ERM vs GRC? SEC Says No to Myopic Approach: Costly Example from Goldman Sachs
Steven Minsky | April 19, 2010
What is the difference between ERM and GRC? Look no further than Friday’s news headline, “Fraud charge deals big blow to Goldman’s image.” In a statement, Goldman called the commission’s accusations “completely unfounded”.
A GRC approach does little to protect the organization’s brand reputation, prevent litigation or protect against intellectual property infringement. Witness Goldman Sachs. Goldman has adamantly denied the SEC’s allegation by claiming technical “compliance”, but in the investor and customer community, its failure to address reputation risk has resulted in a share price drop of 13 percent and more than a $10 billion drop in the company’s market value.
In my post SEC Proposes Accountability for ERM, I detailed the new regulation anticipated from the SEC requiring in-depth risk disclosures, derived from examining the activity level where performance incentives may affect the company’s risk profile. That regulation went into effect on February 28, 2010. Many firms still take a “wait and see” attitude. Many unfortunately believe that by continuing business as usual and filing the required compliance documentation, their firms are protected. The investments they made in GRC systems that merely automate the compiling of this documentation have done little to address the root cause of risk or to protect their company’s interests.
Increasingly, boards are asking: What measures do we have in place to collect information on our reputation risk? What is the business measurement for compliance activity that connects to EBITA?
How would ERM have made a difference? In addition to the compliance aspects of the transaction, ERM would have taken the impact of reputational risk, as well as the cost of litigation, and weighed these against the expected profit of the transaction. ERM would also have identified the conflict of interest of the vendor partner and suggested a disclosure to cover the risk, as is now required under the SEC regulation. In summary, ERM would have brought a holistic picture of all sides of this transaction in terms of risk, performance and compliance, which would have made clear that the return on investment in risk-adjusted terms would have been negative and the activity would not have been pursued. To baseline your organization’s risk management capabilities, do a free assessment from the Risk and Insurance Management Society.
Organizations that pursue an ERM approach rather than a GRC approach to compliance look at corporate strategic imperatives and at how compliance efforts contribute to “readiness”, so as to maximize their contribution. General Counsel and their teams that lead compliance efforts with an ERM value-protection approach, instead of a GRC “form over substance” approach, take a broader view of compliance and risk and better protect their organizations. Goldman Sachs is just one of many examples.