Regulatory Alphabet Soup Part 2: The Predicted Death of GRC
Last year I told you not to worry about buzzwords like GRC, also known as Governance, Risk and Compliance. The idea behind GRC is that governance, risk and compliance are interdependent but often siloed, which leads to shortfalls. GRC typically seeks to unify interdependent areas across an institution, including audits, controls, policies and procedures, compliance and risk management. GRC is not a term used by regulators, but a phrase created by marketing departments.
While these functions described above are critical for any financial institution, GRC isn’t breaking new ground. It’s putting a new name on an existing practice: enterprise risk management (ERM).
Apparently, I’m not the only one who feels this way. Earlier this month leading research company Gartner announced that the company is “shifting focus away from GRC and expanding its risk technology research through the planned publication of the first Magic Quadrant for Integrated Risk Management (IRM).”
“IRM enables simplification, automation and integration of strategic, operational and IT risk management processes and data,” Gartner says in its press release. “IRM goes beyond the traditional, compliance-driven GRC technology solutions to provide actionable insights that are aligned with business strategies, not just regulatory mandates.”
Gartner’s Magic Quadrant divides IRM into four parts: performance, resilience, assurance and compliance. One application is using the quadrant to evaluate technology providers in use cases, including digital risk management, vendor management, business continuity management, audit management, corporate and compliance oversight, and enterprise legal management.
Is the term IRM going to catch on? It is much closer to accurately capturing the risk management practices leveraged by sophisticated organizations. IRM also sounds awfully similar to ERM, which is defined as the process used by the board of directors and management to identify and manage potential risks, including the interrelationship of those risks. The goal of ERM is to ensure the institution is within its risk appetite and meeting its strategic goals. It’s about viewing risk in a comprehensive, integrated manner. That goes beyond strategic, operational and IT risk to include all kinds of potential risk, from cybersecurity and reputation to credit risk and compliance risk.
I’m glad to see the industry moving away from the GRC term, which was often used to sell stand-alone compliance solutions as a substitute for a comprehensive ERM program. Success depends on an institution’s ability to recognize potential threats and opportunities and execute strategies to contain or exploit them. Institutions need to focus on the basics of ERM, particularly board involvement in understanding the interrelationship of risk. Only then can they find solutions that can help them accomplish their goals.
Meanwhile, Gartner reminds us once again that vendor management is an essential element of any ERM program: it seeks to identify and mitigate the potential risks specific vendors pose to an institution and to determine whether and how those risks measure up against the institution’s strategic risk appetite.
Call it ERM. Call it IRM. Just make sure you do it correctly.
Don’t focus on the jargon. Focus on best practices. That includes enterprise risk management.