Regulatory Alphabet Soup – GRC vs ERM

In offices and on conference calls across America, salespeople are plotting to baffle financial institutions with an acronym created not by regulators, but by marketing personnel.

It’s not hard. Compliance and risk management are already mysterious—up there with Big Foot, the Loch Ness monster, the origin of Stonehenge and whether or not your cat actually likes you.

Or at least it can feel that way. That’s because salespeople are constantly coming up with creative jargon to confuse you about actual requirements and what you really need. GRC. ERM. CMS. It all sounds so imposing and important. But when you cut out the jargon and focus on guidance, compliance and risk management seem a lot simpler.

View the Recorded Webinar: GRC vs ERM

Let’s take a few minutes to separate fact and fiction and break down these terms.

ERM. Also known as Enterprise Risk Management. ERM is the process used by the board of directors and management to identify and manage potential risks—and the interrelationship of those risks—across an institution to ensure the institution is within its risk appetite and meeting strategic goals. It’s about “viewing risk in a comprehensive, integrated manner.

The key word here is interrelationship. In the Corporate and Risk Governance booklet of the Comptroller’s Handbook updated this July, the OCC describes ERM as “the interrelationship of the bank’s risks and the potential impact on its earnings, capital, and strategic objectives” which require enterprise-wide assessment, evaluation and management. NCUA guidance explains that ERM is a process “to encourage organizations to take a broad look at all those factors, understand the interrelationships among those factors, define an acceptable level of risk, and continuously monitor functional areas to ensure that the defined risk threshold is maintained.”

Other regulators such as the Federal Reserve and the FDIC don’t use the term ERM much in specific guidance, but have offered insights in several speeches, suggesting ERM is an integral banking best practice—one that should be unique to each institution based on its size and complexity. They also refer to the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, which provides a framework for ERM. ERM is also frequently mentioned in guidance on third-party vendor relationships.

Effective ERM is about breaking silos to think, for example, about how interest rate risk interplays with cybersecurity risk and compliance risk. It’s developing a culture where those governing the institution identify risks as part of the institution’s overall strategy to ensure goals are reached. It impacts everything from profitability and growth to regulatory compliance and business continuity.

GRC. Also known as Governance, Risk and Compliance. The idea behind GRM is that governance, risk and compliance are interdependent, but often siloed—leading to shortfalls. GRC typically seeks to unify interdependent areas across an institution including audits, controls, policies and procedures, compliance and risk management.

Let’s take a quick look at the three elements.

  • The structure and practices of how an institution is organized and managed. An institution’s governance approach should evolve with its size, risk profile and complexity.
  • Risk Management. Risk management is the management of specific risks. These include credit risk, strategic risk, transaction risk, compliance risk, reputation risk, operational risk and cyber risk.
  • At its core, compliance is following applicable laws and regulations.

Sounds a lot like enterprise risk management, doesn’t it?

That’s because it basically is. The term GRC is essentially made up. If you’re having trouble understanding what it means, it’s not you. Different people use different definitions—often depending on what they are selling. Check regulatory guidance for the FDIC, FFIEC, OCC, Federal Reserve, CFPB and NCUA. Run a search on their websites. The regulators don’t mention it a single time.

Vendors use this invented term to make their systems sound more sophisticated. They’ll argue that GRC is about managing risk not just at an enterprise level but at the management and execution level—but the truth is that best practices for ERM already cover this territory.

As the OCC sates, “ERM helps the board and management view the bank’s risks in a comprehensive and integrated manner.”

The problem is that not every institution is using effective ERM practices. While 92 percent of banks worldwide report having an ERM program, 22 percent of them aren’t approved at the board level, according to a Deloitte survey. And while 92 percent of intuitions said they had a chief risk officer, less than half of them reported to the board.

What about CMS?

CMS. Also known as a Compliance Management System. A CMS is the method an institution uses for managing the entire compliance process. While it may include a technology component, it’s not just a software solution.

After all, compliance isn’t limited to compliance risk—it touches nearly every type of risk at the bank.

Cutting through the jumble of risk management and compliance acronyms, it’s easy to see how discussions about risk, compliance, monitoring, policies, procedures, and findings are complicated by too many acronyms. But why is there so much chatter about GRC? It’s because vendors are trying to provide a label for having one software platform that attempts to do everything. The vendors want to sell everything in their bag including governance tools, risk tools, and compliance tools in the name of integration. The challenge is that governance, compliance, and risk management are particularized by each financial institution and their regulators, which minimizes the opportunity for GRC suites to be successful.

Compliance isn’t the most scintillating topic. Putting a new spin on an old task makes a system sound more exciting—and, dare I say, more expensive as vendors mark up the cost of products that serve something need.

But following fads is no way to handle risk management or compliance. Institutions need to focus on the basics of ERM—particularly board involvement in understanding the interrelationship of risk—and then find solutions to help accomplish this goal.

Don’t let a new acronym guide you about the next big thing—focus on the foundational elements and the guidance from the regulators.