Which one should you adopt: ERM or GRC?

Which one should you adopt: ERM or GRC?

Enterprise risk management (ERM) and governance, risk, and compliance (GRC) are hot topics among firms—but what are they and who knows the difference?

There has long been controversy over the purpose and definition of ERM and GRC, though both are associated with risk management and both serve to minimize or mitigate a firm's risk in an optimized way. Even though the objectives and goals of these two frameworks center around the same idea, the approach of ERM and GRC are entirely different. It is very important for any firm to understand the underlying principle between ERM and GRC before adopting either, or both frameworks.

"The objective of ERM is to minimize the unexpected volatility," says James Lam, President James Lam & Associates and Senior Advisor to Workiva. Through adoption of an ERM framework and process, firms are freed up to look at the risks worth taking. "GRC is really a philosophy and a framework for communicating around governance and compliance issues. ERM, on the other hand, is the measurement and qualification of risk, and the establishment of individual risk ownership," says Michael Rasmussen, Vice President of Enterprise Risk and Compliance at Forrester Research, in Is ERM GRC? Or Vice Versa? from the June issue of Treasury and Risk.

One difference between GRC and ERM lies in the approach to risk—a conceptual idea versus a quantifiable process and outcome. Reporting requirements around GRC require an enormous amount of data. Reporting on the state of the business and risk exposure, requires a large amount of data that is synthesized and understood in context, and is an aggregate of all other business interests. GRC systems are often used to facilitate this data aggregation and analysis, so it can be consumed by appropriate individuals. With a clear dictate from the top down, the information gathered through meeting GRC statutes can add value well beyond simple compliance.

On the other hand, having a clear and repeatable process to gather and analyze information that can be used to limit unexpected volatility is invaluable. The answer to selecting the correct balance can only be determined by each firm. Pairing GRC and ERM is ultimately more powerful for a firm. The upside to either approach and how a firm chooses to balance these warrants close consideration.

Ernest Anunciacion

About the author

Ernest Anunciacion, Senior Product Marketing Manager, brings over 15 years of experience in internal audit, risk management, and business advisory consulting to Workiva. Ernest is a Certified Internal Auditor and Six Sigma Black Belt. He holds an undergraduate degree and an executive M.B.A. from the Carlson School of Business at the University of Minnesota.