{"id":896,"date":"2012-11-02T12:05:31","date_gmt":"2012-11-02T12:05:31","guid":{"rendered":"http:\/\/www.chaordicsolutions.co.uk\/blog\/?p=896"},"modified":"2012-11-07T22:59:32","modified_gmt":"2012-11-07T22:59:32","slug":"grc-and-erm-as-uneasy-bedfellows","status":"publish","type":"post","link":"https:\/\/www.chaordicsolutions.co.uk\/blog\/from-our-grc-consultants\/grc-and-erm-as-uneasy-bedfellows\/","title":{"rendered":"GRC and ERM as uneasy bedfellows"},"content":{"rendered":"<p><a href=\"http:\/\/www.chaordicsolutions.co.uk\/blog\/wp-content\/uploads\/2012\/05\/businesscontinuitymini.jpg\"><img loading=\"lazy\" class=\"alignleft size-full wp-image-36\" title=\"businesscontinuitymini\" src=\"http:\/\/www.chaordicsolutions.co.uk\/blog\/wp-content\/uploads\/2012\/05\/businesscontinuitymini.jpg\" alt=\"\" width=\"97\" height=\"64\" \/><\/a><\/p>\n<p><em>GRC and ERM as uneasy bedfellows: different, quite separate but clearly interrelated.<\/em><\/p>\n<p><strong>From Robert J Toogood, Senior Partner \u2013 Chaordic Solutions:<\/strong><\/p>\n<p>This week I have had the pleasure of working with some close colleagues from <a title=\"the Institute of Risk Management (IRM) GRC Special Interest Group\" href=\"http:\/\/www.theirm.org\/events\/GRC_SIG.htm\" target=\"_blank\">the Institute of Risk Management (IRM) GRC Special Interest Group<\/a>, to start looking at the relationship between what is commonly referred to as GRC and ERM.<\/p>\n<p>From my own experience, it is clear that activities associated with an integrated approach to governance, risk management and compliance (aka GRC) can sometimes have an uneasy relationship with what is known as enterprise-wide risk management (aka ERM).\u00a0 There are even some views that go as far as suggesting that GRC is simply just another term for ERM.<\/p>\n<p>So what is this thing we call GRC?<\/p>\n<p>The acronym GRC was first used over ten years ago &#8230; however, based on the research 
of <a title=\"Racz, Weippl and Seufert\" href=\"http:\/\/www.grc-resource.com\/resources\/racz_al_frame_reference_grc_cms2010.pdf\" target=\"_blank\">Racz, Weippl and Seufert<\/a>, there does not appear to be a universally accepted definition of what GRC actually is.\u00a0 The findings from their research are unfortunately confirmed by frequent discussions in various LinkedIn and other collaborative spaces, where attempts are periodically made to reach consensus on what GRC actually is.<\/p>\n<p>As a starting point, the <a title=\"Open Compliance and Ethics Group (OCEG)\" href=\"http:\/\/www.oceg.org\/\" target=\"_blank\">Open Compliance and Ethics Group (OCEG)<\/a> defines GRC as being a:<\/p>\n<p><em>\u201cCapability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with <a title=\"Integrity\" href=\"http:\/\/www.grcglossary.org\/terms\/integrity\" rel=\"bookmark\">integrity<\/a>; including the <a title=\"Governance\" href=\"http:\/\/www.grcglossary.org\/terms\/governance\" rel=\"bookmark\">governance<\/a>, <a title=\"Assurance\" href=\"http:\/\/www.grcglossary.org\/terms\/assurance\" rel=\"bookmark\">assurance<\/a> and management of performance, <a title=\"Risk\" href=\"http:\/\/www.grcglossary.org\/terms\/risk\" rel=\"bookmark\">risk<\/a>, and <a title=\"Compliance\" href=\"http:\/\/www.grcglossary.org\/terms\/compliance\" rel=\"bookmark\">compliance<\/a>.\u201d<\/em><\/p>\n<p>The US-based but globally focused Risk and Insurance Management Society, Inc. 
(RIMS) have a view of this definition\/approach in their \u201c<a title=\"An Overview of Widely Used Risk Management Standards and Guidelines\" href=\"http:\/\/www.rims.org\/resources\/ERM\/Documents\/RIMS%20Executive%20Report%20on%20Widely%20Used%20Standards%20and%20Guidelines%20March%202010.pdf\" target=\"_blank\">An Overview of Widely Used Risk Management Standards and Guidelines<\/a>\u201d document.\u00a0 They conclude that when comparing the OCEG view of GRC against Risk Management frameworks such as COSO and ISO 31000:<\/p>\n<p><em>\u201cThe major difference for the OCEG approach is the formal integration of the governance, risk and compliance processes, ideally supported by a common technology platform. In this framework, risk is given a limited role focused on identification and measurement. The primary directive for risk, though not exclusively, is to measure the likelihood of an event that has an adverse effect on objectives. The OCEG Capability Model relies heavily on an integrated technology platform as an enabling tool to identify and assess risk for prevention and\/or remediation purposes.\u201d<\/em><\/p>\n<p>The outcome from the literature-review-based research of <a title=\"Racz, Weippl and Seufert\" href=\"http:\/\/www.grc-resource.com\/resources\/racz_al_frame_reference_grc_cms2010.pdf\" target=\"_blank\">Racz, Weippl and Seufert<\/a> was a single-phrase definition of:<\/p>\n<p><em>\u201cGRC is an integrated, holistic approach to organisation-wide governance, risk and compliance ensuring that an organisation acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness.\u201d<\/em><\/p>\n<p>But how do this and other definitions compare with what is referred to as ERM?\u00a0 It is interesting to see that\u00a0<a title=\"COSO (2004)\" 
href=\"http:\/\/www.coso.org\/documents\/COSO_ERM_ExecutiveSummary.pdf\" target=\"_blank\">COSO (2004)<\/a> defines enterprise risk management as a:<\/p>\n<p><em>\u201cProcess, effected by an entity\u2019s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.\u201d<\/em><\/p>\n<p>If we then look at <a title=\"ISO 31000\" href=\"http:\/\/www.iso.org\/iso\/home\/news_index\/news_archive\/news.htm?Refid=Ref1586\" target=\"_blank\">ISO 31000<\/a>, risk is defined as the:<\/p>\n<p><em>\u201cEffect of uncertainty on objectives\u201d whereas risk management is \u201ccoordinated activities to direct and control an organization with regard to risk\u201d.<\/em><\/p>\n<p>In addition, <a title=\"ISO 31000\" href=\"http:\/\/www.iso.org\/iso\/home\/news_index\/news_archive\/news.htm?Refid=Ref1586\" target=\"_blank\">ISO 31000<\/a> sees the risk management process as a:<\/p>\n<p><em>\u201cSystematic application of management policies, procedures and practices to the tasks of communication, consultation, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk\u201d.<\/em><\/p>\n<p>What seems to emerge from a comparison of these definitions is that the main distinguishing feature of GRC is that it formally integrates governance and compliance with an associated risk management framework such as COSO or, more recently, ISO 31000.<\/p>\n<p>However, we are all products of our own experiences.\u00a0 It is because of these unique experiences, and therefore quite often perceptions, that when we look at something as complicated as GRC, it is easy to misunderstand\/misinterpret what is actually going on &#8230; it just depends on how you and your organisation are 
viewing things, and more importantly, what your expectations are.<\/p>\n<p>So from the research this week, it is clear to me that GRC and ERM are different, quite separate but clearly interrelated.\u00a0 However, the creator of the term GRC, Michael Rasmussen, in his blog post \u201c<a title=\"Rethinking GRC\" href=\"http:\/\/www.corp-integrity.com\/grc-fundamentals\/rethinking-grc\" target=\"_blank\">Rethinking GRC<\/a>\u201d believes the time may have come for a rethink of what GRC means.<\/p>\n<p>But what are <strong>your<\/strong> views?<\/p>\n<p>PS If you would like to join the recently formed <a title=\"Institute of Risk Management (IRM) GRC Special Interest Group\" href=\"http:\/\/www.theirm.org\/events\/GRC_SIG.htm\" target=\"_blank\">Institute of Risk Management (IRM) GRC Special Interest Group<\/a>, then just let me know &#8211; it would be good to have you onboard!<\/p>\n<p><strong>References<\/strong><\/p>\n<p><a title=\"www.rims.org\/resources\/ERM\/Documents\/RIMS Executive Report on Widely Used Standards and Guidelines March 2010.pdf\" href=\"http:\/\/www.rims.org\/resources\/ERM\/Documents\/RIMS%20Executive%20Report%20on%20Widely%20Used%20Standards%20and%20Guidelines%20March%202010.pdf\" target=\"_blank\">An Overview of Widely Used Risk Management Standards and Guidelines \u2013 A Joint Report of RIMS Standards and Practices Committee and RIMS ERM Committee <\/a>from RIMS<\/p>\n<p><a title=\"http:\/\/www.grc-resource.com\/resources\/racz_al_frame_reference_grc_cms2010.pdf\" href=\"http:\/\/www.grc-resource.com\/resources\/racz_al_frame_reference_grc_cms2010.pdf\" target=\"_blank\">A Frame of Reference for Research of Integrated Governance, Risk &amp; Compliance (GRC)<\/a> from Racz, Weippl and Seufert<\/p>\n<p><a title=\"http:\/\/www.coso.org\/documents\/COSO_ERM_ExecutiveSummary.pdf\" href=\"http:\/\/www.coso.org\/documents\/COSO_ERM_ExecutiveSummary.pdf\" target=\"_blank\">Enterprise Risk Management \u2014Integrated Framework, Executive Summary, 
September 2004<\/a> from COSO<\/p>\n<p><a title=\"http:\/\/www.iso.org\/iso\/home\/news_index\/news_archive\/news.htm?Refid=Ref1586\" href=\"http:\/\/www.iso.org\/iso\/home\/news_index\/news_archive\/news.htm?Refid=Ref1586\" target=\"_blank\">The Risk Management Toolbox<\/a> from ISO<\/p>\n<p><a title=\"http:\/\/www.corp-integrity.com\/grc-fundamentals\/rethinking-grc\" href=\"http:\/\/www.corp-integrity.com\/grc-fundamentals\/rethinking-grc\" target=\"_blank\">Rethinking GRC<\/a> from Michael Rasmussen<\/p>\n<p><a title=\"http:\/\/www.treasuryandrisk.com\/2007\/06\/01\/is-erm-grc-or-vice-versa-\" href=\"http:\/\/www.treasuryandrisk.com\/2007\/06\/01\/is-erm-grc-or-vice-versa-\" target=\"_blank\">Is ERM GRC? Or Vice Versa?<\/a> from Treasury and Risk<\/p>\n<p><a title=\"A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000\" href=\"http:\/\/theirm.org\/documents\/SARM_FINAL.pdf\" target=\"_blank\">A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000<\/a> from IRM<\/p>\n","protected":false},"excerpt":{"rendered":"<p>GRC and ERM as uneasy bedfellows: different, quite separate but clearly interrelated. 
&nbsp;<\/p>\n","protected":false},"author":1,"featured_media":36,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[26],"tags":[34,20,18,19,83,86,84,85,29,27,28,30,81,313,36,39,37,38],"_links":{"self":[{"href":"https:\/\/www.chaordicsolutions.co.uk\/blog\/wp-json\/wp\/v2\/posts\/896"}],"collection":[{"href":"https:\/\/www.chaordicsolutions.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.chaordicsolutions.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.chaordicsolutions.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.chaordicsolutions.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=896"}],"version-history":[{"count":41,"href":"https:\/\/www.chaordicsolutions.co.uk\/blog\/wp-json\/wp\/v2\/posts\/896\/revisions"}],"predecessor-version":[{"id":921,"href":"https:\/\/www.chaordicsolutions.co.uk\/blog\/wp-json\/wp\/v2\/posts\/896\/revisions\/921"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.chaordicsolutions.co.uk\/blog\/wp-json\/wp\/v2\/media\/36"}],"wp:attachment":[{"href":"https:\/\/www.chaordicsolutions.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.chaordicsolutions.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.chaordicsolutions.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}