GRC Capability Maturity Model
The governance process itself can start small, in a fairly ad hoc manner, and can mature to the point where the governance processes are truly optimized. The IT Policy Compliance Group, an industry and advisory consortium, adapted the Capability Maturity Model first published by the Carnegie Mellon Software Engineering Institute to the GRC domain. This gives companies a way to measure where they are on the spectrum, and a sense of how far they have to go and of the costs and benefits of getting there.
The following figure shows the levels in the Capability Maturity Model and the process characteristics at each of the levels:
We will be revisiting the Capability Maturity Model to see how the different pieces of our GRC solution help move us along the spectrum: optimizing our controls footprint, minimizing the costs, maximizing repeatability, and ensuring we have measurable results that can be expressed in terms of business value. The IT Policy Compliance Group provides standardized assessments to help companies measure where they are.