1. OCEG. (2015). GRC Capability Model, Version 3.0. Section 2.2, "The GRC Capability Model Components," p. 16. "Risk Management: The capability to proactively identify, assess, and address uncertainty and potential obstacles to achieving objectives."
2. Racz, N., Weippl, E., & Seufert, A. (2010). A frame of reference for research of integrated governance, risk, and compliance (GRC). Proceedings of the Annual Hawaii International Conference on System Sciences, pp. 1-10. DOI: 10.1109/HICSS.2010.354. The paper explicitly references and builds upon the OCEG definitions, stating, "Risk management is the capability to address uncertainty and to identify and assess risks to the achievement of objectives." (Section 3.2).
3. University of South Florida. (n.d.). Course ISM 6328: Information Security and Risk Management. Course materials often reference the OCEG model, defining its components. The course syllabus and lecture notes distinguish between Governance (setting objectives), Risk (addressing uncertainty), and Compliance (adhering to rules), consistent with the OCEG framework.