The Next Generation of Risk Management
I've been silent on the blogosphere for quite a few months. In a number of lunch conversations and discussions with the graduate accounting students taking my GRC course at the University of Houston, I've been asked to compare and contrast Enterprise Risk Management and Governance, Risk, and Compliance. On more than one occassion, I am asked what is the difference between ERM and GRC.
First, let me say that Enterprise Risk Management is not Governance, Risk & Compliance; ERM <> GRC. ERM is a management process while GRC is a management system.
Secondly, ERM is a significant management process within a GRC management system. Risk management frameworks like COSO ERM do much to organize objectives, risks, responses, and monitoring activity, a framework does not execute the processes nor discern when the efforts require a resource allocation change. People embody the capabilities to evaluate the subtle nuances but can become overwhelmed, fatigued, even complacent about consistent approach and rigorous attention. Generally speaking, technology has a place in enablng a robust GRC system. Note, I did not say technology enables a robust ERM process. It can; however, I believe that is suboptimal. In fact, there are many seemingly periferal activities and systems that need "Governance" to aggregate, correlate, forecast, predict, report discrete "Risk" issues (key risk indicators which are the inverse of key performance indicators) that are in "Compliance" with mandatory boundaries (laws, regulations) or voluntary boundaries (policies, procedures). While technology is not a panacea (no Easy button), it certainly can enable the evolution and architecture of a GRC management system.
The following is a UHY International circular that addresses some of these issues.
http://www.uhy.com/media/PDFs/UHY%20International%20Business%20Issue%2018.pdf

0 Comments:
Post a Comment
<< Home