This Is Missing From Most GRC & ERM Programs
Key Takeaways
- Bottom-Up Limits Insight: Many GRC and ERM programs start by identifying risks and mapping them to objectives, which can miss risks that significantly affect enterprise success.
- Top-Down Orientation Matters: Beginning with each enterprise objective and then identifying sources of risk and opportunity provides the necessary context for effective risk assessment.
- Context is Essential: Organizations must understand what they are trying to achieve, the value they aim to deliver, and the strategies and goals they are pursuing to make sense of risk and opportunity.
- The “G” is Often Missing: Many GRC software solutions are not truly governance-based because they do not start with enterprise objectives, making the governance component effectively silent.
- True GRC Requires Orchestration: Real governance includes coordinating board oversight, strategy management, legal case management, and performance reporting, not just internal audit.
Deep Dive
In his latest piece, Norman Marks breaks down a critical gap he continues to see across GRC and ERM programs: the absence of a true top-down, objective-focused approach. While many organizations and software platforms emphasize identifying risks first and then mapping them to objectives, Marks argues that this bottom-up structure misses what matters most. To understand risk and opportunity in a meaningful way, he explains, organizations must start with their enterprise objectives, strategies, and goals, and then determine what could hinder or enable their achievement.
Why a Top-Down, Objective-Driven Approach Still Matters in GRC
Recently, I met with a software company that markets a “GRC” solution that analysts have rated highly. They were keen to show me what they had done. Unfortunately, I had direct words to share. They were missing an essential element of “GRC”. The ERM approach they promote will probably miss risks of significance.
How did this happen, and why do I say it’s missing from most so-called GRC and ERM programs? What they were doing was identifying risks and then mapping them to objectives. This sounds good, but the problem is that this bottom-up approach may miss risks that are significant to the achievement of those objectives. It is better, IMHO, to take a top-down approach, or at least to combine the bottom-up with a top-down approach.
That means taking each of your enterprise objectives and identifying the sources of risk and opportunity that need to be addressed if you are to achieve them. Only then can you assess whether the likelihood of achieving your objectives is acceptable.
I don’t often quote from COSO ERM 2017, but this is one area where they provide some decent guidance:
- A discussion of enterprise risk management begins with this underlying premise: every entity—whether for-profit, not-for-profit, or governmental—exists to provide value for its stakeholders.
- Risk affects an organization’s ability to achieve its strategy and business objectives.
- An organization needs to identify challenges that lie ahead and adapt to meet those challenges. It must engage in decision-making with an awareness of both the opportunities for creating value and the risks that challenge the organization in creating value.
- Enterprise risk management is integral to achieving strategy and business objectives. Well-designed enterprise risk management practices provide management and the board of directors with a reasonable expectation that they can achieve the overall strategy and business objectives of the entity.
I will leave my quotes there as I’m not a fan of the framework. As I have written in earlier blog posts, while the ISO 31000 risk management standard has issues, I much prefer it to the COSO ERM framework. But the point remains.
We need to understand and address risk and opportunity within context, and an essential part of that context is what are we trying to achieve? Where are we trying to go? What value are we trying to deliver? These are generally expressed in the objectives, strategies, and goals of the organization.
So we need to know what the risks and opportunities are for each of those objectives, strategies, goals, and (adding to the list) plans. Thinking about what we are trying to achieve and what lies in its way or will enable success is more likely to identify everything that matters than simply thinking about “what are the risks?”
Yet most GRC software solutions don’t start with enterprise objectives. They are purely bottom-up. We need to know what the likelihood is of achieving each of our objectives so we can take action if that likelihood is unacceptable. You can’t do that if you don’t know what all the sources of risk and opportunity to your objectives are.
So these solutions are not really GRC at all. They are missing the “G” because they are not objective- and strategy-based. The “G” is silent.
The vendor said they have governance because they include something for internal audit. That’s hardly enough! True GRC includes the orchestration of all parts of the organization, including much of the governance area such as board meeting agenda and materials (board package) management, strategy management, legal case management, and performance management and reporting.
So I have two questions for you: Are you able to assess the likelihood of achieving each of your enterprise objectives and strategies, or are you taking only a bottom-up approach? Do you call your program “GRC” and your people “GRC analysts,” etc.? If so, why?
The problem with the first of these is that, if you have not identified the sources of risk and opportunity for each objective, you may well have a problem achieving enterprise success.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.