OCEG Red Book, GRC Capability Model, Framework v2
www.oceg.org
P1: Codes of Conduct [Ethics Code]
“Implement a code of conduct for the Board, the workforce and the extended enterprise.”
Practice P1.1 Develop the Code of Conduct, Sub-Practice 13:
“Provide for the code of conduct to address:
- compliance with all applicable laws and regulations,
- conflicts of interest,
- proper use of corporate property, information and opportunities,
- fair treatment in business dealings,
- transparency, timeliness and accuracy of public disclosures and regulatory reporting,
- prompt internal reporting of violations,
- accountability for adherence to the code provisions,
- substance abuse,
- political contributions and activities,
- the importance of ethical values and principles in decision making,
- the importance of asking questions and raising issues when concerns exist,
- how to report misconduct,
- how to report incidents and ask questions, and
- a guarantee of non-retaliation for reporting incidents.”
P4: Awareness and Education [Ethics Awareness and Ethics Training]
Principle 01 “Awareness, education and ongoing support enables individuals to:
- know what is expected,
- reduce the likelihood of errors and criminal behavior, and
- be comfortable about reporting misconduct or GRC system flaws.”
D1: Hotline and Notification [Ethics Hotline]
“Provide multiple pathways to report suspicions or incidents of noncompliance or unethical conduct, or to identify concerns about GRC system weaknesses.”