
Manage Tomorrow's Surprises Today

Steven Minsky

ERM vs GRC? SEC Says No to Myopic Approach: Costly Example from Goldman Sachs

What is the difference between ERM and GRC? Look no further than Friday's news headline, "Fraud charge deals big blow to Goldman's image." In a statement, Goldman called the commission's accusations "completely unfounded".

A GRC approach does little to protect the organization's brand reputation, prevent litigation or guard against intellectual property infringement. Witness Goldman Sachs. Goldman has adamantly denied the SEC's allegation by claiming technical "compliance", but in the investor and customer community, its failure to address reputation risk has resulted in a share price drop of 13 percent and more than a $10 billion drop in the company's market value.

In my post SEC Proposes Accountability for ERM, I detailed the new regulation anticipated from the SEC requiring in-depth risk disclosures, derived from examining the activity level where performance incentives may affect the company's risk profile. That regulation went into effect on February 28, 2010. Many firms still take a "wait and see" attitude. Many unfortunately believe that by continuing business as usual and filing the required compliance documentation, their firms are protected. The investments they made in GRC systems that merely automate the compiling of this documentation have done little to address the root cause of risk or protect their company's interests.

Increasingly, boards are asking: What measures do we have in place to collect information on our reputation risk? What is the business measurement for compliance activity that connects to EBITA?

How would ERM have made a difference? In addition to the compliance aspects of the transaction, ERM would have taken the impact of reputational risk as well as the cost of litigation and weighed these against the expected profit of the transaction. ERM would also have identified the conflict of interest of the vendor partner and suggested a disclosure to cover the risk, as is now required under the SEC regulation. In summary, ERM would have brought a holistic picture of all sides of this transaction in terms of risk, performance and compliance, which would have made clear that the return on investment in risk-adjusted terms would have been negative and the activity would not have been pursued. To baseline your organization's risk management capabilities, do a free assessment from the Risk and Insurance Management Society.

Organizations that pursue an ERM approach rather than a GRC approach to compliance look at corporate strategic imperatives and at how compliance efforts contribute to "readiness", so as to maximize their contribution. The General Counsel and their teams that lead compliance efforts with an ERM value protection approach instead of a GRC "form over substance" approach take a broader view of compliance and risks and better protect their organizations. Goldman Sachs is just one of many examples.



Both GRC and ERM lack a complete solution. The main barrier to effective risk management is a lack of uniform understanding of what is at risk. The second barrier is assurance hubris in the belief that what they measure and communicate is the whole solution to effective ERM. I wager that hubris has led to a language of risk management which is not easily understood by managers. Neither GRC nor ERM is an effective tool at this point for preventing future issues. The solution will come from management with some insight into the assurance world...

I believe the solution is based on separating operational capabilities at reaching objectives and measuring them for vulnerabilities, then evaluating all risks as threats to these vulnerable or strong processes...


You are struggling with understanding GRC. Everything you describe about ERM represents the R in GRC. ERM is the R in GRC if GRC processes (and supporting technologies) are done right. That is the simple truth of it. In fact, ERM that is disconnected from Governance is a failure. Boards and executives need to govern risk. ERM done separate from compliance fails. Risk appetite and tolerance, as well as the culture of risk taking, are established in policies. I recently interacted with one large bank that had 200 credit risk policies that they are looking to consolidate and track compliance to.

Notice I have not brought up GRC technology. GRC is about collaboration and cooperation between governance, risk, and compliance activities. Technology can support and enable this. However, there are bad technologies out there. And some are stronger in one area than another.

Your post leads me to believe that governance of risk and monitoring compliance to risk policies and culture are irrelevant. I am sorry to hear this from you.


I agree that a myopic approach to safeguarding the organisation (in any form) has its flaws and that what is required is a holistic view.

A potential weakness of an ERM program is an over-reliance on a risk-based approach at the expense of due diligence. A successful ERM program must find the correct balance between a risk-based approach and due diligence, given that the nature of risk is dealing with uncertainty, which is of course unknown. I agree with Michael that GRC, if correctly applied, equally focuses on the governance and compliance aspects in addition to risk; however, I also agree with Dan that management and assurance also have important contributions to make here.

A holistic view requires that the management of all the critical components of an organisation's corporate defence program be addressed in a coordinated and integrated manner. This means focusing on the management of these critical components, which include governance, risk, compliance, intelligence, security, resilience, controls and assurance. The interdependence of these components needs to be recognised, and it needs to be appreciated that each of these components both impacts on, and is impacted by, each of the other components. For more information see papers at http://ssrn.com/author=904765

These multidimensional components therefore need to be managed in a coordinated and coherent manner in order to help ensure that they are strategically aligned, tactically integrated and operating in unison towards common objectives. Until this is achieved an organisation does not have a truly holistic view.


Sean Lyons

I bet Goldman Sachs has a state-of-the-art GRC system and it did not keep them out of trouble. GRC in theory is intended to cover companies from global risk, similar to ERM. However, unfortunately in practice people tend to focus (or are equipped well to focus) only on addressing individual compliance risks.

It is good news that GRC advocates understand the importance of holistic risk management. The bad news is that GRC solutions trace their history from one single silo, whether that be technology compliance, internal audit, SOX compliance or regulatory compliance specific areas. Although they have intentions to broaden from that starting point, the reality is they have not made much progress from the silo from which they were born. It is just too difficult to overcome the architecture challenge of a common platform without a full restructuring from the ground up. Think about renovating an antique home to fit today's standards of living vs. building a new energy-efficient residence from scratch. GRC is a "gut rehab".

To make effective decisions, organizations need balanced information from the front line and across silos. ERM, and those better ERM tools that were built with a holistic approach from the start, already provide solutions to achieve that holistic view, setting common standards and common evaluation criteria so that all risk, compliance, governance and business performance aspects of a company can be compared on an apples-to-apples basis. As for GRC, it may be a distant future target, but realities show that they are just not there yet, making companies using those tools vulnerable to exposures which could and should have been covered.


You keep wanting to make this a tools issue. Process, commitment, and accountability come before tools. GRC is about process and collaboration - tools can enable this. You have not addressed my point that what you describe as ERM encompasses everything that the R in GRC is about. ERM needs governance and compliance to be completely effective. There are risk tolerances and policies that need to be communicated and complied with. There are governance objectives and culture that impact risk taking. There is board governance oversight for risk. That is what GRC is about.

Your points work against you. You might fault GRC technologies for not adequately addressing an enterprise view of risk. The fact is that this is the failure of ERM, which is the R in GRC. I have seen many ERM programs that are labeled ERM that are nothing more than SOX on steroids, just a slightly expanded view of financial controls and not really enterprise risk. The faults you lay at GRC are those owned by ERM as well. ERM implementations that I have seen have largely failed in risk governance and compliance to risk tolerance and appetite.

You are trying to force a view because LogicManager has hung its hat on ERM and not GRC, because your primary competitors use that label. ERM is the R in GRC. There are successful solutions for both ERM and GRC as well as successful processes. The reality of success is understanding the interrelationship of governance, risk, and compliance, as they are three legs of a stool.

As for your comment about Goldman having a GRC system - your comment is unfounded, as you state you 'bet.' The fact is I am not aware of Goldman having a GRC process and system; I am aware of several risk management systems at Goldman.

It looks like we have a soulful debate among an Audit Services provider, a GRC Strategy Advisory firm, a Management Consulting firm and an ERM solutions provider. Most of these debate points are definitional in nature.

The point about Goldman Sachs is that they chose to focus on compliance while disregarding their reputational and other risks. I look forward to hearing from a practitioner at Goldman Sachs on the challenges within their organization of addressing their complex risk, compliance and business performance issues.


My experience with Goldman is that they have extremely strong risk management, risk culture, and risk governance. They have been noted on this - articles have been written (Economist magazine had one a while back), references in presentations, as well as interactions. I know of nearly a half dozen ERM and GRC related vendors that were used at Goldman across different areas of their business. While they have a compliance department - I have not seen as much written or brought forth to the public on this function. If anything, Goldman was extremely focused on risk and not enough on compliance and governance.


I agree with Michael and am not sure why there is the suggestion that GRC = compliance only.
Traditionally, it is true that many GRC products were driven by SOX and therefore compliance, but in the last few years the R has become far more prominent and companies are now looking for complete GRC solutions including Policy Management, Risk Management, Compliance Management, Audit Management, etc.


So much debate. So little definition. My guess is that it is likely to continue until a regulator commands an outcome. And then, ironically, we will all be working to comply.

Isn't the point here about GRC practices (and ERM within it) being often too static and isolated from the other activities of companies today?
Even recently, I met Risk Managers in pretty big organisations working hard to "look good" and show the board that there's an ERM system in place, that risks are documented extensively, and reassuring the big shots with a bunch of flashy dashboards built on... Excel sheets.
My view is that GRC at all levels (tools, I'd agree, are only a part of that) still needs to progress and become much more "embedded" into the fabric of enterprises and their operations, becoming much more of a dynamic process that is not only documenting and analyzing risk and compliance, but is also able to monitor what's really happening, or could potentially happen.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven Minsky is the CEO and Founder of LogicManager, the recognized leader of enterprise risk management solutions, and is also the developer of the RIMS Risk Maturity Model for Enterprise Risk Management™. LogicManager provides a common, intuitive software-as-a-service platform of scientifically validated enterprise risk management decision and diagnostic tools for more effective corporate governance, risk and compliance.
