Value Creation vs. Value Protection: How ERM and GRC are More Effective Together

ERM is value creation

Essentially, ERM is a risk-focused comprehensive look at an organization that shares the same end goal as GRC: the continued achievement of a company’s objectives. ERM, thus, encompasses every function, including governance and compliance, simplifying it to a common framework that includes the identification and assessment of goals, requirements, and root-cause risks.

Some risks have cross-functional implications, which means that certain mitigation activities can have benefits for more than one department. That means an effective ERM framework allows the streamlining of controls, reduces redundancy, and strengthens controls by ensuring they mature cross-functionally.

ERM is, therefore, value creation. If risk management is independent and value driven, ERM can contribute to GRC goals and the bottom line simultaneously. When the focus is compliance or there’s too much concern with checking boxes, it is less likely to do more than maintain the status quo. But if the focus is risk management, your organization can achieve an effective risk management culture and a sustainable competitive advantage.

GRC is value protection

GRC is often defined as the compliance-focused alternative approach to ERM, an industry term largely used to describe a software solution. It’s an overarching term that encompasses all the governance, risk, and compliance efforts, including ERM.

The term “GRC” has been used as a wide-ranging classification of an organization’s efforts — across these three distinct disciplines — to ensure continued satisfaction of short- and long-term objectives. The traditional approach involves classifying GRC components as their own sets of processes. Naturally, this means each component — risk, compliance, and each governance function, such as audit, IT security, and policy management — is treated as its own silo, with its own practitioners, subject-matter experts, and managers.

More recently, GRC programs have begun to diverge from the traditional siloed approach. An enterprise approach (“eGRC”) keeps the overall program more in line with enterprise risk management solutions, which aim to break down silos and eliminate redundancies and other inefficiencies.

GRC is, consequently, value protection. In a GRC-focused organization, priority is given to executive, governance, and compliance objectives over solid risk-based business intelligence. Due to this focus, GRC alone struggles to effectively and efficiently drive a risk-centric organization. Instead of being proactive, it often functions as a reactive program for record-keeping.

You can’t do ERM without GRC

ERM and GRC are growing closer. eGRC is pushing a more ERM-like approach to GRC, and the Three Lines of Defense (3LOD) model of risk management suggests you can’t do ERM without doing GRC anymore. This model inherently integrates compliance, executive oversight, and audit into risk management and is being pushed by regulators, taught by associations, conferences, experts, and consultants.

Already prevalent in larger financial institutions, it’s also now working its way down into smaller banks. The 3LOD model may not be a hot topic outside the financial services industry, but it can often be found in the foundation of more complex models of risk management that are prevalent in other industries, like RCSA.

The important takeaway of the natures of ERM and GRC is that risk management requires a holistic view and effective collaboration and coordination across your company. You need to have an organized, intelligent way to consistently assess risk, manage compliance, and coordinate audits.

Contact Us