A Documentary-Based GRC Maturity Assessment Using OCEG Practices: Single Case of PT Kereta Api Indonesia
DOI: https://doi.org/10.31098/jgrcs.v6i1.3682
Keywords: GRC, OCEG v3.5, strategic alignment, ISO 31000, ISO 37001, state-owned railway company.
Abstract
This article assesses the maturity of PT Kereta Api Indonesia (Persero)'s Governance, Risk, and Compliance (GRC) capabilities through the lens of strategic alignment. The research uses documentary analysis of 2024 documents (Annual and Sustainability Reports, Company Profiles, and Financial Reports) mapped to 23 OCEG practices (12–7–4) with a maturity scale of 1–5. The procedure includes audit trail evidence mapping and a double scoring scheme to improve replicability. The results indicate Levels 3 to 4 in several practices: Governance (KPIs & reporting, transparency/PPID, SPI/ICS effectiveness statements), Risk (digitalized ISO 31000 cycle through SMARTKA/RCSA and its correlation with RKAP/RJPP and safety/IBPR), and Compliance (implementation of SMAP ISO 37001, WBS updates and their integration with national authorities, and compliance reporting discipline). The Strategic Alignment Model analysis indicates a Path B (Technology Transformation) pattern with Path D (Service Level) elements through the integration of GRC solutions into the performance infrastructure (KPI/ICS). This study offers a replicable GRC assessment protocol with the case of state-owned railway companies. The findings reinforce the evidence that integrated GRC can improve the total performance of public service organizations.
Copyright (c) 2026 Canna Divertana Hernama

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
