
Manage Tomorrow's Surprises Today

Steven Minsky

How GRC Fails to Capture Enterprise Risk


Governance functions are designed to manage the risks that organizations face in operational and back-office silos: financial misstatement, fraud, vendor management, disaster recovery, and other such activities each address a subset of an organization's risk profile. The concept of Enterprise Risk Management is not to create yet another function that exists in parallel to these areas, but rather to create a standardized methodology and language for objectively prioritizing risks across functions and levels.


In other words, Enterprise Risk Management is a framework.


GRC often positions risk side-by-side with, and squeezed in between, Governance and Compliance. Ideally, risk should be the overarching theme across all business areas, with non-compliance being just one of the many risks that organizations face.


When ERM is misunderstood and instead treated as a silo, that is, as an additional governance area that focuses on high-level assessments and interviews with senior management, the result is that ERM inevitably fails to live up to the expectations of Senior Management. High-level risk assessments, while a valuable tool, cannot be all that risk management provides, because on their own they do not deliver the bottom-line results management is looking for.


Instead, ERM's goal should be to leverage all of the risk information that is already known (though probably not made explicit) in other governance areas. This is accomplished by creating a common language and structure so that business areas can transfer knowledge to each other where it is beneficial. Doing so gives senior management transparency and a true risk profile, allows businesses to uncover risk and mitigation information in process areas that are less formalized, and reveals overlapping controls where governance areas should be working together.


This approach to enterprise risk management is what produces the efficiency, engagement, and risk culture that are evident in successful organizations. The ERM process helps process owners do their own jobs better, while they add their own insight and expertise to the larger risk picture.

It sounds like a big challenge, but we have experience implementing ERM frameworks, and we're happy to share our insights. Check out our educational video on Integrating Governance with ERM to learn more.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven Minsky is the author of the RIMS Risk Maturity Model for Enterprise Risk Management and CEO of LogicManager, the recognized leader of enterprise risk management solutions. LogicManager provides an integrated, intuitive software-as-a-service platform that helps companies make better decisions through risk intelligence for more effective corporate governance, risk and compliance management.
