ERM vs. GRC: Business Performance vs. Myopic Compliance

Steven Minsky | Feb. 23, 2011

ERM is all about delivering measurable business value by tying operational activities to organization goals.  By organizing risk activities at the business process level, ERM can reach the front-line where risks actually occur and connect those risks across business silos all the way to the enterprise level.  This approach also links the consequences and dependencies between risks so managers can fill gaps and eliminate redundancies; increasing business performance.

GRC on the other hand, operates at the business unit level far from the front-line and isolated to single business silos.  Organization at this level makes adapting to the inevitable reorganization nearly impossible and doesn’t tie operational activities to business strategy.  When risk activities and organizational goals are misaligned gaps remain hidden and effectiveness cannot be assured.

Although GRC claims to address the same problems as ERM and has exploited the right buzzwords, the execution and results between GRC and ERM are very different.  ERM empowers managers from the mail room to the board room and provides a holistic view of organization risk.  In contrast, GRC solutions embrace compliance as a separate activity for each business silo resulting largely in form over substance compliance.

To illustrate this difference let’s look at this satellite image of the border between Haiti and the Dominican Republic (DR). The two countries share one island and the same goal of preventing deforestation, but their differences of execution are yielding very different results.

As a matter of policy both countries claim addressing deforestation is a priority.  However Haiti’s once lush forests are turning to desert while the DR has effectively preserved the value of its natural resources.  The difference is in aligning activities with governance policy.  While both countries share a similar policy, the DR has aligned its activities with its governance policy.

Most corporations say they handle their risks well, but actually executing on those policies is a very different story.  ERM helps you create a sustainable business by identifying what matters and aligning all your organization’s activities to manage risks and achieve business goals.

Enterprise Risk ManagementGovernance, Risk, and Compliance
  • Holistic picture of risk
  • Links risks to strategic imperatives
  • Focus on business performance
  • Risks restricted to business silos
  • Links risks to compliance requirements
  • Focus on compliance areas
Request Demo | LogicManager Blog

Integrate Governance Areas

Learn how to integrate governance areas in this free eBook!

2018-02-01T10:41:50+00:00

About the Author:

Steven is a recognized thought leader in ERM, CEO of LogicManager, and co-author of the RIMS Risk Maturity Model. Follow him on Twitter at @SteveMinsky