ERM vs GRC: Which adds more value?
Steven Minsky | April 29, 2013
Businesses have practiced Enterprise Risk Management (ERM) since the dawn of civilization. The first businesses were small, so one person knew all their customers, suppliers and processes. They knew all the risks within their business and how those risks were connected to their business goals, which made it easy to manage both the upside and downside “impact of uncertainty on objectives”.
However, as organizations grew in the industrial age, everyone became a specialist and groups of specialists were organized into departments. Risk began to be managed primarily within these departments, resulting in a compliance-type approach of simply enforcing standards or buying insurance to limit the downside. The software industry of the 1980s produced thousands of individual software applications that each focused on one small piece of risk or compliance activity; as a result, organizations grew increasingly complex and business processes became disconnected from each other. For most, Enterprise Risk Management became ad hoc and disorganized. Very few had mature, aligned, enterprise-wide risk management practices, meaning resources were allocated on “squeaky wheel” or “ghosts of Christmas past” principles rather than on the “bang for the buck” of business impact against corporate goals.
Technology changes everything
In 2005, a new kind of software became possible: one that works across departments and business silos to discover the relationships among people, processes, goals and the assets they use, manage that complexity, and automatically reconnect them. Working much like social network platforms such as Facebook or LinkedIn, Enterprise Risk Management software connects the risk in every job description with the allocation of resources to control those risks, prioritized by their impact on the organization’s business goals.
This was a huge threat to the thousands of incumbent traditional software providers in use within businesses, and they reacted by adopting the term GRC Software without changing the core design of their products. GRC stands for Governance, Risk and Compliance, but in practice it is a disparate, disconnected and overlapping collection of 28 primary single functions (with numerous sub-categories). Sometimes these stand-alone applications are bolted together, but each component remains an isolated software module designed to do only one type of compliance, with risk as an afterthought or as yet another separate module that compounds the isolation problem. When you add up the different single-function software packages (estimated at over 400), you end up with a random collection of vendors and incumbent, outdated technologies from the past 25 years, now renaming themselves under the banner of GRC software without agreeing on any standards. No apples-to-apples comparisons can be made across modules.
How does an organization make sense of all of this? How do you know what you are buying is the right platform and right vendor for your organization?
Enterprise Risk Management software, by contrast, is about using standards to bridge departmental silos, gain efficiencies and manage all risks from the mail room to the board room and everywhere in between, while linking them all to the business goals of the organization.
GRC Software is a dying platform
Industry analysts agree that labeling these products “GRC software” is a myopic Band-Aid approach to putting disparate tools under one governance umbrella, and adoption is shrinking as a result, whereas the ERM common platform, architected from the start to take advantage of synergies and empower collaboration across business silos, is forecast to almost double in the next 2-3 years, from 14% to 25%. Boards, regulators and shareholders understand that with GRC you can’t see the forest for the trees, and they are requiring a holistic ERM analysis and reporting approach.
ERM software adoption is rapidly increasing because, just as Facebook and LinkedIn have quickly become ubiquitous social networks, ERM software provides a corporate network that helps organizations understand and manage the complexity of their relationships, align everyone to common goals, and reduce unnecessary redundancy and overlap between activities. Resources can then be better applied, with more transparent decision making, to better manage risk and achieve performance.