Security Officers Management & Analysis Project

OGRCM3 - Open Governance, Risk and Compliance Maturity Management Methodology

We understand the risk management process as a lifecycle with four steps, starting at the Compliance Scoping.


Compliance Scoping

In this step you define what authority documents you will need and for which you try to achieve compliance with.

Asset Management & Categorisation

During this step you manage your assets, you define the responsibilities and manage the changes since the last assessment.

Compliance Measurement & Documenting

This step is about measuring the compliance of the implemented controls with the requirements as described in the authority documents chosen during the Compliance Scoping step.

Different assessment measuring strategies can be used to measure the compliance level. Findings are documented for later evaluation and reporting.

Evaluation & Reporting

The last step contains the evaluation of the findings and the reporting of the facts to the upper management and other interested parties.


An older version of our methodology is published in our Guide. In the published version, the Guide describes two risk analysis methodologies. These are the qualitative and the quantitative methods. There are other methods and this Guide and the SOBF tool are both not restricted to only the current two methodologies. The project is interested to learn more about other methodologies which could be explained in a later version of the Guide and implemented with the SOBF tool.

Feedback is work in progress and any contribution is welcome. If you are interested in helping out, then please contact the project via email at