GRC and ERM as uneasy bedfellows

GRC and ERM as uneasy bedfellows: different, quite separate but clearly interrelated.


From Robert J Toogood, Senior Partner – Chaordic Solutions:

This week I have had the pleasure of working with some close colleagues from the Institute of Risk Management (IRM) GRC Special Interest Group, to start looking at the relationship between what is commonly referred to as GRC and ERM.

From my own experience, it is clear that activities associated with an integrated approach to governance, risk management and compliance (aka GRC) can sometimes have an uneasy relationship with what is known as enterprise-wide risk management (aka ERM).  There are even some views that go as far as suggesting that GRC is simply just another term for ERM.

So what is this thing we call GRC?

The acronym GRC was first used over ten years ago; however, based on the research of Racz, Weippl and Seufert, there does not appear to be a universally accepted definition of what GRC actually is. The findings of their research are unfortunately confirmed by frequent discussions in various LinkedIn and other collaborative spaces, where attempts are periodically made to reach consensus on what GRC actually is.

As a starting point, the Open Compliance and Ethics Group (OCEG) defines GRC as being a:

“Capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity; including the governance, assurance and management of performance, risk, and compliance.”

The US-based but globally focused Risk and Insurance Management Society, Inc. (RIMS) have a view of this definition/approach in their “An Overview of Widely Used Risk Management Standards and Guidelines” document.  They conclude that when comparing the OCEG view of GRC against Risk Management frameworks such as COSO and ISO 31000:

“The major difference for the OCEG approach is the formal integration of the governance, risk and compliance processes, ideally supported by a common technology platform. In this framework, risk is given a limited role focused on identification and measurement. The primary directive for risk, though not exclusively, is to measure the likelihood of an event that has an adverse effect on objectives. The OCEG Capability Model relies heavily on an integrated technology platform as an enabling tool to identify and assess risk for prevention and/or remediation purposes.”

The outcome from the literature review based research of Racz, Weippl and Seufert was a single-phrase definition of:

“GRC is an integrated, holistic approach to organisation-wide governance, risk and compliance ensuring that an organisation acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness.”

But how do this and other definitions compare with what is referred to as ERM? It is interesting to see that COSO (2004) defines enterprise risk management as a:

“Process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

If we then look at ISO 31000, risk is defined as the:

“Effect of uncertainty on objectives” whereas risk management is “coordinated activities to direct and control an organization with regard to risk”.

In addition, ISO 31000 sees the risk management process as a:

“Systematic application of management policies, procedures and practices to the tasks of communication, consultation, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk”.

What seems to emerge from a comparison of these definitions is that the main distinguishing feature of GRC is that it formally integrates governance and compliance with an associated risk management framework such as COSO or, more recently, ISO 31000.

However, we are all products of our own experiences. It is because of these unique experiences, and therefore quite often perceptions, that when we look at something as complicated as GRC, it is easy to misunderstand or misinterpret what is actually going on: it just depends on how you and your organisation are viewing things and, more importantly, what your expectations are.

So from the research this week, it is clear to me that GRC and ERM are different, quite separate but clearly interrelated.  However, the creator of the term GRC, Michael Rasmussen, in his blog post “Rethinking GRC” believes the time may have come for a rethink of what GRC means.

But what are your views?

PS If you would like to join the recently formed Institute of Risk Management (IRM) GRC Special Interest Group, then just let me know – it would be good to have you onboard!

References

An Overview of Widely Used Risk Management Standards and Guidelines – A Joint Report of RIMS Standards and Practices Committee and RIMS ERM Committee from RIMS

A Frame of Reference for Research of Integrated Governance, Risk & Compliance (GRC) from Racz, Weippl and Seufert

Enterprise Risk Management: Integrated Framework, Executive Summary, September 2004 from COSO

The Risk Management Toolbox from ISO

Rethinking GRC from Michael Rasmussen

Is ERM GRC? Or Vice Versa? from Treasury and Risk

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 from IRM

Nov 2 2012
