GRC vs ERM vs IRM vs Connected Risk vs ORM vs SRM vs TPRM

Key Takeaways
  • GRC Defined: Governance, Risk, and Compliance (GRC) is an integrated approach to managing operations, aligning them with strategic goals, addressing risks, and ensuring regulatory compliance.
  • GRC’s Broad Scope: GRC includes internal audit, compliance, risk, legal, finance, IT, HR, and the board. It’s not about creating a centralized GRC department but ensuring coordination across functions.
  • GRC vs Risk Management: GRC focuses on achieving objectives by managing risks and ensuring compliance. It’s not a substitute for risk management but incorporates it within the broader context of organizational goals.
  • ERM, IRM, and CRM: Enterprise Risk Management (ERM), Integrated Risk Management (IRM), and Connected Risk Management (CRM) all focus on managing risks but differ in their scope and emphasis on interconnectedness. ERM and IRM seem largely interchangeable, while CRM highlights how risks are interrelated and affect the broader organization.
  • Avoiding Silos in Risk Management: While different aspects of risk management like SRM, ORM, and TPRM are important, they should not be managed in isolation. A holistic approach ensures more effective and informed decision-making across the organization.
Deep Dive

In Norman Marks' latest article, he explores the complexities of risk management and governance frameworks, shedding light on the often-confusing acronyms that are commonly used in the industry. From Governance, Risk, and Compliance (GRC) to Enterprise Risk Management (ERM), Integrated Risk Management (IRM), and beyond, Marks provides clarity on how these terms interconnect and why understanding their nuances is crucial for effective risk management in today’s business environment.

Demystifying Risk Management Frameworks: Understanding the Key Acronyms and Their Roles

Do all these acronyms make you want to run and hide? Do they help anyone understand and implement effective processes for managing risk? Does it make sense for a risk officer to call themselves a GRC person? How about an audit, compliance, InfoSec/cyber, or risk practitioner? Are they all GRC practitioners?

What exactly is a “GRC function”? Let me see if I can make sense of the technobabble. I will start with GRC and then move on to ERM, IRM, and CRM, before touching on ORM, SRM, TPRM, and the rest.

What is GRC?

This is how Google’s AI answered the question “What is GRC?”: “GRC stands for Governance, Risk, and Compliance. It represents an integrated approach to managing an organization’s operations, ensuring they align with strategic goals, address risks, and comply with regulatory requirements. OCEG, a non-profit think tank, is known for pioneering GRC as a unified framework.”

While debates on who invented the term continue, it was probably either Scott Mitchell of OCEG or Michael Rasmussen (an OCEG Fellow). Lee Dittmar, formerly of Deloitte and another OCEG Fellow, has also claimed credit/blame.

Michael uses the OCEG definition of GRC, which is the one I like. As another OCEG Fellow, though independent of the organization, I find it the most fitting: “A capability to reliably achieve objectives (Governance), address uncertainty (Risk Management), and act with integrity (Compliance).”

I like to use this OCEG image. It illustrates the focus on optimizing performance and achieving objectives, while navigating risks or obstacles.

The OCEG Definition of GRC

OCEG explains that GRC goes beyond the critical roles of governance, risk, and compliance. GRC encompasses other key areas such as internal audit, compliance, risk, legal, finance, IT, HR, as well as the lines of business, the executive suite, and the board itself.

Integrating GRC capabilities does not mean creating a mega-department of GRC and eliminating programmatic approaches to risk and compliance management. Nor does GRC require using only one technology system or platform—though there are some GRC platforms built to address the broad range of capabilities.

Rather, it’s about ensuring the right objectives are set, and that the right actions and controls are implemented to address uncertainty and act with integrity. It’s about creating a process that ensures the right people receive the right information at the right times.

Historically fragmented and siloed departments need to get on the same page and understand how they interrelate. These departments must coordinate their efforts to minimize the impact of audits and information requests on business operations and key value drivers.

In the best-case scenario, the orchestration of GRC becomes part of the business itself—“baked into” the business—so that operators “do GRC” as part of “doing business.”

I discussed this concept of orchestration in a 2011 blog post.

GRC vs Risk Management

I like the OCEG definition because it focuses on achieving objectives. It is not a substitute for effective risk management; rather, it incorporates risk management within the context of achieving objectives.

So, any arguments about abandoning GRC for IRM, Connected Risk (CR), or other risk frameworks make no sense at all.

Does this mean I’m endorsing OCEG’s frameworks and guidance? Not exactly, but I do recommend them as valuable resources to consider.

Before moving on, let me answer a question: “Does it make sense for a risk officer to call themselves a GRC person? How about an audit or risk practitioner?”

The answer is no. Almost everyone is involved in GRC, at least in some aspect. This includes members of the board, the General Counsel and their team, the CEO and management, risk and compliance officers, finance, information security and physical security functions, internal audit, and more.

Rather than labeling audit, risk, InfoSec, or compliance practitioners as “GRC” practitioners, let’s call them what they are: audit, risk, InfoSec, or compliance practitioners.

Clarifying GRC

A lot of people talk about GRC without truly understanding what it entails. Many confuse it with risk management. Others mistakenly think it’s about compliance, possibly because OCEG initially focused on compliance. Still others present it as an IT activity.

GRC is about setting and then achieving the right enterprise objectives (a governance activity) by taking the right risks (“addressing uncertainty”) through informed decisions and complying with laws, regulations, and the organization’s values (“acting with integrity”).

What it brings to the table is the message that every part of the organization must work together to achieve common goals. This is why the concept of orchestration is so important.

The Limits of “GRC Solutions”

By the way, few (if any) so-called “GRC solutions” incorporate all aspects of GRC. Most cover risk management, but do they include objective-setting, board packages, legal case management, and policy management? Few cover all compliance requirements, let alone aggregate disparate sources of risk and opportunity to see the bigger picture.

These solutions typically offer part of GRC, not all of it.

Enterprise Risk Management (ERM), Integrated Risk Management (IRM), and Connected Risk Management (CRM)

Let’s now compare some other frameworks, using definitions from Google’s AI:

  • Enterprise Risk Management (ERM):
    A strategic, organization-wide approach to identifying, assessing, and managing risks that could impact an organization’s ability to achieve its objectives. It integrates risk considerations into all aspects of decision-making, from strategic planning to daily operations, to enhance resilience and long-term success.
  • Integrated Risk Management (IRM):
    A holistic, organization-wide approach to managing risk. It involves identifying, assessing, and responding to risks across all business functions and levels. Unlike traditional, siloed risk management, IRM aims to integrate risk management into the overall business strategy and culture.
  • Connected Risk Management (CRM):
    Refers to the interconnectedness of various risks within an organization, including those that are systemic, cumulative, and cascading, impacting financial, operational, and reputational aspects. It’s a holistic approach to managing risks by considering how different risks within a business can impact each other and the broader organization.
ERM, IRM, and CRM: Where’s the Difference?

I don’t see any real difference between ERM and IRM. Perhaps the creators of IRM wanted to present something new.

Connected Risk Management introduces the idea that “Risks are not isolated but are linked and influence each other, creating a ripple effect.”

While that’s an interesting notion, it doesn’t seem sufficient to distinguish it from ERM. After all, risks are not only linked; their treatments also compete with each other. Investing resources to address one source of risk often competes with investing in another.

Focusing on Effective Risk Management

Rather than focusing too much on ERM, IRM, or Connected Risk, let’s focus on effectively managing risk so that:

  • There is an acceptable likelihood of achieving enterprise objectives.
  • Decisions are informed and intelligent.
  • The right levels of the right risks are taken for success.
SRM, ORM, TPRM, and Other Risk Disciplines

What about Strategic Risk Management (SRM), Operational Risk Management (ORM), Third-Party Risk Management (TPRM), Credit Risk Management, Cyber Risk Management, Project Risk Management, and so on?

These are all aspects of effective risk management. While they may benefit from focused attention, with their own frameworks and software solutions, we must be careful not to manage risk in silos.

My friend Alexei Sidorenko, like me, emphasizes the need to enable informed and intelligent decisions. However, I wouldn’t go as far as he does in suggesting that we need “decision-based risk management.”

Every so often, we need to step back and assess the sources of risk that could affect multiple objectives or deserve special attention from top management and the board.

Let’s do both: focus on informing decisions with tailored information for decision-makers, and regularly step back to look at individual risks that merit attention.

I also worry that individual decisions, while optimal for specific situations, might lead to outcomes that are sub-optimal for the enterprise as a whole. I’ve seen this many times over my career.

One example was at Solectron Corp., where a subsidiary decided to sell most of its production to another company rather than to another Solectron subsidiary. While this optimized the results of the enclosures company, it caused major issues for the other subsidiary, which struggled to source enclosures at a reasonable price, impacting Solectron as a whole.

Another example involved information security at Solectron, which was managed locally by over a hundred operating units. The corporate information security function was under-staffed and lacked the information needed to assess risk across the enterprise. While each unit focused on its own piece of the puzzle, no one was looking at the bigger picture, which created a serious problem.

This brings us back to Enterprise Risk Management. I see no reason to replace ERM as a concept. But I do see a need to ensure that we have effective risk management (as defined above). What do you think?
