GRC Standards

The best way to jumpstart your program

Access GRC Standards

Benefit of Standards

GRC standards recognize that the governance, management and assurance of performance, risk and compliance require common capabilities and methods.

By using these standards your organization will:

  • Build confidence that your programs are sound and reliable
  • Meet regulation requirements, at a lower cost
  • Reduce costs across all aspects of your organization
  • Achieve Principled Performance

By using these standards you, as a professional will:

  • Understand and apply leading practices from disciplines outside of your core profession
  • Work with your peers in other departments to solve complex problems
  • Become a valued advisor to the business (instead of a necessary burden)
  • Gain career mobility and increase your compensation
  • Achieve Principled Performance (as an individual)

GRC Standards define the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity

Rigorous Process

The OCEG community "invented" GRC in 2003 and has spent over a decade perfecting the approach. With the help of a panel of 100+ experts, OCEG studied 250+ organizations to document best practices in the GRC Capability Model (commonly called the OCEG Red Book)

The GRC Capability Model was originally published in 2005 and has gone through several revisions. Each revision is led by Co-Chairs of a Steering Committee comprised of leading professionals from governance, risk management, audit, compliance, ethics/culture and IT.

Together, these professionals work to improve the standard practices that comprise an integrated GRC Capability.

GRC Capability Model (OCEG Red Book)

The GRC Capability Model is the core standard that provides:

  • Unified vocabulary across disciplines
  • Defined common components and elements
  • Defined common information requirements
  • Standardized practices for things like policies and training
  • Identified communication for everyone involved; including strategic decision-makers.
Access GRC Capability Model Spanish Arabic

Policy Management Capability Model

Quickly learn, master, and apply the principles and practices you need to support your organization. Stop guessing about how to build a Policy Management Program. Follow a proven blueprint for success.

Access Policy Management Pro

Assessment Toolkits

GRC Assessment Tools (OCEG Burgundy Book)

The GRC Assessment Tools provides everything you need to assess or audit GRC Capabilities including:

  • Helps organizations evaluate the design and operating effectiveness of their GRC capabilities
  • Reduces the cost of such evaluations by eliminating the time and expense of creating procedures
  • Provides standard methods for external judgment and recognition of sound practices
  • Offers a review process that enables creation of prioritized improvement plans
  • Raises the level of maturity and quality of GRC capabilities in all organizations
Access GRC Assessment Tools

GRC Helps People Like You

Use the acronym GRACE-IT to remember all of the roles that must work together to achieve Principled Performance

Learn how multiple roles work together
G Governance
& Strategy R Risk
Management A Internal
Audit C Compliance
Management E Ethics
& Culture IT IT &
Security