Enterprise risk management is not just a function of an organization. It's a culture that can be developed and enhanced. Each leader already plays a risk management role for its organization. ERM is the organization's umbrella effort of risk management, and it is three dimensional because it:
A common set of definitions, process framework and system solutions allows the ERM team to bring all risk management efforts together to: (1) set the appropriate risk tolerance levels for the organization and each functions (2) bring transparency on risk management efforts and resource allocations (3) create synergy in risk management efforts and renders more effectiveness.
- Integrates all risk efforts under one set of common definitions, process framework, and system solutions;
- Brings together the different types of risks, the time spectrum and the organization's decision frame;
- Is a continuous process and evolves and matures with the organization.
Each function will identify and treat risks associated with its functional orientation. There is a benefit in synchronizing the risk types, with its time character and the organization's decision frame to provide a more holistic and integrated coverage.
And finally, risk management is a process, not a project. Thus, should be customized to your organization's culture and risk appetite. Just like any process, it needs to continuously refine and revaluate its approaches, seek feedback, be supported by a common system solution, and celebrate successes along its journey.
A GRC program is designed to support a holistic view of governance, risk, compliance and business strategy execution to minimize redundancy while anticipating future circumstances and heading off any conflicts to meeting goals. GRC programs promote the timely, consistent and accurate capture and maintenance of all material issues, arising during the course of business, in an auditable system of record. GRC, like ERM, is three dimensional, and is comprised of:
- Performance management, which addresses reliable achievement of objectives through effective management of business processes that are visibly and objectively measured
- Risk management, which addresses managing the uncertainty associated with the pursuit of objectives
- Compliance, which addresses voluntary promises that must be kept and laws and regulations that must be obeyed as objective are pursued
Together, ERM and GRC promote transparency, contingency, and risk appetite aspects of the corporate planning and strategy process by:
- Addressing considerations that fall beyond the boundaries of business/economic scenarios;
- Substantiating, or eliminating, any contingencies;
- Helping to accurately shape objectives to ensure the Board-directed risk return trade-offs are reflected.