The statement is an oversimplification of the GRC escalation process. While escalation is necessary when actions and controls are not implemented, immediately escalating every instance to the board is incorrect and inefficient. GRC frameworks, such as the OCEG GRC Capability Model, advocate for a structured, risk-based, and tiered escalation path. Issues are typically first escalated to the responsible process or business unit owner, then to senior management, and only to the board if the issue is of high strategic importance, poses a significant risk, or if management has failed to address it after previous escalations.

The "True" option is incorrect because it prescribes a one-size-fits-all action that bypasses established management structures and the principle of proportionality. This approach would overwhelm the board with operational details, undermine management's authority, and create "alarm fatigue," diminishing the board's ability to focus on genuinely critical strategic risks. The proper GRC process involves defined escalation criteria and paths, not an automatic and immediate report to the highest governance body for every control failure.

1. OCEG, "GRC Capability Model," Version 3.5 (2021). Section 4.3.3, "Communicate Monitoring Results," states that monitoring results should be communicated to "appropriate personnel to enable them to take timely and effective action." This refers to management and process owners responsible for remediation, not an immediate escalation to the board.

2. OCEG, "GRC Capability Model," Version 3.5 (2021). Section 3.4.4, "Proactive & Event-Driven Processes," discusses the need to "establish clear escalation paths and ownership for investigation and response." The existence of defined "paths" (plural) contradicts the idea of a single, immediate escalation point (the board) for all such events.

3. Simmons, S. S. (2017). Corporate Governance and the Board: What Works Best. John Wiley & Sons. While not an OCEG-specific document, this type of academic text on corporate governance clarifies the board's role. Chapter 5, "The Board's Role in Risk Management," emphasizes that the board's function is oversight, not direct management. The board oversees the risk management framework but relies on management to execute it. Escalation to the board is for systemic failures or strategic risks, not for every operational control deficiency.