GRC Assessment Tools (Burgundy Book)

The purpose of the Burgundy Book is to provide GRC professionals, as well as those responsible for providing assurance, with a common set of assessment procedures that align with the OCEG GRC Capability Model (Red Book) and a common understanding of what can be expected during a capability assessment of a GRC Capability.

OCEG’s goals in creating the GRC Capability Assessment Tools are to:

1. Help organizations evaluate the design and operating effectiveness of their GRC capability(s)
2. Reduce the cost of such evaluations by eliminating the time and expense of creating procedures
3. Raise the overall level of maturity and quality of organizational GRC globally by helping individual organizations create their prioritized improvement plans
4. Provide external judgment and recognition of sound practices.

The GRC Assessment Tools are designed to be scalable. The toolkit can be applied to a review of individual risk-specific programs (i.e., anti-fraud program, privacy program, etc.), discrete business units, sub- capabilities (i.e., hotline, risk management, values management, training, etc.) and the entire enterprise. It is also designed so that the same procedures may be used for self-assessment by GRC personnel, internal assurance to the Executive suite and the Board by Internal Audit, or external assurance for the Board and other stakeholders by third-party evaluators, generally CPAs or their equivalents.

Please note the current downloadable version of the Burgundy Book is based on the GRC Capability Model v2.1(Red Book). The Burgundy Book for the GRC Capability Model v3 will be available soon.