Value Creation vs. Value Protection: How ERM and GRC are More Effective Together
Today, the variety of risks an organization faces makes enterprise risk management (ERM) a vital part of a governance, risk, and compliance (GRC) program.
What does ERM mean? And what does GRC mean? While ERM and traditional GRC programs aim to solve the same problems, they approach them from different angles. ERM and GRC may be viewed as competing alternatives or can hypothetically exist independently, but they are most effective when working together through risk-centric and data-grounded practices.
ERM is value creation
Essentially, ERM is a risk-focused comprehensive look at an organization that shares the same end goal as GRC: the continued achievement of a company’s objectives. ERM, thus, encompasses every function, including governance and compliance, simplifying it to a common framework that includes the identification and assessment of goals, requirements, and root-cause risks.
Some risks have cross-functional implications, which means that certain mitigation activities can have benefits for more than one department. That means an effective ERM framework allows the streamlining of controls, reduces redundancy, and strengthens controls by ensuring they mature cross-functionally.
ERM is, therefore, value creation. If risk management is independent and value driven, ERM can contribute to GRC goals and the bottom line simultaneously. When the focus is compliance or there’s too much concern with checking boxes, it is less likely to do more than maintain the status quo. But if the focus is risk management, your organization can achieve an effective risk management culture and a sustainable competitive advantage.
GRC is value protection
GRC is often defined as the compliance-focused alternative approach to ERM, an industry term largely used to describe a software solution. It’s an overarching term that encompasses all the governance, risk, and compliance efforts, including ERM.
The term “GRC” has been used as a wide-ranging classification of an organization’s efforts — across these three distinct disciplines — to ensure continued satisfaction of short- and long-term objectives. The traditional approach involves classifying GRC components as their own sets of processes. Naturally, this means each component — risk, compliance, and each governance function, such as audit, IT security, and policy management — is treated as its own silo, with its own practitioners, subject-matter experts, and managers.
More recently, GRC programs have begun to diverge from the traditional siloed approach. An enterprise approach (“eGRC”) keeps the overall program more in line with enterprise risk management solutions, which aim to break down silos and eliminate redundancies and other inefficiencies.
GRC is, consequently, value protection. In a GRC-focused organization, priority is given to executive, governance, and compliance objectives over solid risk-based business intelligence. Due to this focus, GRC alone struggles to effectively and efficiently drive a risk-centric organization. Instead of being proactive, it often functions as a reactive program for record-keeping.
You can’t do ERM without GRC
ERM and GRC are growing closer. eGRC is pushing a more ERM-like approach to GRC, and the Three Lines of Defense (3LOD) model of risk management suggests you can’t do ERM without doing GRC anymore. This model inherently integrates compliance, executive oversight, and audit into risk management and is being pushed by regulators, taught by associations, conferences, experts, and consultants.
Already prevalent in larger financial institutions, it’s also now working its way down into smaller banks. The 3LOD model may not be a hot topic outside the financial services industry, but it can often be found in the foundation of more complex models of risk management that are prevalent in other industries, like RCSA.
The important takeaway of the natures of ERM and GRC is that risk management requires a holistic view and effective collaboration and coordination across your company. You need to have an organized, intelligent way to consistently assess risk, manage compliance, and coordinate audits.