We’ve all heard the old adage “what gets measured, gets done,” and this applies equally to GRC management actions and controls, which must be reviewed for operational effectiveness. Beyond that, we must consider that changes to the external and internal context may render our current actions and controls ineffective, so we must review the designs we have put in place. When operational effectiveness is poor, or context changes are significant, the organization must redefine acceptable actions and controls or reconsider and refine its objectives and strategies. We should be asking ourselves:

How can we best monitor and measure the performance of all defined actions and controls?

When and where should we establish feedback loops and “lessons learned” assessments?

What steps do we take to improve design and operations of actions and controls?

Are we able to provide assurance to governing authorities about the design and operating effectiveness of actions and controls and their contribution to the achievement of objectives?

These are just some of the questions addressed in OCEG's latest infographic, which focuses on the “Review” component of the new GRC Capability Model 3.0 (Red Book). Download your free copy now.