OCEG GRC Burgundy Book 3 Final

OCEG BURGUNDY BOOK
guidance for people who govern, audit and

manage performance, risk and compliance
Version 3.0
Thank You
The continuing work of OCEG is made possible by the support of its global membership of more
than 50,000 individuals in thousands of organizations of all types and sizes. We especially
appreciate the extra involvement and support we received from the following organizations that
sponsored and funded our many projects and provided thought leadership over the past year,
and that currently participate on our GRC Solutions Council or Executive Council. Please join us
in thanking these leading organizations and their representatives:
Star Supporters
Additional Executive and Solutions Council Members
© 2004-2016
Table Of Contents
Table Of Contents ................................................................................................................... i
Acknowledgements .............................................................................................................. iii
Licensing .............................................................................................................................. iii
Forward – About the Burgundy Book ..................................................................................... 1
Anatomy of the GRC Capability Model ................................................................................... 7

Components ..................................................................................................................................7
Elements ........................................................................................................................................8
Practices ........................................................................................................................................9
Actions and Controls ......................................................................................................................9
Suggested Documentation..............................................................................................................9
Assessment Procedures ....................................................................................................... 10

L – LEARN .....................................................................................................................................10
A – ALIGN.....................................................................................................................................20
P – PERFORM ...............................................................................................................................31
R – REVIEW ..................................................................................................................................57
APPENDIX 1 – MAPPING IT SOLUTIONS TO RED BOOK.......................................................... 65
APPENDIX 2 – RED BOOK SUGGESTED DOCUMENTATION .................................................... 66

DOC.A – Authorizations ................................................................................................................66
DOC.D – Descriptions ...................................................................................................................66
DOC.I – Internal Standards ...........................................................................................................67
DOC.M – Matrices ........................................................................................................................67
DOC.P – Plans...............................................................................................................................68
DOC.R – Reports ...........................................................................................................................70
DOC.S – Statements of Position ....................................................................................................71
APPENDIX 3 - SAMPLING AND TESTING ................................................................................ 72
APPENDIX 4 - CRITERIA FOR REVIEW PROCEDURES .............................................................. 73
APPENDIX 5 - CRITERIA USAGE SUMMARY ......................................................................... 138

© 2004-2016 i
APPENDIX 6 - DOCUMENT COVER SHEET ............................................................................ 140
APPENDIX 7 - “RED BOOK” SUGGESTED DOCUMENTATION USAGE SUMMARY ................... 141
APPENDIX 8 - GLOSSARY .................................................................................................... 143
APPENDIX 9 - SUMMARY OF REVIEW PROCEDURES REQUIRED FOR DESIGN REVIEW .......... 144
APPENDIX 10 –TYPES OF REVIEW ....................................................................................... 145
APPENDIX 11 - AUP ENGAGEMENT REPORT CONTENT........................................................ 147
APPENDIX 12 - COMPANION MATERIALS ........................................................................... 148
APPENDIX 13 - CONTRIBUTORS TO BURGUNDY BOOK 1.0 – 3.0 DEVELOPMENT................. 149
LEGAL NOTICE ................................................................................................................... 151
© 2004-2016 ii
Acknowledgements
For this version 3.0, substantial revisions were required to reflect the changes to Red Book 3.0
and we are thankful to the volunteer team from Tata Consultancy Services for undertaking this
substantial effort.
Emily Suppe is a Risk and Compliance Engagement Leader in Tata's Global Consulting Group.
She's a Certified Internal Auditor, SOX Auditor, and former CFO. For the past twelve years,
Emily has done GRC consulting and sales; working with large ERP and custom software
solutions.
Kelly D. Ray, J.D. is an OCEG Fellow, and GRC Solution Strategist at TCS. Formerly Director
of Core Knowledge for OCEG, Kelly chairs the GRC UTBMS Code Set Development Team
promulgated by the LEDES Oversight Committee and brings her more than 20 years of
experience to several GRC standards initiatives, including the OCEG GRX-XML Committee.
Version 1.0 was authored by David Crawford, CPA, CIA, Audit Manager Emeritus at the
University of Texas System and edited by Justina Crawford and we thank them for the work that
they did to develop the structure of the GRC Capability Tools.
Conforming edits to versions 2.0 and 2.1 were made by OCEG executives, Carole Switzer and
Scott Mitchell, to ensure alignment with updates to the Red Book.
Appendix 13 identifies other contributors to this and earlier versions.
Licensing
The GRC Assessment Tools and procedures set out within this document are available for
download by any individual holding an active OCEG All Access Pass, and are licensed for their
use only within organizations where they are employed. For commercial use in consulting,
technology systems, educational programs or otherwise
please contact info@oceg.org
OCEG, Principled Performance, GRC Capability Model, and GRC Assessment Tools are all
trademarks of OCEG.
© 2004-2016 iii
Forward – About the Burgundy Book
The purpose of the GRC Assessment Tools (Burgundy Book) is to provide GRC
professionals, as well as those responsible for providing assurance, with a common set
of assessment procedures and a common understanding of what can be expected
during an assessment of a GRC Capability. These procedures align to the OCEG GRC
Capability Model™ (“Red Book”) and can be used for self- assessment as well as
independent assessment.
OCEG’S goals in creating the Burgundy Book are to:
• Help organizations evaluate the design and operating effectiveness of their GRC
Capability
• Reduce the cost of such evaluations by eliminating the time and expense of
creating procedures
• Raise the overall level of maturity and quality of organizational GRC
globally by helping individual organizations create their prioritized
improvement plans
• Provide external judgment and recognition of sound practices
Scope and Scale

The Burgundy Book is designed to support scalable assessments. In addition to use for
a full GRC Capability review, it can be applied to a review of individual risk or
requirement specific programs (i.e., anti-fraud program, privacy program, etc.), discrete
business units, sub-capabilities (i.e., hotline, risk management, values management,
training, etc.) and at an enterprise level. A critical first step before undertaking a review
is to clearly define the scope of the capability that is to be reviewed. When reviewing a
capability that is less than enterprise-wide or when the enterprise is not a corporation,
references to the board should be interpreted as references to the appropriate governing
authority, given the scope. Additionally, when a risk-specific program is under review,
the reviewer may rely on additional materials in OCEG publications to clarify the scope
and serve as additional guidance in conducting the review.
OCEG recognizes that much of the documentation, methodology and processes being
assessed herein may in fact be workflows, business rules, IT automated controls, and
reports generated and managed in technology solutions. The procedures herein are
NOT intended to be a substitute for agreed upon procedures to assess the design and
operation per design of the enabling GRC architecture or specific systems identified in
© 2004-2016 Page 1
the OCEG GRC Solutions Guide or any assessment of IT controls either general or
specific.
Use of the Procedures within an Organization

OCEG recognizes that these procedures might be performed by either GRC Capability
management or by internal audit as part of an effort to provide assurance to the
organization’s executive management, the Board or the GRC Capability’s oversight
authority. These self-assessments provide the opportunity for continuous improvement
of the GRC Capability and a positive indication that a third-party review would find no
deficiencies.
Third-Party Reviewers
External auditors may also use these procedures to provide such assurance (subject to
having arranged a commercial use license).The assessment process is designed as an
agreed upon procedures (AUP) program. OCEG specifically chose this approach so that
any individual who is duly licensed as a certified public accountant, or certified chartered
accountant, or the international equivalent thereof and who is in good standing with
his/her licensing authority may perform these procedures according to the professional
standards to which he/she is subject and issue a findings report that can be judged by an
intended recipient based upon their own criteria. (In the United States, engagements
using these procedures would be performed pursuant to AT-101 and AT-201.)
The procedures are written in such a way that any individual trained in and subject to the
professional standards applicable to agreed upon procedures engagements can perform
the procedures without separate licensure or qualification by OCEG. However, OCEG
makes additional training and personal certification available regarding the subject area
of GRC so that evaluators may meet professional standards that would require this
subject matter expertise.
OCEG encourages broad use of these procedures. Accordingly, a third-party may use
them as agreed upon procedures for reviewing an entity (subject to obtaining a
commercial use license from OCEG), recognizing that the report can only be relied upon
by the contracted/intended recipients. There is no restriction on either reviewers or third-
parties in saying that they rely upon Burgundy Book procedures when conducting
© 2004-2016 Page 2
reviews or when reviewing their clients or third-parties generally (i.e., ABC Bank uses the
OCEG Burgundy Book as part of its lending due diligence when evaluating prospective
clients), subject to license requirements.
Document Conventions
Each AUP is described by the following sections:
Objectives
This section describes what an Element will achieve when it is designed and operating
effectively.
Requested Information
This section describes documents and narrative to be provided by management to the

evaluator based on scope of the review and before the evaluator commences the
procedures.
• Documents Requested includes the list of “Red Book” Suggested
Documentation referred to in the actual procedures. It is understood that what
is being provided in response to these requests are copies and not original
documentation, so procedures do not reflect terms like “a copy of”.
• Management Narrative includes specific requests for written narrative to be

provided by management to explain information that may or may not be
documented or may require greater understanding of how what is documented
works in operation. The absence of documentation goes to an organization’s
maturity rather than its capability. Thus, for every Element, there is an
opportunity for Management Narrative. The narrative is not meant to duplicate
what could be produced as documents, but is merely meant as a substitute or
augmentation when part of the documentation does not exist, the production of
the documents would disclose privileged information, or provided documents
need to be augmented with an overarching, supplemental explanation. This
affords the evaluated organization an opportunity to describe how a particular
Element is implemented despite the lack of documentation or clarity in how
documentation works together. To the extent that management narrative is
obtained through an interview process, it is incumbent upon the interviewer(s) to
document the management narrative(s) for use in Review Procedures that call
for comparison against the substance of the management narrative. And, in the
event of multiple interviews, that all relevant interview-based management
narratives be provided to the assessor(s) performing the Review Procedures
relevant to the full scope of the interview topics.
• Other Information is specific supplemental information needed by the evaluator

to perform a Review Procedure.
© 2004-2016 Page 3
• System with Potentially Relevant Information identifies the classes of GRC
Solutions from the GRC Solutions Guide that are expected to contain further
information relevant to assessing the Element under review.
• Review Procedures are activities to be undertaken by the Evaluator in

preparing the report based upon inspection of the provided information, or other
testing.
Preliminary Procedures
OCEG’s philosophy behind creating the Capability Assessment Tools is to avoid
unfettered, costly, fishing expeditions which outstrip the value achieved from undertaking
the evaluation. Instead, OCEG has crafted the Burgundy Book based on the following
principles:
1) High-performing GRC capabilities understand their business context, particularly
the mandates to which they are subject in the jurisdictions in which they operate.
2) High-performing GRC capabilities make risk-aware resource allocation decisions,
allocating more resources to the management of key risks than other risks.
3) What GRC capabilities do for their highest priority risks is most indicative of their
capability.
4) Results obtained through appropriate sampling are a sufficient indicator of overall
performance.
Reporting Standards for all “Review Procedures” Performed

Report all missing criteria in design procedures (the Review Procedures identified in
Appendix 9) with management’s explanation and comments. Report all attribute failures
in operational testing procedures (all remaining Review Procedures not listed in
Appendix 9) with management’s explanation and comments. Report the source for and
title of additional information utilized in performing a “Review Procedure” if it is other than
the Suggested Documentation or Other Requested Information.
Pre-Requisite Procedures
Many of the procedures across the Capability Assessment Program presume that during
scoping, the following five pre-requisite procedures have been performed:
1) Obtain a list of jurisdictions in which the entity, or portion thereof, under
evaluation operates (Operating Geographies).
2) Obtain the Prioritized Risk Matrix and based upon the definition of relative priority
for each risk, determine that management has identified a set of risks as highest
in priority (Key Risks).
3) Obtain the Segregation of Duties Matrix to identify individuals currently
assigned to Key GRC Roles (Key GRC Personnel).
© 2004-2016 Page 4
4) Obtain the related Role/Job Descriptions for all key roles: (include a copy with
final report)
i. Oversight
ii. Champions / leaders
iii. Management roles
iv. Execution roles
1. Methodology development and maintenance
2. Risk and requirements identification, analysis, and optimization
3. Implementation & program /project management
4. Compliance / detection
5. Investigation and resolution
6. Performance measurement
7. Communications
8. Information management
9. Technology
10. Assurance
5) After selecting the Elements to be assessed, utilize a summary listing of all the
Red Book Suggested Documentation obtained in a Requested Information item
and review the Suggested Documentation against the Content Criteria in
Appendix 4, noting any gaps or deficiencies.
6) Use the sampling parameters provided in Appendix 3 unless otherwise specified.
Streamlining Procedures
1) Assure that the entire assessment team has reviewed three key items from
Suggested Documentation, the GRC Strategic Plan, the Prioritized Risk Matrix
(including the Risk/Control Matrix), and the Integrated Plan in detail, as they
are the foundation of the GRC capability and are found throughout the Elements.
2) Utilization of documents and information maintained by support units of the
organization which may be outside of the normal GRC capability structure, such
as Human Resources and Accounting, is required to complete some of the
“Review Procedures” in this book.
Appendices
• Appendix 1 has a matrix of the GRC Solutions defined in the OCEG GRC
Solutions Guide v 2.1 identified as holding potentially relevant information for the
indicated Capability Model Element.
• Appendix 2 has Red Book Suggested Deliverables definitions.
• Appendix 3 has Sampling and Testing Parameters. These guidelines are to be
used for all sample selections unless otherwise noted in the specific “Review
Procedures”.
• Appendix 4 has Criteria for “Review Procedures” involving the design of the
GRC capability. These criteria are taken directly from the applicable sections of
the Red Book, so there is no need for the evaluator to search the Red Book in
order to perform a design procedure.
• Appendix 5 has a Criteria Usage Summary to document the various parts of the
Review Procedures that utilize each of the Criteria in Appendix 2.
© 2004-2016 Page 5
• Appendix 6 has the Document Cover Sheet that must accompany each set of
data provided to an evaluator in response to a Requested Information item.
• Appendix 7 has a “Red Book” Suggested Documentation Usage Summary to
document the sections of the Burgundy Book that request a copy of specific
GRC capability deliverables.
• Appendix 8 has a glossary of terms specific to this document.
• Appendix 9 has “Review Procedures” Required for Design Reviews.
• Appendix 10 has descriptions of the GRC Capability review options and the
agreed upon procedures that must be completed for each option.
• Appendix 11 has Agreed Upon Procedures Engagement Report Document
Conventions
• Appendix 12 has a list of companion materials
• Appendix 13 has a list of past contributors to Burgundy Book development
© 2004-2016 Page 6
Anatomy of the GRC Capability Model
An organization that strives to achieve Principled Performance will have a number of
integrated capabilities. The GRC Capability Model discusses and outlines these
capabilities. Here are definitions and an overview of several key terms in the GRC
Capability Model.
Components
Components outline an iterative continuous improvement process to achieve Principled
Performance. While there is an implied sequence, Components operate concurrently.
L – LEARN — Examine and analyze context, culture, and stakeholders to learn what the
organization needs to know to establish and support objectives and strategies.
A – ALIGN — Align performance, risk and compliance objectives, strategies, decision-
making criteria, actions and controls with the context, culture and stakeholder
requirements.
P – PERFORM — Address threats, opportunities, and requirements by encouraging
desired conduct and events, and prevent what is undesired, through the application of
proactive, detective, and responsive actions and controls.
R – REVIEW — Conduct activities to monitor and improve design and operating
effectiveness of all actions and controls, including their continued alignment to objectives
and strategies.
Figure 1 – GRC Capability Model Component View
© 2004-2016 Page 7
Elements
Each Element expands on the Component it sits within, to describe key aspects of high-
performing integrated capabilities. Each Element includes a discussion of key
management actions and controls and addresses design and implementation
considerations. Elements define the core aspects of effective capabilities and can serve
as the starting point for assessing the current state of your organization’s approach.
Elements can be applied at many levels in the organization to address enterprise
objectives, departmental capabilities, or actions and controls within specific areas of
concerns. Each Element is further supported by detailed Practices set out in Appendix
A of the GRC Capability Model®, which may be customized and scaled for use by any
organization on an entity-wide, unit or project level.
Figure 2 – GRC Capability Model Element View
© 2004-2016 Page 8
Practices
Practices set out in Appendix A of the GRC Capability Model® (Red Book) describe key
observable actions within each Element that, taken together, are hallmarks of effective
capabilities. While one organization may follow a 5-step process and another
organization may follow a 20-step process to accomplish the same thing, the identified
practices should be present in both. Often, external mandates are not specific regarding
business practices; rather, they articulate only general requirements that an organization
must address. The Practices help an organization address those requirements as well
as organizational mandates in a defined, repeatable, and documented fashion.
Actions and Controls

Throughout the GRC Capability Model® there are numerous references to “actions and
controls.” An organization should consider the three perspectives that it must addressed
when setting goals and objectives, establishing strategies for achieving them,
implementing actions and controls to ensure management of performance, risk and
compliance, and providing assurance. There are three general types of actions and
controls, and it is essential that organizations utilize an appropriate mix of these.
➢ Proactive Actions & Controls proactively incentivize desirable and prevent
undesirable conditions or events.
➢ Detective Actions & Controls detect the actual or potential occurrence of
desirable and undesirable conditions and events.
➢ Responsive Actions & Controls provide recognition for desirable conduct and
correct undesirable conditions or events.
Suggested Documentation
Earlier versions of the GRC Capability Model® included defined “Deliverables” which
were organized in categories of documents that would be created and maintained by the
integrated capabilities. Recognizing that with the increased use of GRC technologies,
the information contained in these deliverables may now be maintained in databases
that enable various reports and views, version 3.0 of the GRC Capability Model® instead
sets out “Suggested Documentation,” incorporated in full as Appendix 2. The items
listed and defined are to be considered examples of ways that documentation may be
organized for various uses, including assessment of the capabilities.
© 2004-2016 Page 9
OCEG Burgundy Book
Assessment Procedures
L – LEARN
Examine and analyze context, culture, and stakeholders to learn what the
organization needs to know to establish and support objectives and
strategies.
L1 External Context
Understand the external business context in which the organization operates.
● Analyze the External Context – Analyze influencing factors in the external
context including:
○ Industry forces
○ Market
○ Technology
○ Societal
○ Regulatory and legal
○ Geopolitical
○ Environmental
○ Third-party relationships
○ External opportunities and threats (as part of SWOT)
● Analyze External Stakeholder and Influencer Needs – Identify key external
stakeholders, and influencers of opinion, and analyze and prioritize their needs
and requirements.
● Watch the External Context – Continually look for changes in the external
context that may have a direct, indirect, or cumulative effect on objectives or
strategies.
Objectives
1. Capability utilizes an understanding of the external factors to determine the best

methods of governing and integrating the capability and organizing the people,
processes, technology, and initiatives to be effective.
2. Capability implements methods, procedures, accountability, and resources to monitor
the external forces and key risk indicators that affect organizational risks and
requirements.
© 2004-2016 Page 10
3. Capability considers the degree of inherent risk in determining the level of investment
spent on monitoring and attempting to influence the external context.
4. Capability meets legal mandates that apply and is nimble enough to address regional
and situational differences in those requirements.
5. Capability designs its monitoring processes and enabling technology to permit
sufficient time to plan and implement changes.
1. Red Book Suggested Documentation

1.1. Prioritized Risk Matrix (including the Risk/Control Matrix)
1.2. Segregation of Duties Matrix
1.3. Findings and Recommendations Report on the GRC Capability of the metrics
for the most recently completed fiscal year and current year-to-date [Metric
Report]
2. Management Narrative
2.1. Describe the capability’s approach to understanding and discerning opportunities
to shape the external context, including influencing requirements derived from
the following forces:
• Industry (competitors, supply chain, labor markets, etc.)
• Market (customer demographics, economic conditions, etc.)
• Technology (technological shifts and breakthroughs, etc.)
• Society (community needs, media trends, etc.)
• Regulatory environment
• Geopolitical environment (current enforcement posture, etc.)
2.2. Describe the ways in which the capability personnel stay in the loop about
changes to the external context (including supply chain, operating location
geographies and partnerships), has taken external factors into consideration
and adapted; based on an understanding of external forces, including
stakeholder and influencer needs.
2.3. Describe the frequency of planned or scheduled analysis of external forces and
the key events and triggers that prompt reassessment of the external context.
2.4. In the absence of a procedure resulting in an exception report being generated
when a gap in resources monitoring the external context is identified, describe
the process for identifying monitoring resource gaps, the frequency with which
coverage analysis is performed, and the average duration of identified gaps in
coverage.
3. Other Information
3.1. Obtain a list of all identified external sources of risks and requirements and the
job/role (including current occupant) that is responsible for monitoring each.
3.2. Obtain any exception reports from the prior fiscal year and the current year-to-
date identifying gaps in the jobs/roles with occupants monitoring external
sources of risk and requirements.
4. GRC Technology Solutions with Pertinent information

4.1. See Appendix Chart.
© 2004-2016 Page 11
Review Procedures
RP 1. Select a sample of Key Risks from the Prioritized Risk Matrix (including the
Risk/Control Matrix) obtained in Requested Information Item 1.1 and trace to the
list of identified risks or requirements obtained in Requested Information Item 3.1
to confirm that there is a GRC job/role (with a current occupant) obtained in
Requested Information Item 3.1 assigned to monitor the external sources of that
risk or requirement.
RP 2. Select a judgmental sample of five Key Risks and confirm that monitoring reports
for proposed and final changes are prepared and sent to Key GRC Personnel
from the Segregation of Duties Matrix obtained in Requested Item 1.2
responsible for maintaining the Prioritized Risk Matrix (including the Risk/Control
Matrix), noting the date of the distribution compared to the deadlines for
influencing proposed changes and the dates for compliance for requirements.
RP 3. Review the Findings and Recommendation [Metrics] Report obtained in
Requested Information Item 1.3:
3.1. To identify the percentage of external sources currently being monitored;
and
3.2. To identify the average period between notification and the deadline for
either influencing proposed changes or complying with changed
requirements.
RP 4. Review the Exception Reports obtained in Requested Information Item 3.3 and
confirm they were generated in conformity to the process described in Requested
Information Item 2.2.
© 2004-2016 Page 12
L2 Internal Context
Understand the internal business context in which the organization operates.
● Analyze the Internal Context – Analyze influencing factors in the internal
context including:
○ Internal strengths and weaknesses (as part of SWOT)
○ Existing strategic plan
○ Existing operating plan
○ Existing organizational structures
○ Existing incentives (appropriate or perverse) for performance
○ Existing key processes and resources (people, financial, process and
technology)
○ Existing information and gaps or conflicts in information
● Watch the Internal Context – Continually look for changes in the internal
context that may have a direct, indirect or cumulative effect on objectives or
strategies.
Objectives
1. Capability utilizes an understanding of the internal factors to determine the best

methods of governing, integrating the capability and organizing the people,
processes, technology, and initiatives to be effective.
2. Capability uses effectiveness, efficiency, and responsiveness performance indicators
in addition to or in lieu of project management indicators to understand internal
strengths, weaknesses and opportunities for change.
3. Capability feeds information about performance into appropriate processes (i.e., risk
identification, risk analysis, risk treatment option selection, systemic improvement,
etc.) and incentive programs.
4. Capability monitoring level of effort and sophistication of resources is congruent with
the level of risk.
5. Capability designs its processes and technology to permit sufficient time to plan and
implement changes to the internal context.
1.1. Integrated Plan
1.2. Prioritized Risk Matrix (including Risk/Controls matrix)
1.3. Control Taxonomy
2.1. Describe the capability’s approach to understanding the internal context and
changes thereto, including the following attributes:
2.1.1. Goals, business objectives, and values
2.1.2. Organizational structure
2.1.3. Key human capital assets
2.1.4. Technology assets
2.1.5. Information assets
© 2004-2016 Page 13
2.1.6. Physical assets
2.1.7. Business processes
2.1.8. Products and services
2.2. Describe the ways in which the capability has adapted to take into consideration
effective measures based on changes to relevant internal factors.
2.3. Describe the frequency of planned or scheduled analysis and the key events
and triggers that prompt reassessment of the internal context.
3.1. Communication and Reporting Plan for Change or Transformation function.
3.2. Key GRC Personnel prepared in Pre-Requisite Procedure 3.

Review Procedures
RP 1. Inspect the Communication and Reporting Plan for the Change or Transformation
function (i.e., Enterprise Program Office or Technology Enterprise Project
Management Office) obtained in Requested Information Item 3.1 and confirm that
Key GRC Personnel obtained in Requested Information Item 3.2 are included as
recipients of information about changes to the organization.
RP 2. Select a sampling of internal changes or transformations identified in the
Communication and Reporting Plan for the Change or Transformation function
obtained in Requested Information Item 3.1 and trace those changes through to
the Integrated Plan obtained in Requested Information Item 1.1.
RP 3. Select a sampling of items from the Integrated Plan obtained in Requested
Information Item 1.1, and confirm that completed control modifications or
additions are reflected in the most recent Prioritized Risk / Controls Matrix
obtained in Requested Item 1.2 and the Controls Taxonomy obtained in
Requested Item 1.3.
© 2004-2016 Page 14
L3 Culture
Understand the existing culture, including how leadership models culture, the
organizational climate, and individual mindsets about the governance, assurance,
and management of performance, risk, and compliance.
● Analyze Governance Culture – Analyze the existing approach to governing the
organization, including the degree to which the governing authority is engaged,
and whether leadership sets an appropriate "tone at the top" and models
behavior in both words and deeds; the way that policies are used to create
management boundaries and how limits are set.
● Analyze Management Culture – Analyze the existing approach to managing
and enabling the workforce including compensation structures and other
incentives.
● Analyze Risk Culture – Analyze the existing climate and individual mindsets
about how the workforce perceives risk, its impact on their work and the
organization as a whole, and how effectively risk management is integrated with
the decision-making and running of the business.
● Analyze Ethical Culture – Analyze the existing climate (observable, formal
elements in the organization) and individual mindsets about the degree to which
management and the workforce believe the organization expects and supports
responsible behavior and integrity.
● Analyze Workforce Engagement – Analyze the existing workforce culture
including employee satisfaction, loyalty, turnover rates, skill development, and
engagement.
● Watch the Culture – Continually look for changes in culture that may have a
direct, indirect, or cumulative effect on objectives or strategies.
Objectives
1. Capability utilizes an understanding of the organizational culture and sub-cultures to
determine the best methods of governing and integrating the capability and
organizing the people, processes, and technology for operating with integrity across
various geographic or functional locations.
2. Capability recognizes changes, identifies triggers, and develops response plans.
3. Capability implements methods, procedures, accountability, and resources to monitor
the internal and external forces and key risk indicators that affect organizational
culture and sub-culture.
4. Capability considers the degree of inherent risk in determining the level of investment
spent on monitoring and responding to cultural change.
© 2004-2016 Page 15
1.1. GRC Strategic Plan (include a copy with final report)
1.2. Most recent Board assessment report, including Board self-assessment results
1.4. Findings and Recommendations Report
2.1. Describe the ways in which the capability has been adapted to take into
consideration what would be effective given the existing cultural factors; and, how
the capability plans to change aspects of the culture, if needed, over what period
of time and how such change is to be monitored/measured.
2.2. Describe the process for monitoring cultural indicators, including what indicators
are monitored, frequency of monitoring, and action triggers.
3.1. Obtain a list of all identified internal and external sources of cultural change and
the jobs/roles (including current occupant) responsible for monitoring each.
3.2. Obtain the survey questions for the survey identified in the list of workforce and
stakeholder surveys during the past three (3) years (a list of which is obtained
under P7 – Inquiry, Requested Information 3.1)
3.3. Obtain the Findings and Recommendation reports from the workforce and
stakeholder surveys during the past three (3) years (a list of which is obtained
under P7 – Inquiry, Requested Information 3.1).

Review Procedures
RP 1. Inspect the Management Narrative obtained in Requested Information Items 2.1
and 2.2 and confirm that process includes the identification, analysis, and
tracking of cultural indicators. Report the absence of any of these attributes.
RP 2. Inspect the most recent Board assessment results obtained in Requested
Information Item 1.1 to confirm that it covers:
2.1. Knowledge level of Board is adequate to perform their role
2.2. Comfort in raising issues
2.3. Comfort in challenging management
2.4. Whether suggestions get thoughtful consideration
2.5. Involvement in strategy setting/vetting
2.6. Impact of Board on the business
2.7. Level of engagement
2.8. Effectiveness
© 2004-2016 Page 16
RP 3. Select a sample of Key Risks from the Prioritized Risk Matrix (including the
Risk/Control Matrix) obtained in Requested Information Item 1.1 and trace to the
list of identified cultural indicators obtained in Requested Information Item 3.1
confirm that there is a GRC job/role (with a current occupant) obtained in
Requested Information Item 3.1 assigned to monitor the internal and external
sources of cultural norms and change.
RP 4. Inspect the Survey instruments obtained in Requested Information 3.2, and
confirm that questions designed to elicit cultural indicators are included in surveys
targeted to a sampling of the workforce, the Board, and key third-party
stakeholders on at least an annual basis.
RP 5. Review the Findings and Recommendations Reports obtained in Requested
Information 3.2 for the surveys with qualifying questions identified in Review
Procedure 4, and confirm that in the Recommendations were considered for
inclusion in the Integrated Plan according to the Continuous GRC System
Improvement Methodology.
© 2004-2016 Page 17
L4 Stakeholders
Interact with stakeholders to understand expectations, requirements, and
perspectives that impact the organization.
● Understand Stakeholders – Research and analyze the organizations and key
individuals involved within various stakeholder constituencies to understand their
concerns and how best to relate to them.
● Analyze External Stakeholder and Influencer Needs – Identify key external
stakeholders, and influencers of opinion, and analyze and prioritize their needs
and requirements.
● Develop Stakeholder Relations Plans – Develop stakeholder relation plans for
each key stakeholder constituency.
Objectives
1. Capability provides insight and feedback to authorities, stakeholders and key
influencers who shape the requirements, risks and cultural norms that affect the
organization.
2. Capability considers seeking to modify requirements and expectations as a risk
treatment option.
1.2. Communication and Reporting Plan
2.1. Describe the approach to monitoring key authorities, stakeholders, and
influencers including how changes to requirements, rewards, cultural norms, the
risk environment and conformance are recognized and communicated for
purposes of risk analysis (same as Requested Information Item 2.3 in Element
A3 -Identification)
2.2. Describe the process for developing and maintaining the Communication and
Reporting Plan including how contact with stakeholders is controlled to ensure all
communications and reports are included.

© 2004-2016 Page 18
Review Procedures
RP 1. Select a sample of Key Risks that are the result of external mandates from the
Prioritized Risk Matrix obtained in Requested Information Item 1.1 and confirm
that the organization has an assigned monitor as specified in the list obtained in
Segregation of Duties Matrix obtained in Requested Information Item 3.1.
RP 2. Inquire of the employees assigned to monitor the key risks selected in the
previous procedure how they communicate information concerning their assigned
source of risks to the risk analysis process and confirm that it complies with the
process described in the Management Narrative obtained in Requested
RP 3. Inspect the Communication and Reporting Plan and confirm that it complies with
the process described in the Management Narrative obtained in Requested
Information item 2.2.
© 2004-2016 Page 19
A – ALIGN
Align performance, risk, and compliance objectives, strategies, decision-
making criteria, actions, and controls with the context, culture, and
stakeholder requirements.
A1 Direction
Provide direction by establishing clear mission, vision and values statements,
high-level objectives, as well as guidance about how decisions will be made.
● Define Mission, Vision, and Values – Create a formal statement of what the
organization will do, what it seeks to be, and the core values the organization
holds and applies to its decisions, with commitment from the governing authority
and management.
● Analyze Opportunities, Threats and Requirements – Perform a high-level
analysis of identified context opportunities, threats, and requirements for use in
defining high-level objectives and strategies.
● Define High-Level Goals – Define high-level goals and related indicators that
management can use in setting detailed objectives and strategies.
● Define Management Boundaries – Develop instructions that limit and guide
management as it sets detailed objectives and strategies.
● Define Decision-Making Criteria – Define criteria for selecting objectives and
strategies, guidance on priorities, risk/reward trade-off (e.g., risk appetite,
tolerance, thresholds, and capacity) and compliance.
Objectives
1. Capability is intentionally designed as a single program or collection of integrated

programs depending on which approach best serves meeting the goals of its charter
and the organization, given its culture, context, and objectives.
2. Capability aligns its outcomes to organizational objectives and values and, as
appropriate, to scope and in proximity to strategic planning activities, guides the
setting of organizational objectives and values.
3. Capability is championed by the Board and/or executive management which is
committed to GRC (“Tone at the Top”).
1.1. Organizational Mission, Vision, and Values Statements (include a copy with final
report)
1.2. GRC Strategic Plan (include a copy with final report) including:
1.2.1. GRC Business Case
1.2.2. GRC Capability Charter (include a copy with final report)
© 2004-2016 Page 20
1.3. Internal Authorization
2.1. Describe the process of mapping the capability mission, and values to
organizational mission, vision, and values.
2.2. In the absence of a GRC Strategic Plan, describe all aspects of the plan as
reflected in Appendix 4.
2.3. No narrative substitutes for having an explicit GRC Capability Charter.
2.4. Describe the overall approach to the GRC capability (enforcing/directive or
encouraging/collaborative).
2.5. Describe ways in which the capability is championed / endorsed by the board or
oversight authority and management.
3.1. Obtain the map of GRC capability mission, vision, and values, to organizational
mission, vision, and values.
4. GRC Technology Solutions with Pertinent Information

Review Procedures
RP 1. Confirm that the map obtained in Requested Information Item 3.1 of GRC
capability mission, vision, and values (Requested Information Item 1.2) to
organizational mission, vision, and values (Requested Information Items 1.1) was
prepared as described in Requested Information Item 2.1.
RP 2. Inspect Requested Information Item 1.3 to determine that the Board (or duly
delegated representative) has properly authorized the GRC Business Case for
the establishment of the GRC Capability obtained in Requested Information Item
1.2.1.
RP 3. Inspect Requested Information Item 1.4 to determine that the Board (or duly
delegated representative) has properly authorized the GRC Strategic Plan and
GRC Capability Charter obtained in Requested Information Items 1.2 and 1.2.2.
RP 4. Report the absence of a formal charter and/or formal approval of the charter by
the governing authority.
© 2004-2016 Page 21
A2 Objectives
Define a balanced set of measurable objectives that are consistent with decision-
making criteria and appropriate for the established frame of reference.
● Apply Decision-Making Criteria – Objectives should be consistent with the
decision-making criteria set for acceptable levels of residual risk, performance,
and compliance in light of the stated mission, vision, and values and the frame of
reference.
● Develop Additional Decision-Making Criteria – In some instances, additional
decision-making criteria will be required to guide action in achieving objectives.
● Consider Cumulative or Competing Effect of Objectives – Evaluate
objectives holistically at the organization level to consider impact on other
objectives; and determine if some objectives take priority over others when
decision-making criteria would otherwise demand reconsideration.
● Document Objectives – Clearly state and document objectives so they can be
viewed and used by all relevant parties including internal managers responsible
for attainment of objectives and internal/external stakeholders.
Objectives
1. Capability aligns its outcomes to organizational objectives and values and, as
appropriate to scope and proximity to strategic planning activities, guides the setting
of organizational objectives and values.
1.1. Statement of Organizational Objectives (include a copy with final report)
1.2. GRC Strategic Plan, including GRC metrics
2.1. Describe the process of mapping the capability objectives to organizational
objectives.
2.2. Describe the contribution of the GRC metrics to the measures tracking progress
on organizational objectives.
2.3. Describe the method by which the GRC capability incorporates the prioritization
of objectives into capability design, risk prioritization, and prioritization of
initiatives in the Integrated Plan.
3.1. Obtain the map of GRC capability objectives to organizational objectives.
3.2. Obtain the key metrics used by the organization to measure progress toward
organizational objectives.

© 2004-2016 Page 22
Review Procedures
RP 1. Confirm that the map obtained in Requested Information Item 3.1 of GRC
capability objectives (Requested Information Item 1.1) to organizational
objectives (Requested Information Items 1.2) was prepared as described in
Requested Information Item 2.1.
RP 2. Confirm that the GRC Metrics obtained in Requested Information item 1.2, bear
the relationship to the organizational metrics obtained in Requested Information
Item 3.2 described in the narrative obtained in Requested Information Item 2.2.
RP 3. Inspect the Management Narrative obtained in Requested Information Item 2.3,
and confirm that objective relationships and prioritization is factored into design,
risk prioritization, and prioritization of initiatives in accordance with:
3.1. The GRC Design and Performance Assessment Methodology
3.2. Risk Requirements & Opportunities Identification & Assessment
Methodology
3.3. Prioritization of initiatives in the Integrated Plan
© 2004-2016 Page 23
A3 Identification
Identify forces that may cause desirable (opportunity) or undesirable (threat)
effects on the achievement of objectives, as well as those that may compel the
organization to conduct itself in a particular way (requirement).
● Review Capability – Identify and evaluate the existing capability (people,
process, and technology) and how it affects ability to achieve objectives.
● Identify Forces – Identify external and internal forces, events, and conditions
that may produce a requirement or cause a desirable or undesirable effect on
objectives, taking into consideration the possible need to revise objectives or
strategic direction.
● Identify Opportunities, Threats and Requirements – Identify opportunities,
threats and both mandatory and voluntary requirements that affect ability to
achieve objectives.
● Identify Interrelatedness & Trends – Identify how opportunities, threats, and
requirements relate to one another and have been trending internally and
externally.
Objectives
1. Capability uses a well-reasoned approach to periodically and continuously identify
new and changing opportunities, threats and requirements.
2. Capability uses an inclusive set of internal and external resources to identify a
comprehensive universe of opportunities, threats and requirements.

1.1. Risk and Controls Matrix (included as part of Prioritized Risk Matrix) for the prior
and current fiscal years
2.1. Describe the methodology(ies) / process(es) used to identify applicable laws,
rules, regulations, and standards to which the firm has represented compliance or
by industry practices must adhere to maintain presence in the market
(requirements).
2.2. Describe the methodology(ies) / process(es) used to identify other sources of
risks (threats) which create potential obstacles to business success
2.3. Describe the methodology(ies) / process(es) used to identify potential desirable
effects (opportunities) on the achievement of business objectives.
2.4. Describe the approach to monitoring key authorities, stakeholders, and
influencers including how changes to requirements, rewards, cultural norms, the
risk environment and conformance are recognized and communicated for
purposes of risk identification and analysis (same as Requested Information Item
2.1 in Element L4 – Stakeholders).
© 2004-2016 Page 24
2.5. Describe the methodologies / process(es) used to manage changes to the Risk /
Control Matrix based upon changes to the sources of opportunities, threats and
requirements.
2.6. Describe the process for assigning responsibility to an individual or department
for monitoring each identified risk, reward and requirements.
2.7. In the absence of a Third-Party Risk Management Framework, describe the
process for promulgating the methodologies and processes described in
Requested Information Items 2.1 through 2.6 through the extended enterprise.
3.1. Obtain a copy of the Third-Party Risk Management Plan
3.2. Obtain a copy of the Third Party Risk Management Framework documentation

Review Procedures
RP 1. Confirm that the organization’s approach to opportunity, risk (threat), and
requirement identification obtained in Requested Information Items 2.1, 2.2, and
2.3 covers the criteria in the Identification section of the Risk, Requirements &
Opportunities Identification & Assessment Methodology in Appendix 4.
RP 2. Confirm that the organization’s approach to managing change identification
obtained in Requested Information Items 2.4 and 2.5 covers the criteria in the
Identification section of the Risk, Requirements & Opportunities Identification &
Assessment Methodology in Appendix 4.
RP 3. Inspect the Risk and Controls Matrix obtained in Requested Information Item 1.1
and confirm that changes to Risk and Controls Matrix were made between the
version for the prior fiscal year and the current fiscal year in accordance with the
methods and processes described in Management Narrative obtained in
Requested Information Item 2.4
RP 4. Confirm that the organization’s approach to managing third party risk
identification as reflected in the Third-Party Risk Management Plan and Third-
Party Risk Management Framework documentation obtained in Requested
Information Item 3.1 and 3.2 conform to the requirements in the Risk,
Requirements & Opportunities Identification & Assessment Methodology as well
as the Third Party Risk Management Framework in Appendix 4.
© 2004-2016 Page 25
A4 Assessment
Analyze current and planned approach to address opportunities, threats and
requirements using decision-making criteria with quantitative and qualitative
methods.
● Analyze Risk/Reward – Measure and evaluate the effect of opportunities and
threats without actions or controls (inherent) and after application of actions and
controls (residual).
● Analyze Compliance – Measure and evaluate level of compliance to
requirements currently and after actions and controls.
● Prioritize Management of Threats, Opportunities and Requirements –
Prioritize and categorize the effects of opportunities, threats, and requirements to
determine approach and resource allocation.
Objectives
1. Capability understands inherent risks and intensity of compliance so that current and
future resource allocation is rationalized based on the underlying risk level.
2. Those responsible for analyzing risks, rewards and conformance are using
consistent methodologies for similar items so comparison and aggregation can be
made.
3. Capability allocates resources to bring unacceptable risks, rewards and conformance
into line with tolerances and frees up resources that currently reduce specific ones
below established tolerances.
2.1. Describe the process for analyzing risks, rewards, and conformance, creating
applicable profiles, and assigning optimization strategies to each threat,
opportunity and requirement.
2.2. In the event the Capability has not defined a common set of definitions as
described in the Risk, Requirements & Opportunities Identification & Assessment
Methodology, describe the process used to reconcile differences to understand
risks and controls at an enterprise level.
2.3. If multiple assessment methodologies are used, describe the process used to
consolidate/translate and compare the analytical information produced.
2.4. Describe the process for assigning priorities to each risk, reward, and
requirement identified.
2.5. In the absence of a Third-Party Risk Management Framework, describe the
process for promulgating the methodologies and processes described in
Requested Information Items 2.1 through 2.4 through the extended enterprise.
© 2004-2016 Page 26
3.1. Obtain a copy of the Third-Party Risk Management Plan
3.2. Obtain a copy of the Third-Party Risk Management Framework documentation

Review Procedures
RP 1. Confirm that the organization’s approach to assessment obtained in Requested
Information Items 2.1 thru 2.4 covers the content specified in the Assessment
section of the Risk, Requirements & Opportunities Identification & Assessment
Methodology in Appendix 2.
RP 2. Select a sample of items in the Prioritized Risk Matrix (including the Risk/Control
Matrix) and confirm, through interviews with key personnel involved and
inspection of documentation, that the applicable processes identified in
Management Narrative obtained in Requested Information Items 2.1 through 2.4
were followed.
RP 3. If multiple risk assessment methodologies are used, confirm that the
consolidation process obtained in Requested Information Item 2.3 is being
performed.
RP 4. From the Integrated Plan obtained in Requested Information Item 1.2, select a
sample of initiatives and confirm for each that a method has been established to
determine whether planned residual risk is achieved or reward measure is
achieved after implementation, and the controls in the optimization initiative have
been implemented, and the Prioritized Risk Matrix (including the Risk/Control
Matrix) obtained in Requested Information Item 1.1 reflects the implemented
controls and monitoring activities have been designed and implemented to
ensure controls are operating on an ongoing basis.
RP 5. Confirm that the organization’s approach to managing third party risk assessment
as reflected in the Third-Party Risk Management Plan and Third-Party Risk
Management Framework documentation obtained in Requested Information Item
3.1 and 3.2 conform to the requirements in the Risk, Requirements &
Opportunities Identification & Assessment Methodology as well as the Third Party
Risk Management Framework in Appendix 4.
© 2004-2016 Page 27
A5 Design
Develop strategic and tactical plans to achieve the objectives, while addressing
uncertainty and acting with integrity, consistent with decision-making criteria.
• Explore Options to Address Requirements – When current level of
compliance is unacceptable, or when existing actions and controls are not
optimal, explore additional actions and controls to address requirements.
• Explore Options to Address Risk/Reward – When the current residual risk
and/or performance is unacceptable, or when current approach can be improved,
explore alternative actions and controls to address risk/reward.
• Design Transfer and Risk Financing Strategies – Design a portfolio of transfer
and risk financing instruments and approaches consistent with the organization’s
risk decision-making criteria (risk appetite, tolerance, thresholds, and capacity).
• Determine Planned Residual Risk/Reward and Compliance – Evaluate the
anticipated level of residual risk/reward and compliance, after planned actions
and controls are operating effectively, to vet alternatives and select optimal
solution.
• Address Inherently High Risk – Identify current and planned actions and
controls that specifically address inherently high risk that, should the actions and
controls cease to perform effectively, would expose the organization to
unacceptable levels of risk.
• Develop Key Indicators – Develop key indicators that inform management
about the effectiveness of actions and controls including level of reward, risk, and
compliance.
• Develop the Information Management Structure – Manage information to be
secure, relevant, reliable, and available when needed.
• Establish Technology Architecture – Evaluate and integrate use of
technologies to support GRC capabilities.
• Develop Integrated Plan – Develop a plan and acquire resources to govern,
assure and manage changes to approaches to addressing reward, risk and
compliance.
• Enable Execution – Ensure required support and resources, including change
management, are furnished to achieve established objectives and follow direction
of the plans.
Objectives
1. Capability approach draws real distinctions among priorities of action plans related to
opportunities, threats and requirements based on risks, rewards and conformance
analytics so that resources are appropriately allocated.
2. Capability approach for selecting risk treatment options does not reflect a single
treatment bias.
3. Capability has a means of knowing whether initiatives are implemented in
accordance with plans and whether projected residual risk targets are realized,
adapting appropriately if not.
© 2004-2016 Page 28
4. Risk is managed by appropriate means pending successful implementation of
initiatives.
5. Capability leverages existing resources and integrates with existing processes when
possible.
6. Capability coordinates with IT in understanding requirements and opportunities for
automation, as well as available capabilities and opportunities to leverage existing
technologies.
7. Capability collaborates with IT in synchronizing GRC Technology Plan and GRC
Information Management Plan with Organizational Technology Plan and Information
Management Plan.
1.2. GRC Information Management Plan
1.3. GRC Strategic Plan, including following:
1.3.1. GRC Business Case
1.3.2. GRC Assessment Plan
1.3.3. GRC Technology Plan
1.3.4. Third-Party Risk Management Plan
2.1. Describe the process utilized to design the GRC capability and its measurement,
including development of the GRC Business Case, GRC Strategic Plan, and
GRC Assessment Plan.
2.2. Describe the process for designing, implementing, and maintaining the Third-
Party Risk Management Plan.
2.3. Describe the process utilized to design the GRC Information Management Plan.
2.4. Describe the process utilized to design the GRC Technology Plan.
2.5. Describe the process utilized to integrate GRC technology solutions with the
organizational technology plan including the degree of information sharing and
collaboration in the Capability planning and technology implementation
processes.
3.1. Obtain a copy of the organization’s master Information Management Plan.
3.2. Obtain a list of GRC capability reports and communications for the immediate
preceding fiscal year.
3.3. Obtain a copy of the organization’s technology plan.

© 2004-2016 Page 29
Review Procedures
RP 1. Inspect the Management Narrative obtained in Requested Information Item 2.1
and confirm that it includes all the criteria in the GRC Design and Performance
Assessment Methodology in Appendix 4.
RP 2. Inspect the GRC Strategic Plan, GRC Assessment Plan, and GRC Business
Case and confirm that they are developed in accordance with the Management
Narrative obtained in Requested Information Item 2.1 and the GRC Design and
Performance Assessment Methodology in Appendix 4.
and confirm that it conforms to the requirements of the Third-Party Risk
Management Development, Implementation, and Management Framework.
and confirm that the GRC Information Management Plan obtained in Requested
Information Item 1.2 was developed in accordance with the Information
Management Plan Development & Maintenance Methodology in Appendix 4.
and confirm that the GRC Technology Plan obtained in Requested Information
Item 1.3.3 conforms to the requirements of the GRC Technology Plan
Development Methodology in Appendix 4.
RP 6. Calculate the percentage of Key Risks in the Prioritized Risk Matrix, obtained in
Requested Information Item 1.1, that utilize a single risk optimization tactic.
Report the result.
RP 7. For the sample selected in Review Procedure 4, confirm that the designed
monitoring activities are being performed.
RP 8. Inspect the organization’s master Information Management Plan obtained in
Requested Information Item 3.1 and confirm that it includes:
8.1. A process for handling of information subject to litigation hold, internal
investigations, confidentiality, and “privileged” (e.g., client attorney
privileges, work product)
8.2. Policies and procedures for creating departmental plans
8.3. A process for communicating with and educating stakeholders on policies
and procedures
8.4. A process for measuring compliance with policies and procedures
RP 9. Inspect the GRC Information Management Plan obtained in Requested
Information Item 1.1 and confirm that it complies with the requirements in the
organization’s master Information Management Plan obtained in Requested
Information Item 3.1 relating to departmental information management plans.
RP 10. Trace each initiative in the GRC Technology Plan obtained in Requested
Information Item 1.6 to the organization’s technology plan obtained in Requested
Information Item 3.1, and, if not included, inquire of management the rationale for
exclusion.
RP 11. Select a sample of initiatives in the GRC Technology Plan obtained in Requested
Information Item 1.6 and confirm that currently available organization technology
was considered in developing each initiative.
© 2004-2016 Page 30
P – PERFORM
Address threats, opportunities, and requirements by encouraging desired
conduct and events, and preventing what is undesired, through the
application of proactive, detective, and responsive actions and controls.
P1 Controls
Establish a mix of management, process, human capital, technology, information,
and physical actions and controls that serve governance, management, and
assurance needs.
● Establish Proactive Actions and Controls – Encourage desirable conditions
events, and conduct, and prevent those that are undesirable.
● Establish Detective Actions and Controls – Determine progress toward
objectives and identify the actual or potential occurrence of desirable and
undesirable conduct, conditions, and events.
● Establish Responsive Actions and Controls – Recover from undesirable
conduct, events, and conditions; correct identified weaknesses; execute
necessary discipline; recognize and reinforce desirable conduct and deter future
undesired conduct or conditions.
Proactive Actions and Controls
Objectives
1. Unless mandated, capability actively considers layering a variety of proactive,

detective, responsive, and corrective risk treatment options without unnecessary
overlap to minimize the opportunity for a single point of failure.
2. Capability implements and consistently applies an appropriate mix of proactive,
detective, responsive and corrective actions and controls consistently across multiple
instances, and comparable types, of populations, technological and physical
environments, and third-party relationships when variation is not mandated by
jurisdictional differences and adapts the mix and nature of actions and controls when
they are.
3. Capability recognizes when differing mandates have created conflicting or
inconsistent actions and controls.
4. Capability tests proposed actions and controls to identify potential weaknesses,
opportunities for manipulation or circumvention and areas for improvement before
accepting them into the control ecosystem.
5. Capability routinely and consistently tests implemented actions and controls to
confirm that in design and practice the actions and controls maintain desired
behavior and compliance through the extended enterprise.
6. Capability establishes segregation of duties to remove incentives and opportunity for
self-dealing and avoidance of established controls.
© 2004-2016 Page 31

1.2. GRC Technology Data Model Description
2.1. Describe the process defining and modifying proactive, detective, and responsive
actions and controls both for the core and the extended enterprise.
2.2. In the absence of documented Background Check Methodology as requested
under Item 3b, describe the Background Check Methodology as it applies to
hiring and promotion of GRC personnel.
2.3. Describe the key actions and controls implemented as part of your ongoing third-
party extended enterprise oversight program (e.g., vendor and/or partners
oversight), including organizational and individual due diligence during the entire
relationship life cycle and any variances depending on physical presence or
technological access.
3.2. Background Check Methodology for GRC Personnel
3.3. Listing of contractors or supplier/vendor personnel who
have access to the organization’s technology environment

Review Procedures
RP 1. Judgmentally select one proactive control related to each of the sample key risks
identified in Pre-Requisite Procedure 2, and confirm that the control was issued
and modified (if applicable) in accordance with the process described in
Requested Information Item 2.1.
RP 2. From the sample of proactive controls selected in Review Procedure 1,
judgmentally select a subset and confirm that for each selected proactive control:
2.1. There is documented evidence of a defined testing approach and
monitoring activities to ensure the control is operating effectively, on an on-
going basis, within defined tolerances
2.2. There is documented evidence of the testing and monitoring activities being
performed, on an on-going basis, and that action was taken on the results
of such activities, if appropriate.
RP 3. Select a sample of individuals from the Segregation of Duties Matrix obtained in
Requested Information Item 3.1 and
3.1. Inquire of each what they identify as activities they are not permitted to
perform based on segregation of duty specifications and document the
responses
3.2. Compare the responses to the individual’s information in the Segregation of
Duties Matrix obtained in Requested Information 3.1
© 2004-2016 Page 32
RP 4. Inspect the Background Check Methodology for GRC Personnel obtained in
Requested Information Item 3.2 or the Management Narrative obtained in
Requested Information Item 2.2 and confirm that it includes all the criteria
specified in Background Check Methodology in Appendix 4.
and confirm that it conforms to the requirements in the Third-Party Risk
Management Framework in Appendix 4.
RP 6. Select a sample of the list of contractors or supplier/vendor personnel obtained in
Requested Information Item 3.4 and confirm that due diligence was performed as
described in Requested Information Item 2.3.
RP 7. Select a sample of the Key Risks from the Prioritized Risk Matrix (including the
Risk/Control Matrix) obtained in Requested Information Item 1.2 that do not utilize
technology controls and interview risk owner and other identified stakeholders
who participated in risk optimization strategizing for the specific risk to confirm
that technology controls were considered as a risk optimization strategy and why
they were not utilized (such as, non-automated application, cost/benefit non
acceptable, etc). Report only Key Risks in which technology controls are not
used and were not considered for use.
RP 8. Select a sample of the Key Risk from the Prioritized Risk Matrix (including the
Risk/Control Matrix) obtained in Requested Information Item 1.2 that do not utilize
physical controls and interview risk owner and other identified stakeholders who
participated in risk optimization strategizing for the specific risk to confirm that
physical controls were considered as a risk optimization strategy and why they
were not utilized (such as, not applicable, cost-benefit not acceptable, etc.)
Report only Key Risks in which physical controls are not used and were not
considered for use.
Detective Actions and Controls
Objectives
7. Capability establishes, performs, and creates mechanisms to monitor detective
actions and controls for priority risks, opportunities and requirements.
8. Capability considers the appropriate level of detail/abstraction in reports for various
levels in the authority hierarchy to minimize the cost of finding information and
increase the ability to respond and escalate efficiently.
9. Capability feeds the collected information into other GRC Elements (i.e., analysis and
aggregation, risk assessment, investigation or systemic improvement).
1.6. Findings & Recommendations Reports
© 2004-2016 Page 33
2.4. Describe the process utilized to determine appropriate detective controls,
including
2.4.1. Authority to determine application of detective controls (human capital,
process, physical, and technology)
2.4.2. Criteria for determining the utilization, intensity, and frequency of a
detective control
2.4.3. Criteria for determining which detective controls will be monitored for
proper application
2.4.4.Criteria for aggregation and reporting of information gathered by detective
controls
3.4. Policies and procedures for establishing and maintaining controls inclusive of
detective controls.
Review Procedures
RP 9. Inspect the policies and procedures obtained in Requested Information Item 3.4
and confirm that the process described in them conforms to the Management
Narrative obtained in Requested Information Item 2.4.
RP 10. Select a sample of Key Risks in the Prioritized Risk Matrix (including the
Risk/Control Matrix) obtained in Requested Information Item 1.4 that utilize
detective controls and confirm that the process described in Requested
Information Item 2.4 was followed, especially in defining:
10.1. Intensity of the control and frequency of its application
10.2. Monitoring of application of the control
10.3. Aggregation and reporting of information generated by the control
RP 11. Select from the Prioritized Risk Matrix (including the Risk/Control Matrix) obtained
in Requested Information Item 1.4 all Key Risks that do not utilize detective
controls as defined in the Control Taxonomy in Appendix 4, and confirm that the
process for determining the utilization of detective controls described in the
Management Narrative obtained in Requested Information Item 2.4 was followed.
RP 12. Select from the Integrated Plan obtained in Requested Information Item 1.5 all
initiatives with detective controls as defined in the Control Taxonomy in Appendix
4, and confirm that the process for determining the utilization of detective controls
described in the Management Narrative obtained in Requested Information Item
2.4 has been followed.
RP 13. Select one detective control from each Key Risk identified in Review Procedure
10 and confirm that there is documented evidence the control is being performed.
RP 14. Inspect the most recent reports (optionally including alerts and dashboards) of
information derived from detective controls obtained in Review Procedure 10 and
trace any recommendations for implementing detective controls to initiatives in
the Integrated Plan obtained in Requested Information Item 1.2.
© 2004-2016 Page 34
Responsive Actions and Controls
Objectives
10. Capability establishes actions and controls for correcting detected undesirable
events and conditions and recovering from the effects of detected undesirable events
and conditions.
11. Capability maintains an audit trail of actions performed to correct undesirable events
and conditions and capability failures and changes to responsive and corrective
controls.
12. Capability provides feedback to appropriate operating management for identified
undesirable events and conditions as to immediate adverse effect, root cause,
likelihood, impact, timing, duration, frequency, and velocity of similar future
occurrences.
13. Capability provides feedback to the GRC capability improvement process for
recommended systemic corrective actions.
14. Capability continues to monitor all detected undesirable events and conditions and
capability failures until responsive actions and controls are complete and all capability
improvements have been implemented.
15. Capability’s responsive actions and controls include rewarding desirable conduct.
1.8. Corrective Control Activity Plan
1.9. Corrective Action Reports for a sampling of loss events and systemic control
failures across various control types (human capital, process, physical and
technological)
2.5. Describe the process for monitoring detected undesirable conduct, events and
conditions and capability failures until corrective action has been implemented,
including reporting on completion of such actions.
2.6. Describe the process for monitoring detected desirable conduct until it has been
rewarded.
3.5. None
Review Procedures
and confirm that the process includes the following:
15.1. Identification of each type of undesirable, event and condition that may be
found by proactive and detective actions and controls
15.2. Identification of the type of proactive and detective actions and controls
(process, human capital, technology, and physical) that apply to each type
of undesirable event and condition that may be identified.
© 2004-2016 Page 35
15.3. Maintenance of a record of all responsive activities and controls related to
each detected undesirable event and condition
15.4. Procedures that describe the pre-planned steps to take to correct each type
of detected undesirable, event and condition
15.5. Procedures that describe the pre-planned steps to take to restore conditions
or recover information to prior status for each type of detected undesirable
event and condition that can be restored or recovered
15.6. Procedures that describe the steps to undertake in response to a detected
undesirable event and condition that will serve as a deterrent to repetition of
the undesirable event and condition including determination of its root
cause
15.7. Procedures that provide feedback to operating management on detected
undesirable events and conditions
15.8. Procedures that provide for continuous monitoring of detected undesirable
events and conditions until all required action has been taken.
15.9. Procedures for reporting the implementation of all planned corrective
actions
RP 16. Inspect the Corrective Control Activity Plan obtained as Requested Information
1.8 and confirm that it contains the information listed in Corrective Control Activity
Plan in Appendix 4.
RP 17. Inspect the most recent Corrective Action Report obtained in Requested
Information 2.1 and confirm that it contains the information listed in Corrective
Action Report in Appendix 4.
and confirm that the process includes the following:
18.1. Procedures to publicly acknowledge the individual performing desired
conduct (when agreed to by the individual) prior to, simultaneous with, or
promptly after recognizing the reward given to serve as inspiration to others.
18.2. Procedures to acknowledge the individual performing desired conduct to
operational management prior to, simultaneous with, or promptly after
rewarding the individual.
18.3. Procedures to document performance of the desired conduct as part of
periodic personnel evaluations.
18.4. Procedures that monitor completion of the reward activity.
© 2004-2016 Page 36
P2 Policies
Implement policies and associated procedures to address opportunities, threats
and requirements and set clear expectations of conduct for the governing
authority, management, the workforce and the extended enterprise.
● Develop Codes of Conduct – Work with appropriate stakeholders to develop
codes of conduct that address the organizational mission, vision, values, key
policies, and expected business conduct.
● Establish Policy Structure – Establish an organizing structure for identifying,
creating, approving, enforcing, and updating policies and related procedures.
● Identify and Develop Policies – Use a mix of preventative and directive
policies, related procedures and standards to address opportunities, threats, and
requirements.
● Implement and Manage Policies – Implement, communicate, manage, enforce,
and audit policies, related procedures and standards to ensure that they operate
as intended and continue to be relevant.
● Champion Policies – Demonstrate genuine support for policies, procedures and
standards to ensure stakeholders understand leadership commitment to them.
● Develop and Implement Ethical Decision-Making Guidelines – Establish and
champion decision-making guidelines on how to choose a course of action when
the circumstances are not explicitly covered by the code of conduct, policies,
procedures, or standards.
Objectives
1. Capability knows whether it has all required policies, procedures, and code(s) of
conduct in place.
2. Capability has communicated throughout the workforce and the extended enterprise
expectations on compliance with code(s) of conduct and policies.
3. Policies, related procedures and standards are formalized, implemented,
communicated, and measured.
4. Policies, related procedures and standards promote desired conduct as well as
prohibit certain conduct.
5. Policies, related procedures and standards neither “under-control” nor “over-control”
risks, opportunities and requirements.
6. Capability periodically reviews and audits policies and procedures to confirm
adherence and continuing alignment.
7. Capability adapts policies, related procedures, standards, and code(s) of conduct for
audience, local culture, language, norms, legal requirements, and needs, while
staying true to the core decision-making criteria.
8. Capability provides mechanisms to support ethical decisions when explicit guidance
on an issue or scenario is not apparent.
9. Capability enforces policies, standards, and code(s) of conduct consistently.
© 2004-2016 Page 37
1.1. Code of Conduct
1.2. Ethical Decision Guidelines
1.3. Findings and Recommendations Report to the Board reflecting most recent
evidence that Code of Conduct has been published according to management
expectations
1.4. Policies and Related Procedures Matrix (reflecting at least the Policies and
Procedures within the scope of the GRC Capability Charter).
2.1. Describe the process for developing, implementing, maintaining, and enforcing
throughout the workforce and extended enterprise, including the molding of
champions and securing buy-in to:
2.1.1. The Code of Conduct;
2.1.2. Any Ethical Decision Guidelines;
2.1.3. Policies; and
2.1.4. Procedures.
2.2. Describe the substance of and process used to advise and educate members of
the workforce and Extended Enterprise of their obligation to adhere to policies
and the Code of Conduct.
2.3. Describe the process used to advise the firm’s employee base of the policies,
procedures, and codes of conduct from the members of the Extended Enterprise
to which the firm has committed to adhere.
2.4. Describe the methods used to confirm receipt of the code(s) of conduct by all
target recipient groups.
2.5. Describe the process by which the firm adapts and localizes policies, related
procedures the code(s) of conduct, and ethical decision guidelines to local
culture, language, norms, legal requirements, and needs, while staying true to the
core decision-making criteria.
2.6. Describe the process used by management to inform the board regarding
workforce (including all employees) commitment to and adherence to the Code of
Conduct, including:
2.6.1. Percentage of personnel that received the code
2.6.2. Percentage that have received training on the code
2.6.3. Percentage that have confirmed receipt and understanding
2.6.4. Passage rate statistics on any assessments of understanding
2.6.5. Number of code of conduct violations remediated by various types of
responsive actions or controls
2.6.6. Dollar value of losses experienced from violations, and
2.6.7. Dollar value of rewards for adherence to violation reporting
3.1. Obtain a copy of the employee performance review criteria
3.2. Obtain a copy of the communication to members of the Extended Enterprise
regarding their relationship (coverage and obligations) to the Code of Conduct.
3.3. If a Policies and Related Procedures Matrix is not available, obtain a list of
policies and related procedures relevant to the scope of the review.
© 2004-2016 Page 38
3.3. Policy and Procedure Development, Implementation, and Maintenance Meta-
Procedures.

Review Procedures

2.2, and 2.3 and confirm that it contains all the criteria specified in the Code of
Conduct Development and Maintenance Methodology in Appendix 4.
RP 2. Inspect the Management Narrative obtained in Requested Information Item 2.1 ,
2.2, and 2.3 and, if available, the Policy and Procedure Development and
Maintenance Meta-Procedures and confirm that the information source includes
all the criteria in the Policies and Procedures Development, Implementation, &
Maintenance Methodology in Appendix 4.
RP 3. Inspect the employee standard performance criteria obtained in Requested
Information Item 3.1 and confirm the inclusion of code of conduct assessment
criteria.
RP 4. Select a sample of employees and confirm that each employee has:
4.1. Acknowledged the receipt of the Code of Conduct and Ethical Decision
Guidelines in the past year as required in the Management Narrative
obtained in Requested Information Item 2.4; and
4.2. Received training on the Code of Conduct.
RP 5. Inspect the most recent presentation to the board regarding the publishing of the
Code of Conduct.
RP 6. Review Code of Conduct and Ethical Decision Guidelines (if applicable) obtained
in Requested Information Items 1.1 and 1.2 and confirm that they include all of
the information specified in the Management Narrative obtained in Requested
RP 7. Judgmentally select a sample of three (3) policies reflected in the Policies and
Related Procedures Matrix obtained in Requested Information Item 1.1 or the list
of policies and procedures obtained in Requested Information Item 3.1 that apply
multi-nationally, and confirm:
7.1. That each policy was developed, implemented, and is being maintained in
accordance with:
7.1.1.1. The Management Narrative obtained in Requested Information
Item 2.1;
7.1.1.2. The Meta-Procedures obtained in Requested Information Item 3.2;
or
7.1.1.3. The Policy and Procedure Development, Implementation &
Maintenance Methodology in Appendix 4.
7.2. That each policy has been adapted or localized in accordance with the
Management Narrative obtained in Requested Information Item 2.5.
RP 8. Inspect the communication to the Extended Enterprise obtained in Requested
Information Item 3.2 and confirm that it covers all elements required in the
information obtained in Requested Information Item 2.2.
© 2004-2016 Page 39
P3 Communication
Deliver and receive relevant, reliable, and timely information to the right
audiences, as required by mandates, or as needed to perform responsibilities and
effectively shape attitudes.
● Develop Reporting Plan – Establish a plan to provide desired reports to
management, the governing authority, and stakeholders, while ensuring
compliance with mandatory reporting and filing requirements.
● Process Architecture – Ensure action and control owners in the same, or
related, processes deliver and receive the necessary communication to execute
their duties and take actions consistent with the decision-making criteria.
● Develop Communication Plan – Define how the organization will manage
related communications that are not formal reports.
Objectives
1. Capability defines communication and reporting plans.

2. Capability timely communicates reliable and understandable material information
consistently to workforce, stakeholders, and members of the extended enterprise.
3. Capability meets mandatory reporting obligations.
4. Capability maintains a complete and accurate record of how communication was
managed.
5. Capability measures reporting and communication performance.
1.1. Communication and Reporting Plan
2.1. Describe the process for developing and maintaining the Communication and
Reporting Plan including how contact with stakeholders is controlled and
recorded to ensure all communications and reports are included.
2.2. Describe the process used to ensure consistent terminology in communications
and reports.
2.3. Describe how the records generated pursuant to the Communication and
Reporting Plan are developed and managed in accordance with the GRC
Information Management Plan.
3.1. Obtain a list of GRC capability reports and communications for the immediate
preceding fiscal year.

© 2004-2016 Page 40
Review Procedures
RP 1. Inspect the Communication and Reporting Plan obtained in Requested Item 1.1
and confirm that it was developed and managed in accordance with the
Management Narrative obtained in Requested Item 2.1.
RP 2. Select a sample from the list of reports and communications for the preceding
fiscal year obtained in Requested Information Item 3.1 and confirm that the
communication/report:
2.1. Was timely distributed to its intended audience;
2.2. Maintained as an official record in accordance with record retention
requirements and managed in accordance with the GRC Information
Management Plan and/or the Management Narrative obtained in Requested
Information Item 2.3;
2.3. Met all report specifications; and
2.4. Was edited for consistency of terminology as prescribed in Management
Narrative obtained in Requested Information Item 2.2.
© 2004-2016 Page 41
P4 Education
Educate the governing authority, management, the workforce, and the extended
enterprise about expected conduct, and increase the skills and motivation needed
to help the organization address opportunities, threats, and requirements.
● Define an Awareness and Education Plan – Develop a plan to educate the
governing authority, management, the workforce, and the extended enterprise
about their responsibilities and expected conduct.
● Define a Curriculum Plan – Develop a job specific curriculum and appropriate
training program for the governing authority, management, the workforce, and
the extended enterprise to fulfill their responsibilities.
● Develop or Acquire Content – Develop or acquire content that does not exist in
the current curriculum or education plan and modify any content that needs
updating in order to meet current learning objectives.
● Implement Education – Implement and manage the education program to
ensure that each target audience achieves learning objectives and can apply
knowledge and skills to their jobs.
● Provide Helpline – Establish ways for the workforce and other stakeholders to
seek guidance about future conduct and ask general questions, including the
option for anonymity in locations where that is required or allowed.
● Provide Integrated Support – Establish ways for the workforce to get integrated
support within their usual work environment.
Objectives
1. Capability educates throughout the extended enterprise on actions and controls.

2. Capability matches the rigor of the messaging and education to the nature or
significance of the underlying objective.
3. Capability matches education methods, content, and “accessibility” to needs of the
intended audience.
4. Curriculum and individual learning modules are kept fresh and relevant.
5. Capability provides resources for self-help and decision-making guidance on job
related GRC activities prior to engaging in GRC responsibilities.
1.1. Awareness and Education Plan
1.2. Helpline FAQ Descriptions
1.4. Specialized GRC Curriculum Plan
2.1. In the absence of a formal Awareness and Education Plan, describe the
components of the organization’s GRC awareness and education plan.
© 2004-2016 Page 42
2.2. Describe the assessment tools used to measure awareness, training, knowledge,
support, and understanding of the policies, procedures, and code(s) of conduct
by all target recipient groups, including members of the extended enterprise.
2.3. Describe the procedure used to train and confirm that individuals understand
how to report an issue (i.e., incident, concern, inquiry) including the curriculum
required and the frequency of refresher training. In addition, identify who has
ownership of the training process for issue notification (intake) and filtering. IN-
HOUSE
3.1. Obtain a copy of the generalized job based GRC training content.
3.2. Obtain the Key GRC Personnel listing prepared in Pre-requisite Procedure 3.
3.3. Obtain a listing of all employees who are involved in issue management with an
indication of their role or roles. IN-HOUSE
3.4. Obtain a list of hotline and intake staff. JOINT

Review Procedures
RP 1. Inspect the Awareness & Education Plan obtained in Requested Information Item
1.1 or the Management Narrative obtained in Requested Information Item 2.1 and
confirm that it contains all the criteria specified in the Awareness and Education
Plan in Appendix 4.
RP 2. Inspect the Generalized role based GRC training content obtained in Requested
Information Item 3.1 and confirm that it supports the learning objectives identified
in the Awareness and Education Plan obtained in Requested Information Item
1.1.
RP 3. Select a sample of the Employee Database and for each individual confirm that:
3.1. A Specialized GRC Curriculum Plan as defined in Appendix 4 has been
designed for their role and that it meets the guidelines in the Awareness
and Training Plan obtained in Requested Information Item 1.1 for
specialized GRC role based training
3.2. Required training was attended
3.3. Understanding of content was assessed (using a quiz or other evaluation
instrument)
3.4. Training was completed in the required time period
RP 4. Take a sample of key risks that have specific job training as an action or control
in the Prioritized Risk Matrix obtained in Requested Information Item 1.3 and
utilize the Key GRC Personnel Matrix obtained in Requested Information Item
3.2, and Awareness and Education Plan obtained in Requested Information 1.1,
to identify the training sessions and target audiences to confirm that:
4.1. Required training was conducted
4.2. Understanding of content was assessed (using a quiz or other evaluation
instrument)
4.3. Training was completed in the required time period
© 2004-2016 Page 43
RP 5. Inspect the assessment instruments used to gather evidence of awareness,
training, knowledge, understanding, and support of the Code of Conduct obtained
in Requested Information Item 2.2 and confirm that they cover at least the
following items:
5.1. Whether they know how to find the Code of Conduct and Ethical Decision
Guidelines
5.2. Whether they have reviewed the Code of Conduct and Ethical Decision
Guidelines in the last year
5.3. Whether they know what to do in the event of a violation
5.4. Whether the values reflected in the Code of Conduct align with their
personal values
5.5. Whether they agree that the prescribed conduct is appropriate for the
situations described in the Code of Conduct
5.6. Whether they believe that the conduct prohibited by the Code of Conduct
should be permitted instead
5.7. Whether they perceive the Code of Conduct as aligned to the values
articulated by management
5.8. Whether they perceive management’s actions as adhering to the Code of
Conduct
RP 6. Select a sample of employees from the list of hotline and intake staff obtained in
Requested Information Item 3.6. For each sample chosen, inspect personnel
files (including training databases) for:
6.1. A job-specific training curriculum, including handling the Helpline FAQ
Descriptions obtained in Requested Information Item 1.2 and
6.2. The Special GRC Training Curriculum has been completed. JOINT
RP 7. Select a sample from the list of employees involved in issue management
obtained in Requested Information 3.3 and verify from personnel records that IN-
HOUSE
7.1. There is a required Curriculum Plan for their position including required
training on issue notification as specified in Requested Information in 2.3.
IN-HOUSE
7.2. The Curriculum Plan has been completed.
© 2004-2016 Page 44
P5 Incentives
Implement incentives that motivate desired conduct and recognize those who
contribute to positive outcomes to reinforce desired conduct.
● Define Desired Conduct – Determine the types of desired conduct including
definitions, classifications, and procedures necessary to identify those who
contribute to positive outcomes and those who notify the organization when they
identify allegations or indications of undesirable conduct.
● Hire and Promote Based on Conduct Expectations – Articulate desired
conduct when defining jobs, career paths, and performance review criteria of
employees and business partners, using the same criteria for promoting
individuals.
● Develop and Implement Compensation, Reward and Recognition Programs
– Establish compensation, reward, and recognition programs for all employees,
business partners, and other stakeholders that recognize individuals and
organizational units for exhibiting desired conduct and do not reward undesirable
conduct.
Objectives
1. Capability establishes a simple and transparent mix of incentives and consistently

applies them to motivate desired behavior, but not encourage undesirable conduct.
2. Capability establishes a broad variety of incentives beyond just incentives tied to
performance review criteria, considering economic incentives, symbols of prestige,
status, workplace freedoms, and opportunities for advancement.
3. Capability considers the application of values in observable business conduct.
4. Capability considers evidence of an individual’s ethical conduct and consistency with
organizational values in hiring /promotion/compensation decisions.

1.1. GRC Strategic Plan
1.2. Findings & Recommendation Report
2.1. Describe the process used during the past year to recognize and reward
individuals for exhibiting ethical conduct.
2.2. Describe the ways in which adherence to ethical conduct expectations and
organizational values are considered during hiring, promotion and
compensation decisions.
2.3. Describe programs that are intended to reward or recognize other desirable
ethically agnostic conduct that mitigates firm’s risks and/or promotes the firm’s
values.
© 2004-2016 Page 45
3.1. Obtain a copy of the hiring and promotion policies and procedures of the
organization.
3.2. Obtain the Key GRC Personnel listing prepared in Pre-requisite Procedure 3.
3.3. Obtain a list of all employees who received recognition or rewards in the last
twelve months under the process described in Requested Information Item 2.1.
3.4. Obtain Performance Review and Competency criteria for Promotion and other
recognition.
3.5. Obtain a metrics report for each of the programs described under Requested
Information Item 2.3 for the last fiscal year and the current year-to-date.

Review Procedures
RP 1. Inspect the hiring and promotion policies and procedures obtained in Requested
Information Item 3.1 and 3.4, and the Management Narrative obtained in
Requested Information Item 2.2 and confirm that the process for hiring and
promoting employees includes the use of information on the ethical conduct of
candidates and the alignment of their personal values with organizational values.
RP 2. Select a sample of employees from the list obtained in Requested Information
Item 3.2 and confirm that hiring, promotion and/or current performance
evaluations that occurred in the past twelve months considered the following
organization specific criteria:
2.1. An understanding of organization values statements and how that
understanding contributed to a promotion or incentive decision
2.2. An understanding of what constitutes unethical conduct and how that might
effect a promotion or incentive decision.
2.3. Included acceptable performance of compliance responsibilities related to
their position
RP 3. Inspect the GRC Strategic Plan obtained in Requested Information Item 1.1 and
confirm that it contains ethical leadership objectives, measures, and targets.
RP 4. Inspect the Strategic Plan Year-end Progress report for the last fiscal year
obtained in Requested Information Item 1.2 and confirm that metrics on ethical
leadership were reported and targets were met.
RP 5. Select a judgmental sample of three (3) employees from the list obtained in
Requested Information Item 3.3 and confirm that the process described in
Requested Information Item 2.1 was followed.
RP 6. Inspect each of the metrics reports obtained in Requested Information Item 3.5
and confirm that metrics were reported including the targets for participation or
earmarked funds for rewards and the actual participation or awards made during
the period and whether there is an upward or downward trend in participation
between the report from the past year and the current year-to-date.
© 2004-2016 Page 46
P6 Notification
Provide multiple pathways to report progress toward objectives, and the actual or
potential occurrence of undesirable and desirable conduct, conditions, and
events.
● Capture Notifications – Implement a notification system that captures and alerts
the organization to action and control weaknesses, performance variances,
incidents or suspicions of legal noncompliance, violations of company policies,
and concerns or perceptions about perceived unethical conduct.
● Filter and Route Notifications – Prioritize, substantiate, and route notifications
for handling, regardless of the pathway through which a given notification is
initiated.
● Adhere to Data Protection Requirements – Ensure that notification pathways
comply with specific requirements established in the locale where the notice
originates and where the organization operates.
Objectives
1. The notification processes, pathways, and all enabling systems and methods are
agile with clearly defined escalation paths.
2. At least one notification method is available to each class of stakeholder.
3. Notification policies and procedures are well communicated to stakeholders, through
various means of communication.
4. The notification processes and instructions on utilizing the available methods are
understandable to the workforce and extended enterprise, including the expectation
that issues or concerns raised via informal methods and unstructured channels are
recorded and handled consistently with formal channels.
5. The notification process and all enabling system and methods adequately protect
data according to the requirements of the locale where the notice originates and the
organization operates, including the handling of privileged information.
6. Stakeholders raise concerns directly with the organization out of trust, without fear of
reprisal, that concerns are taken seriously, are promptly and objectively assessed
and addressed, providing an option of anonymity where legally permitted or required.
1.1. External Authorization IN-HOUSE (Responsibility of organization being
evaluated)
1.2. Internal Authorization IN-HOUSE
1.3. Communication and Reporting Plan IN-HOUSE
© 2004-2016 Page 47
2.1. Describe the process (test data, real time supervisory monitoring, electronic
monitoring, and analytical procedures) for monitoring issue notification (intake),
filtering, and management activities to determine that applicable policies and
procedures are consistently applied. JOINT (Responsibility of both the
organization being evaluated and any external service-provider)
2.2. Describe how differences, if any, in taxonomies and information requirements
across Operating Geographies are reconciled for aggregation, analysis, and
reporting. JOINT
2.3. Describe whether any Intake Channels are provided by a vendor(s), including the
process for integrating vendor(s) intake data with internal intake data. JOINT
3.1. Obtain a copy of the inventory of all intake channels in each Operating
Geography, the list of which was created in Pre-requisite Procedure 1. IN-
HOUSE
3.2. Obtain a copy of the list of all third-party vendors who operate intake channels.
IN-HOUSE
3.3. Obtain a copy of the inventory of all infrastructure and notification intake and
filtering policies and procedures (include protocols, criteria, etc). JOINT
3.4. Obtain a copy of the Issues Category Taxonomy(s) JOINT
3.5. Obtain a sample of reports from the Communication and Reporting Plan
obtained in Requested Information Item 1.3 related to non-privileged issues and
concerns reported in the last twelve months. JOINT

Review Procedures
RP 1. Confirm that each of the following elements or capabilities is documented in the
Management Narrative obtained in Requested Information Item 2.1 describing
the process for managing issue notification (intake), filtering and management
include the policies and procedures, infrastructure, classification schema, filtering
protocol, resolution and reporting criteria in the Issue Management Framework in
Appendix 4, including
1.1. A combination of web, telephone, and web-enabled reporting portals
SERVICE PROVIDER (Responsibility of external contractor)
1.2. 24/7/365 accessibility SERVICE PROVIDER
1.3. Auditable and documented uptime, capacity, and reliability transparency
validated by a third-party SERVICE PROVIDER
1.4. The capability to follow location specific requirements by location of reporter
and incident JOINT
1.5. Supports localization for language, culture, and regulatory differences (In-
house determined if outsourced) JOINT
1.6. The ability to integrate (or separate) the subtle design difference between
hotline and helpline awareness and feedback JOINT
1.7. The ability to extend awareness and message to all stakeholders IN-
HOUSE
© 2004-2016 Page 48
1.8. The ability to support a helpline environment by directing reporting
stakeholders to other venues where they can provide or gain information
JOINT
1.9. The ability to support different formats for gathering information, such as
JOINT
i. Question
ii. Information
iii. Accusation
1.10. The ability to interface with a variety of other intake points (including in-
house and outsourced) to coordinate or support the resolution of issues and
events across the extended enterprise JOINT
1.11. The ability to remove individuals and any of their subordinates from intake
or filtering responsibilities if they are involved in the issue or event being
reported JOINT
1.12. Maintains an audit log of all activity JOINT
1.13. The ability to define materiality in dollar or human capital terms to support
escalations and alerts (In-house defined if outsourced) JOINT
1.14. The ability to define or modify reporting and procedures and workflows,
including:
i. Required information and milestones (In-house defined if
outsourced) JOINT
ii. Identification of roles and responsibilities to speed delivery and
ensure that triage skills/authority are present for escalated issues
(In-house identified if outsourced) JOINT
RP 2. Select a sample of Operating Geographies from the Inventory of All Operating
Geographies obtained in Requested Information Item 3.1. As part of the
sampling methodology, ensure that the sample chosen includes at least 50% of
covered stakeholders. For each Operating Geography in the sample selected,
obtain the corresponding legal analysis and localization documentation. Confirm
that each legal analysis contains a response to each of the items listed under
Legal Analysis Policy & Procedures in the Infrastructure section of the Issue
Management Framework in Appendix 4. JOINT
RP 3. For each of the Operating Geographies selected in Requested Information Item
3.1, obtain the corresponding primary Intake Channel. Confirm that the primary
Intake Channel includes each of the documented required elements of the
notification (intake) and filtering process detailed in Review Procedures #1.
JOINT
RP 4. For each primary Intake Channel selected in the previous procedure that is
operated by a third-party vendor listed in Requested Information Item 3.2, inspect
a copy of the Internal Authorization and the External Authorizations obtained in
Requested Information item 1.1 and 1.2 and obtain:
4.1. A copy of the SAS 70 (or equivalent) report for the third-party operating
each selection SERVICE PROVIDER
4.2. A copy of the organization’s due diligence report on vendor operations that
need to mirror internal operations such as policies, protocols, and internal
controls IN- HOUSE
4.3. Independent assessment reports (includes audits, certifications, etc.)
obtained by the third-party vendor operating selected intake channels
SERVICE PROVIDER
4.4. A copy of the signed contract between the third-party vendor and the
organization IN-HOUSE
© 2004-2016 Page 49
RP 5. Confirm that each of the issue categories listed in the Infrastructure section of the
Issue Management Framework in Appendix 4 is listed in the Issue Category
Taxonomy obtained in Requested Information Item 3.4. JOINT
RP 6. Inspect a sample of reports from the Communication and Reporting Plan
obtained in Requested Information Item 1.3 to confirm that it the reports include
the criteria specified in the Reporting section of the Issue Management
Framework in Appendix 4 for notifications and alerts and external or internal
context changes in addition to reports and formal communications.
© 2004-2016 Page 50
P7 Inquiry
Periodically analyze data and seek input about progress towards objectives; and
the existence of undesirable conduct, conditions and events.
● Establish Multiple Pathways to Obtain Information – Define opportunities for
obtaining stakeholder views about action and control weaknesses, performance
variances, incidents or suspicions of legal noncompliance, violations of company
policies, and concerns or perceptions about perceived unethical conduct.
● Establish an Organization-Wide Integrated Approach to Surveys – Establish
an organization-wide survey approach that reduces the burden on survey
subjects and provides a consolidated view of information obtained from
stakeholders.
● Establish an Integrated Approach to Self-Assessment – Establish a self-
assessment approach that integrates assessment of performance, risk, and
compliance responsibilities and outcomes with other self-assessments imposed
on management.
● Gather Information Through Observations and Conversations – Establish
informal methods of gathering views through observations, group meetings,
focus groups, and individual conversations.
● Report Information and Findings – Provide information and findings from all
methods of inquiry to management and stakeholders.
Objectives
1. Capability creates opportunities to ask various stakeholders about concerns and

organizational culture to increase the likelihood of internally discovering issues.
2. Capability coordinates and designs efforts to avoid survey and self-assessment
fatigue.
3. Capability develops methods of consolidating, comparing and reconciling information
from various methods of inquiry to develop a holistic view.
4. Capability feeds the collected information into other GRC Elements (i.e., analysis and
aggregation, risk assessment, investigation or systemic improvement).
5. Capability maintains the integrity of the inquiry process and encourages honest
feedback by avoiding actual and perceived connections between inquiry responses
and performance assessment.
1.1. Exit Interview Checklist
1.3. GRC System Improvement Plan
© 2004-2016 Page 51
2.1. Describe the workforce and stakeholder feedback process, including all
procedures used routinely to ask stakeholders throughout the extended
enterprise for information relevant to the capability.
2.2. Describe the analysis undertaken to identify root causes of any unmet targets
from the various workforce and stakeholder surveys of the last three (3) years
and inventory the initiatives, if any, which were implemented to address those
root causes.
2.3. Describe the approach taken to protect stakeholders from survey fatigue and
avoid the appearance of connection between inquiry responses and
performance assessment.
2.4. Describe the approach taken to consolidate, compare and reconcile information
obtained from all sources of inquiry.
3.1. Obtain a list of all workforce and stakeholder surveys conducted by the
organization in the past three (3) years.
3.2. Obtain the survey calendar for the past three (3) years.

Review Procedures
RP 1. Inspect the survey calendar obtained in Requested Information Item 3.2 and
confirm that actions specified by management in the Management Narrative
obtained in Requested Information Item 2.3 to control survey fatigue are being
followed.
2.2, and 2.3, and confirm the inclusion of all criteria specified in Workforce and
Stakeholder Feedback Framework in Appendix 4.
RP 3. Select a sample of the workforce and stakeholder surveys from the list obtained
in Requested Information Item 3.1 and confirm that:
3.1. The analysis described in the Management Narrative obtained in
Requested Information Item 2.2 and 2.4 was performed on survey results
3.2. The results were communicated to the appropriate operating and oversight
management (attach copies of reports obtained in Requested Information
Item 1.2)
3.3. The specific actions (initiatives) management designed as a result of these
surveys in their Findings and Recommendations Report were considered
for inclusion in the GRC System Improvement Plan.
© 2004-2016 Page 52
P8 Response
Design and, when necessary execute responses to identified or suspected
undesirable conduction, conditions, events, or weaknesses in capabilities.
● Establish Investigation Processes – Develop internal investigation processes
to address allegations or indications of undesirable conduct, and maintain a
process for responding to external inquiries and investigations.
● Prepare to Address Crisis Situations – Develop plans for responding to
various types of crises and recovering from business disruption.
● Follow Resolution Processes – Resolve each issue and document the
outcome.
● Improve Capabilities – Ensure that information flows seamlessly into processes
for identifying and correcting action and control weaknesses, and apply
necessary changes.
● Discipline and Retrain – Apply consistent discipline to individuals at fault and
provide necessary retraining.
● Determine Disclosures – When required or appropriate, disclose resolution of
investigations to relevant stakeholders.
Responding to Issues and Concerns (Investigations and Resolutions)
Objectives
1. Capability maintains relationships and procedures that build trust with external
stakeholders to minimize the potential scope and impact of an external inquiry or
investigation.
2. Capability has procedures in place to efficiently respond to inquiries and
investigations while securing additional investigative resources or advisors (internal
and external), preserving information and privileged status, suspending certain
practices or operations during investigations, and maintaining participant trust and
cooperation.
3. Capability provides a tiered approach and clear routing and escalation procedures to
respond to issues and concerns that have different potential impacts on the
organization.
4. Capability establishes expectations regarding discipline for various types of conduct.
5. Capability implements controls designed to instill consistency in determining and
imposing discipline.
6. Capability uses skilled investigators and procedures to ascertain root causes of
issues and then incorporates that information into processes to address systemic
improvement.
7. Capability feeds information about impacts into appropriate GRC processes (i.e., risk
etc.)
8. Capability has mechanisms to apprise the board and management of the fact, status
and results of internal and external investigations, and how issues have been
resolved and remediated.
© 2004-2016 Page 53
1.1. Findings and Recommendations Report IN-HOUSE (Responsibility of
organization being evaluated)
1.2. Investigation Management Plan IN-HOUSE
2.1. Describe the approach to issue management including JOINT (Responsibility of
both organization being evaluated and any external service provider)
Infrastructure
Intake and filtering
Resolution
Reporting
2.2. Describe the nature of any routine third-party inquiries to which the capability
responds (i.e., regulatory inspections, regulatory audits, customer quality
inspections, contractual compliance audits, etc.).
2.3. Describe the process for implementing recommendations for disciplinary action
or rewards resulting from investigations and other issue resolution processes.
3.1. Obtain a listing of all investigations, including third-party investigations,
commenced and completed within the last twelve months.
3.2. Obtain a listing of non-privileged documents that the investigation team deemed
covered by the Electronic Discovery Policy and Procedures for one of the third-
party investigations identified in the listing obtained in Requested Information
Item 3.1 and a sample of the documents in the list. IN-HOUSE
3.3. Obtain copies of most recent reports to GRC management and senior
management of activities in the various Issue Management processes within the
Issue Management Framework. IN-HOUSE
3.4. Obtain a copy of the organization’s employee reward and discipline policy and
procedures.
3.5. Obtain a listing of issues reported in the past twelve months.
3.6. Obtain copies of Issues Management Framework documentation

Review Procedures
RP 1. Inspect the Management Narrative on issue management obtained in Requested
Information 2.1 and the Issue Management Framework documentation obtained
in Requested Information Item 3.6 to confirm the following elements for the
presence of the criteria described in the Issue Management Framework in
Appendix 4:
1.1. Policies and procedures related to each of the four key components for
internal investigations.
1.2. Policies and procedures related to each of the four key components for
third-party investigations.
© 2004-2016 Page 54
RP 2. Select a sample of Non-Privileged Documents obtained in Requested Information
Item 3.2 and confirm that each of the documents was processed according to the
policy obtained in Requested Information 3.6. IN-HOUSE
RP 3. For the Non-privileged Issues selected in the sample, verify that
3.1. The triage team was notified of the issue and made a resolution category
determination according to established policy and procedures IN-HOUSE
3.2. The issue was escalated according to the established escalation
procedures IN-HOUSE
3.3. An Investigation Management Plan was created consistent with the criteria
in Appendix 4.
3.4. The issue was resolved using the established procedures for the resolution
category assigned IN-HOUSE
3.5. A report of the investigation findings and recommendations was made in
accordance with the procedures for the resolution category assigned to the
issue IN-HOUSE
RP 4. Confirm by inspecting reports obtained in Requested Information 3.3 that analysis
is performed on activity in the issue database and that metrics, targets, triggers,
and trends are reported IN-HOUSE
RP 5. Select a sample from the list obtained in Requested Information Item 3.1 and
confirm that each investigation chosen has been reported to appropriate
management and the board in accordance with the process described in the
Management Narrative obtained in Requested Information Item 2.1
RP 6. Inspect the organization’s employee reward and discipline policy and procedures
obtained in Requested Information Item 3.4 and the Management Narrative
obtained in Requested Information Item 2.1 and confirm that the following are
included:
6.1. A process for rewarding individuals for reporting issues
6.2. A process for ensuring that disciplinary actions recommended are taken or
the reason for not taking the action is appropriately documented
6.3. A process for identifying, reconciling, and eliminating inconsistencies in
disciplinary/reward actions
RP 7. Select a sample from the list obtained in Requested Information Item 3.5 and
confirm that:
7.1. A resolution category was established during triage
7.2. If the resolution category established required an investigation, an
investigation was conducted
7.3. If the investigation concluded that there was creditable cause to take
remedial/reward action, recommended actions were taken or a reason for
declining to act was documented
7.4. If items in the sample had similar issues, the remedial/reward actions taken
were consistent
© 2004-2016 Page 55
Responding to Crises
Objectives
1. Capability has developed, tested, and is prepared to implement plans and required
resources to address reasonably anticipated types of crises.
2. Those designated to serve in key roles during a crisis are aware of and prepared to
meet their expected responsibilities, particularly with regard to clear, timely, and
persistent communication.
3. Capability has considered the interdependencies and relationships between crisis
response plans.
4. Capability places a high priority on protecting individuals from physical harm.
1.3. Crisis, Continuity, and Recovery Plan
2.4. Describe the process for developing the Crisis, Continuity, and Recovery plan.
2.5. Describe the process for testing the Crisis Continuity, and Recovery Plan.
3.7. Obtain documentation of the most recent test of the Crisis, Continuity, and
Recovery Plan.

Review Procedures
RP 8. Inspect the information obtained in Requested Information Item 3.7 and confirm
that
8.1. The test was performed within the past twelve months
8.2. The test was conducted as described in the Management Narrative
obtained in Requested Information Item 2.5
8.3. Corrective action was taken on any noted deficiencies
and confirm that it contains the criteria specified in Crisis, Continuity, and
Recovery Plans Development and Maintenance Methodology in Appendix 4.
© 2004-2016 Page 56
R – REVIEW
Conduct activities to monitor and improve design and operating
effectiveness of all actions and controls, including their continued
alignment to objectives and strategies.
R1 Monitoring
Monitor and periodically evaluate the performance of the capability to ensure it is
designed and operated to be effective, efficient, and responsive to change.
● Monitor and Evaluate Capability Design – Establish a schedule for periodic re-
evaluation of the capability design in light of objectives, opportunities, threats,
requirements, and changes to the context.
● Identify Monitoring Information – Identify the information to use to support the
evaluation of the performance of the risk optimizing activity(ies) and/or the overall
performance of the capability.
● Perform Monitoring Activities – Perform monitoring activities to support the
evaluation of the performance of the capability.
● Analyze and Report Monitoring Results – Analyze the results of monitoring
activities to identify weaknesses and opportunities for systemic improvements.
Objectives
1. Capability uses effectiveness, efficiency, and responsiveness performance indicators

in addition to or in lieu of project management indicators.
2. Capability uses measurement to hone performance rather than punish.
3. Capability periodically reviews policies, procedures, actions and controls,
frameworks, methodologies, plans and documentation to provide both assessment of
appropriate design and compliance with applicable requirements.
4. Capability monitoring level of effort and sophistication of resources is congruent with
the level of risk.
5. Capability feeds information about performance into appropriate processes (i.e., risk
etc.)
1.1. GRC Strategic Plan (including the GRC Assessment Plan)
1.3. Findings and Recommendations Report on GRC capability metrics for the prior
three (3) fiscal years and current year to date
© 2004-2016 Page 57
2.1. Describe the process utilized to evaluate the design and performance of the
GRC capability during the past three (3) years and the current year to date
explaining any changes or improvements implemented during that period and
how information from prior and subsequent years are compared and reconciled
to assess trends.
2.2. Describe the most recent performance evaluation including the composition of
the evaluation team.
3.1. None.

Review Procedures
RP 1. Inspect the most recent GRC Assessment Plan obtained in Requested
Information Item 3.1 in combination with the response to Requested Information
Item 2.1, and confirm that it contains the criteria in the GRC Design and
Performance Assessment Methodology in Appendix 4.
RP 2. Inspect the most recent GRC Assessment Plan obtained in Requested
Information Item 1.1 in combination with the response to Requested Information
Item 2.1, and confirm:
2.1. That the monitoring activities chosen and performed are relevant to the
scope of the assessment
2.2. That the measures were adapted over time in keeping with program
changes
2.3. That the information gathered was analyzed and reconciled to understand
trends
2.4. That the results of the analysis with recommendations were reported to
operating and oversight management
2.5. That the recommendations for improvement were incorporated by GRC
capability management in the GRC Strategic Plan obtained in Requested
Information Item 1.1 and the Integrated Plan obtained in Requested
RP 3. Inspect the Report or Presentation of the year-end results of capability metrics for
the prior fiscal year obtained in Requested Information Item 1.3 and report:
3.1. The total number of metrics per year
3.2. The percentage of metrics whose targets were met each year
3.3. Not met each year
3.4. Exceeded each year
3.5. The specific metrics from the prior fiscal year where targets were not met or
exceeded that were outside of the tolerances with the action(s) taken by
management to address the issue
© 2004-2016 Page 58
RP 4. Inspect the Report or Presentation of the year-end results of capability metrics for
the prior three (3) fiscal years obtained in Requested Information Item 1.3 and
report:
4.1. Changes in the nature or type of metrics collected
4.2. Whether those changes are tied to the management response to the issues
from the prior year’s report.
4.3. Trending between the periods for those metrics that are consistent period
over period.
4.4. Reconciliation of information or explanation of trends for measures not
qualifying under RP4.3 above.
RP 5. From the Integrated Plan obtained in Requested Information Item 1.2, select a
sample of initiatives and confirm for each that:
5.1. A method has been established to determine whether planned residual risk
is achieved or reward measure is achieved after implementation,
5.2. The controls in the optimization initiative have been implemented,
5.3. The Prioritized Risk Matrix (including the Risk/Control Matrix) obtain in
Requested Information Item 1.4 reflects the implemented controls, and
5.4. Monitoring activities have been designed and implemented to ensure
controls are operating on an ongoing basis.
© 2004-2016 Page 59
R2 Assurance
Provide assurance to management, the governing authority, and other
stakeholders that the capability is reliable, effective, efficient and responsive.
● Plan Assurance Assessment – Determine scope, procedures, and criteria
required to provide the desired level of assurance to relevant stakeholders.
● Perform Assurance Assessment – Perform procedures, evaluate results
against criteria, make relevant recommendations, and report results and
conclusions.
Objectives
1. Capability planning includes the provision of periodic, independent, and objective

assurance for activities related to managing key risks and for discrete portions of or
the entirety of the Capability model.
2. Capability uses a risk-based approach to planning and performing assurance
engagements.
3. Capability utilizes independent, objective personnel, using professional standards
with experience in the subject matter to perform engagements requiring the highest
level of assurance.
4. Capability information architecture is designed to provide a consistent, single
“version of the truth” to serve as the basis for both capability management and
assurance.

1.1. GRC Strategic Plan for the prior and current fiscal years, including
1.1.1. GRC Assurance Plans
1.1.2. GRC System Improvement Plan
1.2. Findings and Recommendations Report of the latest external quality
assessment report of the Internal Audit function.
1.3. Assurance Report
2.1. Describe the process for determining which portions of the capability will be
audited in any given year and by whom (internal auditors or external auditors),
including the purposes or risk-thresholds that distinguish the use of internal
versus external auditors.
2.2. Describe the process followed to ensure the objectivity, independence, and
competency of internal and external auditors assigned to GRC capability
engagements
© 2004-2016 Page 60
3.1. Obtain or prepare an inventory of all Findings and Recommendations Reports
from internal and external assurance engagements involving the GRC capability
activities from the prior and current fiscal years (Inventory of GRC Capability
Audits).
3.2. Obtain a list of all third-party reviewers that have conducted audits on GRC
capability activities in the prior and current fiscal years.
3.3. Obtain all quality assessment reports prepared during the prior and current
fiscal years.

Review Procedures
and confirm the input to the process for developing an audit plan for GRC
activities includes the GRC Strategic Plan, the Prioritized Risk Matrix (including
the Risk/Control Matrix), the Integrated Plan, and the GRC System Improvement
Plan.
RP 2. Confirm that all planned audits for the prior fiscal year obtained in Requested
Information Item 1.1.1 have been completed and that any findings and
recommendations in the Assurance Reports from those audits obtained in
Requested Information Item 1.3 are included in the inventory of findings and
recommendations obtained in Requested Information Item 3.1. Report all prior
year planned audits that were not completed and whether or not they have been
included in the current year planned audits obtained in Requested Information
Item 1.1.1.
RP 3. Determine that current year planned audits obtained in Requested Information
Item 1.1.1 are being conducted according to the schedule and that any findings
and recommendations in completed current year Assurance Reports appear in
the inventory of findings and recommendations obtained in Requested
RP 4. Trace recommendations from the inventory of findings and recommendations for
the current and prior years obtained in Requested Information Item 3.1 into the
prior and current year GRC System Improvement Plans obtained in Requested
Information Item 1.1.2 and confirm that resources have been allocated to each.
Report recommendations not carried to the GRC System Improvement Plans and
those carried to the GRC System Improvement Plans but not funded.
and confirm that the process includes Quality Assurance Reviews as prescribed
by The Institute of Internal Auditors.
RP 6. Inspect the quality assessment report obtained in Requested Information Item 3.3
and confirm that the Internal Audit function follows the standards of The Institute
of Internal Auditors and that the review is current as defined by those standards.
RP 7. Confirm that all third-party reviewers on the list obtained in Requested
Information Item 3.2 satisfy the requirements in the paragraph Qualifications of
Third-Party Reviewers in the Forward of the GRC Assessment Program.
© 2004-2016 Page 61
R3 Improvement
Review information from periodic evaluations, detective and responsive actions
and controls, monitoring, and assurance to identify opportunities for capability
improvements.
● Develop Improvement Plan – Develop a prioritized plan for implementing
improvements to the capability.
● Implement Improvement Initiatives – Implement the specific action plans and
initiatives intended to improve the capability.
Objectives
1. Capability uses participant, workforce, and stakeholder feedback from the extended
enterprise (across all methods of information gathering – notifications, inquiries,
lessons learned, issue management, assessments and assurance processes) in
improving capabilities and in identifying and addressing root causes of
issues/concerns.
2. Capability factors improvement opportunities and root causes into risk analysis and
prioritization of initiatives.
3. Capability allocates some resources to improvement in addition to risk response
initiatives and ongoing programs.
4. Capability measures whether projected benefits of improvement initiatives were
achieved.

1.1. Portions of GRC Strategic Plan for the prior and current fiscal years:
1.1.1. GRC Assessment Plan
1.1.2. GRC System Improvement Plan
1.3. Policies and Related Procedures Matrix
1.4. Internal Authorization
1.5. Corrective Action Report for prior fiscal year
1.6. Integrated Plan for prior and current fiscal year
1.7. Prioritized Risk Matrix (including Risk/Control Matrix)
2.1. Describe the methodology used to continuously improve the GRC capability,
including the process for identifying, prioritizing, managing, and reporting
improvement initiatives for incorporation into the Integrated Plan.
2.2. Describe the process for utilizing information learned from all channels
(notifications, inquiries, issue management, control failure/loss event root cause
analysis, crisis response after action analysis, assessment, and assurance) in
issue management, performance evaluation, rewards/recognition, and capability
improvement processes
© 2004-2016 Page 62
2.3. Describe the process for incorporating the recommendations of investigations
and other issue resolutions into the GRC capability Improvement process.
3.1. Create an inventory of procedures from the Policies and Related Procedures
Matrix that provide for feedback to the GRC capability on capability failures
and/or weaknesses.

Review Procedures
2.2 and 2.3 and confirm that it includes the elements in the Continuous GRC
System Improvement Methodology criteria in Appendix 4.
and 2.3 and the inventory of procedures obtained in Requested Information Item
3.1 to confirm that the following sources of recommendations for GRC capability
improvement are included:
2.1. Audits
2.2. Operational Data (Proactive and Detective Controls)
2.3. Industry Trends
2.4. Notifications, inquiries and other forums for workforce and stakeholder input
2.5. Issue management and responsive controls
2.6. Crisis Response after action analysis
2.7. Context monitoring
2.8. Performance monitoring and evaluation
2.9. Board self-assessment
RP 3. Trace all recommendations from the Findings and Recommendations Report
obtained in Requested Item 1.2 resulting from the last completed GRC Assessment
Plan obtained in Requested Information Item 1.1.1 and the Corrective Action Report
obtained in Requested Information Item 1.5 to the current GRC System Improvement
Plan obtained in Requested Information Item 1.1.2. From this list, confirm that:
3.1. All recommendations for GRC capability improvement were transmitted to the
Continuous GRC capability improvement process and were considered for
implementation.
3.2. Recommendations included in the GRC System Improvement Plan obtained in
Requested Information Item 1.1.2 have been implemented or are in the process
of implementation
3.3. Recommendations not included in the GRC System Improvement Plan obtained
in Requested Information Item 1.1.2 have a documented rationale for not being
included
RP 4. Select all rejected recommendations for inclusion in the GRC System
Improvement Plan obtained in Requested Information Item 1.1.2 and confirm that
the rejection has been accepted by GRC management and oversight authorities
by virtue of the Internal Authorization obtained in Requested Information Item 1.4.
© 2004-2016 Page 63
RP 5. Inspect the GRC System Improvement Plan from the prior fiscal year and trace
the initiatives to the Integrated Plan for the current fiscal year and confirm that the
inclusion/exclusion of initiatives into the Integrated Plan is in accordance with the
Management Narrative obtained in Requested Information 2.1.
RP 6. Select a sample of initiatives in progress or completed in the Integrated Plan
obtained in Requested Information Item 1.6 as refined by Review Procedure 5
above, and confirm the following information:
6.1. That a project management tool (or some other formal methodology) is
being used to track progress
6.2. That progress is being reported to appropriate management and oversight
functions
6.3. If the initiative has been completed, that an assessment has been done to
determine achievement of targeted improvements
6.4. The results of the assessment have been reported to the appropriate
management and oversight functions
6.5. The Prioritized Risk Matrix obtained in Requested Information Item 1.7 and
the GRC Strategic Plan obtained in Requested Information Item 1.1 have
been updated for any changes created by the completed initiative
© 2004-2016 Page 64
APPENDIX 1 – MAPPING IT SOLUTIONS TO RED BOOK
IT Solution (v 2.1) Element Usage Related Suggested
Documentation
IT.01 Audit & Assurance Mgt A5, R2 I.01, A.02, D.01, P.02, R.02 R.03 R.04
IT.02 Board & Entity Mgt L2, A1 A.01, A.02, P.02P.07, R.02, S.01, S.02,
S.03, S.04
IT.03 Brand & Reputation Mgt L1, L2, L3, A3, P1 P.02, R.02, R.03, S.01, S.02, S.03, S.04
IT. 04 Business Continuity Mgt P1, P8 A.02, D.01, P.02, P.03, R.02, R.03
IT. 05 Compliance Mgt L1, L2, L4, A1, A2, A3, P1, P2, P7, R1 P.02, P.07, R.02, R.03, S.01, S.02, S.03,
S.04
IT.06 Contract Mgt L4, A5, P1
IT.07 Control Activity, Monitoring & P1, P6, R1 I.01, A.01, A.02, D.01, P.09, R.02, R.03,
Assurance R.04
IT.08 Corporate Social L1, L3, L4, A1, A2 P.02, S.01, S.02
Responsibility
IT.09 Discovery/ eDiscovery Mgt P8
IT.10 Environmental Monitoring & L1, L2, L3, P1, R1 P.02, P.03, R.02, R.03
Reporting
IT.11 Environmental, Health & L1, L2, L3, A3, A4, A5, P1, P3, P6, P8 P.03, R.02, R.03
Safety
IT.12 Finance/Treasury Risk Mgt A3, A4, A5, P1 I.01, A.02, P.03, R.02 R.03
IT.13 Fraud & Corruption Detection, L2, A3, P1, P6, P8 A.02, D.01, R.02, R.03, S.01, S.02
Prevention & Mgt
IT.14 Global Trade Compliance/ L1, A3, P1, P6 A.03, P.02, R.02, R.03
International Dealings
IT.15 Hotline/Helpline A3,P1, P2, P6, P7 A.03, D.01, D.03, P.02, R.02, R.03, S.01,
S.02, S.03
IT.16 Information/IT Risk & Security A3, A4, A5, P1, P6 I.01, D.02, P.04, R.02, R.03
IT.17 Insurance & Claims Mgt L4, A3, A4, A5, P1, P8 P.02, R.02, R.03
IT.18 Intellectual Property Mgt A3, P1
IT.19 Issue & Investigation Mgt A3, P1, P5, P6, P7, P8, R1 A.02, P.02, P.06, R.02, R.03
IT.20 Matter Mgt A3, A4, A5, P1, P8, R1 P.02, R.02, R.03
IT.21 Physical Security & Loss Mgt L2, A3, A4, A5, P1, P8 R.02, R.03
IT.22 Policy Mgt, Communication & L3, L4, A1, A2, A5, P2, P3, P4, P5 M.01, P.01, P.02, P.08, S.01, S.2, S.03,
Training
S.04
IT.23 Privacy Mgt L1, L2, A3, A4, P1,P2, P4, P7, P8 R.02, R.03
IT.24 Quality Mgt & Monitoring L1, A3, A4, A5, P1, P2, P6, P8 M.03, R.02, R.03, R.04, S.04
IT.25 Reporting & Disclosure L4, A4, A5, P1, P3, P6, P8, R1, R3 I.01, P.02, R.02, R.03
IT.26 Risk Mgt L4, A3, A4, A5, P1, P2, P5, P6, P7 I.01, M.02, M.03, D.01, P.09, R.02, R.03,
S.01, S.04
IT.27 Strategy, Performance & BI L1, L2, L3, L4, A1, A2, A3, A5, P1, R1, R3 A.01, A.02, D.01, P.02, P.04, P.05, P.07,
R.02, R.03, S.03, S.04
IT.28 Third Party/Vendor Risk & L1, L2, A1, A2, A3, A4, A5, P1, P2, P3, I.01, P.02, R.02, R.03 R.04, S.01, S.02,
Compliance
P4, P7, S.03, S.04PrPr
Other – HR / ERP System P1, P7, A5, P8, A.02, D.01, D.04, S.01, S.02, S.03, S.04
© 2004-2016 Page 65
APPENDIX 2 – RED BOOK SUGGESTED DOCUMENTATION
DOC.A – Authorizations
DOC.A.01 – Charter
A document from a governing authority defining the purpose, objective, and
authorization of an individual or group to undertake activities within the specified scope
DOC.A.02 – Segregation of Duties

A document reflecting that the responsibilities of some roles or positions should be kept
distinct from the responsibilities of other roles or positions as a protective measure to
prevent fraud, error, or conflict of interest
DOC.D – Descriptions
DOC.D.01 – Role / Job Descriptions
A detailed explanation of the responsibilities and expectations of an individual in a
particular role or job, generally including:
● Accountabilities and supervisor/oversight responsibilities,
● Reporting obligations,
● Individual performance measure and objectives, and
● Skills, qualifications and experience.
DOC.D.02 – GRC Technology Data Model Descriptions

A document describing the structure and relationships among data within a key
capability Technology Component
DOC.D.03 – Helpline FAQ Descriptions

A complete, detailed description of the questions that are frequently asked to the
helpline, together with the preferred guidance and any information or related resources
to provide to the caller or of use to the helpline staff
DOC.D.04 – Exit Interview Checklist

A document listing the activities to be conducted and questions to be asked during an
interview with an internal stakeholder before his/her departure from the organization
© 2004-2016 Page 66
DOC.I – Internal Standards
DOC.I.01 – Control Taxonomy
A common vocabulary for describing the categories of controls along several
dimensions:
Dimension 1
● Proactive,
● Detective and
● Responsive controls
Dimension 2
● Process
● Human capital
● Technology
● Financial
● Physical controls
DOC.M – Matrices
DOC.M.01 – Policies and Related Procedures Matrix
A table correlating each policy to its attributes and other policies or procedures, and,
optionally, to the training, reports, or other sources for evidence of compliance
DOC.M.02 – Prioritized Risk Matrix

A table correlating each risk to its attributes such as:
● Classification or prioritization,
● Sources of risk (event, trend, requirement, etc.),
● Inherent risk analysis (likelihood, impact, duration),
● Current implemented optimization activities,
● Current residual risk analysis (likelihood, impact, duration),
● Planned optimization activities, and
● Planned residual risk analysis.
DOC.M.03 – Risk / Control Matrix

A listing of risks mapped to related proactive, detective, and responsive actions and
controls.
© 2004-2016 Page 67
DOC.P – Plans
DOC.P.01 – Awareness and Education Plan
A synopsis reflecting the order, timing, audience, and responsibility for all
communications and educational activities to be undertaken over the course of a year or
multiple years
1. to promote general awareness of:
● The organization's commitment to meeting its requirements;
● The capability capabilities;
● The avenues for resolving questions about capability responsibilities and
expectations;
● The capability activities designed to meet requirements, and
2. To educate regarding the specific responsibilities of the general workforce, the
extended enterprise, and those in capability specific roles.
DOC.P.02 – Communication and Reporting Plan

A schedule that sets out the structures, processes, and resources to deliver information
(whether to inform or to persuade) to those with authority and responsibility to act at
appropriate times to affect or monitor a program or initiative. A plan would include:
● Target audience,
● Objectives of the communication,
● Method of delivery,
● Timing of delivery,
● Who is accountable and responsible for the communication and who should
be consulted regarding the communication, and
● For a series of communications, the dependencies between them and relative
timing.
DOC.P.03 – Crisis, Continuity and Recovery Plan

A document or series of documents that sets out the structures, processes, protocols,
and resources to respond to a crisis event, to deliver interim operations pending full
resumption of business, and to recover from the impacts of an adverse event. Such
plans would include:
● Names and contact information for key response personnel,
● Identification and responsible owners of key assets, processes, systems,
supply relationships, and customer relationships,
● Designation of safety, evacuation coordinators and evacuation sites and
paths,
● Key stakeholder contact points (police, fire, utilities, media, employee
representatives, investor relations, analysts, etc.), and
© 2004-2016 Page 68
● Components of this deliverable would include:
● Succession of authority;
● Emergency operations plan;
● Interim operations plan;
● Information systems recovery plan;
● Resumption of operations plan;
● Emergency operating procedures; and
● Test plans.
DOC.P.04 – Information Management Plan

A document that sets out the structures, processes, and resources to manage
information throughout the information life cycle. Would include:
● Classification schema for records, and
● Policies and procedures related to:
● Capture of information;
● Access, use, and transfer of information; and
● Storage, retention, disposition, and retrieval of information.
DOC.P.05 – Capability Strategic Plan

A document that details the structures, processes, technologies, resources, objectives,
and measures to establish and maintain the capability needed to achieve the mission
and vision. Components would include:
● Charter,
● Mission / vision statement,
● Outcomes and maturity milestones (with correlation to business objectives)
● Business case,
● Measurement strategy (metrics, indicators, calculation method, frequency of
measurement, nature and frequency of reporting),
● Organization chart,
● Human capital / vendor relations plan (for implementation and ongoing
operations),
● Financial plan (start-up and operations),
● Technology plan,
● Assurance plan,
● Implementation plan,
● System improvement plan, and
● Internal authorization.
© 2004-2016 Page 69
DOC.P.06 – Investigation Management Plan
A document that sets out the structures, processes, protocols, and resources to perform
and conclude an investigation. Plan would include:
● Investigation governance structure,
● Investigation team,
● Communication and reporting plan,
● Operating and communication procedures,
● Budget,
● Projected schedule of activities, and
● Technology plan (for team management, investigation management, and
information management).
DOC.P.07 – Integrated Plan

A document that details the processes and resources allocated to reliably achieve
objectives while addressing uncertainty and acting with integrity.
DOC.P.08 – Specialized Capability Curriculum Plan

A synopsis reflecting the order and timing of all courses of study for each of the
capability roles and may include a detailed description of each course:
● Name of course,
● Course objectives,
● Skills to be attained, and
● Options for attendance (online, video, live) together with the skills
prerequisites for each course.
DOC.P.09 – Corrective Control Activity Plan

A plan that details the steps to stop or slow an adverse event from impacting an
organization; and restoring the system to a stable state.
DOC.R – Reports
DOC.R.01 – Filings
An official document submitted to a governmental authority (administrative, regulatory,
legislative, or judicial).
DOC.R.02 – Findings and Recommendations Report

A presentation or statement of the outcome of an activity or analysis together with
recommendations for change and/or improvement.
DOC.R.03 – Corrective Action Report

Listing of corrective control activities performed in the period under analysis, grouped by
type of corrective control as well as category of adverse event corrected. Information
from prior periods may be included for comparison and analysis.
© 2004-2016 Page 70
DOC.R.04 – Assurance Report
A report prepared by an assurance function providing conclusions on the design and
operating effectiveness of a capability, provided to management and the governing
authority.
DOC.S – Statements of Position

DOC.S.01 – Code of Conduct
A guide linking an organization's values and principles with rules of professional conduct
DOC.S.02 – Ethical Decisions Guidelines

The organization's recommendation on the factors to consider along with applicable
requirements, policies and philosophies in determining the proper course of action when
faced with an ethical dilemma
DOC.S.03 – Mission/ Vision/ Values Statement

An oral or documented description of the main aims, core beliefs, values, intended future
state, and overall plan that guide the organization's actions and inspires people to act
toward that future state
DOC.S.04 – Statement of Organizational Objectives

A declaration of the tangible results that the organization expects to achieve through
execution of its mission and vision
© 2004-2016 Page 71
APPENDIX 3 - SAMPLING AND TESTING
PARAMETERS
All samples without specific sample size specified
Population Set Sample Size
1001 or greater 35
501 to 1000 The greater of 5% or 25
101 to 500 The greater of 5% or 15
100 or less The lesser of All or 10
© 2004-2016 Page 72
APPENDIX 4 - CRITERIA FOR REVIEW PROCEDURES
This appendix contains the criteria for the execution of Review Procedures specified in
this document. They are arranged in alphabetical order. A summary of the titles of each
set of criteria appears in Appendix 2 with references to the Sub-processes in which each
is used.
© 2004-2016 Page 73
Awareness and Education Plan
A synopsis reflecting the order, timing, audience, and responsibility for all
communications and educational activities to be undertaken over the course of a year or
multiple years
1. To promote general awareness of:
a. The organization's commitment to meeting its GRC requirements
b. The GRC capabilities
c. The avenues for resolving questions about GRC responsibilities and
expectations
d. The GRC capability activities designed to meet GRC requirements
2. To educate regarding the specific responsibilities related to GRC actions and

controls of the general workforce including GRC aspects embedded into
standard job skills training or training on specific processes and systems, the
extended enterprise and those in GRC specific roles.
Referenced in: P4
Content Criteria
The Awareness and Education Plan should include sections on the following
1. General GRC Training
1.1. Content
1.1.1. GRC Mission, vision, and values
1.1.2. Alignment of GRC Mission, vision and values to organizational mission,
vision, values, and objectives
1.1.3. GRC expectations for every employee
1.1.4. General Learning Objectives
1.2. Delivery Channels for awareness and education training and communications
1.3. Localization process (if applicable)
1.4. Target audiences
1.1.5. GRC capability roles
1.1.6. Other employees
1.1.7. Extended enterprise stakeholders
1.5. General GRC Curriculum Plan
2. Specialized GRC Training
1.1. Target Audiences (job/job family or stakeholder group)
1.2. Specialized GRC Curriculum Plan (Appendix 4) for each target audience which
includes:
1.1.1. Legally required training
1.1.2. Training to manage key risks
1.1.3. Training to answer questions posed by sub-ordinates (if applicable to the
job)
1.1.4. Localization (if applicable)
© 2004-2016 Page 74
3. Support Services
3.1. Resource personnel within work units who can respond to inquiries about GRC
responsibilities and expectations
3.2. Curriculum Plan for Help Line first responders
3.3. Appropriate self-help materials:
3.3.1. Frequently Asked Questions list with answers
3.3.2. Electronic copies of appropriate policies and procedures and practice aids
3.3.3. Electronic copy of Code of Conduct and Ethical Decisions Guidelines
4. Monitoring Services
4.1. Targets, indicators, and tolerances for GRC generalized training and role
specific GRC training
4.2. Reports on Awareness and Education Plan activities to GRC oversight
personnel
5. Internal Authorization (see additional content criteria)
© 2004-2016 Page 75
Background Check Methodology
A definition of approach, processes, procedures, and requirements for background
checks for employees and defined roles or types of third-party providers and partners in
the extended enterprise
Referenced in: P1
Content Criteria
The methodology should include all of the following:
1. Apply to all new hires, promotions, transfers for any position:
2. A tiered structure for background checks that relates the robustness of the
background check with the duties, responsibilities, and risks associated with the
job/role that is being filled. Tiers may go from exempt to most robust.
3. Include the following types of background check in the most robust tier:
3.1. Work history
3.2. Criminal record
3.3. Credit history
3.4. Credentials (professional and education)
3.5. Civil legal actions
4. Standard interviewing checklist for each job/role
5. Standard interviewing checklist that probes indicators of:
5.1. Behavior consistent with the organization’s values/principles
5.2. Ethical and unethical behavior and decision-making
6. Documented approval of methodology by the organization’s Legal Counsel
7. A determination based on information gathered of:
7.1. Any history of violations of the law or unethical conduct and, if any, how recently
they occurred
7.2. How any history of violations of law or unethical conduct relate to the area of
concern for the proposed position
7.3. Patterns of violation of the law or unethical conduct
7.4. Conflict of interest
7.5. Compatibility of personal values with organization values
8. Documented signed consent of candidate for background checks
9. Documented results of background checks
10. Record retention criteria for background check materials
© 2004-2016 Page 76
Code of Conduct
A guide linking an organization's values and principles with rules of professional conduct
Referenced in: P2
Content Criteria:
1. Correlate the code of conduct to sources for requirements, principles, and values
2. Prioritize the subjects addressed in the code of conduct based on risk analysis
3. Include an endorsing statement from the Board and senior management
4. Address the goals and philosophy of the code of conduct and how they align with the
overall mission, vision, and values of the organization
5. Provide for the code of conduct to address:
5.1. Compliance with all applicable laws and regulations,
5.2. Conflicts of interest
5.3. Proper use of corporate property, information and opportunities
5.4. Fair treatment in business dealings
5.5. Transparency, timeliness and accuracy of public disclosures and regulatory
reporting
5.6. Prompt internal reporting of violations
5.7. Accountability for adherence to the code provisions
5.8. Substance abuse
5.9. Political contributions and activities
5.10. The importance of ethical values and principles in decision making
5.11. The importance of asking questions and raising issues when concerns
exist
5.12. How to report misconduct, including all channels for reporting and URLs,
emails, phone numbers, and other access points for reporting
5.13. How to report incidents and ask questions
5.14. How to access Helpline FAQ’s and other self-help
5.15. A guarantee of non-retaliation for reporting incidents
6. Define a procedure to waive and depart from the Code of Conduct
7. Provide or reference Ethical Guidelines that address determining a course of action
consistent with the organization’s mission, vision, values, key policies and expected
business conduct when the circumstances are not explicitly covered by the Code of
Conduct, policies and procedures
8. Internal Authorization in form of endorsement (see additional content criteria)
© 2004-2016 Page 77
Code of Conduct Development & Maintenance Methodology
A process utilized for developing, implementing & maintaining the code(s) of conduct
Referenced in: P2
Content Criteria
The methodology should include all of the following:
1. A repeatable methodology is in place
2. Identification and development of all codes of conduct required by legal or other
mandates (e.g., New York Stock Exchange, U.S. Sarbanes-Oxley Act, U.S.
Federal Sentencing Guidelines for Organizations, etc.) or one code that
addresses all such requirements
3. Identification of stakeholders (including those whose behavior may affect the
entity's integrity) who are target recipients of the code of conduct
4. Participation from the various stakeholder communities
5. Establish procedures for globalization and localization of the code of conduct that
consider local issues while preserving management’s intended message
6. Consistency of language and intent between like content, if there are multiple
codes of conduct
7. Review of the code of conduct and implementation approach for compliance with
mandates by appropriate experts
8. A process for periodic review of the code of conduct and Ethical Decisions
Guidelines, including triggers for immediate re-evaluation
9. A process for bringing all employees and affected stakeholders to a baseline
familiarity with the code
10. A process for ensuring that new hires are familiar with the code
11. A process for stakeholders to ask questions of trained resource personnel about
the Code of Conduct and the Ethical Decisions Guidelines
12. A process for dealing with those stakeholders who will not comply with
confirmation or training requirements
13. A process to ensure mandated codes are properly filed with the requiring
authority and that they are made available to the public
14. A process for approval of the code of conduct and the launch approach by
relevant policy owners to confirm adherence to principles.
15. Internal Authorization in form of endorsement (see additional content criteria)
© 2004-2016 Page 78
Communication and Reporting Plan
A schedule that sets out the structures, processes and resources to deliver information
(whether to inform or to persuade) to those with authority and responsibility to act at
appropriate times to affect or monitor a program or initiative
Referenced in: L2, L4, P3, P6
Content Criteria
1. The following should be included for each communication or report:
1.1. Target audience
1.2. Objectives of the communication or report (required report, informational,
actionable, etc.)
1.3. Method of delivery
1.4. Schedule or triggering event
1.5. Delivery date or due date
1.6. Content required
1.7. Location or source of the required content
1.8. Location of each report copy that will be retained in the organization
1.9. Record retention and protection rules
1.10. Method of confirmation of delivery, if required
1.11. Who is accountable and responsible for the communication decision
1.12. Who is accountable for the communication content
1.13. Who is accountable for the communication action
1.14. Who should be consulted regarding the communication before it is sent
1.15. Who must approve the report or communication prior to distribution
1.16. Who will respond to questions regarding the report or communication
1.17. Correlation with other communications to the same or other audiences
1.18. If automated, the System(s) of Record generating the report and
managing the business rules that trigger report generation.
© 2004-2016 Page 79
Continuous GRC System Improvement Methodology
A definition of the essential activities in the process to continuously improve the GRC
capability
Referenced in: L3, P7, R3
Content Criteria
Essential activities in the continuous improvement methodology should include the
following:
1. Provide a mechanism to collect and codify recommendations for capability
improvement from:
1.1. Context monitoring
1.2. Performance monitoring and evaluation
1.3. Issue management
1.4. Workforce and Stakeholder Feedback Framework
1.5. Other direct sources, such as stakeholders and the unaffiliated public
2. Develop a business case (as defined in Appendix 4) for each recommendation
3. Establish criteria for prioritizing improvement recommendations including:
3.1. Criticality of root cause issue being addressed
3.2. Criticality of business objective affected
3.3. Criticality of GRC component affected
3.4. Cost/benefit analysis (business case)
3.5. Improvement Initiative priority taxonomy that provides for
3.5.1. Immediate action initiatives (commenced immediately)
3.5.1.1. One year action initiatives (commenced within next 12 months)
3.5.1.2. Two year action initiatives (commenced within 13-24 months)
3.5.1.3. Declined recommendations (will not be implemented)
3.5.2. Rationale for declining to accept a recommendation as an improvement
initiative and acceptance of the rejection by GRC management and
oversight authority
4. Develop a GRC System Improvement Plan that:
4.1. Includes all accepted recommendations
4.2. Is updated at least quarterly
5. Obtain approval from management to execute the Improvement Plan
6. Monitor the execution of each initiative in the plan
7. Report the status of each initiative, especially:
7.1. Implementation commencement
7.2. Implementation completion
7.3. Whether or not target improvements were achieved
8. Update the GRC capability documentation including:
8.2. Prioritized Risk Matrix
8.4. GRC System Improvement Plan
© 2004-2016 Page 80
Control Taxonomy
A common vocabulary for describing the categories of controls along several dimensions
Referenced in: L2, P1
Content Criteria
1. Dimension 1 – Control Type
1.1. Proactive
1.1.1. Preventive
1.1.2. Incentive
1.2. Detective
1.3. Responsive
1.3.1. Corrective
1.3.2. Rewarding
2. Dimension 2
2.1. Human Capital Controls
2.1.1. Performance evaluation checklist
2.1.2. Exit interview checklist
2.1.3. Background Check Methodology
2.1.4. Training
2.1.4.1. GRC Curriculum Plan
2.1.4.2. Specialized GRC Curriculum Plan
2.2. Process Controls
2.2.1. Standard Approval and Exception Workflows
2.2.2. Supervisory Review and Escalation Triggers
2.2.3. Analytical Procedures
2.2.4. Segregation of Duties
2.2.5. Delegations of Authority
2.3. Physical Controls
2.3.1. Security Cameras
2.3.2. Electronic or manual monitoring of entry/exit to facilities
2.3.3. Electronic or manual monitoring of physical assets (i.e., RFID tags and
readers)
2.3.4. Safety equipment, including automated shut-down/shut-offs and electronic
or manual monitoring, isolation, restriction, or extinguishment of smoke, fire,
flood water, or hazardous chemicals
2.3.5. Emergency systems and communication equipment (i.e., lighting, alerts,
exit locks, radios) to provide for safe navigation and evacuation of facilities
2.4. Technology Controls
2.4.1. Physical access to and surveillance of technology assets
2.4.2. Electronic access to technology assets and intrusion detection
2.4.3. Master data access authority
2.4.4. Transaction authority and fraud detection
2.4.5. Audit trails and log analysis
2.4.6. Testing and quality assurance activities and scans
2.4.7. Alerts, dashboards and notifications
2.4.8. Business rules initiating triggers or shifts in automated workflows
2.4.9. Helpline/Hotline and other reporting channels
© 2004-2016 Page 81
Corrective Action Report
Listing of corrective control activities performed in the period under analysis, grouped by
type of corrective control as well as category of adverse event corrected. Information
from prior periods may be included for comparison and analysis
Referenced in: P1, R3
Content Criteria
1. Undesirable event and condition
2. Category of undesirable event and condition
3. Planned corrective and/or restorative actions
4. Planned completion date
5. Actual completion date
6. Open items
6.1. Revised completion date
6.2. Reason for delay
6.3. Responsible party
© 2004-2016 Page 82
Corrective Control Activity Plan
A plan that details the steps to stop or slow an adverse event from impacting an
organization; and restoring the capability to a stable state
Referenced in: P1
Content Criteria
1. Undesirable event and condition
2. Category of undesirable event and condition
3. Planned corrective and/or restorative action
4. Responsible party for corrective and restorative action
5. Planned completion date
© 2004-2016 Page 83
Crisis, Continuity, and Recovery Plan
A document or series of documents that sets out the structures, processes, protocols
and resources to respond to a crisis event, to deliver interim operations pending full
resumption of business and to recover from the impacts of an adverse event.
Referenced in: P8
Content Criteria
1. Names and contact information for key response personnel
2. Procedures for contact with first responder
3. Procedures for establishing a crisis response headquarters
4. Procedures to determine contractual and legal rights and take contractual and legal
actions to seek indemnification
5. Procedures to evaluate the effectiveness of crisis response and recovery operations
6. Identification of owners of key assets, processes, systems, supply relationships, and
customer relationships
7. Designation of safety, evacuation coordinators and evacuation sites and paths
8. Definition of succession of authority
9. Communication plan for dealing with key stakeholders (utilities, media, employees &
families, investor relations, analysts, etc.)
10. Emergency operations plan
11. Interim operations plan
12. Information systems recovery plan (disaster recovery plan)
13. Resumption of operations plan
14. Test plans
© 2004-2016 Page 84
Crisis, Continuity, and Recovery Plan Development & Maintenance Methodology
A process to develop and maintain a document or series of documents that sets out the
structures, processes, protocols and resources to respond to a crisis event, to deliver
interim operations pending full resumption of business and to recover from the impacts
of an adverse event
Referenced in: P8
Content Criteria
The elements that should be included in the process are:
1. Identification of types of crises or adverse events that might occur and specific
examples of each type that are likely to occur or have significant impact if they do
occur, including impacts on:
1.1. Physical facilities (weather, accidents, intentional harm)
1.2. Access to data (disruption of communications, hardware, or software)
1.3. Protection of confidential information (theft or loss of business or individual data)
1.4. Ability to operate (loss of utilities or technology, political upheaval)
1.5. Public confidence in product or services
1.6. Reputation
1.7. Workforce (health, safety)
1.8. The enterprise, community or individuals from violent criminal conduct
2. Develop procedures to continuously update the list of identified crises or adverse
events and the specific examples of each
3. Develop a business impact analysis for each identified type of crisis or adverse
event, including:
3.1. Refining internal and external risk analysis
3.2. Analyzing implications of loss, delay or inability to access or serve key
stakeholders
3.3. Analyzing anticipated key information losses
4. Develop a strategy for crisis response, including:
4.1. Recovery time objectives
4.2. Prioritization of key business processes and critical functions
4.3. Documented business continuity strategies for emergency operations, interim
operations and recovery plans
5. Prepare a detailed Crisis, Continuity and Recovery Plan for each type of crisis or
adverse event that includes the following elements:
5.1. Names and contact information for key response personnel
5.2. Procedures for contact with first responder
5.3. Procedures for establishing a crisis response headquarters
5.4. Procedures to determine contractual and legal rights and take contractual and
legal actions to seek indemnification
5.5. Procedures to evaluate the effectiveness of crisis response and recovery
operations
5.6. Identification of owners of key assets, processes, systems, supply relationships,
and customer relationships
5.7. Designation of safety, evacuation coordinators and evacuation sites and paths
© 2004-2016 Page 85
5.8. Definition of succession of authority
5.9. Communication plan for dealing with key stakeholders (utilities, media,
employees &families, investor relations, analysts, etc.)
5.10. Emergency operations plan
5.11. Interim operations plan
5.12. Information systems recovery plan (disaster recovery plan)
5.13. Resumption of operations plan
5.14. Test plans
5.15. Internal Authorization (see additional content criteria)
© 2004-2016 Page 86
Ethical Decisions Guidelines
The organization's recommendation on the factors to consider, along with applicable
requirements, policies and philosophies, in determining the proper course of action when
faced with an ethical dilemma
Referenced in: P2
Content Criteria
The elements of a process to establish ethical decision guidelines should include:
1. Stakeholder participation from across the extended enterprise and internal cultures
(sub- cultures)
2. Identification of ethical and cultural factors to be considered in reaching a decision
about a course of action, including:
2.1. Congruence with the organization’s mission, vision and values
2.2. Congruence with the organization’s requirements
2.3. Consideration of all relevant viewpoints
2.4. Completeness of all facts needed to reach a decision
2.5. Consistency with prior organization behavior and anticipated future decisions
under analogous circumstances
2.6. Comfort with others broadly knowing which individual made the decision
2.7. Consideration of likely implications to and reactions of stakeholders, influencers
or the public
2.8. Preparation of a clear and cogent explanation for the decision
3. Internal Authorization in the form of endorsement of the Board and senior
management (see additional content criteria)
4. Procedures for globalization and localization of the guidelines
5. Procedures to ensure distribution and availability of the guidelines and support
service
6. A program for awareness and education on the guidelines concurrent with
awareness and education on the code of conduct
© 2004-2016 Page 87
Exit Interview Checklist
A document listing the activities to be conducted questions to be asked during an
interview with an internal stakeholder before his/her departure from the organization
Referenced in: P7
Content Criteria
1. Verifies all organization assets are returned
2. Asks whether the individual observed or suspected any compliance failure, unethical
conduct, unequal or bias response or discipline for misconduct, uncontrolled risks
3. Inquires into feelings about the effectiveness of the GRC capability and any apparent
weaknesses
4. Determines feelings of the departing individual toward the organization, management
and immediate supervisors
5. Advises how to report concerns or issues after separation.
6. Advises of post-separation continuing GRC responsibilities
6.1. Confidentiality
6.2. Non-competition limitations
6.3. Assignment and perfection of interests in intellectual property conceived during
employment or contract period
6.4. Use of corporate identity in statement of employment history, CV, electronic
profiles
7. Advises of firm’s post-separation continuing GRC responsibilities
7.1. Continuing benefits
7.2. Employment verification and endorsements
7.3. Delivery of and procedures for completion of rewards and incentives (i.e.,
eligibility, stock option exercising, etc.)
© 2004-2016 Page 88
External Authorizations
A grant of approval, authority or acceptance from an entity or geopolitical authority
outside the control of the organization receiving it.
Referenced in: P6
© 2004-2016 Page 89
Findings and Recommendations Report
A presentation or statement of the outcome of an activity or analysis together with
recommendations for change and/or improvement
Referenced in: L1, L3, P1, P5, P7, P8, R1, R2, R3
Content Criteria
All findings and recommendation reports should contain the following (if applicable):
1. Component and element to which the report applies:
a. Objective measure being evaluated
b. Target or Indicator
c. Established tolerance
d. Actual condition or situation
e. Source of facts
f. Gap or situation analysis (i.e., Is the actual within tolerance?)
g. Recommended action
© 2004-2016 Page 90
GRC Business Case (a part of the GRC Strategic Plan)
A documented rationale for the allocation of resources to the implementation and
operation of the GRC capability
Referenced in: A1
Content Criteria
1. Desired outcomes of the GRC capability,
2. Why it is needed and how it adds value,
3. How it will be structured,
4. How it will be resourced with people, funding and technology (and how much) during
initial implementation
5. How it will be resourced with people, funding and technology (and how much) when
operating in business as usual mode,
6. How it relates to business objectives and the existing operational model,
7. When system components, elements, processes, practices, and enabling technology
will be implemented,
8. How performance will be measured, and
9. How assurance will be provided.
© 2004-2016 Page 91
GRC Capability Charter
A document from a governing authority defining the purpose, objective and authorization
of an individual or group to undertake activities within the specified scope
Referenced in: A1
Content Criteria
1. Mission and vision of the GRC capability
2. Scope (enterprise-wide or in stages by broad or narrow risk areas)
3. Objectives (mandates)
4. Authorized activities
5. Roles and Responsibilities
6. Outcomes and accountability
7. Reporting Relationship
© 2004-2016 Page 92
GRC Design and Performance Assessment Methodology
A definition of the essential activities in evaluation of GRC capability design and
operation
Referenced in: A2, A5, R1
Content Criteria
The performance assessment methodology should include the following activities:
GRC Capability Design Activities:
1. Identification of those aspects of the GRC capability design that must be re-
evaluated periodically, including:
1.1. Alignment of GRC capability and organization goals, objectives, and values
1.2. Effectiveness in preventing and detecting conduct or events that violate
mandated or voluntary requirements
1.3. Efficiency of controls established as part of the capability
1.4. Appropriateness of controls established as part of the capability relative to the
level of risk
1.5. Responsiveness of the capability
2. Identification of appropriate monitoring controls for each aspect of the GRC capability
design to be evaluated, including:
2.1. Technologies to flag incidents of non-conformance to design criteria
2.2. Review of reports and other required documentation
2.3. Review of established metrics and performance indicators
2.4. Review of testing controls information
3. Risks, Rewards and Requirements Prioritization Activities
4. Re-assessment (assessment if a newly identified risk, reward or requirement) of the
priority assigned selected risks, rewards and requirements by analyzing:
4.1. Information from proact, detect, and respond activities
4.2. Information from context monitoring activities
Management Activities and Controls:

5. Identification of Key management activities and controls:
5.1. Whose failure may not be detected in a timely manner
5.2. Whose failure may trigger failure of other management activities and controls
5.3. That may compensate for the failure of other management activities and controls
5.4. That are complex and therefore more likely to fail
5.5. That require special skills and/or training for affected staff
6. Determination of the percentage of automated to manual management activities and
controls for each Key Risk
7. Analysis of known failures of management activities and controls
© 2004-2016 Page 93
Monitoring Activities:
8. Identification of the information to be used for monitoring, including the following:
8.1. Information from monitoring of the internal and external environments
8.2. Substantiated incidents and established patterns of misconduct from the Issue
Management Framework
8.3. Results of testing controls
8.4. Information generated by the business processes for operational purposes
8.5. Information to be generated from surveys, interviews, or other direct gathering
techniques
9. Identification of testing method (review of documentation, sampling, 100% testing,
survey, interview) for each type of information
10. Preparation of a GRC Assessment Plan for each assessment to be performed that
identifies
10.1. The scope of the assessment:
10.1.1. Design assessment, performance assessment or both
10.1.2. GRC functional area (i.e., total GRC capability, compliance function,
financial reporting function, etc.)
10.1.3. GRC component or components (i.e., Context & Culture, Detect &
Discern)
10.1.4. Specific areas within component (i.e., Hotline in the Detect & Discern
component)
10.2. GRC capability manager responsible for the part of the GRC capability
being evaluated
10.3. The composition of the assessment team
10.4. Skills needed
10.5. Team members including designation of team leader
10.6. Standards for documentation and records retention
10.7. Monitoring Activities to be performed based upon scope of the
assessment
10.8. Schedule of monitoring activities
10.9. Report composition and distribution
Analysis and Reporting Activities:

11. Establishment of a process to integrate information from multiple sources
12. Establishment of a process to reconcile conflicting information
13. Identification of misconduct and/or control failures outside of established tolerances
14. Identification of a pattern of misconduct and/or control failures related to a particular
location, supervisor, or individual
15. Identification of a pattern of misconduct and/or control failures related to a particular
process, policy or technology control
16. Establishment of a process to report the results of analysis with proposed responses
to responsible GRC management and oversight functions
© 2004-2016 Page 94
GRC Information Management Plan
A document that sets out the structures, processes and resources to manage GRC
information through-out the information life-cycle
Referenced in: A5, P3
Content Criteria
The plan should include the following sections as detailed in the Information
Management Plan Development and Maintenance Methodology:
1. Information classification
2. Information collection
3. Access, use, and Transfer of information
4. Storage and Disposition
© 2004-2016 Page 95
GRC Information Management Plan Development and Maintenance Methodology
A definition of the elements of the GRC Capability information management plan
Referenced in: A5
Content Criteria
The GRC information management plan should include the following elements:
1. Information Classification Structure
1.1. Definition of GRC Capability records
1.2. Establishment of a classification schema
1.3. Establishment of requirements for each record including:
1.3.1. Type
1.3.2. Privacy requirement
1.3.3. Confidentiality requirement
1.3.4. Preservation requirement
1.3.5. Retention requirement
1.3.6. Disposition requirement
1.3.7. Availability requirement
1.3.8. Operational strategic value
1.3.9. Data owner
1.3.10. Source of information (database application, e-mail, Excel, etc.)
1.3.11. Associated business process(s)
1.3.12. Associated policy(s)
1.4. Periodic evaluation of the classification structure
2. Information Collection Structure
2.1. Establishment of processes for collecting or creating information
2.2. Establishment of policies and procedures defining information ownership
2.3. Establishment of procedures (including schedules and triggers) for reconciling
disparate information
2.4. Monitoring of the reconciliation schedule and the report on triggering events to
ensure reconciliations are performed when required or needed
2.5. Establishment of procedures for reviewing and approving the resolution of
disparate information
3. Access, Use & Transfer Structure
3.1. Establishment of processes and criteria for managing access, authorization and
authentication, including:
3.1.1. Determination of level of access required
3.1.2. Data owner approval
3.1.3. Administration of access (add, change, or remove access)
3.1.4. Password requirements
3.1.5. Authentication method
3.1.6. Access to physical storage locations
3.2. Establishment of a process for appropriately defining, tagging, handling, and
storing privileged, confidential, and other “special handling” documents,
deliverables and/or artifacts
3.3. Establishment of a process for transferring information
© 2004-2016 Page 96
3.4. Establishment of a procedure for containment and response to breaches of
information access and use procedures
4. Storage & Disposition Structure
4.1. Establishment of processes for storing and maintaining information
4.2. Establishment of processes for retention, destruction, restoration, and
disposition of information including variances for differing storage media
4.3. Establishment of off-site storage and rotation requirements
4.4. Establishment of processes for manual and automated capability deletion of
information
4.5. Establishment of a process for deletion of information on hardware, media, and
software that is being retired or recycled
4.6. Establishment of a process for identifying and halting destruction of information
4.7. Establishment of test procedures for restoration of data from back-up storage
media
4.8. Testing of restoration procedures
4.9. Establishment of a procedure for containment and response to breaches of
information storage and disposition procedures
© 2004-2016 Page 97
GRC Strategic Plan
A document that details the structures, processes, technologies, resources, objectives
and measures to establish and maintain the capability needed to achieve the mission
and vision
Referenced in: L3, A1, A5, P5, R1, R2, R3
Content Criteria
1. GRC Capability Charter
2. Mission / vision statement
3. Outcomes and maturity milestones (with correlation to business objectives)
4. GRC Business Case
5. Measurement strategy (metrics, indicators, calculation method, frequency of
measurement, nature and frequency of reporting), Communications and Reporting
Plan Organization chart
6. Human Capital Resource Plan, including outsourced/co-sourced resourcing (for
implementation and ongoing operations)
7. Financial plan (start-up and operations)
8. GRC Technology Plan
9. GRC Assessment Plan
10. Assurance plan
11. Implementation plan
12. GRC System Improvement Plan
© 2004-2016 Page 98
GRC Technology Data Model Description
A document describing the structure and relationships among data within a key GRC
Technology Component
Referenced in: P1
Content Criteria
Every technology control should have the following qualifiers:
1. Technology Control ID
2. Technology Control Description
3. Type of Control (Infrastructure, Business application, GRC core application)
4. Data Field(s) affected for each identified System
5. Control parameters/criteria
6. Role with authority to alter data field parameters/criteria
7. Exception Recovery Type (Immediate or suspense file)
8. Suspense file description
9. Role with authority to clear suspense file items
10. Suspended/exception item report frequency
11. Manual process or procedure affected
12. Job/roles affected
13. Associated Physical controls
14. Associated Human Capital controls
© 2004-2016 Page 99
GRC Technology Plan Development Methodology
A definition of the steps necessary to develop the GRC Technology Plan
Referenced in: A5
Content Criteria
Plan development should include the following steps:
1. Inventory GRC technology requirements
2. Identify available technology in the organization
3. Determine for each GRC technology requirement whether or not:
3.1. Technology will be used to meet the requirement
3.2. Existing organization technology will be used
3.3. Existing organization technology will be modified and used
3.4. New technology will be acquired
4. Determine whether to build or buy modifications and new technology
5. Develop a GRC Technology Plan (a prioritized set of initiatives to build or buy
modifications and new technology)
6. Determine who will own and maintain each GRC technology solution
7. Obtain approval for implementation including:
7.1. GRC capability management approval of the GRC Technology Plan
7.2. Organization’s Information Technology management inclusion of GRC
Technology Plan initiatives in the organization’s technology plan
© 2004-2016 Page 100

Integrated Plan
A document that details the processes and resources allocated to reliably achieve
objectives while addressing uncertainty and acting with integrity
Referenced in: L2, L3, A2, A4, P1, R1, R2, R3
Content Criteria
1. Current management activities and controls to be eliminated
2. Current management activities and controls to be revised
3. New management activities and controls to be implemented
4. Change management process for the initiative:
4.1. Communication plan
4.2. Coordination plan with other initiatives, processes, management activities and
controls
4.3. Training plan
5. Data fields for each initiative, including:
5.1. Risk, reward or conformance description
5.2. Risk, reward or conformance classification
5.3. Inherent risk value
5.4. Risk, reward or conformance prioritization scoring and rank
5.5. Current management strategy
5.6. Current management activities and controls
5.7. Current monitoring activities
5.8. Residual risk objective or reward measure, as applicable
5.9. Role/job responsible and accountable for this management activity and control
5.10. Initiative completion and acceptance criteria
5.11. Budget
5.12. Human capital plan
5.13. Technology plan
5.14. Implementation timeline, milestones and related authorization to proceed
criteria
5.15. Measurement plan (project performance and outcomes)
5.16. New residual risk objective or reward measure, as applicable
5.17. Accountability and authority for implementation of the initiative
5.18. Assurance plan
6. Internal Authorization (see additional criteria)
© 2004-2016 Page 101

Internal Authorization
A grant of approval, authority or acceptance from an individual vested with accountability
or responsibility for a particular activity, function, process, or entity
Referenced in: A1, P6, R3
Content Criteria
1. What is to be done
2. Why it is being done
3. Who is to do it
4. What authority is granted
5. Who has oversight responsibilities
© 2004-2016 Page 102

Investigation Management Plan
A document that sets out the structures, processes, protocols and resources to perform
and conclude an investigation
Referenced in: P8
Content Criteria
Plan should include:
1. Investigation governance structure
2. Investigation team (both internal and independent third-parties)
3. Communication and reporting plan
4. Operating and communication procedures
5. Budget
6. Projected schedule of activities
7. Technology plan (for team management, investigation management, and information
management)
© 2004-2016 Page 103

Issue Management Framework
A description of the attributes in the components of the Issue Management Framework,
namely
• Infrastructure
• Intake and Filtering
• Resolution
• Reporting
Referenced in: P6, P8
Content Criteria
The following criteria are required for each Operating Geography and should be uniform
across all geographies in an entity, except for localization resulting from language,
culture or legal requirements
Infrastructure:
1. Policies and Procedures
1.1. Issue Management System Policy
1.1.1. What stakeholders are covered by the system (both Hotline and Helpline)
1.1.2. What issues should be reported (incident reporting) or what subject matter
will be addressed (performance reporting)
1.1.3. Identification of which of the following intake channels are available, when
they are available, and how to access them
1.1.3.1. In person
1.1.3.2. Phone
1.1.3.3. Mail
1.1.3.4. E-mail
1.1.3.5. Web
1.2. Legal Analysis Policy & Procedures including at a minimum
1.2.1. Whistleblower protection
1.2.2. Data protection (privacy & security)
1.2.3. Anonymity (people & content)
1.2.4. Required operating licenses
1.3. Localization Policy & procedures, if necessary for:
1.3.1. Language
1.3.2. Culture
1.3.3. Regulatory (legal)
1.4. Non-retaliation and Whistleblower Protection Policy & procedures
1.5. Data Protection (privacy & security) Policy & Procedures
1.6. Confidentiality (People & Content) Policy & Procedures
1.7. Anonymity (People & Content) Policy & Procedures
1.8. Policy & Procedures on feedback to Notification party
1.9. Record Retention Policy & Procedures for all documents and data
© 2004-2016 Page 104

2. System Access and Authentication Policy & Procedures including:
2.1.1. Password strength specifications (i.e., length/character requirements)
2.1.2. Password duration specifications
2.1.3. Password reminder protocols
2.1.4. User role definitions and access rights for each identified role
3. Standard Classification Schemes
3.1. Issue Categories (Examples only: defined by organization)
3.1.1. Corruption & Fraud
3.1.2. Finance & Accounting Matters
3.1.3. Asset / Information Misuse & Access
3.1.4. Customer / Partner / Competitor Issues
3.1.5. Equal Opportunity / Affirmative Action issues
3.1.6. Human Resources / Employees
3.1.7. Environmental, Health & Safety
3.1.8. Government Activity
3.1.9. General Inquiry / Question
3.1.10. Regulatory (based on industry)
3.1.11. Items not mentioned above
3.2. Notification (Incident) Categories
3.2.1. Incident
3.2.2. Concern
3.2.3. Inquiry
3.2.4. Third-Party initiated investigation
3.3. Resolution Categories
3.3.1. Critical incident/concern (resolved through immediate action process)
3.3.2. Material incident/concern (resolved through internal investigation process)
3.3.3. Standard incident/concern (resolved through standard incident/concern
process)
3.3.4. Immaterial incident/concern (resolved through standard incident/concern
process)
3.3.5. Inquiry (resolved through Inquiry process)
3.3.6. Third-party (externally initiated) investigation
4. Standard Databases And Database Fields
4.1. Frequently Asked Questions (FAQ) database
4.1.1. Question
4.1.2. Answer
4.1.3. Subject Matter expert
4.1.3.1. Name
4.1.3.2. Position
4.1.3.3. Contact information
4.1.4. Source of answer (legal citation, policy & procedure, etc)
4.1.5. Pointers to associated questions
4.1.6. Date last revised
4.1.7. Number of “hits” in current business year
4.1.8. Associated issue category
5. Intake Channels
5.1. Intake Channel Name
5.2. Intake Channel Stakeholder Coverage (who uses it)
5.3. Intake Channel Operating Geography
5.4. Intake Channel Technical Availability representations and targets (how available
is it)
© 2004-2016 Page 105
5.5. Intake Channel Classification as “Anonymous” channel
5.6. Intake Channel Vendor Usage
5.7. Intake Channel Years in Service
5.8. Intake Channel Utilization (# incidents reported in that channel for the lesser of 5
years
5.9. Or # years in service)
5.10. Intake Channel Substantiation Rate (# incidents substantiated / #
incidents reported)
6. Issues (incident, concern, or inquiry)
6.1. Unique Report ID
6.2. Related Reports
6.3. Incident Number
6.4. Referred System report ID
6.5. Date / Time Notified
6.6. Event Date / Time
6.7. Detection Date / Time
6.8. Description of Event
6.9. Details of Event / Allegation
6.10. Chain of Authority Exclusions
6.11. Level of Previous Management Awareness and Action
6.12. Source(s) of Notification (individual or anonymous)
6.13. Channel Used to Notify
6.14. Location of Issue Occurrence
6.15. Issue Category
6.16. Special Handling Category
6.17. Code Violation
6.18. Stage
6.19. Priority
6.20. Non-retaliation Protocols
6.21. Privilege Status
6.22. Re-occurrence
6.23. Implicated Parties
6.24. Journal of Contacts with Source
6.25. Applicable Guidance
6.26. Facts/Findings/Analysis
6.27. Root Cause
6.28. Outcome Category
6.29. Discipline Taken
6.30. Location of Records
6.31. Associated Documents
6.32. Associated Loss
6.33. Individuals / Team Assigned
6.34. Work Notes
6.35. How the source became aware of the issue
6.36. Whether the source has approached the accused individual
6.37. Expected Response Time
6.38. Date(s) when source can expect next status report or contact
6.39. Unique fields required based upon particular type of report
6.40. Unique fields associated with control and risk assessment, risk
remediation and testing
6.41. Detection Lag
© 2004-2016 Page 106
6.42. Reporting Lag
6.43. Satisfaction Ratings
6.44. Availability
Intake and Filtering:

7. Notification Capture Policy & Procedures for:
7.1. Incident notification (Hotline)
7.1.1. By phone
7.1.2. By web
7.2. Performance notification (Helpline/Help Desk)
7.2.1. By phone
7.2.2. By web
7.3. Exit interview
7.4. Phone, mail, or e-mail notification to other than the Hotline or Helpline
7.5. Other internal and/or external communications
8. Intake personnel training Policy & Procedures
9. Issue filtering Protocol (Policy & Procedures)
9.1. Establish a core team to:
9.1.1. Receive all notifications
9.1.2. Triage each notification
9.1.3. Monitor routing and escalation of decisions
9.1.4. Monitor resolution of each issue
9.2. Establish a procedure to ensure the alleged perpetrators are not included in the
processing of the issue and are removed from involvement at any point at which
they are identified as the potential targets of an investigation
9.3. Define “investigation tiers” that identify who will address issue of particular scope
and/or type
9.4. Define categories of issues that are anticipated in the course of business and
establish procedures for resolving them at the line management level
9.5. Define escalation triggers to the following (for each issue category immediately
upon validation of the issue):
9.5.1. Board or a committee of the Board
9.5.2. Senior management and/or outside counsel
9.5.3. Special investigators
9.6. Establish procedure for triaging each notification to:
9.6.1. Validate Issue category determination
9.6.2. Determine resolution category
9.6.3. Validate incident or concern
9.6.4. Identify routing and escalation requirements
Resolution:
10. Immediate Action Resolution Process
10.1. Define conditions that require immediate action such as:
10.1.1. Alleged Senior management wrongdoing
10.1.2. Alleged illegal or unsafe business unit operations
10.1.3. Required immediate reporting of allegations to regulators
10.2. Identify for each condition:
10.2.1. Who will have oversight authority and render a decision
10.2.2. Who will lead the investigation (Legal, special investigator, outside
counsel)
© 2004-2016 Page 107
10.2.3. Timeline for investigation
10.2.4. How results will be reported
11. Internal Investigation Process (including investigation management plan
development:
11.1. Interviewing protocols
11.2. Required “Warnings” (Upjohn, Zar, etc.)
11.3. Procedure to notify and involve enforcement if required
11.4. Procedure to notify and involve Legal department
11.5. Procedure to notify and involve the Board if required
11.6. Procedure for escalating issues or amending previous escalations when
new facts are discovered
11.7. Procedure for issuing “Document Hold” memoranda
11.8. Procedure for securing information
11.9. Procedure to restrict or cease business activities
11.10. Procedure for developing an Investigation Management Plan including:
11.10.1. Define the scope of the investigation:
11.10.1.1. Documents to be obtained
11.10.1.2. Interviews to be conducted
11.10.1.3. Data to be analyzed
11.10.1.4. Anticipated repots
11.10.1.5. Audience for each report
11.10.1.6. Investigation budget
11.10.1.7. Rules of evidence to be followed
11.10.2. Determine the need for immediate notification (i.e., Board,
independent auditors, regulators)
11.10.3. Determine if the investigation will be conducted under the rules of
privilege
11.10.4. Define the investigation team roles and required skills for each role
11.10.5. Identify the team members, including the team leader
11.10.6. Document objectivity of team member (no conflict of interest)
11.10.7. Identify the need for outside assistance (legal, accounting,
forensic, technical)
11.10.8. Define internal management responsible for oversight of the
investigation
11.10.9. Define coordination and communication requirements
12. Standard Incident/Concern Resolution Process
12.1. Define procedures to be used by line managers to address immaterial or
standard issues anticipated to occur normally in the course of business
including:
12.1.1. Processing rules
12.1.2. Provision of counsel rules
12.1.3. Privilege rules
12.1.4. Record retention rules
12.1.5. Escalation rules
12.1.6. Reporting rules
12.1.7. Appeal of resolution rules
13. Inquiry process
13.1. Define frequently asked questions (FAQ) and responses
13.2. Identify subject matter experts for each category of issues who can
answer non-standard questions
© 2004-2016 Page 108

13.3. Provide a mechanism to vet answers to non-standard questions before
they are relayed to the inquirer
13.4. Provide a mechanism to capture answers to non-standard questions for
inclusion in FAQ database
13.5. Provide an escalation path for each issue category for use when the
question exceeds the knowledge or authority of the subject matter expert
13.6. Provide a mechanism to upgrade an inquiry to an incident/concern at any
time in the inquiry process
14. Third-Party Investigation Process (externally initiated)
14.1. Identify Third-Party Investigations
14.1.1. Establish multiple pathways for intake of third-party questions
14.1.2. Establish procedures for filtering third-party questions to determine if:
14.1.2.1. The question relates to a possible investigation
14.1.2.2. The question should be referred to in-house counsel
14.1.3. Establish procedures requiring reporting of non-standard third-party
inquiries to appropriate management personnel
14.1.4. Establish procedures to monitor external sources for potential third-party
investigations
14.2. Manage Third-Party Investigations
14.2.1. Establish an inventory of the types of possibly third-party investigations
and assign management responsibility for each type
14.2.2. Determine and document organizational rights and safeguards for each
type of third- party investigation inventoried
14.2.3. Establish policies and procedures to follow for each type of investigation if
it should materialize, including:
14.2.3.1. Procedures for establishing an internal response team and
identifying the team leader
14.2.3.2. Procedures for responding to interview requests and subpoenas
14.2.3.3. Procedures for responding to document requests and subpoenas
14.2.3.4. Procedures for responding to information that former employees or
other stakeholders have been contacted for interviews or documents
14.2.3.5. Procedures for responding to sudden on-site presence of
investigators demanding documents or seizure of premises
Reporting:
15. Establish procedures and triggers for informing the following of potential or actual
third-party investigations
15.1. Board or committee of the Board
15.2. Independent auditors
15.3. Regulatory agencies
15.4. Creditors
15.5. Insurers
15.6. Senior management
15.7. Public relations responsible party
16. Establish procedures for addressing questions of privilege, privacy and confidentiality
with investigators
17. Establish procedures for determining conflict of interest of individuals involved in the
investigation from the organization or the investigators
© 2004-2016 Page 109

18. Prepare a Response Management Plan for each type of inventoried investigation:
18.1. Collect or identify all requested documents and data and initiate document
holds to stop any routine destruction or removal
18.2. Document exactly what is provided to the third party
18.3. Track list of released items being maintained as privileged
18.4. Track information that will be released as non-privileged, indicating that
the release is intentional and controlled
18.5. Determine individuals who will need to be interviewed to fulfill
investigation requests, both current personnel of the organization and former
employees or agents
18.6. Determine if any requests for information are to be refused and develop
(under legal review)a denial of request response
18.7. Determine the need to negotiate confidentiality agreements regarding
certain information to be delivered to the third party and whether the organization
needs to seek to provide any privileged information under seal
18.8. Inform individuals involved in the investigation as witnesses, interviewees
or otherwise, that in-house and outside counsel represent only the organization
and not them individually, and document that they understand
18.9. Internally and externally communicate investigation results and
recommended actions
19. Establish a procedure for updating the issue database for third-party investigations
20. Report findings and recommendations from all resolution processes in accordance
with the procedures established for each resolution type (immediate, internal
investigation, standard, inquiry, and third-party investigation)
21. File external reports and disclosures as required by laws, contracts or agreements
22. Ensure that the results of all resolution processes are recorded in the appropriate
issue record in the Issue database
23. Analyze issue management activity and report trends or patterns by:
23.1. Issue Category
23.2. Resolution category
23.3. Geography
23.4. Location
23.5. Role/Job
23.6. Employee level
23.7. Employee type (exempt, non-exempt, temporary)
23.8. Supervisor
© 2004-2016 Page 110

Mission/ Vision/ Values Statement
An oral or documented description of the main aims, core beliefs, values, intended future
state and overall plan that guide the organization's actions and inspires people to act
toward that future state
Referenced in: A1
Content Criteria
1. What the organization will do (mission)
2. What the organization will be (vision)
3. How the organization will make business decisions
3.1. In relation to the law
3.2. In relation to ethics and integrity
© 2004-2016 Page 111

Policies and Related Procedures Matrix
A table correlating each policy to its attributes and other policies or procedures, and,
optionally, to the training, reports or other sources for evidence of compliance
Referenced in: P2, R3
Content Criteria
This matrix is an inventory of all GRC policies and related procedures. The attributes
listed for each axis of the matrix are required. Other attributes may be added to the
Horizontal Axis as identified
1. Vertical Axis contains all GRC capability policy statements
1.1. Identifier
1.2. Policy Statement Title
2. Horizontal Axis contains a separate column for each of the following elements
2.1. GRC Role Owner
2.2. Target Audience(s)
2.3. Policy Objective or purpose
2.4. Related GRC procedures
2.5. Other related GRC policies
2.6. Related Organization Policies
2.7. Affected Organization Processes (business units)
2.8. Last Updated
2.9. Next review date
3. Associated Awareness and Education Plan (optional)
4. Associated Communications and Reporting Plan(optional)
© 2004-2016 Page 112

Policy and Procedures Development, Implementation, and Maintenance Methodology
A process utilized to develop, implement & maintain relevant policies and related
procedures
Referenced in: P1, P2
Content Criteria
1. Development
1.1. Reason for policy or procedure (mandate, standards, voluntary commitment,
internally created requirement)
1.2. Developed, issued, or modified only by an appropriate authority
1.3. Defined objective
1.4. Defined target audience
1.5. Appropriate experts approve mandated policies and procedures
1.6. Affect on business model elements analyzed
1.7. Defined application to extended enterprise
1.8. Process to translate or localize policies or procedures when necessary
1.9. Correlation to interrelated or dependent policies and/or procedures
1.10. Use of templates to ensure uniformity of style and content
2. Implementation
2.1. Method for making policy or procedure available to target audience
2.2. Training of target audience and testing for understanding of policy or procedure
2.3. Confirmation required from target audience of receipt of policy or procedure
2.4. Defined awareness, education, and support practices for each target audience
2.5. Defined methods for assessing knowledge of policy or procedure existence and
understanding for each target audience
3. Maintenance
3.1. Defined procedure to notify help desk of any additions, modifications, or
expiration of policies or procedures
3.2. Defined method to assess periodically the effectiveness of each policy or
procedure in meeting its defined objective
3.3. Defined process to handle exceptions and deviations
3.4. Defined process to review, revisit, modify or expire policy or procedure
3.5. Defined process to track changes and versions
3.6. For procedures only, a defined testing approach and monitoring activities to
ensure the procedure is operating effectively within defined tolerances
© 2004-2016 Page 113

Prioritized Risk Matrix (includes the Risk/Control Matrix)
A table correlating each risk to its attributes
Referenced in: L1, L2, L3, L4, A3, A4, A5, P1, P4, R1, R3
Content Criteria
The set of attributes for each risk, opportunity or requirement includes, as applicable:
1. Classification or prioritization,
2. Source of risk, opportunity or requirement (event, trend, requirement, etc.)
3. Inherent risk analysis (likelihood, impact, duration)
4. Current residual risk analysis (likelihood, impact, duration)
5. Decision methodology for accepting opportunities (ROI, cost/benefit, etc.).
6. Level of importance (priority) assigned to initiative to implement the opportunity (for
comparison to level of inherent risk and/or desired residual risk to determine
appropriate allocation of resources)
7. Planned reward measure for the implemented opportunity
8. Current indicators and triggers
9. Current accountability
10. Planned residual risk analysis
11. Planned indicators and triggers
12. Planned accountability
13. Risk/Control Matrix - A listing of risks mapped to related proactive, detective and
responsive actions and control, including:
13.1. Current implemented management activities and controls correlated to
each risk, opportunity or requirement
13.2. Planned management activities and controls correlated to each risk,
opportunity or requirement
© 2004-2016 Page 114

Risk, Requirements & Opportunities Identification & Assessment Methodology
The process used to identify risk, requirements & opportunities that may affect the
achievement of business objectives and to assess their inherent and residual values.
Referenced in: A2, A3, A4
Content Criteria
Identification:
1. Define a taxonomy for:
1.1. Classifying risks
1.2. Classifying internal and external sources of requirements
1.3. Classifying types of requirements
1.4. Classifying internal and external sources of opportunities
1.5. Classifying types of opportunities
1.6. Classifying the impact of risk
1.7. Classifying the impact of non-compliance with requirements
1.8. Levels of impact and levels of likelihood
2. Define a common set of definitions, including:
2.1. Inherent risk
2.2. Residual risk
2.3. Impact and likelihood
2.4. Risk appetite/tolerance
2.5. Risk treatment
2.5.1. Avoid/terminate
2.5.2. Share/transfer
2.5.3. Reduce impact and/or likelihood
2.5.4. Tolerate/accept
2.6. Prioritization determination process
2.7. Threat and requirements identification process
2.8. Opportunities identification process
2.9. Top down and bottom up input
2.10. Tools used in the process
3. Define roles, responsibilities, expectations and authorities for risk, requirements &
opportunities identification
© 2004-2016 Page 115

Assessment (Likelihood and impact calculation method):
4. Define methodology including consideration of:

4.1. Industry and peers
4.2. Organization history
4.3. Geography
4.4. Changes in regulatory enforcement trends
4.5. Defined method for assigning values to likelihood and impact
4.6. Prioritization, including identification of risks requiring immediate attention and
resolution
5. Define evaluation methodology(ies) for opportunities, such as:
5.1. Force Field Analysis (benefits/risks & requirements)
5.2. Business Case (cost/benefit analysis)
5.3. ROI (Return on Investment)
6. Define levels of importance of implementation of opportunity initiative, such as
6.1. HIGH = immediate implementation
6.2. MEDIUM = within a defined time frame
6.3. LOW = if resources are available after handling all HIGH and Medium items in
the Prioritized Risk Matrix
Documentation Requirements:
7. Steps that require documentation
8. Identified risk, requirement & opportunity, where applicable:
8.1. Likelihood and impact calculation
8.2. Cost/benefit analysis to support selected treatment
8.3. Assignment of roles, responsibilities, and authority
8.4. Choice of Indicators and targets
8.5. Follow-up on Risk Optimization Plan implementations
8.6. Approvals
9. Provisions for confidentiality
10. Record retention, to include replacing previous assessments
11. Communication and training
12. Process for resolution of disagreements on prioritization
13. Approval and validation process
© 2004-2016 Page 116

Role / Job Descriptions
A detailed explanation of the responsibilities and expectations of an individual in a
particular role or job
Referenced in: Pre-requisite Procedure 4
Content Criteria
1. Title
2. Accountabilities and Responsibilities
3. Management and oversight responsibilities
4. Direct and indirect reporting relationships
5. Accountability for system outcomes, targets and indicators
6. Reporting requirements
7. Individual performance objectives, measures, and indicators
8. Skill / knowledge / qualifications / experience requirements
9. Tools / resource needs
© 2004-2016 Page 117

Segregation of Duties
A document reflecting that the responsibilities of some roles or positions should be kept
distinct from the responsibilities of other roles or positions as a protective measure to
prevent fraud, error, or conflict of interest
Referenced in: Pre-requisite Procedure 3, P1
Content Criteria
Roles/jobs that must be segregated:
1. Roles that have oversight authority (Board) from roles that have responsibility for
business performance objectives and incentives (senior management & operating
management)
2. Roles that have an interest in uncovering misconduct and weaknesses (compliance,
internal audit) from roles that have an interest in legally protecting the organization
(general counsel)
3. Roles that have an interest in uncovering misconduct and weaknesses (compliance,
internal audit) from roles that have an interest in quarterly business performance
objectives and incentives (senior & operating management) that may compromise
objectivity
4. Roles that involve implementing and operating preventive and detective controls
(finance, compliance) from roles that evaluate the effectiveness of those controls and
structures (internal audit)
5. Roles involved in investigations of alleged misconduct and weaknesses from
individuals that are alleged to have been, or have potential to have been, involved in
the alleged misconduct, and from those who have direct reporting relationships with
such individuals
© 2004-2016 Page 118

Segregation of Duties Matrix
A correlation of GRC employees to GRC roles/jobs
Referenced in: Pre-requisite Procedure 3, L1, L4, P1
Content Criteria
1. Horizontal axis – list of employees with their respective role(s)
2. Vertical axis – list of roles that must be segregated (see Segregation of Duties)
3. Indication of each employee’s responsibilities under appropriate segregated role
columns
© 2004-2016 Page 119

Specialized GRC Curriculum Plan
A document reflecting the order and timing of all courses of study for each of the GRC
capability roles and may include a detailed description of each course
Referenced in: P4
Content Criteria
1. Name of course
2. Course objectives
3. Roles/jobs targeted
4. Course source (internal, external, on-the-job)
5. Course delivery and format options (online, video, podcast, simulation, live, just in
time)
6. Skills to be attained
7. Skills pre-requisites
8. Timeline for employees to complete training.
9. Frequency of refresher/update training
10. Method of measuring understanding and comprehension
© 2004-2016 Page 120

Statement of Organizational Objectives
A declaration of the tangible results that the organization expects to achieve through
execution of its mission and vision
Referenced in: A2
Content Criteria
Measurable outcomes (Targets, indicators, and tolerances) for:
1. Strategic objectives
2. Financial objectives
3. Customer objectives
4. Operational process objectives
5. Learning and growth objectives
6. Risk objectives and thresholds/tolerances
7. Control objectives
8. Compliance objectives
9. Reporting objectives
© 2004-2016 Page 121

Third Party Risk Management Plan
A document or series of documents that sets out the structure, processes, protocols and
resources to identify, assess, monitor, and manage Third Party Relationship Risk.
Content Criteria
1. Program Charter
2. Internal Authorization
3. Classification Schema for Third Party relationships
4. Inventory of Third Party Relationships
5. Third-parties should be explicitly addressed in the following plans or specific
Third-Party Risk Management versions should exist for the following:
5.1. Awareness and Education Plan
5.2. Communication and Reporting Plan, including notifications and alerts
5.5. Crisis, Continuity, and Recovery Plan
5.8. GRC Systemic Improvement Plan (when improvements are inclusive of
third-party activities or controls)
5.10. Investigation Management Plan
5.11. Policy & Related Procedures Matrix
5.12. Prioritized Risk Matrix (including Risk/Control Matrix)
© 2004-2016 Page 122

Third Party Risk Management Framework
Structured guidelines for suggested policy, procedure, documentation, and planning in
support of a Third Party Relationship Risk Management (TPRRM) program. This
program should take into account the Capability’s Risk Profile and commitment to
addressing TPRRM as part of a comprehensive GRC compliance program and should
include the following distinct components relative to TPRRM if not already documented
within the GRC Strategic Plan:
Components include Program Infrastructure and Design and Management activities for
full life cycle of Third Party Relationships
Design Elements
• Understanding the Extended Enterprise
• Governance Infrastructure
• Relationship Classification Schema
• Relationship Inventory
• Checklist for Third-Party Risk Management Policy
• Risk Classification Schema
• Prioritized Risk/Control Matrix (Mapping)
• Third Party Risk Profile (“Book of Record”)
Initiation Elements
• Screening and Due Diligence
• Policies and Related Procedures Matrix
• Key Documents Defining Expectations of Third-Parties
• Awareness and Education Plan
Management, Measurement & Maintenance Elements

• Assessment Plan and Activities
• Monitoring and Maintaining Third Party Relationship Risk Management
• Risk Response and Corrective Control Activity Plan
• Communication and Reporting Plan (including Alerts & Notifications)
• Investigation Management Plan
Ending and Enduring Elements

• Transition Plan to Another third-party, In-house, or Ending Activities
• Manage Disposition of Data, IP and Assets
• Discontinue and Monitor All Access Points
• Protecting Information and Reputation during Transition
• Terminate according to Contract Provisions and Regulatory Requirements
• Protecting Assets, Rights and Reputation Post-termination
© 2004-2016 Page 123

Content Criteria
The following criteria are subject to the Capabilities Risk profile and during development,
should include input from resources in GRC, Finance, IT, Legal, and the Board of
Directors. It should be a repeatable methodology, standardized across the entity, taking
into account geographic regulatory, localization, and legal obligations.
DESIGN OF THIRD PARTY RELATIONSHIP RISK MANAGEMENT
1. Understanding of Extended Enterprise
1.1. Understanding of global footprint
1.2. Strategies relying on outsourcing
1.3. Strategies focused of emerging markets
1.4. Type of risks inherent in these strategies
1.5. Plan for responding to a violation or crisis associated with the extended
enterprise
2. Governance Infrastructure
2.1. Organization Chart and Accountability Matrix with personnel for:
2.1.1. Oversight
2.1.2. Strategic Management
2.1.3. Operations
2.1.4. Assessment
2.2. Policies and Procedures pertinent to all phases of the third-party relationship
life cycle as further detailed below.
2.2.1. Initiating
2.2.2. Managing, Measuring & Maintaining
2.2.3. Ending and Enduring
2.3. Technology Plan inclusive of solutions for managing third-party risk in the
following categories
2.3.1. T01 – Audit & Assurance Management (managing audits of third-
parties)
2.3.2. T04 – Business Continuity Management (managing disruption of
critical third-parties)
2.3.3. T06 – Contract Management (managing contracts with third-
parties)
2.3.4. T07 – Control Activity, Monitoring & Assurance (monitoring
controls implemented with regard to third-parties or on third-party
systems)
2.3.5. T09 – Discovery / eDiscovery Management (managing
identification, collection, and production/protection of firm records
created, maintained, archived, and disposed by third-parties outside of
firm’s network)
2.3.6. T13 – Fraud & Corruption Detection, Prevention & Management
(monitoring third-party actions and controls whether on their network or
the firm’s network)
2.3.7. T15 – Hotline/Helpline (supporting reporting and guidance for
third-parties)
© 2004-2016 Page 124

2.3.8. T16 – Information/IT Risk & Security (managing third-party access,
breaches, notifications, and corrective controls emanating within firm
network)
2.3.9. T17 – Insurance & Claims Management (managing policies of
third-parties under which the firm is a beneficiary or covered entity,
claims against those policies by the firm or its employees, and claims
against the firm’s policies by third-parties)
2.3.10. T18 – Intellectual Property Management (managing assignments
of rights from third-parties, confidentiality agreements, inventorship
declarations, and licensing arrangements with third-parties)
2.3.11. T19 – Issue & Investigation Management (managing issues
brought relative to third-parties and issues raised by third-parties)
2.3.12. T20 – Matter Management (managing due diligence of third-
parties for strategic relationships)
2.3.13. T21 – Physical Security & Loss Management (managing
credentialing and access of third-parties for firm premises and secure
areas)
2.3.14. T22 – Policy Management, Communication & Training (managing
distribution, communication and training on firm policies with which third-
parties must comply and vice versa)
2.3.15. T23 – Privacy Management (managing personally identifiable
information of third-parties)
2.3.16. T24 – Quality Management & Monitoring (managing quality
assurance/monitoring of third-party services and production)
2.3.17. T25 – Reporting & Disclosure (managing critical reporting and
disclosures outsourced to or co-sourced with third-parties)
2.3.18. T26 – Risk Management (integration of risk from Third
Party/Vendor Risk into enterprise risk management processes and
reporting)
2.3.19. T28 – Third Party/Vendor Risk & Compliance (managing
relationship inventory, policies, and customized prioritized risk matrix,
risk/controls matrix)
3. Relationship Classification Schema
3.1. Relationship types, including:
3.1.1. Agents and /intermediaries
3.1.2. Contract Manufacturers
3.1.3. Suppliers/Service Providers and Networks for Each
3.1.4. Contractors/Subcontractors and Networks for Each
3.1.5. Outsourcers
3.1.6. Insurers
3.1.7. Independent Consultants
3.1.8. Legal Advisors
3.1.9. Affiliates
3.1.10. Subsidiaries
3.1.11. Co-brand partners
3.1.12. Loyalty partners
3.1.13. Brokers
3.1.14. Distributors and Distribution Centers
3.1.15. Resellers
3.1.16. Call Centers/Sales and Customer Support Services
3.1.17. Customers/Clients
© 2004-2016 Page 125
3.1.18. Merchants
3.1.19. Merchant Payment Processing
3.1.20. Treasury Counter-parties
3.1.21. Joint Ventures
3.2. Relationship levels
3.2.1. Integrated (Multi level)
3.2.2. Enterprise
3.2.3. Line of Business Level
3.2.4. Business Unit Level
3.2.5. Department-Level
3.2.6. Initiative Specific
3.3. Product, Support, and Service Classifications
3.3.1. Understood by geography, business unit, or product family
3.3.2. Automated updates to reports, business rules and mapping to the
balance of the control ecosystem upon changes
3.3.3. Changes flagging need for risk reassessment
4. Relationship Inventory (maintained in database)
4.1. Organization Name
4.2. Key Contacts (name and contact info)
4.3. Category of Product, Support, Service
4.4. Due Diligence Results
4.5. Active Contract ID
4.6. Link to Active Contract record in Contract Management System or file directory
4.7. Links to past contracts
4.8. Performance benchmarks/metrics
4.9. Validation Criteria for Independent Assessment
4.10. Cost-benefit analysis or ROI
4.11. Documentation associated with business processes, policies, regulation, and
other factors pertinent to evaluating the Third Party Relationship Risk
4.12. Linkage to TPRRM factors such as legal obligations, localization, geo-political,
and regulatory standards
5. Checklist for Third-Party Risk Management Policy
5.1. Purpose and Contents
5.2. Policy Statement
5.3. Risk Management (including identifying Risk and assigning materiality and
business impact)
5.4. Organization, Responsibilities and Administration
5.5. Planning and Risk Assessment Process
5.6. Due Diligence Standards
5.7. Contract Standards
5.8. Ongoing Monitoring Standards
5.9. Business Continuity Standards
5.10. Termination
5.11. Relationships with Insiders
5.12. Foreign Service Providers
5.13. Managed Security Service Providers
5.14. Independent Consultants
5.15. Audit Policy
5.16. Staff Training
5.17. Retention of Documentation
© 2004-2016 Page 126

6. Risk Classification Schema
6.1. Develop a classification schema for Third Party Relationship Risk with criteria
6.1.1. Brand Risk / Reputational Risk
6.1.1.1. Unfair Business Practices
6.1.1.2. Customer Dissatisfaction
6.1.1.3. Shaken confidence
6.1.1.4. Loss of Brand Loyalty
6.1.1.5. Social Responsibility
6.1.2. Compliance / Regulatory Risk
6.1.2.1. Contract
6.1.2.2. Legal
6.1.2.3. Regulatory
6.1.3. Strategic Risk
6.1.3.1. Market changes
6.1.3.2. Geopolitical Risk
6.1.4. Financial Risk
6.1.4.1. Exchange Rate Fluctuation
6.1.4.2. Raw material Price Fluctuation
6.1.4.3. Rising Labor Costs
6.1.4.4. Bankruptcy
6.1.4.5. Share Price Volatility
6.1.4.6. Contract weakness
6.1.5. Environmental Risk
6.1.5.1. Natural
6.1.5.2. Man-made
6.1.6. Supply Chain Risk (Business Interruption)
6.1.6.1. Political stability
6.1.6.2. Process risk
6.1.6.3. Undesirable conduct
6.1.6.4. 4th Party issues
6.1.6.5. Energy/Fuel Price Volatility
6.1.6.6. Raw material Scarcity
6.1.6.7. Labor Relations
6.1.7. Quality Risks
6.1.7.1. Quality failure
6.1.7.2. Manufacturing process weaknesses
6.1.7.3. Customer dissatisfaction
6.1.7.4. Raw material and parts quality standards
6.1.7.5. Counterfeit parts
6.1.8. Information and Technology Risk (inclusive of Security & Privacy)
6.1.8.1. System failures
6.1.8.2. System compromises
6.1.8.3. Informational disclosures
6.1.8.4. Unauthorized access
6.1.8.5. Inappropriate retention
6.1.8.6. Requirements to access and protect customer data
6.1.8.7. Cross-border transfers of information
6.1.8.8. Changes in technology
© 2004-2016 Page 127

7. Prioritized Risk/Control Matrix (Mapping) -Third Party Relationship Risk
7.1. Requirements, Commitments, Policies, and Standards mapped to Risk Matrix;
defining their alignment with Business processes and Controls
7.2. Risk categories and factors
7.3. Hot spots and Cumulative risk effects
7.4. Controls to address Risk (as-is and to-be)
7.4.1. Designation of Control type (people, process, technology) and
systems
7.4.2. Classification of automated, manual, and outsourced Controls
7.4.3. Assignment of internal Control owner including ownership of
outsourced Controls
7.4.4. Variations in control frameworks, legal systems, and approaches
in location of third-party domicile and operations
7.4.5. Identification of Key Controls to address TPRRM
7.5. Procedures for Control Assessment and Self-Assessment
7.6. Criteria for Control effectiveness and Control failure
7.7. Enforcement options
8. Third Party Risk Profile (“Book of Record”)
8.1. Role in the value or supply chain
8.2. Risk Identification
8.2.1. Identification of which Risks/Controls are “inherited” from, “outsourced
to”, or shared with third-party Risks/Controls
8.2.2. Internal or external factors influencing Risk Profile for specific
Third-Party
8.2.2.1. Factors related to third-party domicile
8.2.2.2. Factors related to location where services are delivered
8.2.2.3. Permissible payment protocols
8.2.3. Identification of any third-party financing applicable to mitigating firm’s
risks
8.3. Risk Assessment, Materiality and Business Impact
8.3.1. Nature of risks managed by third-party
8.3.2. Third-party’s Risk Management Governance, Levels of Authorization
and Processes
8.3.3. Volume and Nature of Activity
8.3.3.1. Customer facing
8.3.3.2. Regulator facing
8.3.3.3. Public / Media facing
8.3.4. Materiality
8.3.4.1. Scope of assets impacted
8.3.4.2. Scope of revenue/profits impacted
8.3.4.3. Direct Contingency Plans of third-party
8.3.4.4. Indirect Contingency Plans of firm as back-up to third-
party’s plan
8.3.5. Triggers for Alerts or Changes
8.3.5.1. New regulations
8.3.5.2. Product evolution
8.3.5.3. Finances
8.4. Level of Control
8.4.1. Risk adjusted
8.4.2. Automate to provide unified approach or view of information
8.4.3. Information kept updated in light of changes
© 2004-2016 Page 128
8.4.4.Understandable by party, region or risk
8.4.5.Automated triggers for notification to internal and external parties
8.4.6.Automate revised risk assessments
8.4.7.Automate new training and other actions and controls where possible
and appropriate
8.5. Risk/Control Ownership
8.5.1. Internal and Third Party Risk owners
8.5.2. Internal and Third-Party Control owners
8.5.3. Third Party Risk/Control stakeholders
8.5.4. Allocation of execution and management responsibility/accountability to,
from or shared with third-party for actions and controls and any
subcontracting
INITIATION OF THIRD PARTY RELATIONSHIP

9. Third-party Screening and Due Diligence
9.1. Define Risk-based Approach to Screening and Due Diligence
9.1.1. Based on Risk classification (Low, Medium, High)
9.1.1.1. Allocation of Organizational and Individual Due Diligence
Scope
9.1.1.2. Method and Sources for Information
9.1.1.2.1. Low
9.1.1.2.1.1. Publicly available multi-national information
9.1.1.2.1.2. Self-completed Questionnaires and Disclosures
9.1.1.2.2. Medium
9.1.1.2.2.1. Trusted databases
9.1.1.2.2.2. In-country public records
9.1.1.2.2.3. Detailed background reports
9.1.1.2.2.4. Interviews and moderated questionnaires
9.1.1.2.3. High Risk
9.1.1.2.3.1. Audit and review of third party controls and financial
records
9.1.1.2.3.2. Detailed interviews of references, political
associates, business associates
9.1.1.2.3.3. Investigative background reports leveraging local
data sources
9.1.2. Methodology for scoring, aggregating, and ranking risks, controls
and conditions
9.1.3. Process for scoring, ranking, approvals
9.1.4. Frequency of re-evaluation when scheduled
9.1.5. Triggers for event-drive re-evaluation
9.2. Organizational Due Diligence
9.2.1. Published convictions, penalties and sanctions
9.2.2. State-owned (SOE’s) versus Independent Enterprise
9.2.3. Vision, Values, and Objectives Alignment
9.2.4. Title Assurance
9.2.5. Creditworthiness
9.2.6. Financial Stability
9.2.7. Resource Sufficiency
9.2.8. Political exposure
9.2.9. Litigation History
© 2004-2016 Page 129

9.2.10. Regulatory Scrutiny
9.2.11. Global Sanctions Lists
9.2.12. Global Watch Lists
9.2.13. Global Black Lists (Forfeitures and debarments)
9.2.14. Reputational Issues
9.2.14.1. Adverse News and Media
9.2.14.2. Challenging Public Information
9.2.14.3. Social Media
9.2.15. Sourcing Plan (Fourth parties)
9.2.15.1. Fourth Party Risk Management Plan
9.2.15.2. Relevant Data from Fourth Party Risk Management
9.2.15.3. Audit of Controls
9.2.16. Validate Third Party contacts and relationship manager
9.2.17. Review of previous performance records
9.3. Individual Due Diligence of Board and Leadership (Tone at the Top)
9.3.1. Politically Exposed Persons (PEPs)
9.3.2. Reputational Challenges
9.3.2.1. Convictions
9.3.2.2. Penalties and sanctions
9.3.2.3. Adverse News and Media
9.3.2.4. Challenging Public Information
9.3.2.5. Social Media
9.3.3. Background Check
9.3.4. Prior Organizational History
9.3.5. Financial Self-Dealing or Disgorgement of Organizational
Assets/Rights
9.3.5.1. Stock Options Outstanding/Exercised
9.3.5.2. Organizational Repurchases / Surrenders
9.4. Due Diligence as to Third-Party’s Compliance and Risk Management
Framework
9.4.1. Correlation of third-party’s risk tolerance to firm’s tolerance
9.4.2. Correlation of third-party’s inherent risk assessment to firm’s
inherent risk assessment
9.4.3. Inventory of third-party’s controls
9.4.4. Correlation of third-party’s residual risk assessment to firm’s
residual risk assessment
9.4.5. Records of control self-assessment results
9.4.6. Inventory of exceptions to self-assessment and testing plan
9.4.7. Third-party’s Due Diligence questionnaire for fourth parties
9.4.8. Changes during assessment period
9.4.8.1. Strategy, principals, and values
9.4.8.2. Financial condition and resilience
9.4.8.3. Information security and systems
9.4.8.4. Incident Management and Reporting
9.4.8.5. Human Resource Management
9.4.8.6. Conflicts of Interest
© 2004-2016 Page 130

10. Policy & Related Procedures Matrix for Third Party Relationships
10.1. Key Policies for Inclusion in Third-Party Resources
10.1.1. Code of Conduct
10.1.2. Ethical Decision Guidelines
10.1.3. Compliance with legal mandates
10.1.4. Protection of Intellectual Property
10.1.5. Protection of Proprietary and Personally Identifiable Data and
Privacy
10.1.6. Asset Utilization and Protection
10.1.7. Brand and Reputational Protection (including Social media)
10.1.7.1. Utilization of quality (non-counterfeit) goods, equipment
and parts
10.1.7.2. Labor practices
10.1.8. Mitigation of Operational Risk
10.1.8.1. Fraud Protection
10.1.8.2. Corruption
10.1.8.3. Physical Security
10.1.8.4. Financial Transactional Security (including Payment Card
Industry)
10.1.9. Protection of People
10.1.9.1. Anti-harassment
10.1.9.2. Discrimination
10.1.9.3. Safety and Health (including handling hazardous materials)
10.1.9.4. Disability Enablement
10.2. Key Procedures for Inclusion in Third-Party Resources
10.2.1. Standard Monitoring and Special Triggers for Reassessment
10.2.2. Assessing Risk, materiality, and business impact
10.2.3. Standard approach to risk ranking and prioritization
10.2.4. Testing and Documenting Control Success or Failure
10.2.5. Maintaining, changing, or updating a Controls
10.2.6. Notifications and Alerts of Risk Events, Risk Indicator Triggers and
Approaching Thresholds
10.2.7. Reporting Violations
10.2.8. Minimum Fraud Protection and Prevention
10.2.9. Discontinuation of Relationship
10.2.10. Performance Evaluation
10.2.11. ROI Assessment
10.2.12. Continuous Evaluation and Systemic Improvement
11. Key Documents Defining Expectations of Third-Parties
11.1. Contracts and Related Templates or Forms (with stricter provisions for higher
risk relationships)
11.1.1. Service Level Requirements
11.1.2. Key Performance Indicators
11.1.3. Information Management/Reporting
11.1.4. Compliance Requirements (required and prohibited)
11.1.5. Policy and Training Requirements in high risk contracts
11.1.6. Audit and Oversight Rights
11.1.7. Use of Information, IP and Technology
11.1.8. Use of Other Assets
11.1.9. Confidentiality and Integrity
11.1.10. Subcontractor Requirements and Authorizations for fourth parties
© 2004-2016 Page 131
11.1.10.1. Approval to utilize
11.1.10.2. Turnover of Fourth Party Data
11.1.10.3. Assurance of non-utilization of competitors
11.1.11. Audit controls
11.1.12. Termination Terms
11.1.13. Covenants
11.2. Business rules, automation and process triggers to facilitate control and
monitoring
11.3. Crisis and Continuity Plan
11.4. Relationship Governance and Accountability Structure (including roles
and responsibilities matrix)
11.5. GRC Information Management Plan (following standards in this Appendix)
11.6. Crisis, Continuity, and Recovery Plan (following standards in this
Appendix)
11.7. GRC Enabling Technology Platform for Risk Intelligence
11.8. GRC Systemic Improvement Plan (when improvements are inclusive of
third-party activities or controls)
12. Awareness and Education Plan
12.1. Code of Conduct and attestation process
12.2. Ethical Decision Guides
12.3. Policies and Procedures
12.4. Specific requirements, commitments, and standards with which the firm expects
the third-party to comply based on the particular process(es) the third party
performs.
MANAGEMENT, MEASUREMENT AND MAINTENANCE OF THIRD PARTY

RELATIONSHIPS
13. Assessment Plan and Activities
13.1. Scope of Third Party Relationship Risk Assessment activities
13.2. Identification of Third Party Relationships to sample for testing, decision
parameters, and evidence requirements
13.3. Identification of Controls to be tested, justification, and frequency.
13.4. Identification of testing method (review of documentation, sampling, 100%
testing, survey, interview).
13.5. Schedule for Controls testing and ownership
13.6. Procedure and policy for addressing Control failure
13.7. Frequency of Risk to Control review for accuracy and relevance.
13.8. Procedure for monitoring and reporting on effectiveness of the Third Party Risk
Management Program.
14. Monitoring and Maintaining Third Party Relationship Risk Management

14.1. Monitor and Assess Contractual compliance (SLAs and KPIs)
14.2. Legal and Regulatory Compliance
14.3. Issues have been identified and appropriately escalated for remediation
14.4. Changes to risk, obligations and business
14.5. Internal and external events
14.6. Mapping internal relationships
14.7. Continuing Due Diligence and Reevaluation
© 2004-2016 Page 132

14.7.1. Contracts and controls
14.7.2. Patterns of conduct and handling of conflicts of interest and
collusion
14.7.3. Use of third-party and internal relationships
14.7.4. Program design and operation
14.7.5. Issue investigations and resolutions
14.7.6. Timeliness of notifications
14.7.7. Completeness of information
14.7.8. Veracity of information
14.7.9. Training
14.7.10. Sales practices and fairness of customer treatment
14.7.11. Value
14.7.11.1. Cost Savings
14.7.11.2. Strategy
14.7.11.3. Efficiencies
14.7.11.4. Synergies
14.8. Document the key actions and controls implemented as part of your ongoing
third-party extended enterprise oversight program (e.g., vendor and/or partners
oversight), including organizational and individual due diligence during the
entire relationship life-cycle and any variances depending on physical presence
or technological access)
14.9. Develop policy & procedures for maintaining Third Party Relationships
14.9.1. Periodic evaluation of TPRRM Inventory classification structure
14.9.2. Skills required to perform Assessment and ongoing maintenance
14.10. Procedure and timing for validating Third Party Relationship Inventory
14.11. Policy for adding, editing, cancelling Third Party relationships
14.12. Develop policy & procedures for maintaining Third Party Relationship Risk
assignment
14.12.1. Process for confirming, adding, and updating Risk ratings
14.13. Process, decision factors, and timing for evaluating assignment of Risk
14.14. Procedure for updating Risks and ownership
14.15. Develop policy & procedure for maintaining TPRRM Risk-Control matrix
14.16. Process and timing for validating accuracy of Controls mapping
14.17. Procedure for confirming, adding, and updating Controls (to include
amending Testing schedule and retaining prior audit trail
14.18. Collect fourth party data from third parties.
14.19. Supplier self-assessment
14.20. Reporting and Issue resolution
15. Risk Response and Corrective Control Activity Plan
15.1. Mapping Response protocols to Third Party Relationship Risk
15.1.1. Define risk priority level classification schema driving response
expectations based on materiality, scope, and consequences.
15.1.2. Provide specific windows for response and document in SLA
15.1.3. Delegation of a Risk Response team and skills needed
15.2. Procedure to follow when responding to Third Party Relationship Risk
15.2.1. Identify acceptable people, process, and technology components
for responding and timing
15.2.2. Procedure for documenting Risk Response and policy on re-
assessment
15.2.3. Re-assessment criteria and timing following response
15.2.4. Sign-off on Risk response and remediation
© 2004-2016 Page 133
15.2.5. Closing the response ticket
15.3.1. Disclosure when third-party executed one or more corrective
control activities
15.3.2. Explanation of corrective control activity trigger as third-party risk
or third-party control failure
16. Communication and Reporting Plan (including Alerts & Notifications)
16.1. Communicate across enterprise and sign off by Leadership on the Third Party
Relationship Risk program (Tone at the Top)
16.2. Rewarding and recognizing resources who identify and report risky Third Party
or Third Party related behavior
16.3. Develop policy and procedures for training key stakeholders, employees, and
informing the Board about the Third Party Relationship Risk program
16.4. Develop notification protocols for maintaining Third Party Relationships
16.4.1. Procedures (including schedules and triggers) for reconciling
disparate Third Party Relationship information
16.4.2. Monitoring reconciliation schedule and reports on triggering events
to ensure reconciliations are performed when required or needed
16.4.3. Establish procedures for reviewing and approving the resolution of
disparate information.
16.5. Process to trigger alerts and notifications when Controls don’t work, new Risk is
identified, or Risk has not been documented or addressed adequately (Risk
Response Plan)
16.6. Ownership and notification recipients for above
16.7. Schedule of monitoring activities, alert and notification composition, and
distribution
16.8. Determine external reporting guidelines for media, investor relations, analysts,
etc. on Third Party Relationship Risk program
17. Investigation Management Plan
17.1. Inclusion of explicit third-party cooperation obligations
17.2. Identification of third-party indemnification and defense obligations
ENDING THIRD PARTY RELATIONSHIPS AND ENDURING OBLIGATIONS
18. Transition Plan to Another Third-party, In-house, or Ending Activities

18.1. Identification of qualified substitutes, alternatives, or augmentation, if needed
18.2. Definition of period of transition
18.3. Prioritized transition activities
18.4. Method for transitioning information
19. Manage Disposition of Data, IP and Assets
19.1. Return, transfer or certify destruction of proprietary information and audit same
19.2. Clearing ownership of IP, execution of assignments, termination or transfers of
licenses, and license revenue accounting
19.3. Return or transfer of assets and perfection of liens and residual interests
20. Discontinue and Monitor All Access Points
20.1. Badge surrender protocols
20.2. Password terminations procedures
20.3. Return of remote access equipment
20.4. Automated monitoring of post-termination access controls
© 2004-2016 Page 134
21. Protect Information and Reputation During Transition
21.1. Preparing public announcement of termination or transfer
21.2. Fielding media requests regarding relationship events
21.3. Monitoring social media or blogger “informal” reporting
21.4. Plan for analyst discussions
22. Terminate According to Contract Provisions and Regulatory Requirements
22.1. Notification and disclosure requirements
22.2. Remediation Opportunities
22.3. Pre-termination issue resolution and escalation requirements
23. Protect Assets, Rights, and Reputation Post-termination
23.1. Review post-termination period for continuing confidentiality
23.2. Confirm controls in place to enforce continuing confidentiality
23.3. Pursue any required litigation, mediation, or arbitration proceedings
© 2004-2016 Page 135

Workforce and Stakeholder Feedback Framework
A process to gather, store, analyze and report on workforce and stakeholder feedback
regarding risk, the GRC capability, occurrence of undesirable events and activities, and
organizational commitment to stated values
Referenced in: P7
Content Criteria
Gather:
1. Survey Process
1.1. Define key GRC information needs including:
1.1.1. Target audience
1.1.2. Timing
1.1.3. Content
1.2. Map the GRC information needs to existing surveys for target audience, timing,
and content
1.3. Determine gaps in existing surveys relative to GRC information needs
1.4. Identify opportunities to modify existing surveys to satisfy GRC information
needs and modify the affected surveys
1.5. Identify new surveys needed and develop those surveys
1.6. Include any new GRC survey in the integrated calendar of all workforce and
stakeholder surveys
1.7. Establish a maximum number of surveys that each target audience should
receive within a quarter
2. Self-Assessment Process
2.1. Define key GRC information needs including
2.1.1. Target audience
2.1.2. Timing
2.1.3. Content
2.2. Map the GRC information needs to existing self-assessments for target
audience, timing, and content
2.3. Determine gaps in existing self-assessments relative to GRC information needs
2.4. Identify opportunities to modify existing self-assessment content to satisfy GRC
information needs and modify the affected self-assessments
2.5. Identify new self-assessments needed and develop those self-assessments
2.6. Include any new GRC self-assessment in the integrated calendar of all
workforce and stakeholder self-assessments
3. Issue Management processes (see detailed criterion in the Issue Management
Framework
4. Exit Interview process (see detailed criterion in the Exit Interview Checklist)
5. All other processes (e.g., focus group, work unit meetings, informal conversations,
observation)
a. Develop a template or checklist for recording GRC information obtained
from focus groups, work unit meetings, informal conversations and
individual observations
© 2004-2016 Page 136

Store:
6. Maintain a database including the following for each piece of GRC information
gathered (question, risk, incident, value)
a. Source (Survey, Self-assessment or other)
b. Source ID (survey #, self-assessment # or Checklist #)
c. Target Audience
d. Date of survey
e. Period covered
f. Information content (Question asked or information requested)
g. Accumulated totals for each possible response to information content
h. Analytical procedure(s) in which data is utilized
Analyze and Report:

7. Review information from each collection method immediately upon receipt and
inform the hotline or helpline of any information received regarding specific
incidents or potential incidents
8. Develop trend analysis on all data elements captured and report the trend
analysis to the data owner
9. Compare data collected to targets, triggers and tolerances and report findings to
the data owner
10. Provide reports to senior management and the governance oversight function on
trends and performance that are outside tolerances
11. Identify opportunities for improvement in risk management, ethics, compliance
and/or GRC system design or operation and inform appropriate GRC responsible
role and GRC oversight functions
© 2004-2016 Page 137

APPENDIX 5 - CRITERIA USAGE SUMMARY
CRITERIA ELEMENTS AFFECTED
Awareness and Education Plan P4
Background Check Methodology P1
Code of Conduct P2
Code of Conduct Development & Maintenance Methodology P2
Communication and Reporting Plan L2, L4, P3, P6
Continuous GRC System Improvement Methodology L3, P7, R3
Control Taxonomy L2, P1
Corrective Action Report P1, R3
Corrective Control Activity Plan P1
Crisis, Continuity, and Recovery Plan P8
Crisis/Continuity/Recovery Plan Development & Maintenance Methodology P8
Ethical Decisions Guidelines P2
Exit Interview Checklist P7
External Authorization P6
Findings and Recommendations Report L1, L3, P1, P5, P7, P8, R1, R2, R3
GRC Business Case A1
GRC Capability Charter A1
GRC Design and Performance Assessment Methodology A2, A5, R1
GRC Information Management Plan A5, P3
GRC Information Management Plan Development & Maintenance
Methodology A5, P3
* GRC Strategic Plan L3, A1, A5, P5, R1, R2, R3
GRC Technology Data Model Description P1
GRC Technology Plan Development Methodology A5
* Integrated Plan L2, L3, A2, A4, P1, R1, R2, R3
Internal Authorization A1, P6, R3
Investigation Management Plan P8
* Issue Management Framework P6, P8
Mission/ Vision/ Values A1
Policies and Related Procedures Matrix P2, R3
Policy and Procedures Development, Implementation, and
© 2004-2016 Page 138

Maintenance Methodology P1, P2
* Prioritized Risk Matrix L1, L2, L3, L4, A3, A4, A5, P1, P4, R1, R3
Risk, Requirements & Opportunities Identification & Assessment
Methodology A2, A3, A4
Role / Job Descriptions Pre-requisite Procedure 4
Segregation of Duties Pre-requisite Procedure 3, P1
Segregation of Duties Matrix Pre-requisite Procedure 3, L1, L4, P1
* Specialized GRC Curriculum Plan P4
Statement of Organizational Objectives A2
Third Party Risk Management Framework A3, A4, A5, P1
Third Party Risk Management Plan A3, A4, A5
Workforce and Stakeholder Feedback Framework P7
* INDICATES - Key building blocks of a GRC capability.
© 2004-2016 Page 139

APPENDIX 6 - DOCUMENT COVER SHEET
A completed document sheet should accompany every document (deliverable, narrative,
report, etc.) or set of similar documents (timesheets, invoices, other items for sampling)
that is provided to an evaluator by the organization being evaluated. This should
include the following sections:
ENGAGEMENT NAME
GRC ELEMENT ID
TITLE OF DOCUMENT
APPLICABLE SECTION(S) (or indicate all)
OWNER/CONTACT PERSON
• Name
• Title
• Telephone
• Email
CREATION DATE
© 2004-2016 Page 140

APPENDIX 7 - “RED BOOK” SUGGESTED
DOCUMENTATION USAGE SUMMARY
All Red Book Suggested Documentation is inspected against the content criteria for that
item in Appendix 4 as part of Pre-requisite Review Procedure 5.
"Red Book" Suggested Documentation ELEMENTS AFFECTED

A.01 - GRC Capability Charter A1
A.02 - Segregation of Duties Pre-requisite Procedure 3, P1
D.01 - Role / Job Descriptions Pre-requisite Procedure 4
D.02 - GRC Technology Data Model Descriptions P1
D.03 - Helpline FAQ Descriptions P4
D.04 - Exit Interview Checklist P7
External Authorization P6
I.01 - Control Taxonomy L2, P1
Internal Authorization A1, P6, R3
M.01 - Policies and Related Procedures Matrix P2, R3
M.02 - Prioritized Risk Matrix (including M.03 - Risk/Control Matrix)
L1,L2, L3, L4, A3, A4, A5, P1, P4, R1, R3
P.01 - Awareness and Education Plan P4
P.02 - Communication and Reporting Plan L2, L4, P3, P6
P.03 - Crisis, Continuity, and Recovery Plan P8
P.04 - GRC Information Management Plan A5, P3
P.05 - GRC Strategic Plan L3, A1, A2, A5, P5, R1, R2, R3
P.06 - Investigation Management Plan P8
P.07 - Integrated Plan L2, L3, A2, A4, A5, P1, R1, R2, R3
P.08 - Specialized GRC Curriculum Plan P4
P.09 - Corrective Control Activity Plan P1
R.01 - Filings n/a
R.02 - Findings and Recommendations ReportL1, L3, P1, P5, P7, P8, R1, R2, R3
R.03 - Corrective Action Report P1, R3
R.04 – Assurance Report R2
S.01 - Code of Conduct P2
© 2004-2016 Page 141

S.02 - Ethical Decisions Guidelines P2
S.03 - Mission/ Vision/ Values Statement A1
S.04 - Statement of Organizational Objectives A2
* INDICATES - Key building blocks of a GRC capability
© 2004-2016 Page 142

APPENDIX 8 - GLOSSARY
Word or Phrase Definition
Capability
Design procedures Comparison of the Requested Information
provided to the criteria specified by the
Red Book as presented in Appendix 4.
Key risks Highest priority risks for the organization
as defined by it
Operating geographies Legal jurisdictions in which the
organization operates
Operational testing procedures Comparison of actual transactions or
events to the planned activities related to
those transactions or events as defined
by management in the Requested
Information provided
Policy and Procedure Development, One or more procedures that describe
Implementation, and Maintenance Meta- the methodology for development,
Procedures implementation, and maintenance of
policies and procedures (a documented
form of Policy and Procedure
Development, Implementation, and
Maintenance Methodology in Appendix 4)
Review Procedures The agreed upon procedures to be
performed by the evaluator
Red Book The OCEG GRC Capability Model 3.0
© 2004-2016 Page 143

APPENDIX 9 - SUMMARY OF REVIEW PROCEDURES
REQUIRED FOR DESIGN REVIEW
COMPONENT ELEMENT NAME ELEMENT # Review Procedure
(Total # of RP) #
LEARN External Context (4) L1 1

Internal Context (3) L2 1
Culture (5) L3 1,2,4
Stakeholders (3) L4 3
ALIGN Direction (4) A1 4
Objectives (3) A2 1,2,3
Identification (4) A3 1,4
Assessment (5) A4 1,5
Design (11) A5 1-5, 8, 9
PERFORM Controls (18) P1 4,5,9,15,16,17,18
Policies (8) P2 1-3, 6, 8

Communication (2) P3 1
Education (7) P4 1, 3.1, 5, 6.1, 7.1

Incentives (6) P5 1,3
Notification (6) P6 1,5
Inquiry (3) P7 2
Response (9) P8 1,4,6,9

REVIEW Monitoring (5) R1 1, 2.1, 5.1, 5.4
Assurance (7) R2 1,5

Improvement (6) R3 1,2
© 2004-2016 Page 144

APPENDIX 10 –TYPES OF REVIEW
There are two characteristics associated with a GRC Capability review using the Agreed
Upon Procedures (AUPs) in this document. The first is Level of Readiness and the
second is Scope of Coverage. The combination of these two characteristics dictates the
AUPs that must be performed to support the AUP report. A definition of each option in
the two characteristics and the procedures that must be performed for each combination
of options are presented here. The information in this appendix is relevant for those
seeking a formal AUP report from independent auditors, for GRC personnel performing a
self-evaluation of their GRC Capability to identify strengths and areas of potential
improvement, or for internal auditors providing information to the governance function on
the design and/or operations of the organization’s GRC Capability.
LEVELS OF READINESS
There are two Level of Readiness options:
A. Design Review – The GRC Capability to be reviewed (enterprise-wide, component
aspect, or subject area) has been planned in accordance with the Red Book and all
required deliverables have been prepared. Review items identified in Appendix 9.
B. Full Review – The GRC Capability to be reviewed (enterprise-wide, component
aspect, or subject area) has been designed in accordance with the Red Book and has
been implemented as designed for at least six months. Review all Elements and conduct
required sampling
SCOPE OF COVERAGE
There are three Scope of Coverage options for review of a GRC Capability that most
organizations will seek to use, but others may be designed on an individual basis.
A. Subject Area – a particular risk or compliance silo, such as, anti-corruption,
government contracting, privacy, or financial reporting.
B. Component Aspect – a specific view of the GRC Capability that aligns to one of the
four Components of Red Book 3.0 (Learn, Align, Perform and Review). This type of
review is useful for organizations that have evolved to a fully integrated approach for a
specific component of the GRC Capability for the enterprise or for a defined business
unit but has not fully addressed all components.
© 2004-2016 Page 145

C. Enterprise-wide - all component aspects of the GRC Capability for all subject areas
included in the GRC Capability. This full review is for organizations that have evolved to
a fully integrated enterprise-wide approach for the GRC Capability for all subject areas. It
is also useful as a gap analysis tool to evaluate completeness.
© 2004-2016 Page 146

APPENDIX 11 - AUP ENGAGEMENT REPORT CONTENT
The Agreed Upon Procedures Engagement Report should include the following
information:
1. A definition of the aspect of the organization’s GRC Capability that is covered by the
engagement; for example:
a. The organization-wide GRC Capability, or
b. A subject area of the GRC Capability, such as Anti-Corruption capability,
or
c. A customized scope defined by the client and reviewer
2. Identification of procedures that were performed, for example:

a. All procedures referenced in Appendix 9 for a Design Review, or
b. All procedures for both design and operation review
3. A definition of the client’s authority to use the report
4. A summary of the results of the performance of the identified procedures
5. A document or collection of documents evidencing completion of the engagement

accompanied by a Detailed Findings Report
6. A definition of the evaluator’s liability and responsibility in performing the

engagement, including the professional standards under which the engagement
was performed
© 2004-2016 Page 147

APPENDIX 12 - COMPANION MATERIALS
The GRC Burgundy Book is supported by the Red Book and these materials which may
be used in establishing the GRC Capability under review.
● GRC Technology Solutions Guide
The Guide defines categories of solutions for GRC capabilities and maps them to
key user roles and typical enterprise processes/functions to help owners of GRC
processes and Information Technology professionals better understand and
enable technology support.
● GRC Fundamentals
GRC Fundamentals is a collection of short online courses that offer further
insight into the meaning of Principled Performance and the details of high
performing GRC capabilities as described in each Element of the GRC Capability
Model. Viewers may also use the series to prepare for the GRC Professional
Certification (GRCP) exam offered by OCEG affiliate organization, GRC Certify.
● Additional Supporting Resources
o OCEG Guides and Handbooks
o OCEG GRC Illustrated Series
o OCEG Survey Reports
o OCEG Video Series
o GRCP Certification Exam and Maintenance
All of these resources and more are accessible with an OCEG All Access Pass. Learn
more at www.oceg.org.
© 2004-2016 Page 148

APPENDIX 13 - CONTRIBUTORS TO BURGUNDY BOOK
1.0 – 3.0 DEVELOPMENT
OCEG thanks the following individuals who substantially contributed to drafting of

the Burgundy Book v. 2.1
Principal Authors, David Crawford and Justina Crawford, and these contributors:
Eric Hespenheide, Deloitte Scott Mitchell, OCEG
Karen Gring, Ernst & Young Carole Stern Switzer, OCEG
Ken Vanderwal, (retired) Ernst & Young Kelly Ray, Tata Consultancy Services
Paul Happe, Ernst & Young (formerly OCEG)
Brian Brown, PricewaterhouseCoopers
Special thanks to the organizations that contributed hundreds of hours of time to

beta testing the Burgundy Book v 1.0 as either reviewers or review subjects:
Aon EthicsPoint
Archer Daniels Midland Staples
Deloitte PwC
Dell Ventura Foods
Ernst & Young Walmart
Thank you, as well, for the invaluable advice of the Burgundy Book v 1.0 review
committee:
Erin Mackler, AICPA Chris Ideker, Ernst & Young
Joanna David, Aon Kathryn Holt, Ernst & Young
Leanne Bradley, Aon Sara Liftman. Ernst & Young
Scott Roney, Archer Daniels Midland David Childers, Ethicspoint
Jay Martin, Baker Hughes Brin Odell, Ethicspoint
Michael Munro, Baker Hughes Edwin Hightower, Gevity HR
Worth MacMurray, Compliance Tent Gazzaway, Grant Thornton
Initiatives Jay Brietz, Grant Thornton
Paul Liebman, Dell Michael Rose, Grant Thornton
Kristi Kevern, Dell Nick Ciancio, Global Compliance
Tom McCormick, Dow Chemical Jonathan Bellis, Hildebrandt
© 2004-2016 Page 149
Rich Seleznov, Huron Consulting Group Christopher Dooley, Raytheon
Dominique Vincenti, IIA Scott Leatherman, SAP
Jack Seward, Jack Seward & Assocs. Holly Roland, SAP
Colleen O’Donnell, LRN Gabriel Romero, The Network
Guarav Kapoor, MetricStream Parveen Gupta, Lehigh University
Paul Sobel, Mirant Glenn Carleton, RSM McGladry
Barbara Kipp, PricewaterhouseCoopers John Fraedrich, Southern Illinois
Carlo DiFlorio, PricewaterhouseCoopers University
(now SEC) Bob Jacobson, RSM McGladry
Patricia Towers, Proctor & Gamble Norman Comstock, UHY
David Heller, Qwest Kristen Gantt, UHY
John Carlson, Qwest Raymie Daroga, UHY
Joe Motz, Raytheon
Note: Company affiliations are as of the time of the contribution.
© 2004-2016 Page 150

LEGAL NOTICE
This is NOT Legal or Professional Advice.
This Document, including its appendices, is provided for general information purposes only. The
application of law to individual circumstances must be addressed for each unique situation. In preparing
and providing this document, neither OCEG nor any of its Contributors are engaged in rendering legal,
tax or any other professional advice or services. OCEG and its Contributors do not purport to identify all
conceivable compliance requirements or recommended controls. It is the responsibility of each
organization to understand which legal; accounting and other compliance requirements apply to its
activities. Users of this document are advised to seek specific legal advice by contacting members of
relevant and applicable bar associations regarding any specific legal issues. Using the document or any
part herein does not create a lawyer-client relationship or any other type of professional relationship.
While OCEG and its Contributors attempt to provide accurate, complete and up to date content, errors or
omissions may occur. This document is offered AS IS, WHERE IS. Neither OCEG nor any Contributor
makes any representations or warranties regarding the completeness, accuracy or timeliness of the
contents, and each disclaims all implied warranties (including merchantability, fitness for a particular
purpose and non-infringement) and all liability for any loss, damage or claim, whether due to an error or
omission or otherwise.
To the fullest extent permitted by applicable law, neither OCEG nor the Contributors (including their
officers, directors, partners and employees, and their affiliates, related entities and successors and
assigns) warrant or guarantee the quality, accuracy or completeness of any information on this document.
Neither OCEG nor its Contributors shall be liable for any damages or costs, including any direct,
consequential, incidental, indirect, punitive or special damages (including loss of profits, data, business or
good will) in connection with use of this product, whether or not liability is based on breach of contract,
tort, strict liability, breach of warranty, failure of essential purpose or otherwise, and even if a party is
advised of the likelihood of such damages.
This document may contain links to third party websites. Monitoring the vast information disseminated
and accessible through those links is beyond our resources and neither OCEG nor any Contributors
attempt to do so. This Document provides links for convenience only and nothing herein shall constitute
an endorsement of the information contained in linked web sites nor guarantee its accuracy, timeliness, or
fitness for a particular purpose. OCEG and its Contributors disclaim all warranties and liability for the
content of any such other sources.
© 2004-2016 Page 151

OCEG GRC Burgundy Book 3 Final

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

OCEG GRC Burgundy Book 3 Final

Uploaded by

Copyright:

Available Formats

OCEG BURGUNDY BOOK

guidance for people who govern, audit and

Additional Executive and Solutions Council Members

Acknowledgements .............................................................................................................. iii

Licensing .............................................................................................................................. iii

Forward – About the Burgundy Book ..................................................................................... 1

Anatomy of the GRC Capability Model ................................................................................... 7

Assessment Procedures ....................................................................................................... 10

APPENDIX 1 – MAPPING IT SOLUTIONS TO RED BOOK.......................................................... 65

APPENDIX 2 – RED BOOK SUGGESTED DOCUMENTATION .................................................... 66

APPENDIX 3 - SAMPLING AND TESTING ................................................................................ 72

APPENDIX 4 - CRITERIA FOR REVIEW PROCEDURES .............................................................. 73

APPENDIX 5 - CRITERIA USAGE SUMMARY ......................................................................... 138

APPENDIX 7 - “RED BOOK” SUGGESTED DOCUMENTATION USAGE SUMMARY ................... 141

APPENDIX 8 - GLOSSARY .................................................................................................... 143

APPENDIX 10 –TYPES OF REVIEW ....................................................................................... 145

APPENDIX 11 - AUP ENGAGEMENT REPORT CONTENT........................................................ 147

APPENDIX 12 - COMPANION MATERIALS ........................................................................... 148

APPENDIX 13 - CONTRIBUTORS TO BURGUNDY BOOK 1.0 – 3.0 DEVELOPMENT................. 149

LEGAL NOTICE ................................................................................................................... 151

Appendix 13 identifies other contributors to this and earlier versions.

Scope and Scale

Use of the Procedures within an Organization

This section describes documents and narrative to be provided by management to the

• Management Narrative includes specific requests for written narrative to be

• Other Information is specific supplemental information needed by the evaluator

• Review Procedures are activities to be undertaken by the Evaluator in

Reporting Standards for all “Review Procedures” Performed

Figure 1 – GRC Capability Model Component View

Figure 2 – GRC Capability Model Element View

Actions and Controls

1. Capability utilizes an understanding of the external factors to determine the best

1. Red Book Suggested Documentation

4. GRC Technology Solutions with Pertinent information

1. Capability utilizes an understanding of the internal factors to determine the best

4. GRC Technology Solutions with Pertinent information

4. GRC Technology Solutions with Pertinent information

4. GRC Technology Solutions with Pertinent information

1. Capability is intentionally designed as a single program or collection of integrated

4. GRC Technology Solutions with Pertinent Information

4. GRC Technology Solutions with Pertinent information

1. Red Book Suggested Documentation

4. GRC Technology Solutions with Pertinent information

4. GRC Technology Solutions with Pertinent information

4. GRC Technology Solutions with Pertinent information

Proactive Actions and Controls

1. Unless mandated, capability actively considers layering a variety of proactive,

1. Red Book Suggested Documentation

4. GRC Technology Solutions with Pertinent information

Detective Actions and Controls

4. GRC Technology Solutions with Pertinent information

RP 1. Inspect the Management Narrative obtained in Requested Information Item 2.1,

1. Capability defines communication and reporting plans.

4. GRC Technology Solutions with Pertinent information

1. Capability educates throughout the extended enterprise on actions and controls.

4. GRC Technology Solutions with Pertinent information

1. Capability establishes a simple and transparent mix of incentives and consistently

1. Red Book Suggested Documentation

4. GRC Technology Solutions with Pertinent information

4. GRC Technology Solutions with Pertinent information

1. Capability creates opportunities to ask various stakeholders about concerns and

4. GRC Technology Solutions with Pertinent information

Responding to Issues and Concerns (Investigations and Resolutions)