Do ERM and GRC Seem Identical? Here’s How to Tell Them Apart


Enterprise Risk Management (ERM) and Governance, Risk and Compliance (GRC) often seem identical. Confusion over what each term means can create gaps in risk oversight or in compliance. The term GRC usually refers to a system used by organisations to report on governance, risk management and regulatory compliance. GRC is intended to help organisations align their activities with business goals while managing enterprise risk, meeting compliance requirements, navigating uncertainty and maintaining integrity through a holistic reporting system.

Governance sets direction through strategy and policy, monitors performance and evaluates outcomes. Risk management identifies what may prevent the achievement of objectives. Compliance guides the organisation in taking the correct measures and implementing controls so that regulatory and legal requirements are consistently met and proper practices are followed. GRC and ERM are nevertheless two different concepts, even though the definition of holistic GRC management can look identical to that of ERM.

GRC involves the creation of sustainable structures and processes, supported by appropriate technology, to fulfil stakeholder requirements and enable the company to respond to new requirements flexibly and efficiently. The objective of ERM, on the other hand, is to ensure that suitable approaches and processes are in place to support organisational sustainability, agility and resilience, so that the organisation meets its objectives and improves the quality of its decision-making. The first major difference between the two is therefore GRC's emphasis on technology rather than on processes.

Technology plays a key role in GRC because integrated reporting is difficult without it. It contributes by making all GRC-relevant information available to management, assisting in the definition and implementation of the company's key objectives and strategies. Under GRC there is also a heavy reliance on, and emphasis on, compliance rather than risk: risk management under GRC means identifying and compensating for potential events that could prevent the fulfilment of the company's objectives. Effective risk management processes, however, go beyond this.

Effective risk management includes risk identification and documentation, risk analysis, the definition and execution of risk treatment measures, and ongoing monitoring of their effectiveness. Compliance, too, has to be defined and understood more broadly than mere regulatory conformance. It involves understanding and delivering on the expectations of all internal and external stakeholders, taking into account both legal obligations and voluntary standards. Stakeholder requirements must be identified and prioritised, and the effectiveness of the measures taken must be monitored.

Such monitoring allows weaknesses to be addressed and the appropriate compliance reporting to be done. Experts note that GRC presentations typically discuss rapid digital transformation, growing digital risk, the rising cost of global compliance, greater reliance on third and fourth parties, increasing reputational risk, disengaged employees, and disconnected tools, systems, processes and people. All of these are ERM issues. ERM is in fact a wider concept than GRC, and the risk management component of GRC is incomplete compared with risk management under ERM.

From the ERM perspective, risk must be approached holistically. From the GRC perspective, the aim is to leverage technology to drive governance and compliance, with risk as the link between the two, but with the emphasis placed on compliance. Risk becomes a means to an end, without a clear focus on risk management itself. ERM is not a part of GRC, because GRC tends to be driven primarily by regulations. Risk acts on all enterprise inputs, outputs, processes and assets and has a critical influence throughout the enterprise, but this is not reflected in the GRC approach. GRC is thus a part of ERM, neither separate from it nor a replacement for it. ERM goes well beyond GRC.
