From the June 2007 issue of Treasury & Risk magazine

Is ERM GRC? Or Vice Versa?

Christina Kite has spent the last three years crafting an enterprise risk management (ERM) program at Cisco Systems Inc.--one that her peers will quickly tell you they envy. Kite's ERM strategy--and Cisco's-- is not so much about eliminating or reducing risk. Instead, it is predicated on the goal of quantifying risks, so that Cisco can take on more and better risks. "Risk for us is just as much about growth and optimization as it is about protection," observes the vice president of workplace resources and enterprise risk management at the San Jose, Calif.-based Cisco. "It's about knowing your risks and your risk tolerance."

With this philosophy, it's not surprising that Kite objects to recent efforts to substitute best-practices GRC--governance, risk and compliance--for ERM, or even to treat them as interchangeable. "We see GRC really as a tool, a technology module, and not ERM per se," says Kite. "We're very conservative in governance and compliance, but risk-takers in the business model area. ERM is not about being compliance-driven or regulatory-driven. [ERM and GRC] are two different things."

That said, there is a move afoot--driven substantially by technology vendors, consultants and the newer governance converts--to integrate GRC and ERM in a not-quite merger of equals. GRC would be the umbrella philosophy, with ERM one methodology within it. The holistic approach to the two functions makes sense. "For starters, managing compliance initiatives separate from risk initiatives results in increased staffing requirements, complexity and costs," says Brian Cleary, vice president of marketing at OpenPages. "Managing risk holistically can reduce this duplication of efforts"--and ultimately costs.

While this seems benign enough, the mindset could have unintended consequences as the two roll out over the next few years, including the possibility of risk management being hijacked by compliance. Which executive will call the shots is also at stake, since the competition between the two methodologies pits risk overseers in traditional risk management against risk overseers in internal audit and compliance. In the meantime, experts search for what the two have in common besides the 'R' in the middle of their acronyms.

The overriding goal with either GRC or ERM is to assure that all risks dogging a company are identified, analyzed and quantified to determine where best to invest a company's resources. "GRC is really a philosophy, and a framework for communicating around governance and compliance issues," says Michael Rasmussen, vice president of enterprise risk and compliance at Forrester Research. "ERM, on the other hand, is the measurement and qualification of risk, and the establishment of individual risk ownership. In effect, GRC encompasses ERM."

Like ERM, GRC calls for a common infrastructure with collaborative processes to manage risks. While GRC owes its very existence to the 2002 Sarbanes-Oxley Act, ERM--already more than five years old when SOX arrived--can still thank the new law and the Enron Corp. scandal for a burst of popularity that drove ERM implementations into high gear. Many consultants and software vendors attempt to straddle both worlds. But for companies, it frequently boils down to allocation of resources--and currently GRC would tend to win that battle, given the high priority most companies place on remaining in compliance with regulations. "For industries or companies with a narrow definition of risk management, if GRC resonates with the board and senior executives, that's fine," says ERM consultant James Lam, who actually doesn't see the need for the term GRC. "Call it whatever you want--the approach is more critical than the label. At the end of the day, both are all about risk management."

There are, however, some critical differences. Whereas ERM is more a methodology for managing the entire spectrum of risk, GRC is more a technology platform for illuminating governance and compliance risk. "It's useful to think about GRC in terms of an IT platform," Lam says. "The technology helps you centralize and organize your policies, procedures, documentation requirements, risk assessment analyses and other content [for] dashboard reporting."

And the fact that there are many more tools related to GRC than to ERM is not irrelevant to GRC's increasing momentum. "A lot of research and work is going on right now to help companies put together business cases to prove the value of integrated GRC (IGRC)," says Brett Curran, vice president of GRC and privacy practices at Axentis Inc. But because IGRC brings together so many silos, systems, resources and other elements, companies are starting with single issues like SOX or privacy to create quick, tangible results.

While the technology is impressive, users say there is a risk of GRC co-opting ERM and relegating every risk other than compliance risk to the back burner. "My biggest concern is that ERM will devolve to focus exclusively on regulatory compliance and governance," says James Clendenen, leader of the governance and risk management practice at Parsons Consulting. "GRC is not a substitute for ERM. While GRC modules from Oracle and SAP purport to be more than just a SOX tool for handling financial controls, the reality is that they are 95% geared toward SOX. You're given a list of significant financial accounts with risk factors like materiality and volatility and how business processes match up with these accounts. It's really specific to what your current business processes are and how they match up to financial statement elements. The big picture--what ERM addresses--is missing."

Can GRC live with ERM without one displacing the other? Some experts believe redundancies or omissions might result. "Many risks one addresses through ERM don't necessarily fit into a compliance model," explains Beaumont Vance, senior enterprise risk manager at Sun Microsystems Inc. "If the ERM function is not integrated with governance and compliance, then GRC makes sense. Conversely, if ERM is integrated with governance and compliance, then GRC is gilding the lily."

Brian Merkley, risk financing manager at Huntsman Corp., a diversified chemical manufacturer based in Salt Lake City, agrees. "ERM for us already includes governance and compliance, and is all-encompassing," he says. "We're breaking down silos and looking at risks across the organization. And we're doing this in communication with treasury, internal audit, legal and our compliance team, all members of our Treasury Council."

But there are those like Mike Epstein, senior vice president of insurance broker Willis North America, who think a parallel approach has merit. "The issue is where do you put your SOX resources and response--in risk management or something separate and apart?" Epstein asks. "Governance is how the organization is run from the top; compliance is ensuring what you do is legal and appropriate; and risk is a third thing. While you can bring them all together in ERM, they're really different animals."

Rather than think of GRC as encompassing ERM or vice versa, organizations should look for intersections. "If you think of your SOX and internal audit teams as GRC, then they're the ones that catch the fish and we're the ones that clean them," says Lance Ewing, vice president of risk management at Harrah's Entertainment Inc. "We're given risks to evaluate and measure, and we have to come up with solutions. It's not internal audit's job to come up with solutions--they're the gatekeepers. We don't want a turf war. We'll advocate for them when they carry the water to senior management."
