Best practices for GRC implementations


The Open Compliance and Ethics Group (OCEG) has just released its Red Book 2.0, a major upgrade to this guideline for governance, risk and compliance solution implementations. More companies are using the GRC approach these days--even at a time of looming budget constraints--and the Red Book offers a valuable best practices guide (press release).  

It was beta tested at some big-name companies, the likes of Dell, Wachovia, DuPont, Archer Daniels Midland, Qwest and Staples. In the initial comment period, more than 5,000 individuals weighed in. It's fair to say that the philosophy of GRC is clear: Instead of considering GRC-related issues in separate silos, why not take an integrated approach? That makes sense, of course, but making it a reality is not easy, hence all those GRC solutions out there. You need a framework.

The Red Book in a sense offers a COSO-like framework with a broader horizon. While COSO relates to internal financial controls that are in-scope from a Sarbanes-Oxley point of view, the Red Book aims to integrate compliance across a much broader regulatory spectrum (employment, information privacy, environmental and government contracts, for example).  

Scott Mitchell, CEO of OCEG, notes that most of the group's members use these guidelines for compliance programs outside of SOX. But the Red Book certainly dovetails with Sarbox efforts, and it makes sense to think about Sarbox as part of the larger regulatory fabric. Indeed, Mitchell also notes that the approach described by the Red Book would provide evidence to an auditor that the "internal environment" (a component of the COSO model) is effective.  

Ultimately, you just might see ways to turn GRC initiatives into operational and strategic benefits. - Jim
