ERM vs. GRC
Companies today face a diverse array of operational risks. Multiple frameworks and supporting technologies exist to help them address these risks, including governance, risk and compliance (GRC) and enterprise risk management (ERM).
While both frameworks aim to help companies mitigate risk and pursue similar objectives, they differ in scope and approach. GRC can be thought of as a framework for coordinating an organization's governance, risk management, and compliance activities. ERM can be thought of as a subset of GRC, focused on the "risk management" component.
Organizations need to understand the differences between these frameworks before adopting either one or both.
What Is ERM?
Enterprise risk management (ERM) is a business discipline that serves to manage organizational risk. COSO, which stands for the Committee of Sponsoring Organizations of the Treadway Commission, formally defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Instead of focusing on specific threats or risks, like product safety or natural disasters, ERM helps companies craft a strategic layer that identifies and anticipates risk of all kinds, including strategic, financial, operational, reputational, and more. It provides a quantifiable process and framework, which often includes:
- Identifying circumstances that could prove to be a threat to or opportunity for the organization
- Assessing all risks and sorting them by likelihood and magnitude of impact
- Developing a strategy to mitigate and respond to these risks
- Monitoring the overall process
A Focus on Root-Cause Risks
ERM focuses on identifying and assessing the organization's goals, requirements, and, most importantly, root-cause risks. Root-cause risks are the underlying risks that cut across organizational silos, as opposed to the symptoms that show up in any single department. This encourages organizations to adopt an enterprise-wide risk culture, which contrasts with how some organizations approach GRC.
Avoid Wasting Resources on Duplicate Activities
As a result of their emphasis on reducing silos, ERM frameworks help operational leaders become more aware of useful initiatives being developed in other departments. This helps companies avoid duplicating efforts across multiple functions.
Prioritize Risks More Effectively
An ERM strategy also involves identifying risks that may impact multiple departments, which can help organizations prioritize mitigation activities that can benefit more than one function.
Rather than working through a checklist of compliance activities, ERM focuses on responding in real time to an organization's changing needs and risk landscape.
What Is GRC?
Formally, the Open Compliance & Ethics Group (OCEG) defines governance, risk and compliance as "the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity." GRC has long been a fundamental component of an organization's operational activities.
The Three Main Areas of GRC
As the name suggests, GRC describes activities to help keep companies on track with their objectives in three main areas: governance, risk management and compliance.
- Governance: This is the process of aligning all organizational activities (training, IT operations, etc.) with the organization's primary goals and objectives. Governance activities may include internal audits, assurance reports, compliance monitoring results, and more.
- Risk management: Risk management refers to a set of processes to identify, assess and mitigate threats to an organization. These threats include cybersecurity issues, commercial and financial risks, legal liabilities, natural disasters, and more. Risk management activities rely on internal audits and risk assessments to identify areas of uncertainty.
- Compliance: Compliance involves meeting a set of stated requirements. These requirements may be imposed by law, by regulators, by contracts, or by standards the organization has chosen to adopt. For example, organizations that process the personal data of people in the European Union must comply with GDPR, and covered healthcare entities in the United States must comply with HIPAA. Compliance activities include:
  - Identifying relevant requirements
  - Assessing the state of compliance across the organization
  - Determining the potential costs and risks of non-compliance
- Audit: While not named in the acronym, internal auditing is also an important element of GRC. Internal audits provide assurance and consulting to the board, management, and other stakeholders on whether the organization is meeting its goals and objectives. Effective audits lie at the heart of GRC and help boards evaluate risks, assess controls, verify accuracy, improve operations and promote ethical decision-making.
These activities exist across various functions, including IT, HR, finance, legal, risk, compliance, the lines of business, the board, and the executive suite.
A Siloed Approach
Typically, GRC activities have taken place in a very siloed way. Each component — risk management, compliance, and each governance function — is treated as its own silo, and each of these silos has its own managers, subject-matter experts, and practitioners.
Approached this way, GRC activities run the risk of turning into a compliance checklist that maintains the status quo rather than producing risk-based intelligence that informs business decisions.
The Advent of Integrated GRC
However, many companies have begun to shift away from this traditional approach to GRC towards an integrated GRC approach, also known as enterprise GRC (eGRC). Although it is not the same thing as ERM, integrated GRC helps keep all GRC activities more aligned with enterprise risk management activities. This helps organizations reduce silos and get rid of redundant and inefficient initiatives.
More Than Just Risk
ERM and integrated risk management (IRM) can be thought of as subsets of GRC, since they deal with the "risk management" component of GRC. Integrated GRC, however, doesn't look at risk alone. Instead, it combines multiple functions across governance, risk, and compliance to ensure better governance overall.
Governance, Risk, and Compliance (GRC) vs. Enterprise Risk Management (ERM): A Summary of Differences
ERM has been celebrated for encouraging enterprise-wide risk culture and its quantifiable frameworks for identifying key risk areas, but ERM’s true focus is on risk management only.
ERM places a heavy emphasis on addressing root cause risks and prioritizing risks effectively. It can be viewed as a proactive, responsive strategy that emphasizes risk-based intelligence.
Older GRC approaches may have been seen as siloed, more a philosophy than a framework. A modern approach to GRC addresses more than just risk management and brings all the departments together to ensure better governance.
ERM can be thought of as a subset of GRC, since risk management is a crucial component of GRC. An organization-wide GRC strategy could therefore incorporate several elements of ERM as well.
Ultimately, the framework you end up choosing will depend on your organization’s unique needs and business objectives. It can help to view ERM as a subset of GRC, while integrated GRC goes beyond just risk and combines multiple functions across governance, risk and compliance to build a more robust and well-rounded strategy. No matter what choice you make, however, technology can significantly aid you in achieving your goals.
GRC technology can help you take a data-driven approach to risk, reducing the likelihood and impact of human error and providing you with the tools you need to monitor, analyze and adjust your strategies. A robust GRC platform can help you visualize your data effectively and come up with actionable insights.
Diligent is the world’s largest GRC SaaS company and provides a range of solutions that can help boards and executives:
- Track their goals
- Benchmark governance practices
- Identify and evaluate risks and red flags
- Comply with essential standards and regulations
- Gather business intelligence from a variety of news sources