How ERM adds Context to Governance, Risk, and Compliance (GRC)

The Baker/baker complex, as illustrated in Joshua Foer’s Moonwalking with Einstein, states that if you ask one person to remember a baker and another to remember a man named Baker; the person asked to remember the proper noun will struggle far more than the person asked to recall the bread maker.

Same word, two very different outcomes because one provides your memory with context, while the other floats independently, devoid of the connections and methodology that improve our recall.

At LogicManager, we’re often asked how Enterprise Risk Management can be used in accordance with governance, risk & compliance tools. Why isn’t ERM just a component of the GRC analysis, rather than the solution itself? The answer is that governance programs can benefit from the context that an Enterprise Risk Management methodology provides.

The GRC Software Challenge…

The challenge that most GRC professionals face is in how to communicate cross functional information between silos. When departments like vendor management, business continuity, or IT governance are operating independently; they are devoid of context and standardization, which impairs decision making. Is it more important to secure additional suppliers, or to sure up IT infrastructure? How does a failed business continuity test effect the priorities of the other two functions? These types of questions go unanswered because the business doesn’t have a means of comparing or contextualizing silo specific information.

Enterprise Risk Management is a methodology that provides that context.

… and ERM’s Solution

ERM works because risk is the underlying link between GRC functions. If we recognize that each silo’s function – regardless of whether its labeled risk, compliance, or governance – is actually working to mitigate a subset of the organization’s enterprise risk, we suddenly begin to see commonalities and realize efficiency that results in bottom line value.

The job of an ERM or GRC software is to provide the tools to execute these types of activities at the tactical level, while ensuring the methodology is in place to aggregate this information and compare it across silos.