While risk management as a formal discipline is less than 30 years old, it has expanded and evolved considerably in that short time frame.
Risk management 30 years ago was an insurance procurement function often managed by purchasing departments with a narrow scope focused on insurable risk transfer.
Recently, after the focus grew to enterprise-wide risk management (ERM), the concept of integrating risk with compliance and governance has emerged as the latest approach in this evolution. Unfortunately, I see this phase as more related to and driven by solution providers. There is limited evidence that many practitioners have actually adopted, or have committed to adopt, this broader definition of the future state.
This is not to say that the integration of these three functions is not a good strategy. It is only to suggest that accomplishing such a vision requires a senior management and board-level mandate before the strategy is set in motion. As so many progressive risk managers have experienced, a broader vision is likely doomed to failure without such a commitment.
There is a growing army of solution providers who have smoothly moved from marketing ERM solutions to relabeling them as GRC (Governance, Risk, Compliance) solutions, ostensibly believing that tying risk to compliance and governance improves their odds of success. This is not to suggest that risk managers should not already have established close and aligned strategies and partnerships with these functions. However, true integration remains a significant challenge.
Compliance, a separately managed function in most companies, is just one type of operational risk, albeit a very significant one in many industries. It typically requires its own resourcing, and leaders often see it as separate from other functions. Arguably, operational risk cannot be managed well unless compliance is included.
Governance, on the other hand, is quite different. The most common view of "governance" is that it is how entities are run: the policies, procedures and practices that cover everything important to successfully managing an enterprise. While failure to do that well is a risk in itself, the value proposition of integrating it with risk and compliance is unclear. It seems more logical to consider its relationship to the typical, externally focused compliance function.
However, the risk management function is so broad, and potentially so complex in its fullest practice, that bringing all three together, especially under one leader, is a job at which no one person is likely to succeed easily.
Yet some GRC proponents argue for all three elements to come under a single leader. In fact, the loudest voices for this combination are often consultants and service providers who have limited interest in how the accountabilities for results are distributed.
Like the risk management function, and unlike the compliance function, accountability for the "governance function" may not rest obviously with any one senior leader, though the general counsel is often a natural choice.
So is GRC just marketing spin, or can it be the next phase of progressive risk management? I view the potential for GRC to be that overarching integration point between these overlapping interests, with ERM and ORM (Operational Risk Management) as subsets of the bigger strategy.
CHRIS MANDEL is the enterprise risk manager for a leading financial institution and a former president of the Risk and Insurance Management Society.
September 15, 2009
Copyright © 2009 LRP Publications