Category of requirement (relevant theories)

Guidelines

Strategic orientation

(market-based-view, resource-based-view, stakeholder theory, shareholder theory)

1) GRC should be aligned with the company's strategic objectives in order to secure the company's long-term survival.

2) The resources that make up GRC management should support the realisation of operational benefits. Creating a strategic advantage through well-managed GRC, by contrast, is at the very least considerably more difficult.

3) GRC should focus on the interests of the stakeholders. These interests should be balanced against each other, with the long-term maximisation of company value as the guiding premise.

Integration

(transaction costs theory)

4) The management activities relevant to GRC should be carried out centrally (including integrated information systems and methods), whereas the operational GRC activities should be embedded in the core business processes and IT systems (hybrid approach).

5) To avoid both duplicated work and gaps during implementation, GRC should be integrated across the different compliance requirements as well as across the GRC disciplines (governance, risk management and compliance).

Business process orientation

(transaction costs theory)

6) A process-oriented perspective, together with the procedures, methods and tools of business process management (BPM), should be adopted in order to reduce the transaction costs of GRC.

Management systems

(transaction costs theory, institutional theory)

7) Appropriate procedures, methods and tools should be developed to harmonise the management systems involved in GRC.

Automation

(transaction costs theory, principal-agent theory, organisational control theory)

8) IT should be used as an enabler for GRC management and be complemented by appropriate organisational concepts.

9) To increase the effectiveness of the organisational procedures for compliance and risk control, and to reduce costs, controls should be automated to the greatest extent possible. At the same time, organisational procedures should complement and support the automated controls rather than being replaced by them.

Flexible business processes and IT systems

(principal-agent theory, stewardship theory)

10) The challenge of keeping business processes and IT systems flexible arises from the tension between achieving strategic objectives and meeting regulatory GRC requirements. This conflict of objectives should be resolved case by case, according to the individual situation.

Human factors

(e.g. theory of reasoned action/planned behaviour, principal-agent theory)

11) The determinants of compliance behaviour depend on the interplay of many different forms of control. The control approach chosen should take into account both the relationship between the individual controls and situation-specific aspects.