How GRC Fails to Capture Enterprise Risk
Steven Minsky | April 23, 2014
Governance functions are designed to manage risks that organizations face in operational and back office silos – financial misstatements, fraud, vendor management, disaster recovery, and other activities each address a subset of the enterprise risk profile. The concept of Enterprise Risk Management is not to create another function that exists in parallel to these areas, but rather to create a standardized methodology and language to objectively prioritize across functions and levels.
In other words, Enterprise Risk Management is a framework.
GRC often positions risk as side-by-side, squished in between Governance and Compliance. Ideally, risk should be the overarching theme across all business areas, of which non-compliance is one of many risks that organizations face.
When ERM is misunderstood and instead treated as a silo – an additional governance area that focuses on high level assessments and interviews with senior management – the result is that ERM inevitably fails to live up to the expectations of Senior Management. High level risk assessments, while a valuable tool, cannot be all that risk management provides, because on their own they do not accomplish the bottom line results management is looking for.
Instead, ERM’s goal should be to leverage all of the risk information that is already known (though probably not explicit) in other governance areas. This is accomplished by creating a common language and structure so that business areas can better transfer knowledge to each other where beneficial. This provides transparency and a true risk profile to senior management, allowing businesses to uncover enterprise risk and mitigation information in process areas that are less formalized, and revealing overlapping controls where governance areas should be working together.
This approach to enterprise risk management is what results in efficiency, engagement, and the risk culture that’s evident in successful organizations. The ERM process helps process owners do their own jobs better, while adding their own insight and expertise into the larger risk picture.