GRC vs. ERM: Where's the Love?
Posted by Jim Wickenden on Fri, Sep 10, 2010 @ 07:44 PM
There seems to be a certain amount of buzz going around about GRC versus ERM. It appears that two camps are evolving that perceive GRC as a spectre looming over the industry, stifling individuality and progress, with ERM as a lone guardian who boldly defends the rights of organisations to work prudently, if largely unfettered. However, there also seems to be an atmosphere of myopia, with the jolting days of 2008/9 becoming hazier as the days roll on, and the now is once again becoming more important than the months or years to come. As a result GRC, not long ago seen as the saviour of western civilisation and the last bastion of humanity in the heartless world of commercialism, is being demonised and replaced by rationalised risk. Enterprise Risk Management even has a noble ring to it as it battles for the rights of the free thinker and the progressive, balanced mind.
However, I might remind you, dear reader, that GRC (Governance, Risk and Compliance) was established by the industry, yes us, and not governments in a vain attempt to win votes, even though it sounds very much like a cabinet white paper. ERM has long been with us but, to be honest, has failed in its duty to curb the excesses of our industry, but this is also not a reason to alienate ERM as a wild child that needs a serious grounding. ERM is a natural state of business. It is the assessment that considers whether the cost of preventing loss is more than the loss event itself.
However, I do not consider them mutually exclusive; to accept ERM is not to reject GRC, and unfortunately that seems to be the road down which we are heading...again. I have heard and read, for example, that for individuals to bend or even break the rules is an abhorrence, one-offs, and too difficult or expensive to protect against or even monitor effectively, and therefore it is more cost effective to allow these infractions to occur than to stop them in the first place.
To rationalise so callously is not only damaging but also unnecessary. In some areas technology is ahead of the curve in combining GRC and ERM, satisfying the calls for morality and practicality. We all have a golden opportunity to assess not just the industry but how we work within it to the advantage of all. ERM gives us this practical ability immediately, not GRC. It is ERM that dictates what systems to update and/or implement, but it is GRC that gives us the impetus to do it, even if reluctantly. If GRC is the stick and the carrot is ERM and profitable progress, then operational risk managers have the perfect opportunity to direct their respective organisations not to be stubborn, intractable mules.
To work prudently is not the opposite to growth and success. To assess risk is not going against the directive or even the concept of GRC, and this holistic approach to streamlining and improving monitoring, analysing and reporting within the industry is what I, and we, support at Latilla.