One acronym after another.
An ice cream headache, for sure, trying to understand the similarities, differences and connectivity between all these terms.
You need to do it, however.
Simplify, simplify, simplify.
Break it down and truly comprehend everything.
Get ready for the proverbial elevator speech, if the need for one materializes.
Toward that goal, here are several recommendations:
- Establish Enterprise Risk Management (ERM) as Your North Star
  - This is not meant to diminish or disparage other acronyms but merely to state an undeniable fact that needs to be accepted.
  - ERM is the granddaddy of them all.
  - Every component of all other risk-related acronyms or topics emanates from ERM or the framework established around ERM (the Risk Management Framework).
  - In other words, the world revolves around ERM.
  - If you don’t like that fact, get over it.
  - Get on with the business of managing risk.
- Don’t: Quibble, Be Smarter by Half, or Get Hypothetical, Esoteric or Academic with your Language
  - Every word matters.
  - Take no chances.
  - Leave nothing up in the air.
  - Use precision in all matters in such an important discipline.
  - Several useless debates, for example:
    - Three Lines of Defense vs Three Lines of Responsibility. Use the former.
    - ERM vs Integrated Risk Management (IRM). Use the former.
    - ERM vs Strategic Risk Management. Use the former.
- It’s All About the Risks, Stupid
  - I say this with affection, and as a reminder to myself as much as to others.
  - Easy to lose sight of.
  - Treat risks as if you are bare-naked; do not rely on the safety blanket of insurance.
  - Remember: in the long term, you will pay all your losses.
  - Another way of saying this: if a company had the financial wherewithal, it could (and should) self-insure all risks. No insurers, no brokers – just risk managers.
  - Imagine that.
- The Risk Register
  - It can also be termed a Risk Universe; that’s OK.
  - It’s not, however, a Risk Taxonomy (ouch, that sounds painful) or a Risk Catalog (when did we end up in the library?).
  - Call it Severity, not Impact, so that everyone in the organization is on the same page.
  - Define Severity in multiple ways, using a 1-5 Rating Scale (e.g. Financial (% of Capital), Brand/Reputation, Regulatory Intervention, Strategic).
  - For the same reason, call it Likelihood, not Frequency.
  - Define Likelihood in a temporal manner, using a 1-5 Rating Scale (e.g. a significant event happening every 1, 5, 10, 25 and 50 years).
  - Bottom line: the fewer terms you use, and the more rock-solid certain those terms and definitions are, the better.
- ERM vs GRC
  - GRC is a well-accepted, more bite-sized subset of ERM, plain and simple.
  - The R (Risk) in both acronyms is identical – it refers to ERM.
  - The C in GRC is Compliance, an operational risk in the ERM risk register as well as one of the foundational components (Culture and Ethics) of ERM.
  - Finally, G refers both to Corporate Governance, an ERM Operational risk, and to another ERM Foundational component, namely Governance. There, the various roles and responsibilities in the ERM equation are definitively laid out (e.g. Three Lines of Defense).
- ERM vs Compliance
  - As stated above, the C refers to Compliance, an operational risk in the ERM risk register.
  - There is nothing to prevent the Compliance function from deciding to further break down that exposure into sub-risks, in order to better delineate and manage it on a more granular basis. (The last company I worked for broke down Compliance into 62 such sub-risks.)
- ERM vs Internal Audit
  - Internal Audit plays a vital 3rd Line of Defense role in all risk matters.
  - Audit Planning should align with risk priorities.
  - Certain risks on the ERM risk register are more logically tied to Audit (e.g. Fraud); the Head of Internal Audit could, in fact, be the risk owner for those exposures.
- ERM vs ESG
  - The G (Governance) in ESG has already been covered, within ERM.
  - The S (Social) in ESG can be tracked to the ERM foundational component of Culture (Overall Cultural Model, Ethics and Compliance).
  - E, for Environmental, will align with the Climate Risk particulars enumerated on the ERM risk register.
- ERM vs DEI
  - There is not a more important risk-related acronym on the horizon today than DEI (Diversity, Equity and Inclusiveness).
  - Start before you are ready on this – just get going.
  - If it needs improving, do so tomorrow from the base of today.
  - All of these items (DEI) need to be embedded in your Cultural Model, a vital ERM foundational component.
  - A crucial ERM risk like Human Resources – Management Development needs to be appropriately expanded and honed to yield the type of organization you want. How do you develop diverse talent, then grow and mentor them?
  - You need to operationalize DEI throughout the culture of the organization.
  - Set up key risk indicators (KRIs) in your ERM risk register to allow you to monitor – and constantly improve – your controls.
  - Like ERM, DEI is an iterative, evergreen process.
About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.