Developing a GRC program is a journey, not a one-and-done task to be checked off a list. It takes time and hefty data collection along the way.
For organizations looking to optimize their GRC program, it’s helpful to determine where your organization lands on the GRC maturity spectrum.
GRC maturity model
Created by OCEG in 2016 and since expanded, this maturity model serves as a benchmark for planning and executing a GRC program.
It comprises five levels, with the first representing the lowest level of maturity and the fifth representing the highest level of maturity. Your organization should demonstrate the characteristics, practices, or capabilities of one of the levels below. If it does for levels 1-4, it can incrementally adopt the characteristics, practices, or capabilities of the next level to improve its maturity over time.
Level 1: Initial
Minimal activities are in place to track governance, risk, and compliance. Most are improvised and those that do exist are siloed.
In previous versions of OCEG’s GRC maturity model, this level was called “ad hoc.”
Level 2: Managed
GRC is more strategic with defined and managed practices, but this is sometimes done informally. As a result, information is not consistently shared between departments and success is not well-measured.
In previous versions of OCEG’s GRC maturity model, this level was called “fragmented.”
Level 3: Consistent
At this level, the business operates off of a common framework, with formally documented and consistently managed practices. Silos between departments begin to break down, and information is shared.
In previous versions of OCEG’s GRC maturity model, this level was called “defined.”
Level 4: Measured
All departments are aligned with the GRC strategy, and communication and data sharing is ongoing. As a result, GRC practices are measured and managed with data-driven evidence and decision making. Typically, automation has also been introduced to streamline processes, and business benefits are measured.
In previous versions of OCEG’s GRC maturity model, this level was called “integrated.”
Level 5: Optimizing
At this level, a system of continuous monitoring has been established so GRC practices are consistently improved over time. Risk-first decision-making is seen company-wide, and risks are managed in real-time.
In previous versions of OCEG’s GRC maturity model, this level was called “agile.”
How to Build Information Security Maturity: Models + Best Practices Explained