No company falls out of compliance overnight.  It is a gradual process, the result of a combination of overlooked issues that together create a serious problem.  Strangely enough, compliance issues often result from taking an overly compliance-focused approach to risk management, a common problem for Governance, Risk, and Compliance (GRC) programs.

Take J&J, which, after a series of product recalls in 2009, has once again fallen out of compliance and now faces a permanent FDA injunction shutting down at least one plant and requiring at least five years of severe FDA oversight.  So what went wrong?

While J&J undoubtedly took the 2009 recalls seriously, it focused on correcting the compliance findings rather than digging down to the root causes of those problems and correcting them at the source.  The result?  Manufacturing plants are once again out of compliance just two years later, and the public's trust in J&J products is beginning to wane.

Focusing on compliance is akin to adding another bilge pump because your boat has taken on too much water, rather than seeking out and repairing the leak.  The real solution to a company's compliance issues is to adopt an integrated approach to risk management: one that identifies the root causes of risk and their impact enterprise-wide, and one that focuses on performance management rather than just meeting compliance goals.

These are the hallmarks of an ERM approach to risk management.  It means assessing risks at the operational process level and understanding the consequences of those risks enterprise-wide.

It doesn't matter whether you sail under the flag of ERM or GRC; the difference is in the approach.  Does your organization take an ERM approach to managing risk?

Visit the RIMS Risk Maturity Model assessment and learn more about evaluating your program on one of the seven key attributes that drive ERM performance.


Steven Minsky is a recognized thought leader in risk management, CEO and Founder of LogicManager. Steven is well known for his prescient ability to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts and published action plans to help organizations prepare.



  • But, as you discuss the strategic vision for ERM, let's not forget the basic processes of vendor compliance management, screening and legal due-diligence.  There are a lot of gaps and simple solutions to fill them.  The RIMS Executive Report really tells the story of just how difficult it is to keep ERM simple.  It may be the most important strategy for an international company operating in the 2010's.
  • For anyone who hasn't had a chance to read the paper Andrea is referencing, it's the RIMS Executive Report - The Risk Perspective.  The report compares a variety of standards to the 7 key attributes of the RIMS Risk Maturity Model.  It's certainly worth a read for anyone looking to adopt industry best practices.

    The report also reviews root-cause discipline best-practices across each framework.  However putting these recommendations into practice is anything but easy.  If you're looking to evaluate your risk program on any of these attributes, our organization does offer a free RIMS Risk Maturity Model Assessment on the attribute of your choice.

  • Hi Steven, I couldn't agree more with your point of view. I note the reference by Ian to the diversity of risk standards, and as such you might be aware that RIMS commissioned a paper summarising the key risk standards, "RIMS Executive Report: A Risk Perspective". Australia has been working with AS 4360 and now the ISO 31000 standard for quite some time, and such integration of ERM across an enterprise to create business value is the key cornerstone. However, root cause analysis is an inherent weakness, as the connection between risk causation and the control environment is poorly understood and applied, resulting in inappropriate investment in risk mitigation and risk exposure.
  • We are on the same frequency. Strategic alignment is a critical success factor (vertical, horizontal and external - collaborative, with the value / supply chains).  I agree with that observation that "being overly focused on compliance" can be a root cause / contributing factor for an under-performing ERM program.

    We live in hope. 

    I am interested to see what the COSO ERM (audit) community does next, since their multi-dimensional model, which was ahead of its time in 2004, is becoming dated, and GRC, ISO 31000, and many other (specialist) risk management-related standards, etc. have come on the scene.  In fact, making sense of all the risk management standards is a significant challenge for ERM.

  • Thank you for your comment Ian.  Certainly, risk management needs to be forward looking, embedded into the organization, and analyze risks across silos to really add business value.

    While any poorly executed program is going to inhibit performance, this doesn't need to be the case for ERM.  Risk is at the front-line whether you're spending resources to address it or not.  The key is aligning risk management efforts with your organization's strategic goals.  When this is the case risk management is well worth the effort.

    Creating a "static silo of information" is not what risk management is about (maybe it's a side-effect of being overly focused on compliance?).  The goal of ERM is to increase business performance, not just producing data for compliance forms.

    I'm sorry to hear that this isn't the case with some of the organizations you work with, Ian.  I hope this changes in the future.

  • This is a good question.  Two things come to mind.  Risk management should be focused forward. The horizon is organization and situation-dependent.   Other components of the management system should use root cause analysis, and other analytical and communications techniques to solve problems, manage issues and make near-term decisions (e.g., when time and cost are key factors). 

    Also, understanding consequences should extend beyond the enterprise boundary and include stakeholders' perspectives (e.g., supply chain, end customer, competition). 

    A risk management system should inherently identify systemic risks, constraints and issues, but the process should not be hijacked (pigeon-holed) to become just another management and/or audit tool.  I appreciate that it is more difficult to discuss and estimate uncertainty and risk exposure in the future, but these conversations would add value to the decision making process, and they are needed now more than ever. 

    A key ingredient is governance, which I equate to leadership - throughout an organization, not just top-down.  Without leadership (and good governance), the risk is that ERM becomes just another way of looking in the rear view mirror (e.g., justifying decisions or performance, and trying to project this analysis forward; spin).  If history or boating teach us anything, it is that experience is not always a reliable teacher, especially when organizations depend on limited and/or subjective experience. 

    ERM is one element of GRC.  There is one flag, which OCEG has captured nicely - principle-based performance, which would include risk-informed decision making. 

    Most of the organizations I work with think that they are taking an ERM-approach, but their processes are still inward-looking and tactical, and they create a silo of static information that has a very short lifespan.  ERM and compliance are not adding enough value to, and increasing trust in, organizations for the amount of effort.  In some ways, ERM and/or Compliance mindsets are actually inhibiting overall performance, strategic thinking, communications, collaboration and innovation.  This is my rationale for supporting a GRC concept.  As you suggest, finding the right balance is the challenge, and organizations should not assume that it will happen by maintaining the status quo.

    "It ain't so much the things we don't know that get us into trouble, it's the things we do know that just ain't so...."  Artemus Ward (1834-1867)

  • I agree. Also, how much risk do we incur because our vendors/suppliers are not in compliance? There are easy ways to manage vendors and mitigate that risk.