Alphabet Soup: Making sense of GRC and ERM

Apr 7, 2021

The debate continues: Which is better, GRC or ERM? At Rochdale, we say neither.

Our industry has a not-so-secret obsession with acronyms. There’s ERM and GRC, of course, but also eGRC, IRM, ORM and something I like to call WYCI — Whatever You Call It. Jokes aside, it’s easy to get lost in the alphabet soup of risk management programs when trying to decide which approach is best for your credit union.

Worse still, no one seems to agree on their meaning. A study of 23 countries from the IIA Research Institute found a wide range of perceptions surrounding GRC and ERM programs. While most internal auditors describe ERM as a component of GRC (60%), a significant proportion had the opposite viewpoint—that GRC was a component of ERM (24%).

With so much confusion over the definitions of ERM and GRC, I’d like to dispel the misinformation surrounding their similarities and differences and explain how we at Rochdale see these terms and the concept of risk management as a whole.

Breaking down the terms

First things first: the difference between ERM and GRC is not a versus, either-or issue. There is a notion in the industry, largely a product of flashy marketing and consulting, that you are either on Team ERM or Team GRC. Yet both ERM and GRC serve specific functions that depend on each other.

Practically speaking, both support enterprise-wide risk management, covering everything from HR to finance. Their difference lies not in their shared goal – increasing your chances of achieving organizational objectives – but in their approach.

Defining GRC

Early GRC solutions sought to identify and integrate what they considered to be the most critical organizational functions – governance, risk management and compliance – across all departments and within all industries.

Evolving beyond spreadsheets, GRC is somewhat synonymous with software modules that are designed to increase efficiency between an organization’s disparate departments and systems. By synchronizing information sharing across all governance, risk and compliance activity, GRC aims to keep all parts of the organization on track.

Today, GRC encompasses regulatory compliance, auditing, policy management and business continuity, among other functions. But when it comes down to it, GRC is about maintaining the status quo and retaining value. It is inherently more compliance-based and process-focused than ERM, which concentrates on high-level strategic efforts. While GRC keeps the machine well-oiled and running smoothly, ERM drives the organization forward through strategic decision-making.

Together, they make your organization ambidextrous. If you’re only concerned with preserving old value, you’re never driving toward anything new. You have to take risk. We’re regulated entities, though, so we have to take measured risk, and that’s where ERM comes in.

Defining ERM

Some argue that ERM – enterprise risk management – rounds out the ‘R’ in GRC. However, ERM and GRC take a distinct approach to managing risk. While GRC tends to focus on a compliance-related checklist when it comes to risk, ERM seeks to not only manage the downside of risk, but to identify the upside, too.

As opposed to the value-preservation approach of GRC, ERM focuses on value creation. From assessing your organization’s risk appetite to developing a risk strategy, ERM is about maximizing favorable outcomes and discovering opportunity.

We take it one step further at Rochdale by building strategic and comprehensive risk frameworks for our clients. This elevates risk management to the executive level, interpreting all the data in the organization and making it usable. At Rochdale, we see these risk frameworks as the umbrella that covers all elements of ERM and GRC.

The integration of all the GRC functions is only so useful. If you can’t turn your data into something meaningful or actionable, it means nothing for your organization.

Building a risk framework requires a much more forward-thinking approach, anticipating the effect of different forces on organization members — from default risk to fires, floods or even pandemics.

In fact, all of our clients actually had ‘pandemic’ in their risk matrix before COVID-19 hit the United States early in 2020. None of our clients were caught off guard because we had already discussed the variables associated with an outbreak and outlined the process for managing each.

When we see clients returning to us, it’s usually because our approach to ERM and risk frameworks makes us more prepared to weather uncertainty and act based on data and predictive models.

Choosing what works for your organization

With so much uncertainty in the last year due to COVID-19 and last November’s election, it’s essential to get your organization’s risk posture right. Nuanced definitions aside, having a program that analyzes both the downside and the upside of risk will be crucial to navigating the year ahead.

What’s important is choosing a solution that will work with all the unique aspects of your organization. After all, our industry is about putting people first, and finding an individualized program for your organization can help you serve your members better. It takes more than software to meet their needs, a key reason Rochdale places so much emphasis on our services as well as software.

Above and beyond debates over GRC and ERM, we believe there’s a human element that drives it all. And having the right partner to navigate the future is critical.

Reimagining the way your organization approaches risk can open new opportunities, especially as we reimagine what 2021 will bring. One thing is certain, though: Rochdale will continue to put the “human” aspect of these acronyms first.

To learn more about building a comprehensive risk framework for your organization, reach out to us today. We offer free consultations to understand your gaps and pain points, and tailor custom risk management programs accordingly. Contact us to learn more.


Jeff Owen is the COO of Rochdale with more than 20 years of experience in the financial services arena. He’s passionate about the credit union movement, and utilizes his breadth of experience and analytical expertise to reimagine risk as opportunity for his clients. To learn more about how Rochdale reimagines risk, visit reimaginerisk.com