Christina Kite has spent the last three years crafting an enterprise risk management (ERM) program at Cisco Systems Inc.–one that her peers will quickly tell you they envy. Kite's ERM strategy–and Cisco's– is not so much about eliminating or reducing risk. Instead, it is predicated on the goal of quantifying risks, so that Cisco can take on more and better risks. "Risk for us is just as much about growth and optimization as it is about protection," observes the vice president of workplace resources and enterprise risk management at the San Jose, Calif.-based Cisco. "It's about knowing your risks and your risk tolerance."

With this philosophy, it's not surprising that Kite objects to recent efforts to substitute best-practices GRC–governance, risk and compliance–for ERM, or even to treat them as interchangeable. "We see GRC really as a tool, a technology module, and not ERM per se," says Kite. "We're very conservative in governance and compliance, but risk-takers in the business model area. ERM is not about being compliance-driven or regulatory-driven. [ERM and GRC] are two different things."

That said, there is a move afoot–driven substantially by technology vendors, consultants and the newer governance converts–to integrate GRC and ERM in a not quite merger of equals. GRC would be the umbrella philosophy, with ERM one methodology within it. The holistic approach to the functions makes sense. "For starters, managing compliance initiatives separate from risk initiatives results in increased staffing requirements, complexity and costs," says Brian Cleary, vice president of marketing at OpenPages. "Managing risk holistically can reduce this duplication of efforts"–and ultimaitely costs.While this seems benign enough, the mindset could result in certain inadvertent consequences as the two roll out over the next years, including the possibility of risk management getting hijacked by compliance. The question of which executive will call the shots is also at stake since the competition between the two methodologies pits risk overseers in traditional risk management against risk overseers in internal audit and compliance. In the meantime, however, experts search for what aspects the two have in common besides an 'R' in the middle of their acronym.

Continue Reading for Free

Register and gain access to:

  • Thought leadership on regulatory changes, economic trends, corporate success stories, and tactical solutions for treasurers, CFOs, risk managers, controllers, and other finance professionals
  • Informative weekly newsletter featuring news, analysis, real-world cas studies, and other critical content
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the employee benefits and financial advisory markets on our other ALM sites, PropertyCasualty360 and ThinkAdvisor

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.