This is missing from most GRC and ERM programs


Recently, I met with a software company that markets a “GRC” solution that analysts have rated highly.

They were keen to show me what they had done. Unfortunately, I had direct words to share.

They were missing an essential element of “GRC”.

The ERM approach they promote will probably miss risks of significance.

How did this happen and why do I say it’s missing from most so-called GRC and ERM programs?

What they were doing was identifying risks and then mapping them to objectives.

This sounds good, but the problem is that this bottom-up approach may miss risks that are significant to the achievement of those objectives.

It is better, IMHO, to take a top-down approach – or at least to combine the bottom-up approach with a top-down one.

That means taking each of your enterprise objectives[1] and identifying the sources of risk and opportunity that need to be addressed if you are to achieve them.

Only then can you assess whether the likelihood of achieving your objectives is acceptable.

I don’t often quote from COSO ERM 2017, but this is one area where they provide some decent guidance.

  • A discussion of enterprise risk management begins with this underlying premise: every entity—whether for-profit, not-for-profit, or governmental—exists to provide value for its stakeholders.
  • Risk affects an…
