At a very high level, how can an organization address an opportunity, obstacle, or obligation?
Correct Answer: D
Question 187
What are the four dimensions of Total Performance that should be considered across all components and elements of the GRC Capability Model?
Correct Answer: D
Question 188
What role do mission, vision, and values play in the ALIGN component?
Correct Answer: D
In the ALIGN component of the GRC Capability Model, mission, vision, and values serve as the foundational elements that guide organizational direction and decision-making.
* Role in ALIGN:
  * Mission: Defines the organization's purpose and reason for existence.
  * Vision: Articulates long-term aspirations and desired future state.
  * Values: Establish ethical and cultural principles that influence behavior and decision-making.
* Significance:
  * These elements provide clarity and alignment across all levels of the organization.
  * They ensure consistency in decision-making and communication of goals and priorities.
* Why Other Options Are Incorrect:
  * A: Mission, vision, and values guide decisions but do not dictate specific processes or tools.
  * B: Financial resource allocation is influenced by strategic priorities but not directly determined by mission, vision, and values.
  * C: Legal and regulatory requirements are external obligations, not the focus of mission, vision, and values.

References:
* OCEG GRC Capability Model: Describes mission, vision, and values as integral to alignment.
* Balanced Scorecard Framework: Emphasizes their role in defining organizational strategy.
Question 189
How do organizations address opportunities and obstacles?
Correct Answer: C
Question 190
What types of actions and controls are included in the PERFORM component of the GRC Capability Model?
Correct Answer: D
The PERFORM component includes reactive, preventive, and corrective actions and controls, which are essential for executing governance, risk, and compliance processes effectively.
* Types of Actions and Controls:
  * Reactive Controls: Respond to events or risks that have already occurred (e.g., incident response).
  * Preventive Controls: Aim to avoid or mitigate risks before they materialize (e.g., access controls).
  * Corrective Controls: Address issues or gaps identified after an event (e.g., remediation plans).
* Integration in the PERFORM Component:
  * These controls ensure that the organization performs effectively while minimizing risks and achieving compliance.
* Why Other Options Are Incorrect:
  * A: Internal, external, and hybrid controls describe types of oversight, not action types.
  * B: Mandatory, voluntary, and optional actions relate to obligations, not control types.
  * C: Proactive, detective, and responsive controls mix similar concepts but do not fully describe the PERFORM component.

References:
* OCEG GRC Capability Model: Defines the types of actions and controls used in the PERFORM component.
* ISO 31000 (Risk Management): Discusses risk management controls as preventive, reactive, or corrective.