ERM vs GRC: What’s the Difference?
ERM vs. GRC: Overview
Today, organizations face a variety of operational risks. While ERM and traditional GRC programs aim to solve the same problems, they approach them from different angles.
There is a well-documented history of these two very different approaches. The GRC movement was started by, and is most closely associated with, AS2 (“Auditing Standard No. 2”), brought about by Sarbanes-Oxley. GRC was born of, and mimicked, the tedium of Sarbanes-Oxley AS2, which has a prescriptive, auditor-focused approach: all controls and tests were considered equal, testing went down into the minutiae, and the phrase “in the weeds” became popular, along with the words “burdensome” and “costly”.
Enterprise Risk Management, however, was created later and was a fundamentally more modern approach. It is characterized by a principles-based focus that incorporates risk assessments much more profoundly than AS2, with an evaluation of “materiality” and “priorities” so that effort is focused only on what matters most.
LogicManager’s ERM approach, for example, is based on the use of regular, standardized risk assessments. These assessments help align governance, compliance, and other initiatives.
Our legal system codifies protections for a risk-based approach as a foundation for determining liability. For example,
- A driver is determined to be negligent if they fail to exercise the amount of caution a reasonable person would under the same circumstances.
- Generally speaking, the driver in back will be found at fault for a rear-end collision. Inattentive driving is a top contributor to rear-end collisions.
- Contracting parties frequently use terms such as “commercially reasonable efforts,” “reasonable efforts,” “best efforts” or similar standards when describing their expectations regarding the performance of a party’s obligations.
No one can guarantee they will be in compliance 100% of the time, but customers using LogicManager have a large degree of protection from lawsuits and regulatory penalties. This is because every solution package you use incorporates risk assessments, which provide the evidence you need to demonstrate that you took the appropriate commercially reasonable effort.
Our software creates a repeatable, sustainable process that:
- Links risks to consequences holistically across functional silos
- Connects process-level activities to strategic goals
- Has all the framework content you need to provide transparency into operational activities, linking them directly to board objectives
On the other hand, traditional GRC systems take a prescriptive approach and typically focus on just one compliance area in a silo.
The result is that traditional governance, risk and compliance software cannot prioritize operating controls and business metrics by the degree of risk they protect against. This increases costs due to duplication of effort. More importantly, it blocks a direct connection to the achievement of business goals.
GRC stands for “governance, risk management, and compliance.” Traditionally, the term “GRC” has been used as a wide-ranging classification of an organization’s efforts – across these three distinct disciplines – to ensure continued satisfaction of short- and long-term objectives.
The traditional approach involves classifying GRC components as their own sets of processes. Naturally, this means each component – risk, compliance, and each governance function, such as audit, IT security, and policy management – is treated as its own silo, with its own practitioners, subject-matter experts, and managers.
Enterprise risk management, or ERM, is a business discipline that shares the same end goal as GRC: the continued achievement of the organization’s objectives. ERM’s main distinction from GRC is the fact that it “encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.),” according to the Risk Management Society.
Enterprise risk management addresses every function, including governance and compliance, and boils it down to a common framework approach. This common framework includes the identification and assessment of a series of goals, requirements, and root-cause risks, which are the common denominator of every organizational silo. It then helps document mitigation strategies and lets the user monitor their effectiveness. By doing this, ERM programs encourage the development of an enterprise-wide risk culture.
When every department is able to use its own risk assessment tools, perform risk reporting, and design controls – while at the same time easily granting access to the appropriate individuals – identifying and eliminating duplicative work is simple. Some risks have cross-functional implications, which means that certain mitigation activities can have benefits for more than one department. With an ERM framework, for example, compliance managers can easily be made aware of a beneficial initiative, even if it originated in operations.
Enterprise Risk Management (ERM) vs. Governance Risk and Compliance (GRC)

| Enterprise Risk Management (ERM) | Governance, Risk and Compliance (GRC) |
| --- | --- |
| Focus on performance management | Myopic compliance structure |
| Engage managers across silos and levels | Lack of transparency to business process level |
| Links risks to activities and the goals they impact | Lack of alignment across business silos |
| Forward-looking view on risk | Historical view on risk |
| Pay as you go with results in less than 90 days | High start-up costs and long delivery time frames |