

● Scope of Audit: Clearly defined boundaries and focus of the audit.
● Audit Methodology: Description of the audit procedures and methods used.
● Findings and Observations: Detailed account of findings, including any discrepancies or issues identified.
● Risk Assessment: Evaluation of risks related to the audited areas.
● Recommendations: Practical suggestions for improvement based on findings.
● Management Response: Feedback or comments from management on the audit findings.

May Include:

● Follow-up Actions: Outline of steps to be taken in response to the audit.
● Comparative Analysis: Comparison with previous audits or industry benchmarks.
● Impact Analysis: Assessment of the potential impact of findings on different areas of the organization.
● Timeline for Review: Suggested timeline for re-evaluation or follow-up audits.
● Resource Allocation: Recommendations for resource adjustments to address identified issues.
● Best Practice Highlights: Identification of areas where the organization excels, based on audit findings.


Key Compliance Indicators (KCI)

Description:

Key Compliance Indicators (KCI) are metrics used by organizations to measure and monitor their adherence to legal, regulatory, and ethical standards. These indicators help in evaluating the effectiveness of compliance programs and identifying areas that require improvement.

Main Uses:

1. Monitoring Compliance: Tracking adherence to various regulatory and legal requirements.
2. Risk Management: Identifying and managing compliance-related risks.
3. Performance Measurement: Evaluating the performance of compliance processes and activities.
4. Decision Making: Assisting management in making informed decisions regarding compliance strategies.
5. Reporting: Providing data for internal and external compliance reporting.
6. Audit Preparation: Facilitating preparation for internal and external audits by providing relevant compliance data.
7. Trend Analysis: Analyzing trends over time to identify patterns or areas of concern in compliance.
8. Policy Development: Informing the development and revision of policies and procedures to ensure compliance.

Criteria:

Must Include:

● Relevance: Indicators should be directly related to key compliance areas.
● Measurability: Each KCI must be quantifiable for effective tracking.
● Clarity: Clearly defined for consistent interpretation and application.
● Timeliness: Updated regularly to reflect the most current compliance status.
● Comparability: Able to be compared over different periods for trend analysis.
● Actionable: Providing insights that lead to actionable steps for improvement.

May Include:

● Benchmarks: Including industry or sector-specific benchmarks for comparison.
● Risk Weighting: Assigning different weights to KCIs based on their impact on the organization.
● Segmentation: Differentiating KCIs by department, function, or geographic location.
● Integration: Aligning with other performance metrics for a holistic view of organizational performance.
● Predictive Analysis: Using KCIs for predicting potential future compliance issues.
● Customization: Tailoring KCIs to specific organizational needs or goals.

Key Performance Indicators (KPI)

Description:

Key Performance Indicators (KPIs) are quantifiable metrics used by organizations to assess their performance against specific objectives and goals. These indicators help in tracking progress, measuring efficiency, and identifying areas needing improvement.

Main Uses:

1. Performance Measurement: Evaluating the efficiency and effectiveness of various operations and processes.
2. Goal Tracking: Monitoring progress towards achieving short-term and long-term organizational goals.
3. Decision Making: Guiding strategic and operational decisions by providing data-driven insights.
4. Resource Allocation: Assisting in optimizing the allocation of resources by identifying high-performing areas.
5. Problem Identification: Highlighting areas of concern or underperformance that require attention.
6. Motivation and Engagement: Serving as a tool for employee motivation by setting clear targets and measuring achievements.
7. Benchmarking: Comparing performance against industry standards or competitors.
8. Trend Analysis: Identifying trends over time to forecast future performance and make proactive adjustments.
9. Risk Management: Detecting potential risks and challenges by monitoring deviations from expected performance levels.

Criteria:

Must Include:

● Relevance: Must align with the organization's goals and objectives.
● Quantifiability: Must be measurable in quantitative terms.
● Clarity: Must be clear and understandable for all stakeholders.
● Actionability: Must provide insights that can lead to actionable steps.
● Consistency: Must be consistently measurable over time for accurate comparison.
● Timeliness: Must be current and updated regularly to reflect the most recent performance data.

May Include:

● Segmentation: Can be broken down by departments, teams, or projects for more detailed analysis.
● Customizability: Can be tailored to specific departmental or organizational needs.
● Comparability: Can be designed to allow comparison with industry benchmarks or past performance data.
● Integration: Can be integrated with other metrics for comprehensive performance analysis.
● Predictive Value: May provide insights for future performance predictions or trends.
● Feedback Mechanism: Can include a feedback loop for continuous improvement.

Key Risk Indicators (KRI)

Description:

Key Risk Indicators (KRIs) are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise. They are used to monitor potential changes in the risk profile of a business, allowing for proactive risk management.

Main Uses:

1. Risk Identification: Helps in identifying emerging or potential risks before they materialize.
2. Performance Tracking: Tracks the performance of various departments or processes in managing risks.
3. Trend Analysis: Assists in analyzing trends over time to predict potential risk areas.
4. Decision Support: Provides data-driven support for strategic and operational decision-making.
5. Compliance Monitoring: Ensures adherence to regulatory requirements and internal policies.
6. Risk Communication: Facilitates communication about risks within the organization.
7. Resource Allocation: Aids in prioritizing and allocating resources for risk mitigation.
8. Benchmarking: Enables comparison of risk levels against industry standards or past performance.

Criteria:

Must Include:

● Relevance: Indicators should be closely aligned with the organization's risk profile.
● Quantifiability: KRIs should be quantifiable to allow for objective measurement.
● Timeliness: The indicators must provide timely data to be effective in early risk detection.
● Actionability: KRIs should lead to actionable insights for risk mitigation.
● Clarity: Clearly defined to ensure consistent understanding across the organization.
● Comparability: Should be consistent over time for effective trend analysis.

May Include:

● Thresholds for Action: Specific points at which actions are triggered.
● Historical Data: Past data for benchmarking and trend analysis.
● Predictive Value: Indicators that can forecast potential future risks.
● Segmentation: Differentiation of indicators by department, region, or product line.
● Integration with Other Metrics: Linkage with other business metrics for a holistic view.
● Frequency of Reporting: Regular intervals for updating and reporting the KRIs.


Legal and Regulatory Surveillance

Description:

Legal and Regulatory Surveillance involves the continuous monitoring and analysis of legal and regulatory changes that could affect an organization. This includes new laws, amendments to existing laws, and changes in regulatory guidelines that could impact various aspects of the business.

Main Uses:

1. Compliance Assurance: Ensures the organization remains compliant with current laws and regulations.
2. Risk Management: Identifies potential legal and regulatory risks to the business.
3. Strategic Planning: Aids in adjusting business strategies in response to legal and regulatory changes.
4. Training and Awareness: Keeps employees informed about relevant legal and regulatory changes.
5. Policy Development: Assists in developing or revising internal policies to align with new legal requirements.
6. Stakeholder Communication: Facilitates clear communication with stakeholders regarding changes in the legal and regulatory landscape.
7. Contract Review: Guides the review and modification of contracts to maintain legal compliance.

Criteria:

Must Include:

● Comprehensive Coverage: Should encompass all relevant legal and regulatory areas.
● Timeliness: Updates must be timely to ensure current compliance.
● Accuracy: Information should be accurate and reliable.
● Clarity: Presented in a clear, understandable manner.
● Actionable Insights: Should provide actionable information for decision-making.
● Relevance: Information should be directly relevant to the organization's operations.

May Include:

● Risk Assessment Metrics: May include metrics to assess the impact of legal changes.
● Historical Data: Could contain historical data for trend analysis.
● Stakeholder Analysis: Might include an analysis of how changes affect different stakeholders.
● Legal Opinions: May provide expert legal opinions or interpretations.
● Comparative Analysis: Could offer a comparison with legal frameworks in other regions or industries.
● Implementation Guidelines: Might suggest practical steps for implementation.

‭Market Analysis‬

‭Description:‬

‭Market Analysis is a comprehensive assessment of a specific market within an industry. It‬


‭examines market size, growth rate, dynamics, customer segments, competition, and trends. This‬
‭analysis helps businesses understand their position and potential in the marketplace.‬

‭Main Uses:‬

‭1.‬ ‭Identifying Target Customers: Helps in pinpointing the specific demographics and‬
‭preferences of potential customers.‬
‭2.‬ ‭Competitive Analysis: Assesses competitors’ strengths, weaknesses, and market share.‬
‭3.‬ ‭Product Development: Informs the development of products or services to meet market‬
‭needs.‬
‭4.‬ ‭Strategic Planning: Aids in making informed decisions for business strategies based on‬
‭market trends and conditions.‬
‭5.‬ ‭Risk Assessment: Evaluates potential risks in market entry or expansion.‬
‭6.‬ ‭Marketing Strategy: Guides the creation of effective marketing campaigns tailored to the‬
‭market.‬
‭7.‬ ‭Investment Decisions: Assists in evaluating the viability and potential return on investment‬
‭in new projects or ventures.‬

‭Criteria:‬

‭Must Include:‬

‭●‬ ‭Market Size: Quantitative data on the current size of the market.‬
‭●‬ ‭Growth Trends: Historical and projected growth rates of the market.‬
‭●‬ ‭Customer Demographics: Detailed description of customer segments, including age,‬
‭gender, income level, etc.‬

● Competitor Analysis: Information about key competitors, their market share, and strategies.
● Regulatory Environment: Overview of relevant regulations and legal factors affecting the market.
● Market Dynamics: Insights into market drivers, restraints, opportunities, and challenges.

May Include:

● Technological Trends: Analysis of current and emerging technology trends impacting the market.
● Supply Chain Analysis: Overview of the supply chain and its impact on the market.
● Customer Behavior Patterns: Insights into consumer behavior, preferences, and buying patterns.
● Economic Indicators: Impact of broader economic factors on the market.
● SWOT Analysis: Strengths, weaknesses, opportunities, and threats in the market context.
● Future Outlook: Predictions or scenarios for future market developments.

Objective-Setting Criteria

Description:

Objective-Setting Criteria refer to a set of guidelines and standards used by an organization to define its goals and objectives. These criteria serve as a framework for establishing clear and achievable targets that align with the organization's mission and strategic direction.

Main Uses:

Objective-Setting Criteria are employed for various purposes within an organization, including:

1. Strategic Planning: They provide a foundation for formulating long-term strategies and plans.
2. Performance Evaluation: Objectives set according to these criteria are used to assess the performance of teams, departments, and the organization as a whole.
3. Resource Allocation: They guide the allocation of resources, such as budget and manpower, to support the achievement of objectives.
4. Communication: Objective-Setting Criteria facilitate effective communication of goals and expectations to employees and stakeholders.
5. Decision-Making: They aid in decision-making by providing a clear reference point for evaluating options.
6. Continuous Improvement: Criteria may be used to assess and refine objectives over time for continuous improvement.

Criteria:

Must Include:

● Specificity: Objectives should be specific and clearly defined, leaving no room for ambiguity.
● Measurability: Criteria must include quantifiable metrics or key performance indicators (KPIs) to gauge progress.
● Relevance: Objectives should align with the organization's mission, vision, and strategic priorities.
● Achievability: Criteria must consider the organization's capabilities and available resources.
● Time-Bound: Objectives should have defined timeframes or deadlines for accomplishment.
● Responsibility: Each objective should be assigned to a responsible individual or team.

May Include:

● Alignment with Values: Objectives may align with the organization's core values and ethical principles.
● Risk Assessment: Criteria may consider potential risks and contingencies for objective achievement.
● Benchmarking: Including benchmarks or industry standards for performance comparison.
● Flexibility: Criteria may allow for adjustments to objectives in response to changing circumstances.
● Stakeholder Consideration: Taking into account the interests and needs of relevant stakeholders when setting objectives.

Organizational Change Management Plans

Description:

Organizational Change Management Plans are comprehensive documents used by businesses to guide the process of implementing changes within the organization. They focus on the human aspect of change, outlining strategies for managing transitions, communicating changes to employees, and ensuring that changes are effectively integrated into the company's culture and operations.

Main Uses:

1. Guiding Implementation of Changes: Provides a roadmap for introducing and implementing new processes, systems, or structures within the organization.
2. Employee Engagement: Facilitates communication and involvement of employees in the change process, ensuring their buy-in and reducing resistance.
3. Training and Development: Identifies necessary training and development programs to equip employees with new skills or knowledge required for the change.
4. Risk Management: Helps in identifying and mitigating risks associated with the change process.
5. Performance Monitoring: Establishes metrics and procedures for monitoring the effectiveness of the change and its impact on the organization.
6. Feedback Integration: Offers mechanisms for collecting and incorporating employee feedback throughout the change process.

Criteria:

Must Include:

● Clear Objectives: Specific goals and desired outcomes of the change.
● Stakeholder Analysis: Identification of individuals or groups affected by the change and their roles.
● Communication Plan: Strategies for informing and engaging stakeholders about the change.
● Timeline: Detailed schedule outlining phases of the change process.
● Risk Assessment: Analysis of potential risks and mitigation strategies.
● Success Metrics: Criteria for measuring the success of the change initiative.

May Include:

● Change Champion Identification: Selection of leaders or influencers to drive and support the change.
● Training Programs: Specific training needs and plans for different employee groups.
● Budget Considerations: Financial resources required for the change.
● Cultural Impact Analysis: Evaluation of how the change affects organizational culture.
● Post-Implementation Review Plan: Framework for assessing the change after implementation.
● Feedback Mechanisms: Tools for gathering ongoing feedback from employees.

Organizational Chart

Description:

An organizational chart is a visual representation that shows the structure of an organization and the relationships and relative ranks of its parts and positions/jobs. It typically outlines the hierarchy of employees, departments, and divisions, as well as how they interconnect.

Main Uses:

1. Identifying Reporting Relationships: Clarifies who reports to whom.
2. Workforce Planning: Assists in understanding current human resources and future needs.
3. Enhancing Communication: Helps employees understand their role in the organization and whom to approach for specific issues.
4. Onboarding New Employees: Provides new hires with a clear picture of the company's structure.
5. Managing Change: Useful in planning and communicating changes in organizational structure.
6. Resource Allocation: Helps in understanding where resources are concentrated and where they might be needed.

Criteria:

Must Include:

● Clear Hierarchy: Clearly defined levels of authority and responsibility.
● Departmental and Divisional Breakdown: Distinct sections for different departments or divisions.
● Names and Positions: Full names and job titles of individuals.
● Lines of Reporting: Clear lines indicating who reports to whom.
● Contact Information: Basic contact details like email or extension numbers.
● Updated Information: Regular updates to reflect current organizational structure.

May Include:

● Photographs: Images of staff members for easier identification.
● Physical Location: Office locations or room numbers for each department or individual.
● Brief Job Descriptions: A short summary of roles and responsibilities.
● Project Teams or Committees: Special project groups or committees within the organization.
● External Links: Connections to external stakeholders or partners.
● Date of Last Update: Indicating the chart's currency.

Organizational Goals and Objectives

Description:

Organizational Goals and Objectives refer to the specific targets and benchmarks an organization sets to guide its operations and measure its performance. These goals are typically aligned with the company's mission and vision, and they provide a roadmap for achieving its long-term aspirations.

Main Uses:

1. Strategic Planning: Directing the development of long-term strategies.
2. Performance Measurement: Assessing the effectiveness of different departments and teams.
3. Resource Allocation: Guiding decisions on where to allocate financial, human, and material resources.
4. Employee Motivation and Engagement: Setting clear objectives to motivate employees.
5. Decision-Making: Assisting managers in making informed decisions that align with the company's direction.
6. Risk Management: Identifying and managing risks in line with achieving set goals.

Criteria:

Must Include:

● Specific: Clearly defined and detailed.
● Measurable: Quantifiable to track progress.
● Achievable: Realistic and attainable within available resources.
● Relevant: Aligned with the broader mission and vision of the organization.
● Time-Bound: Include a clear timeframe for achievement.
● Flexible: Adaptable to changing circumstances.

May Include:

● Benchmarks for Comparison: Standards for comparing performance against competitors or industry norms.
● Long-Term Vision Components: Aspects of the organization's long-term vision.
● Departmental/Sub-Goal Alignment: Alignment with goals of various departments.
● Stakeholder Considerations: Interests of different stakeholders (like employees, customers, shareholders).
● Sustainability Aspects: Consideration of environmental and social sustainability goals.
● Innovation Targets: Goals related to innovation and technological advancement.

Organizational Mission Statement

Description:

An Organizational Mission Statement is a brief, formal declaration of the fundamental purpose of an organization. It defines the organization's core values, ethical commitments, and overarching goals. It is often concise and inspirational, designed to succinctly communicate the organization's direction and priorities to both employees and external stakeholders.

Main Uses:

1. Guiding Organizational Strategy: It sets the foundation for developing long-term and short-term strategic plans.
2. Employee Alignment: Helps in aligning employees' goals and actions with the organization's purpose.
3. Stakeholder Engagement: Acts as a communication tool to inform stakeholders about the organization's intentions and core values.
4. Decision-Making: Assists leaders and employees in making decisions that align with the organization’s ethos.
5. Brand Identity: Enhances the organization's brand by clearly stating its purpose and values.
6. Talent Attraction: Attracts potential employees who resonate with the organization's values.
7. Performance Evaluation: Provides a reference point for evaluating organizational performance against its stated mission.

Criteria:

Must Include:

● Clear articulation of the organization's purpose.
● Statement of core values or principles.
● Brief and concise wording.
● Inspirational and motivational language.
● Alignment with the organization's long-term vision.
● Accessibility and comprehensibility to all stakeholders.

May Include:

● Specific goals or objectives.
● Reference to the organization's history or founder’s vision.
● Mention of the target audience or beneficiaries.
● A statement about the organization’s unique position or competitive advantage.
● Ethical commitments or social responsibility initiatives.
● Future-oriented aspirations or growth targets.

Organizational Strategic Plan

Description:

An Organizational Strategic Plan is a detailed document that outlines an organization's long-term goals, strategies, and objectives. It acts as a guiding roadmap, influencing decision-making and resource allocation, and includes an analysis of both internal and external factors affecting the organization.

Main Uses:

1. Guiding Organizational Direction: Sets a clear path for the future of the organization.
2. Informed Decision-Making: Provides a strategic framework for making key decisions.
3. Efficient Resource Allocation: Helps in allocating resources according to strategic priorities.
4. Performance Measurement: Acts as a benchmark to assess organizational progress and effectiveness.
5. Stakeholder Engagement: Communicates the organization's goals and strategies to stakeholders.
6. Risk Management: Identifies and prepares for potential risks and opportunities.
7. Facilitating Change Management: Offers a structured approach to managing organizational changes.
8. Aligning Employee Objectives: Ensures that employee goals are in sync with organizational aims.

Criteria:

Must Include:

● Clear Vision and Mission Statements: Articulating the organization's core purpose and aspirations.
● Defined Goals and Objectives: Detailed, SMART (Specific, Measurable, Achievable, Relevant, Time-bound) goals.
● Strategic Initiatives: Key strategies and actions for achieving objectives.
● SWOT Analysis: Comprehensive analysis of Strengths, Weaknesses, Opportunities, and Threats.
● Key Performance Indicators (KPIs): Metrics for tracking progress towards goals.
● Stakeholder Analysis: Identification and consideration of key stakeholder interests.

May Include:

● Financial Projections: Forecasts of financial performance and budget requirements.
● Market Analysis: Insights into market trends, competition, and customer demographics.
● Risk Assessment: Evaluation of potential risks and corresponding mitigation strategies.
● Succession Planning: Strategies for leadership continuity and talent management.
● Environmental and Social Impact Assessment: Evaluation of the plan's impact on society and the environment.
● Technology Roadmap: Strategies for integrating and leveraging new technological advancements.

Organizational Values Statement

Description:

An Organizational Values Statement is a document that outlines the core values and beliefs of a company. These values guide the behavior, decisions, and actions within the organization, shaping its culture and public image.

Main Uses:

1. Guiding Employee Behavior: Serving as a framework for expected conduct in the workplace.
2. Decision Making: Providing a basis for making business decisions aligned with the company ethos.
3. Recruitment and Onboarding: Assisting in attracting candidates who share similar values and inculcating new employees with the company's culture.
4. Brand Identity: Helping to establish and communicate the company's identity and ethical stance to the public and stakeholders.
5. Conflict Resolution: Offering a reference point for resolving ethical dilemmas and internal disputes.

Criteria:

Must Include:

● Core Values: Clearly stated fundamental values central to the company.
● Mission Alignment: A connection to the organization’s mission and vision.
● Ethical Standards: Guidelines on ethical behavior and decision-making.
● Inclusivity Statements: A commitment to diversity and inclusion.
● Implementation Strategies: How these values will be implemented and upheld in the organization.
● Leadership Endorsement: Sign-off or endorsement from top management.

May Include:

● Historical References: Linkages to the organization’s history and evolution.
● Employee Responsibilities: Specific expectations from employees in upholding these values.
● Community Engagement: Statements on how values align with community and social responsibilities.
● Environmental Commitment: If applicable, a focus on sustainability and environmental stewardship.
● Global Perspectives: Considerations for international operations and cultural sensitivity.
● Review Procedures: Processes for periodically reviewing and updating the values statement.

Policies and Procedures

Description:

Policies and Procedures are official documents that outline an organization's rules, guidelines, and standard operating procedures (SOPs). These documents are essential for maintaining consistency, compliance, and efficiency within a business.

Main Uses:

1. Guiding employee behavior and decision-making processes.
2. Ensuring compliance with laws and regulations.
3. Standardizing operations across the organization.
4. Serving as a reference for conflict resolution and disciplinary actions.
5. Training and onboarding new employees.
6. Reducing risks and liabilities for the organization.
7. Enhancing efficiency and quality of work.
8. Providing a basis for performance evaluations and improvements.
9. Facilitating communication of expectations and responsibilities.
10. Serving as documentation for auditing and legal purposes.

Criteria:

Must Include:

● Clearly defined objectives and scope of the policy or procedure.
● Detailed steps or guidelines for implementation.
● Roles and responsibilities of personnel involved.
● Compliance requirements with relevant laws and regulations.
● Effective date and review schedule for updates.
● Approval signatures from authorized personnel.

May Include:

● Background or rationale for the policy or procedure.
● Specific examples or scenarios for clarity.
● References to related policies or documents.
● Consequences of non-compliance.
● Resources or tools required for implementation.
● Contact information for further inquiries or support.

Policy Framework

Description:

A policy framework is an organized set of principles, rules, guidelines, and best practices established by an organization to direct and control its activities. It serves as a foundation for decision-making and operational processes, ensuring consistency and compliance with internal standards and external regulations.

Main Uses:

1. Guiding employee behavior and decision-making.
2. Ensuring compliance with legal and regulatory requirements.
3. Establishing standard operating procedures for various tasks.
4. Providing a basis for performance evaluation and accountability.
5. Enhancing organizational transparency and communication.
6. Managing risks and establishing control mechanisms.
7. Supporting strategic planning and goal alignment.
8. Facilitating training and development programs.

Criteria:

Must Include:

● Clearly defined objectives and scope.
● Specific guidelines and procedures relevant to the organization's operations.
● Compliance requirements with relevant laws and regulations.
● Roles and responsibilities of employees and management.
● Enforcement mechanisms and consequences for non-compliance.
● Revision and update procedures to remain current and effective.

May Include:

● Case studies or examples to illustrate policy application.
● References to external resources or best practices.
● Mechanisms for employee feedback and policy improvement.
● Details on policy dissemination and training methods.
● Cross-references to other related internal policies or documents.
● Tools and resources for policy implementation and monitoring.

RACI Matrix

Description:

A RACI Matrix, an acronym for Responsible, Accountable, Consulted, and Informed, is a chart used in project management and organizational planning. It clarifies roles and responsibilities in cross-functional or departmental projects and processes.

Main Uses:

1. Clarifying Roles: Delineates specific roles and responsibilities in a project or task.
2. Improving Communication: Ensures all stakeholders are aware of their roles and responsibilities.
3. Enhancing Decision-Making: Identifies decision-makers and those who need to be consulted.
4. Conflict Resolution: Helps in resolving disputes regarding workload and responsibilities.
5. Resource Management: Aids in the allocation and management of resources based on roles.
6. Efficiency Optimization: Streamlines processes by clearly defining roles and reducing overlap.

Criteria:

Must Include:

● Task or Project Elements: Clear listing of tasks or project components.
● Team Members: Names or roles of individuals involved in the project.
● Responsible (R): Individuals or roles who perform the task.
● Accountable (A): The single person responsible for the task's completion.
● Consulted (C): Those whose opinions are sought; typically subject matter experts.
● Informed (I): Those who are kept updated on progress, but not actively involved.

May Include:

● Deadlines: Project or task-specific deadlines.
● Progress Indicators: Status or stages of task completion.
● Priority Levels: Indicating the importance or urgency of tasks.
● Additional Roles: Such as supporters or deputies, if applicable.
● Feedback Mechanisms: Ways to provide feedback on the process or tasks.
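
Two of the "Must Include" criteria above are mechanical rules an assessor can check across a whole matrix rather than by eye: each task has exactly one Accountable, and each task has at least one Responsible. The validator below is an added example written for this page; it is not OCEG's tooling and not part of the framework. The matrix, the task names and the role names in it are constructed, and the two extra checks (rejecting codes outside R/A/C/I, and listing roles that hold no code on any task) are assumptions about what an assessor would also want surfaced.

```python
"""Structural checks over a RACI matrix (added example, not OCEG's code).

A matrix is a dict mapping each task (row) to a dict of role -> code,
where code is one of "R", "A", "C", "I" or "" for 'not involved'.
"""
from collections import Counter

VALID_CODES = {"R", "A", "C", "I"}

# Constructed sample matrix: rows are task/project elements, columns are roles.
# Two rows deliberately violate the criteria so the findings are visible.
SAMPLE_RACI = {
    "Define control objectives":  {"CISO": "A", "Risk Manager": "R", "Internal Audit": "C", "IT Ops": "I"},
    "Implement access reviews":   {"CISO": "A", "Risk Manager": "C", "Internal Audit": "I", "IT Ops": "R"},
    "Test control effectiveness": {"CISO": "A", "Risk Manager": "A", "Internal Audit": "R", "IT Ops": "C"},  # two A's
    "Report to the board":        {"CISO": "A", "Risk Manager": "C", "Internal Audit": "C", "IT Ops": ""},   # nobody R
}


def validate_raci(matrix):
    """Return a list of (task, problem) findings.

    An empty list means every task satisfies the structural 'Must Include'
    rules: exactly one Accountable, at least one Responsible, and only
    known RACI codes in the cells (the unknown-code check is an assumption,
    added here because a stray letter silently breaks the other two counts).
    """
    findings = []
    for task, assignments in matrix.items():
        # Empty cells mean 'not involved' and are not counted as a code.
        counts = Counter(code for code in assignments.values() if code)
        unknown = sorted(set(counts) - VALID_CODES)
        if unknown:
            findings.append((task, f"unknown code(s): {', '.join(unknown)}"))
        if counts["A"] != 1:
            findings.append((task, f"expected exactly one Accountable, found {counts['A']}"))
        if counts["R"] == 0:
            findings.append((task, "no Responsible assigned"))
    return findings


def uninvolved_roles(matrix):
    """Roles that appear as columns but hold no code on any task.

    Not a defect under the page's criteria, but a column nobody uses is a
    question worth raising in an assessment (assumed check, not from the page).
    """
    roles = {role for row in matrix.values() for role in row}
    used = {role for row in matrix.values() for role, code in row.items() if code}
    return sorted(roles - used)


if __name__ == "__main__":
    for task, problem in validate_raci(SAMPLE_RACI):
        print(f"{task}: {problem}")
    print("roles with no assignment on any task:", uninvolved_roles(SAMPLE_RACI))
```

Run against the constructed matrix it reports the double Accountable on "Test control effectiveness" and the missing Responsible on "Report to the board" and nothing else; a clean matrix returns an empty list, which is the condition an assessor would record as meeting these two criteria.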

Reassessment Schedules

Description:

Reassessment schedules are structured timetables that outline the frequency and scope of reviewing and updating various aspects of a business. They ensure that processes, policies, and practices remain relevant, efficient, and compliant with current standards and regulations.

Main Uses:

1. Ensuring compliance with industry standards and regulatory requirements.
2. Keeping business practices up-to-date with market trends and technological advancements.
3. Identifying areas for improvement in operational efficiency.
4. Facilitating continuous improvement and strategic planning.
5. Monitoring and managing risks effectively.
6. Assisting in resource allocation and budgeting.
7. Guiding training and development programs.
8. Supporting audit and quality assurance processes.
9. Enhancing decision-making with current and accurate information.
10. Aligning business objectives with changing external environments.

Criteria:

Must Include:

● Clear timelines for each reassessment activity.
● Defined scope and objectives for each review.
● Roles and responsibilities of involved personnel.
● Compliance requirements and regulatory standards to be met.
● Methodology for conducting the reassessment.
● Criteria for evaluating the effectiveness of current practices.

May Include:

● Specific tools and resources required for reassessment.
● Historical data and benchmarks for comparison.
● Provisions for unexpected changes or emergencies.
● Feedback mechanisms from stakeholders.
● Plans for implementing recommendations post-reassessment.
● Documentation and reporting formats.

Risk Appetite Statement

Description:

A Risk Appetite Statement (RAS) is a formal document that outlines an organization's willingness to take risks. It serves as a guideline for decision-making, ensuring that risks are understood, intentional, and within the organization's capacity to manage.

Main Uses:

1. Guiding Risk Management: Sets the parameters for risk-taking, aligning it with business objectives.
2. Decision Making: Helps in making informed decisions by understanding acceptable risk levels.
3. Compliance and Regulation: Ensures adherence to regulatory requirements regarding risk management.
4. Strategic Planning: Assists in aligning business strategies with risk tolerance.
5. Performance Monitoring: Used to monitor and assess risk exposure against the set appetite.
6. Stakeholder Communication: Communicates the organization's risk approach to stakeholders, including investors and employees.
7. Resource Allocation: Directs resources towards areas within the acceptable risk threshold.

Criteria:

Must Include:

● Quantitative and Qualitative Measures: Clear metrics and narratives that define acceptable risk levels.
● Risk Tolerance Levels: Specific thresholds for different types of risks.
● Alignment with Business Objectives: Demonstration of how risk appetite aligns with the organization's goals.
● Governance Structure: Outline of roles and responsibilities in managing risk.
● Review and Update Mechanisms: Procedures for regular review and updates of the statement.
● Risk Categories: Identification and definition of relevant risk categories.

May Include:

● Scenario Analysis: Examples of potential scenarios and how they fit within the risk appetite.
● Historical Data Analysis: Insights from past experiences and risk events.
● Stakeholder Input: Perspectives and expectations from various stakeholders.
● External Benchmarks: Comparison with industry standards or competitor risk appetites.
● Change Management Procedures: Guidelines on managing changes in risk appetite.
● Risk Appetite Metrics Evolution: Explanation of how risk metrics might evolve over time.

Risk Assessments

Description:

Risk Assessments are systematic processes used to identify, evaluate, and prioritize risks within an organization. These assessments focus on potential hazards and vulnerabilities that could negatively impact the organization's operations, assets, employees, or reputation.

Main Uses:

1. Identifying potential risks and threats to an organization.
2. Evaluating the likelihood and potential impact of identified risks.
3. Guiding the development of strategies to manage or mitigate risks.
4. Assisting in compliance with legal and regulatory requirements.
5. Enhancing decision-making processes by providing insights into potential risks.
6. Supporting crisis management and contingency planning.
7. Informing stakeholders about the risk environment of the organization.
8. Guiding resource allocation to address high-priority risks.
9. Monitoring and reviewing the effectiveness of risk management strategies.
10. Contributing to the overall strategic planning of the organization.

Criteria:

Must Include:

● Identification of potential risks and hazards.
● Assessment of the likelihood and impact of each risk.
● Risk prioritization based on severity and probability.
● Recommendations for risk mitigation strategies.
● Documentation of the assessment process and findings.
● A review and update mechanism for ongoing risk assessment.

May Include:

● Historical data and analysis of past incidents.
● Stakeholder input and feedback on perceived risks.
● Scenario analysis and forecasting of potential future risks.
● Integration with other organizational planning documents.
● Use of risk assessment tools and software.
● Cross-reference with industry standards and best practices.
● Reporting mechanisms for ongoing risk monitoring.

Risk Event Register

Description:

A Risk Event Register is a document or system used in organizations to record and track potential risk events that might affect projects or operations. It serves as a central repository for identifying, assessing, and managing risks.

Main Uses:

1. Risk Identification: Documenting potential risks that could impact project outcomes.
2. Risk Analysis: Assessing the likelihood and impact of identified risks.
3. Risk Prioritization: Ranking risks to focus on those with the highest potential impact or probability.
4. Mitigation Planning: Developing strategies and actions to reduce or manage risks.
5. Monitoring and Review: Continuously tracking risks and the effectiveness of mitigation strategies.
6. Communication Tool: Facilitating discussions and awareness about risks among stakeholders.
7. Decision Making: Assisting in informed decision-making by providing risk-related insights.
8. Compliance and Reporting: Ensuring compliance with regulatory requirements and supporting internal or external reporting.
9. Historical Reference: Serving as a reference for future projects to learn from past risk events.

Criteria:

Must Include:

‭© 2002 - 2024 OCEG. All Rights Reserved (feedback to‬‭[email protected]‬‭)‬ ‭143‬

Licensed for noncommercial personal use by Osama Alsuraybi ([email protected]) on 3/22/2025, 1:03:29 PM
‭GRC Assessment Framework Version 3.5.1-EN revision 2024-10-31‬

‭●‬ ‭Risk Description: A clear and concise description of each risk.‬


‭●‬ ‭Risk Category: Classification of risk (e.g., operational, financial, strategic).‬
‭●‬ ‭Likelihood and Impact Assessment: Quantitative or qualitative evaluation of each risk.‬
‭●‬ ‭Risk Owner: Individual or team responsible for managing the risk.‬
‭●‬ ‭Mitigation Strategies: Specific actions or plans to manage or mitigate the risk.‬
‭●‬ ‭Status Updates: Regular updates on the risk's status and changes over time.‬

‭May Include:‬

‭●‬ ‭Risk Trigger Events: Specific events or conditions that might trigger the risk.‬
‭●‬ ‭Risk Tolerance Levels: Organizational thresholds for acceptable levels of risk.‬
‭●‬ ‭Historical Data: Past incidents or events related to the risk.‬
‭●‬ ‭Contingency Plans: Backup plans in case primary mitigation strategies fail.‬
‭●‬ ‭Financial Implications: Estimated cost or financial impact of the risk.‬
‭●‬ ‭Stakeholder Impact: Analysis of how stakeholders are affected by the risk.‬
‭●‬ ‭Review Dates: Scheduled dates for reviewing and reassessing the risk.‬

‭© 2002 - 2024 OCEG. All Rights Reserved (feedback to‬‭[email protected]‬‭)‬ ‭144‬

Licensed for noncommercial personal use by Osama Alsuraybi ([email protected]) on 3/22/2025, 1:03:29 PM
‭GRC Assessment Framework Version 3.5.1-EN revision 2024-10-31‬

Risk Inventory

Description:

A Risk Inventory is a comprehensive catalog or database that identifies, assesses, and categorizes the various risks an organization might face. It is a vital tool for risk management, serving as a central repository for risk-related data.

Main Uses:

1. Risk Assessment: Helps in evaluating the likelihood and impact of different risks.
2. Decision Making: Assists in making informed decisions by understanding potential risks.
3. Compliance Monitoring: Ensures adherence to legal and regulatory requirements regarding risk management.
4. Strategic Planning: Aids in developing strategies that account for potential risks.
5. Resource Allocation: Guides the effective allocation of resources to mitigate identified risks.
6. Crisis Management: Prepares the organization for potential crises by preemptively identifying risks.
7. Performance Monitoring: Tracks risk management efforts and their effectiveness over time.

Criteria:

Must Include:

● Risk Identification: Clear listing of all potential risks.
● Risk Categorization: Classification of risks into categories (e.g., operational, financial, strategic).
● Risk Assessment: Evaluation of the likelihood and impact of each risk.
● Risk Ownership: Identification of individuals or departments responsible for managing each risk.
● Mitigation Strategies: Specific strategies or actions to manage or mitigate the risks.
● Monitoring Mechanisms: Methods for tracking and reviewing risks over time.

May Include:

● Historical Data: Past incidents and how they were managed.
● External Risk Factors: Consideration of external environmental factors.
● Risk Appetite Statement: Organization's tolerance level for various risks.
● Change Logs: Documentation of any changes in risk status or management strategies.
● Stakeholder Feedback: Input from employees, customers, and other stakeholders on perceived risks.
● Compliance Requirements: Relevant legal and regulatory compliance requirements related to risks.

Risk Management Plan

Description:

A Risk Management Plan is a strategic document that outlines how risk management activities will be conducted within an organization. It identifies potential risks, assesses their impact and likelihood, and proposes mitigation strategies to manage these risks effectively.

Main Uses:

1. Identifying Potential Risks: Helps in foreseeing potential risks in projects or operations.
2. Risk Assessment: Assesses the likelihood and impact of identified risks.
3. Risk Mitigation Strategies: Provides strategies to minimize or manage the impact of risks.
4. Resource Allocation: Assists in allocating resources effectively for risk management.
5. Decision Making: Supports informed decision-making by providing insights into potential risks.
6. Compliance and Reporting: Ensures compliance with legal and regulatory requirements and aids in reporting risk management activities to stakeholders.

Criteria:

Must Include:

● List of Potential Risks: Detailed identification of possible risks to the organization.
● Risk Assessment: Evaluation of the likelihood and potential impact of each risk.
● Mitigation Strategies: Specific actions or strategies to address each identified risk.
● Roles and Responsibilities: Clear definition of who is responsible for managing each risk.
● Monitoring and Review Process: A process for regularly reviewing and updating the risk management plan.
● Communication Plan: Methods for communicating about risks and their management to relevant stakeholders.

May Include:

● Risk Scoring or Ranking: A system for prioritizing risks based on their severity or likelihood.
● Historical Data Analysis: Analysis of past incidents to inform current risk assessment.
● Training Requirements: Identification of training needs for staff on risk management practices.
● Contingency Plans: Plans for dealing with risks that materialize.
● Budget Implications: Financial considerations related to managing risks.
● Audit and Compliance Checks: Procedures for regular audits and ensuring compliance with the risk management plan.

Risk Management Policy

Description:

A Risk Management Policy is a formal document that outlines an organization's approach to managing risks. It serves as a guide for identifying, assessing, and mitigating potential risks that could affect the organization's operations, finances, reputation, and overall objectives.

Main Uses:

1. Guiding Risk Assessment: Helps in identifying potential risks and assessing their impact and likelihood.
2. Risk Mitigation Planning: Provides a framework for developing strategies to mitigate identified risks.
3. Decision-Making Support: Assists management in making informed decisions by understanding potential risks.
4. Compliance Assurance: Ensures that the organization complies with relevant laws, regulations, and standards.
5. Training and Awareness: Serves as a reference for training employees on risk management practices.
6. Business Continuity Planning: Aids in developing strategies for maintaining business operations under adverse conditions.
7. Stakeholder Reassurance: Provides confidence to stakeholders regarding the organization's risk management capabilities.

Criteria:

Must Include:

● Risk Identification Process: Clear methods for identifying potential risks.
● Risk Assessment Procedures: Guidelines on how to assess the severity and likelihood of identified risks.
● Risk Mitigation Strategies: Specific strategies and actions for managing and reducing risks.
● Roles and Responsibilities: Clear definition of roles and responsibilities in the risk management process.
● Monitoring and Review Mechanisms: Processes for ongoing monitoring and periodic review of risks.
● Reporting Structure: Guidelines for reporting and communicating risk-related information within the organization.

May Include:

● Case Studies or Examples: Real-life examples or hypothetical scenarios to illustrate risk management principles.
● Technology Utilization: Information on how technology can be used in risk management.
● External Resource Links: References to external standards, guidelines, or resources related to risk management.
● Change Management Procedures: Guidelines on how to manage risks arising from organizational changes.
● Stakeholder Communication Plans: Strategies for communicating risk-related information to stakeholders.
● Legal and Regulatory References: Information on relevant legal and regulatory requirements affecting risk management.

Risk Matrix

Description:

A Risk Matrix is a visual tool used in risk management to assess the level of risks by considering the severity of their potential impact and the likelihood of their occurrence. It typically takes the form of a grid with likelihood on one axis and impact on the other.

Main Uses:

1. Identifying and prioritizing risks in projects or operations.
2. Facilitating decision-making in risk mitigation and management.
3. Enhancing communication about risks within the organization.
4. Assisting in the development of risk response strategies.
5. Tracking and monitoring changes in risk over time.

Criteria:

Must Include:

● A grid or table format with clearly defined axes for impact and likelihood.
● Defined levels of risk impact (e.g., low, medium, high).
● Defined levels of risk likelihood (e.g., rare, possible, likely).
● A method for assigning values or ratings to risks.
● Clear guidelines for interpreting the matrix.

May Include:

● Specific risk examples relevant to the organization or project.
● Color coding or other visual means to differentiate risk levels.
● Thresholds for action or escalation.
● Historical data for comparison.
● Links to risk management policies or procedures.
● Annotations or notes on specific risks or categories.
● Integration with other risk assessment tools or software.
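
As an added example (not OCEG's or the framework's own code), the following Python scores a constructed Risk Event Register against a three-by-three Risk Matrix built from the example impact levels (low, medium, high) and likelihood levels (rare, possible, likely) given above, checks each entry for the register's "Must Include" fields, and ranks entries for escalation. The numeric scores, escalation thresholds, field key names and sample entries are assumptions, not part of the framework.

```python
"""Risk Event Register entries scored on a 3x3 Risk Matrix (added example, not OCEG's code).
Scales use the framework's example levels; scores, thresholds, field names and data are constructed."""

# Likelihood and impact levels (framework examples) mapped to constructed ordinal scores.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
# Constructed escalation thresholds on the product score (1..9), highest floor first.
THRESHOLDS = ((6, "critical"), (4, "high"), (2, "medium"), (0, "low"))
# The 'Must Include' fields of a Risk Event Register entry (assumed key names).
REQUIRED_FIELDS = ("description", "category", "likelihood", "impact",
                   "owner", "mitigation", "status")

def validate_entry(entry: dict) -> list[str]:
    """Return every criteria violation for one raw register entry (empty list means valid)."""
    problems = [f"missing required field: {name}"
                for name in REQUIRED_FIELDS if not entry.get(name)]
    if entry.get("likelihood") not in LIKELIHOOD:
        problems.append(f"likelihood not on the matrix scale: {entry.get('likelihood')!r}")
    if entry.get("impact") not in IMPACT:
        problems.append(f"impact not on the matrix scale: {entry.get('impact')!r}")
    return problems

def risk_score(likelihood: str, impact: str) -> int:
    """Matrix cell value: likelihood score times impact score."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_rating(likelihood: str, impact: str) -> str:
    """Map a cell value to a rating using the escalation thresholds."""
    score = risk_score(likelihood, impact)
    return next(level for floor, level in THRESHOLDS if score >= floor)

def matrix_grid() -> dict[str, dict[str, str]]:
    """The full matrix: rows are likelihood levels, columns are impact levels."""
    return {lk: {im: risk_rating(lk, im) for im in IMPACT} for lk in LIKELIHOOD}

def prioritize(register: list[dict]) -> tuple[list[dict], dict[str, list[str]]]:
    """Rank valid entries by score (highest first); report invalid ones separately."""
    ranked, rejected = [], {}
    for entry in register:
        problems = validate_entry(entry)
        if problems:
            rejected[entry.get("description") or "<no description>"] = problems
            continue
        ranked.append({**entry,
                       "score": risk_score(entry["likelihood"], entry["impact"]),
                       "rating": risk_rating(entry["likelihood"], entry["impact"])})
    ranked.sort(key=lambda e: (-e["score"], e["description"]))
    return ranked, rejected

# Constructed sample register; none of these entries come from the framework.
SAMPLE_REGISTER = [
    {"description": "Shared admin credentials on production servers",
     "category": "operational", "likelihood": "likely", "impact": "high",
     "owner": "IAM lead", "mitigation": "Per-user accounts with MFA; vault-issued secrets",
     "status": "open"},
    {"description": "Key vendor's SOC 2 report has lapsed",
     "category": "compliance", "likelihood": "possible", "impact": "medium",
     "owner": "Vendor risk manager", "mitigation": "Request updated report; interim review",
     "status": "open"},
    {"description": "Data centre power outage",
     "category": "operational", "likelihood": "rare", "impact": "high",
     "owner": "Facilities", "mitigation": "UPS and generator test schedule",
     "status": "monitoring"},
    # Invalid entry: no owner, and a likelihood that is not on the matrix scale.
    {"description": "Untriaged phishing report backlog",
     "category": "operational", "likelihood": "sometimes", "impact": "medium",
     "owner": "", "mitigation": "Assign triage rota", "status": "open"},
]

if __name__ == "__main__":
    for likelihood, row in matrix_grid().items():
        print(f"{likelihood:>9}: " + "  ".join(f"{im}={rt}" for im, rt in row.items()))
    ranked, rejected = prioritize(SAMPLE_REGISTER)
    for e in ranked:
        print(f"[{e['rating']:>8} {e['score']}] {e['description']} -> {e['owner']}")
    for desc, problems in rejected.items():
        print(f"REJECTED {desc}: {'; '.join(problems)}")
```

Rejected entries are reported rather than silently scored, so a register that fails the "Must Include" criteria shows up in the assessment output instead of quietly ranking low.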

Risk Responses

Description:

Risk Responses refer to the specific actions or strategies employed by an organization to manage identified risks. These responses are based on the nature and impact of the risk and are typically classified into five categories: Accept, Share, Avoid, Transfer, and Control. Each category represents a distinct approach to handling risks.

Main Uses:

1. Strategic Decision Making: Guiding the organization in making informed choices about risk management.
2. Risk Mitigation Planning: Developing plans to reduce the potential impact of risks.
3. Resource Allocation: Directing resources effectively to address significant risks.
4. Compliance Management: Ensuring adherence to regulatory and legal requirements.
5. Performance Monitoring: Tracking the effectiveness of risk response strategies.
6. Stakeholder Communication: Informing stakeholders about how risks are being managed.
7. Project Management: Integrating risk responses into project plans and activities.

Criteria:

Must Include:

● Type of Risk Response: Clearly indicating whether it is Accept, Share, Avoid, Transfer, or Control.
● Description of the Risk: Providing a detailed description of the risk being addressed.
● Rationale for the Response: Explaining why a particular response was chosen.
● Implementation Plan: Outlining steps for implementing the response.
● Responsible Parties: Identifying who is accountable for executing the response.
● Expected Outcomes: Describing the anticipated results of the response.

May Include:

● Cost-Benefit Analysis: Evaluating the financial implications of the risk response.
● Timeline for Implementation: Providing a schedule for the response activities.
● Risk Metrics: Metrics or indicators used to measure the risk.
● Alternative Responses: Discussing other potential responses that were considered.
● Historical Data: Including past experiences or data relevant to the risk or response.
● Stakeholder Feedback: Incorporating input from stakeholders affected by the risk.

Stakeholder Analysis

Description:

Stakeholder Analysis is a systematic process used to identify, assess, and categorize individuals or groups that have an interest in or influence on a project or business initiative. This analysis helps organizations understand stakeholder attitudes, power dynamics, and potential impacts on project success.

Main Uses:

1. Identifying key stakeholders who can impact or are impacted by a project.
2. Assessing stakeholders' interests, influence, and expectations.
3. Developing communication strategies tailored to different stakeholder groups.
4. Anticipating and managing potential conflicts or risks.
5. Facilitating stakeholder engagement and buy-in for project decisions.
6. Informing project planning and decision-making processes.
7. Evaluating stakeholder satisfaction and feedback post-project.

Criteria:

Must Include:

● Identification of stakeholders (e.g., employees, customers, suppliers, investors).
● Assessment of stakeholders' power, influence, and interest levels.
● Classification of stakeholders (e.g., supporters, neutral, opponents).
● Analysis of stakeholders' expectations and concerns.
● Strategies for stakeholder engagement and communication.
● Evaluation of potential risks and impacts associated with stakeholders.

May Include:

● Historical data on stakeholders' past interactions and behaviors.
● Cultural, social, or political factors influencing stakeholders.
● Predictive analysis of stakeholder reactions to potential decisions.
● Stakeholder feedback mechanisms and channels.
● Periodic reviews and updates to reflect changes in the stakeholder landscape.
● Documentation of stakeholder contributions and impacts on the project.

Strategic Risk Assessment

Description:

A Strategic Risk Assessment is an analytical process used by organizations to identify, evaluate, and prioritize risks that could impact their long-term objectives and strategies. This tool assesses various external and internal factors that could pose threats or opportunities for the organization.

Main Uses:

1. Identifying Potential Risks: Recognizing external and internal threats that might affect the organization's strategy.
2. Risk Prioritization: Determining which risks are most likely to impact organizational goals and require immediate attention.
3. Resource Allocation: Guiding the distribution of resources to mitigate high-priority risks.
4. Decision Making: Informing leadership about potential risks to make more informed strategic decisions.
5. Compliance and Regulation: Ensuring the organization remains compliant with relevant laws and industry regulations.
6. Scenario Planning: Developing scenarios to understand the possible impact of different risk events.
7. Performance Monitoring: Evaluating the effectiveness of strategies implemented to manage or mitigate risks.

Criteria:

Must Include:

● Comprehensive Risk Identification: A detailed list of potential strategic risks.
● Risk Evaluation: Assessment of the likelihood and potential impact of each identified risk.
● Risk Prioritization: Ranking of risks based on their significance and urgency.
● Mitigation Strategies: Proposed actions or plans to address or reduce the risks.
● Monitoring Mechanisms: Systems for regularly reviewing and updating the risk assessment.
● Stakeholder Involvement: Inclusion of key stakeholders in the risk assessment process.

May Include:

● Historical Data Analysis: Utilization of past data and trends to anticipate future risks.
● External Expert Opinions: Insights from industry experts or consultants.
● Benchmarking Data: Comparison with industry standards or competitors' risk profiles.
● Quantitative Models: Use of statistical and financial models for risk analysis.
● Risk Appetite Statement: Definition of the level of risk the organization is willing to accept.
● Technology Integration: Use of software or tools for risk analysis and reporting.

SWOT Analysis

Description:

A SWOT Analysis is a strategic planning tool used to identify and assess the Strengths, Weaknesses, Opportunities, and Threats involved in a business venture or project. It involves an internal examination of strengths and weaknesses in an organization, as well as external factors presenting opportunities or threats.

Main Uses:

1. Strategic Planning: Assists in forming strategies by considering internal and external factors.
2. Decision Making: Helps in making informed decisions by analyzing various aspects of a business.
3. Competitor Analysis: Provides insights into competitors' strengths and weaknesses.
4. Problem-Solving: Identifies areas of improvement and potential challenges.
5. Resource Allocation: Assists in efficiently allocating resources by identifying key areas that need focus.
6. Market Analysis: Aids in understanding market trends and potential areas for expansion.
7. Performance Analysis: Evaluates organizational or project performance against internal and external factors.

Criteria:

Must Include:

● Strengths: Clear identification of internal strengths of the organization or project.
● Weaknesses: Honest assessment of internal weaknesses or areas of improvement.
● Opportunities: Analysis of external opportunities available in the market or environment.
● Threats: Identification of external threats or challenges that could impact the business.
● Summary: A concise summary of the findings and their implications.
● Actionable Strategies: Recommendations or strategies based on the SWOT analysis.

May Include:

● Comparative Analysis: Comparison with competitors or industry benchmarks.
● Stakeholder Feedback: Insights from employees, customers, or other stakeholders.
● Historical Data Analysis: Examination of past performance or trends.
● Scenario Planning: Possible future scenarios based on current SWOT analysis.
● Risk Assessment: Evaluation of potential risks associated with identified weaknesses or threats.
● Priority Setting: Prioritization of issues or opportunities based on their potential impact.

Part III - GRC Glossary

The GRC Glossary provides comprehensive and unified definitions for terms that span governance, strategy, performance, risk, compliance, security, continuity, audit & assurance.

For the most recent and authoritative version, please refer to https://oceg.org/glossary/

Appendix A - Acknowledgements

Special thanks to all the individuals who have contributed to the development of the GRCA over the years.

First Edition Authors:

David Crawford
Justina Crawford

OCEG Team:

Scott Mitchell
Carole Stern Switzer
Adrian Resag
Kelly Ray

OCEG Community Contributors:

Parveen Gupta
Barbara Kipp
Bob Jacobson
Brian Brown
Brin Odell
Carlo DiFlorio
Chris Ideker
Christopher Dooley
Colleen O'Donnell
David Childers
David Heller
Dominique Vincenti
Edwin Hightower
Eric Hespenheide
Erin Mackler
Gabriel Romero
Glenn Carleton
Guarav Kapoor
Holly Roland
Jack Seward
Jay Brietz
Jay Martin
Joanna David
Joe Motz
John Carlson
John Fraedrich
Jonathan Bellis
Karen Gring
Kathryn Holt
Ken Vanderwal
Kristen Gantt
Kristi Kevern
Leanne Bradley
Michael Munro
Michael Rose
Nick Ciancio
Norman Comstock
Patricia Towers
Paul Happe
Paul Liebman
Paul Sobel
Raymie Daroga
Rich Seleznov
Sara Liftman
Scott Leatherman
Scott Roney
Trent Gazzaway
Tom McCormick
Worth MacMurray