If you have any familiarity with internal control concepts, you probably understand the traditional designations of preventive, detective, and corrective controls, which relate to discouraging, finding, or correcting errors and irregularities. In the modern business world, I submit that this approach to internal control is simply not enough, and both the names of these groups of controls and their definitions must evolve.
Today, organizations are seeking Principled Performance—defined as reliably achieving objectives while addressing uncertainty and acting with integrity—and they want to address both downside threats and the upside offered by identifying and grasping opportunities. Nowhere is this clearer than in the context of the controls we establish for governance, risk management, and compliance (GRC) capabilities. The OCEG GRC Capability Model notes:



