Demystifying the Many Terms in Risk Management
Previously, we discussed the history of GRC and ERM, and new developments that are shaping the future of risk management (RM). With all of these developments, it’s clear that the risk management landscape is becoming increasingly complex. You’ve likely searched terms only to encounter a plethora of information on the subject. And now, there’s a new term in the mix – Integrated Risk Management (IRM). So, what exactly are the differences between all these terms and how do they apply to your RM program?
First, let’s turn our focus toward RM, which is the core element or practice within each of the current GRC/ERM frameworks. An organization’s RM procedures and practices must integrate horizontally across all functional areas, including HR, finance, IT, operations, product development, accounts payable, accounts receivable, legal, marketing/sales, procurement, cybersecurity and more. In addition, RM procedures and practices must also integrate vertically – from C-Level management’s strategic, high-level perspective down to middle management’s tactical, granular perspective. This horizontal and vertical integration opens up communications and understanding around a common risk language between all levels of management, ensuring that senior management has accurate and timely information to quickly develop proper responses to address all identified risks.
When it comes to GRC, the initial ask is often, “Do you have or are you using GRC?” The assumption here is that GRC is solely a software solution and that GRC software plays a leading role in risk management. However, GRC is more about an organization having: 1) a solid understanding of its policies, procedures and practices; 2) skilled RM professionals; and 3) horizontal and vertical integration of its risk and communications practices. GRC software only plays a supporting role in this scenario, providing an automated solution for the risk management practice. So the real question should be, “What GRC practices and procedures have you implemented to ensure your organization can achieve its strategic goals and objectives, as well as your risk management and compliance requirements?”
The misconceptions around ERM are similar. There’s also confusion between GRC and ERM with regard to which framework is the higher-level or ‘umbrella’ framework. In fact, the two frameworks (GRC and ERM) are very similar. Some practitioners would argue that the COSO Cube-based ERM framework is the higher-level framework, with GRC functioning under ERM. What matters, however, is that both GRC and ERM frameworks are intended to address the failings of traditional risk management, specifically its lack of integration.
As many organizations struggle to successfully implement GRC/ERM frameworks into their organizations, the newest framework, IRM, is supposed to answer all the shortcomings of both GRC and ERM and deliver on the expectations of integration. However, not everyone is marching toward IRM, as some are rebranding their products and methodologies as Integrated Governance Risk and Compliance (IGRC).
While software tools can improve the effectiveness and efficiency of RM by automating the process, it’s important to understand that the business benefits and objectives of implementing GRC/ERM/IRM will only be achieved when there is a thorough understanding of: 1) the underlying business processes and practices; 2) risk management practices, including a common organizational risk lexicon; and 3) organizational structure and alignment to support and ensure full vertical and horizontal risk management integration. It’s also critical to note that such organizational changes should be made on the basis of supporting the fundamental principles of ERM/GRC/IRM rather than being driven by a GRC software requirement. Furthermore, the technology supporting GRC/ERM frameworks has been evolving since the early 2000s and will continue to evolve over the years. We now expect that GRC/ERM/IRM will continue maturing and evolving in a similar manner to their supporting technologies.
At the end of the day, “Rose is a rose is a rose is a rose,” and while the names and acronyms may overlap or cause confusion, what matters most is what you’re doing to protect your organization from exposure to risk.