The leadership of any well-managed company knows the difference between compliance and risk management as concepts. But the difference between “governance, risk, and compliance” and “enterprise risk management”—not so much.
Sure, dictionary definitions of each acronym are relatively easy to find and easy to grasp. Real world applications of GRC and ERM, however, are much murkier to discern. They do have similar goals, but amid increasing risks and regulatory demands, understanding how GRC and ERM differ, how they can be used, and how to integrate them well is no easy feat.
“There is a lot of confusion over what GRC is, and what ERM is,” says Jim DeLoach, managing director at Protiviti. “ERM has been an enigma over the years. Boards tell CEOs they want ERM implemented, but CEOs don’t know what exactly that means. You ask 10 people in a room what ERM is and you will get 10 different answers.”
Traditionally, GRC has been technology-driven, with a variety of providers offering wares to meet a variety of problems. “It has been in search of a value proposition for a long, long time,” DeLoach says. Over time, the focus has shifted from GRC’s inherently siloed approach to the need for greater integration. Enter ERM, with its focus on elevating risk management to a strategic level.
“The definition around GRC continues to shift,” says Shawn Dahl, a principal at RSM, recently rebranded from its past identity as McGladrey. “It depends on who you ask and whether you are a technology person, or in compliance. When you go in and look at providers they all do something a little different. GRC is one of those things where there is no clear definition around what it is.”
In contrast, ERM has the benefit of being shaped by risk management frameworks like ISO 31000 and a 2004-era framework published by COSO (likely to be updated in 2016).
“They help define what ERM should be for organizations that are looking to implement it,” Dahl says. “To me, when you look at ERM, it is about how organizations identify and manage critical upside and downside risks through those frameworks, and is aligned to achieving business objectives.”
Steven Minsky, CEO of software provider LogicManager, blames the marketplace and marketing materials for GRC/ERM confusion. For example, he has seen a virus prevention software company market its narrowly focused product as GRC. “They are putting whatever label on it they can to sell their stuff,” he says. “People are getting swept up in a lot of very misleading vendor material.”
In Minsky’s view, what distinguishes ERM from GRC is that the former gives companies a grasp on the unknown, while the latter is more of a compliance-related checklist. Regulators are holding companies, boards, and auditors liable for not knowing things that they could have known about.
“At the end of the day that’s what risk-based means,” Minsky says. “Compliance is typically what 90 percent of GRC software does. But at the end of the day, when you are taking a risk-based approach with ERM, you are looking for something that hasn’t happened yet, and need to be able to put a process in place where you can identify those things as down deep into the organization as they go, across every function and region.”
He uses the example of a tsunami striking Japan or some similar coastal country. No compliance exercise can help a company account for unpredictable weather. In contrast, ERM would be better suited to help a company anticipate the risk of supply chain disruption. Failing to do so shows negligence and a lack of due diligence, and may have a material effect on shareholders.
“You can’t put every control in the world in place,” Minsky says. “It is impossible. There are not enough resources. You need to use a risk-based approach to prioritize them.”
Compared to the siloed mentality of most GRC executions, an ERM-based approach is also cost effective, Minsky adds. Relying on GRC brings the duplicated effort of “going back to the same people over and over again” as you assess their various controls, from IT to financial.
“It is double the analysis and double the costs,” he says. “It is much more efficient to say: ‘Let’s look at this control. What’s the risk?’ If the risk is material, the control is material. If the risk is not material, then you don’t need to look at the IT behind it. When you are looking at your IT controls, if they haven’t changed in the last two years, you don’t need to look at it.”
Let’s Get Regulated
Aside from the business benefits inherent in a strategic approach to risk, businesses may eventually need to view ERM as a regulatory mandate.
In the early 2000s, in response to the Sarbanes-Oxley Act, ERM “was a hot topic as organizations looked for better ways to identify and manage risk,” Dahl says. By 2008, partly due to the economic downturn and spending reductions, those adoptions plateaued, even as companies faced greater risk profiles. Since that time the occasional debate has erupted about whether stock exchanges might add ERM as a listing requirement or credit agencies might consider it in their assessments.
GRC vs ERM
Below, GRC software provider MetricStream details some of the inherent differences between GRC and ERM.
GRC:
Tends to be more compliance based
Emphasis on transparency & accountability
Focused on controlled structures
Implies adherence to specific criteria
ERM:
Tends to be more operations based
Implemented at all levels
Emphasis on cross-functional teams & individual ownership of risk
Focused on metrics and quantification of risk
Advises risk appetite when specific criteria are absent
Those efforts never came to pass, but last year the National Association of Insurance Commissioners, as part of its Own Risk and Solvency Assessment (ORSA) framework, made ERM a requirement for insurers with more than $1 million in premiums. “ORSA is not a one-off exercise—it is a continuous evolving process and should be a component of an insurer’s ERM framework,” the association wrote in industry guidance.
“Insurance companies need to be able to substantiate critical risks that relate to their capital adequacy,” Dahl says. “Now, for the first time there is a requirement driving ERM adoption. We will need to see if that extends to other industries.”
For now, however, Minsky advises against pursuing only one or the other. “It is not ERM versus GRC anymore,” he says. “Ten years ago, ERM was risk assessments, GRC was controls and compliance. Today ERM is still risk-based but it encompasses controls, testing, and monitoring—all that sort of incident management you could have previously associated with GRC.”
Dahl dissects the words that identify GRC. “Governance, risk, and compliance are three very different things,” he says. “The governance and compliance aspects of GRC are about how an organization sets itself up not just from the top down, but bottom up with how they run the business. The ‘r’ in GRC, risk, can be specifically tied to how organizations are managing risk within the purview of their operations. ERM is almost a subset within a standard definition of GRC, if such a definition exists.”