April 24, 2014

ERM vs GRC: The Right Tool for the Job

What is the best way to build a birdhouse? You may be able to use one tool with multiple functions, such as a multi-tool (a type of Swiss Army knife). However, the convenience afforded by these tools is achieved by reducing the effectiveness and efficiency for more complex projects. Most of us would rather have a tool belt with specific tools suited to the project, such as a hammer, screwdriver and utility knife. Why? Independent tools with specific uses are more powerful, more efficient and more effective at completing the tasks for which they were specifically designed. The tool belt acts as an integrator, a common platform on which the other functions are based.

ERM is the tool belt on which specific governance and compliance functions can be based. These two functions can exist independently, but when driven by risk-centric and data-grounded ERM practices, they become more efficient and effective. ERM-driven governance divisions utilize risk intelligence to promote risk awareness and attitude throughout an enterprise. ERM-driven compliance divisions utilize risk intelligence to bring all levels of enterprise into agreement with regulations, audit recommendations and corporate policies.

In today’s “risk-centric” business landscape, why is the combined approach of governance, risk and compliance (GRC) favored over ERM? GRC, like the multi-tool, has the capability to serve several functions — governance, risk management and compliance — in a holistic manner. This is meant to integrate silos and reduce redundancy, bureaucratic conflicts and work overlaps. However, reality has shown that these benefits are rarely, if ever, realized. Real-world GRC implementations have been marred by repeated failures to anticipate or mitigate adverse risk events. These events occur due to failures caused by the priority given to executive, governance and compliance objectives over solid risk-based business intelligence. Unable to effectively and efficiently drive a risk-centric organization, GRC is a tool weakened by its complexity.

The problems with multi-tools are the same problems faced by GRC. Most people — in this case, organizations — use only one or two tools, regardless of effectiveness or efficiency. More often than not, in current business implementations, GRC has a tendency to be driven primarily by regulations and largely bureaucratic objectives. The priority given to governance and compliance objectives over risk management has reduced the effectiveness and efficiency of ERM divisions. ERM has been demoted to an endorsement tool, one that is used to validate executive, governance and compliance processes and functions. This reversal of priorities costs organizations billions of dollars.

Don’t believe me? From the infamous Ford Pinto memo, to BP Deepwater Horizon, to the $6 billion JPMorgan debacle and most recently Hurricane Sandy, we have seen how the focus on governance and compliance above real risk has substantially increased the effect of adverse risk events. These failures point to fundamental problems within the GRC framework and its implementation.

These problems suggest:

  1. There is not enough attention paid to the exhaustive discovery of risk, how risks are connected, and how risks are integrated into all business processes, functions and strategies.
  2. If governance and compliance functions continue to be given priority over enterprise risk management, organizations can expect to pay massive penalties to cover mistakes.
  3. Third, but by no means last, truly risk-centric organizations should have a belt of effective and efficient tools, each specifically suited to a task and driven by risk intelligence.

Without addressing these points, all-too-frequent and massive failures will continue to be a factor in business environments and a continued source of material for news media outlets. These failures should be anomalies. Driven by proper ERM implementation, a successful governance and compliance function can produce effective and sustainable benefits for all stakeholders.

Risk Management Magazine and Risk Management Monitor. Copyright 2014 Risk and Insurance Management Society, Inc. All rights reserved.

About the Author

Risk Management Magazine  is the premier source of analysis, insight and news for corporate risk managers. RM strives to explore existing and emerging techniques and concepts that address the needs of those who are tasked with protecting the physical, financial, human and intellectual assets of their companies. As the business world and the world at large change with increasing speed, RM keeps its readers informed about new challenges and solutions....

