Developing a GRC program is a journey, not a one-and-done task to be checked off a list. It takes time and substantial data collection along the way.

For organizations looking to optimize their GRC program, it is helpful to first determine where the organization currently sits on the GRC maturity spectrum.

GRC maturity model

Created by OCEG in 2016 and since expanded, this maturity model serves as a benchmark for planning and executing a GRC program.

It comprises five levels, from Level 1 (least mature) to Level 5 (most mature). Match your organization to the level whose characteristics, practices, and capabilities it currently demonstrates. If that is one of levels 1 through 4, the organization can improve its maturity over time by incrementally adopting the characteristics, practices, and capabilities of the next level up.

Level 1: Initial

Minimal activities are in place to track governance, risk, and compliance. Those that do exist are improvised and siloed.

In previous versions of OCEG’s GRC maturity model, this level was called “ad hoc.”

Level 2: Managed

GRC is approached more strategically, with defined and managed practices, but these practices are sometimes applied informally. As a result, information is not consistently shared between departments and success is not well measured.

In previous versions of OCEG’s GRC maturity model, this level was called “fragmented.”

Level 3: Consistent

At this level, the business operates from a common framework, with formally documented and consistently managed practices. Silos between departments begin to break down, and information is shared.

In previous versions of OCEG’s GRC maturity model, this level was called “defined.”

Level 4: Measured

All departments are aligned with the GRC strategy, and communication and data sharing are ongoing. As a result, GRC practices are measured and managed with data-driven evidence and decision making. Typically, automation has also been introduced to streamline processes, and business benefits are measured.

In previous versions of OCEG’s GRC maturity model, this level was called “integrated.”

Level 5: Optimizing

At this level, a system of continuous monitoring has been established so that GRC practices are consistently improved over time. Risk-first decision making is seen company-wide, and risks are managed in real time.

In previous versions of OCEG’s GRC maturity model, this level was called “agile.”