How GRC Fails to Capture Enterprise Risk

Governance functions are designed to manage the risks that organizations face in operational and back-office silos: financial misstatements, fraud, vendor management, disaster recovery, and similar activities each address a subset of an organization's risk profile. The concept of Enterprise Risk Management is not to create yet another function that exists in parallel to these areas, but rather to create a standardized methodology and language for objectively prioritizing across functions and levels.

In other words, Enterprise Risk Management is a framework.


GRC often positions risk side-by-side with, and squeezed in between, Governance and Compliance. Ideally, risk should be the overarching theme across all business areas, with non-compliance being just one of the many risks that organizations face.


When ERM is misunderstood and instead treated as a silo, an additional governance area that focuses on high-level assessments and interviews with senior management, the result is that ERM inevitably fails to live up to the expectations of senior management. High-level risk assessments, while a valuable tool, cannot be all that risk management provides, because on their own they do not deliver the bottom-line results management is looking for.


Instead, ERM's goal should be to leverage all of the risk information that is already known (though probably not made explicit) in other governance areas. This is accomplished by creating a common language and structure so that business areas can transfer knowledge to each other where it is beneficial. The result is transparency and a true risk profile for senior management, allowing businesses to uncover risks and mitigation information in less formalized process areas, and revealing overlapping controls where governance areas should be working together.


This approach to enterprise risk management is what produces the efficiency, engagement, and risk culture that are evident in successful organizations. The ERM process helps process owners do their own jobs better, while they add their own insight and expertise to the larger risk picture.

It sounds like a big challenge, but we have experience implementing ERM frameworks, and we're happy to share our insights. Check out our educational video on Integrating Governance with ERM to learn more.


Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his prescient ability to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic's impacts in January of 2020 and swiftly published action plans to help organizations prepare.
