The first assessment pillar will cover the business to know in which market space it exists and what are the services it provides to which type of customers. Although the assessment is not targeting the business specifically but the business and its strategy are affecting any GRC related improvement initiative. So to conduct the assessment effectively it should cover first the business, its services and customers. This pillar will support your organization in defining its stakeholders’ needs in a measurable manner to be used as the TO-BE level in future improvement initiative.
Business stakeholders’ needs assessment activities include:
• Business identification
• Customer identification
• Provided services/products (core or supporting to business)
• Provided services/products evaluated by customers
• Business management commitment to service provisioning/product delivery
• Quality management system identification and assessment
• Identifying needed improvement policies and activities

The second assessment pillar will cover the processes and controls which control how the work is done every day which should be in an organized, standardized and agreed upon manner. High quality processes and controls should be a motive to decrease any rework and increase the efficiency and effectiveness of the employees and their performance. In this part every process is assessed against customer selected framework/s or standard/s. This pillar will support your organization in defining and measuring the existing and needed processes and controls in a measurable manner to be used as the AS-IS level in the current work environment.
Process assessment activities include:
• Identifying existing processes and controls
• Assessing existing processes, controls and their documentation
• Measuring the conformity of existing processes and controls
• Checking change management
• Assessing process owner, manager and practitioner respective roles and responsibilities
• Assessing existing processes and controls suitability to business, service/product and customer needs
• Identifying needed improvements for existing processes or controls
• Identifying needed processes or controls and their respective roles and responsibilities

The third assessment pillar will cover people and their respective roles and responsibilities whether they are documented and organized or not. The assessment will cover the knowledge of people within scope against the customer selected framework/s or standard/s and maybe covers their technical background and skills to discover strengths and weaknesses. There will be an assessment for every responsible staff within the assessment scope. This pillar will support your organization in defining and measuring the existing and needed knowledge of responsible staff in a measurable manner to be used as the AS-IS level in the current work environment.
People Assessment activities included:
•  Awareness of top management goals and strategy
• Assessing process owner, manager and practitioner respective knowledge
• Process management communication
• GRC controls knowledge
• GRC knowledge transfer methods
• GRC training needs
• Organizational structure needed changes