A good argument by EY for improved ERM, but a poor one for GRC

Last year, EY published an interesting thought leadership piece titled “The multi-billion dollar black hole: Is your governance, risk and compliance investment being sucked in?” I recommend downloading the complete report rather than the summary on the web page.

This is how the Executive Summary starts:

“For years, companies have invested heavily in governance, risk management and compliance (GRC), increasing the size, magnitude and reach of their GRC functions and activities.”

It sounds as if they are going to talk about GRC. But, the next paragraph shows that is not correct; they are talking about risk management and not GRC as we know it (see my posts on what GRC is all about – referenced below).

“Now, in the aftermath of the most severe economic crisis in a generation, they are acutely conscious of the need to demonstrate sound risk management. They believe that their reputations, customer loyalty and even their credit rating and access to capital depend on it. Some reports suggest that financial institutions alone will spend up to US$100 billion globally on mitigating risk in 2010; others indicate that US companies alone will invest US$29.8 billion over the same period.”

So before looking at the great stuff in the report, let me repeat my plea that we, as a community, use a common definition of GRC (I prefer the OCEG definition).

Rant: If we are talking about risk management, talk about risk management and not GRC. Using the term GRC when people really are only talking about managing risk, or risk and compliance, is just confusing everybody. Boards, executives, and practitioners leave a presentation by consultants muttering that GRC is just hype, because the presentations are not about GRC at all – but risk management.

With that behind us, EY have some interesting and useful points. I recommend that as you read the report you replace the term GRC with risk management or ERM. These quotes are in the order they appear in the report, numbered for convenience (I replaced ‘GRC’ with ‘risk management’ or ERM).

  1. Being seen to invest in risk management is… one way of communicating to stakeholders that their businesses are safe and reliable investments
  2. Of most concern are the views held by external stakeholders – regulators, investors, analysts, academics and journalists – who have become a critical interest group in the post-crisis environment. External stakeholders are more dissatisfied with the quality of [risk management] than companies’ own operational management and business leaders, with 79% stating they believe that companies’ [risk management] need to be enhanced.
  3. 69% of companies believe that investors and shareholders increasingly look to [risk management] as a measure of their corporate stability. Companies are unwilling to tolerate and unable to afford lapses in risk management and, as a result, they spend even more on shoring up their [ERM] capabilities as a defence against failure.
  4. Those that attempt to bridge gaps with increased expenditure on governance, risk and compliance end up with uncoordinated GRC initiatives that are bolted together, rather than clearly focused or integrated. Much of this spending is a knee-jerk reaction rather than a considered one, leading to a haphazard approach, disconnected from the wider business strategy, as well as duplication, overlaps and gaps in risk coverage.
  5. In 2009, an Ernst & Young-sponsored research survey by the Economic Intelligence Unit (EIU) found: (a) 73% of survey respondents had seven or more risk functions; (b) 67% had overlapping coverage in two or more risk functions; (c) 50% reported gaps in coverage between risk functions; and (d) 62% believe they can get better risk coverage for less spend
  6. Today, companies are increasingly alert to the need to transform their [ERM] capabilities not only to manage today’s risk environment more effectively, but to sustain and improve business performance.
  7. Regardless of pressures and appetite for change, what they need to recognize, however, is that reinvention cannot be achieved with incremental improvements. Without a well thought-out strategy, they will chip away at the exterior of a function that is not working effectively. Consequently, good investment risks slipping away because companies do not take a holistic view of enterprise risk and cannot deliver the value expected of them. Therein lies the multi-billion dollar black hole.
  8. An Ernst & Young survey of 137 global institutional investors found that 82% will pay a premium for companies that demonstrate successful risk management. Meanwhile, 61% will not invest where there is evidence of poor risk management and 41% would withdraw investment where there is a perceived lack of appropriate risk management.
  9. Companies would not ordinarily part with billions of dollars without the expectation of a healthy return. That is why risk expenditure needs to be treated as a strategic investment or business enabler – much like spending on plant or equipment. It has to be capable of protecting and delivering value by way of improved business performance and an acceptable return on investment (ROI).
  10. Evidence from Ernst & Young’s 2010 survey of 567 companies across Europe, the Middle East, India and Africa… Two out of three respondents acknowledge the need to enhance their risk management capabilities.
  11. An effective [ERM] capability provides value by giving organizations the confidence to take on risk, rather than avoid it. By effectively managing the right risks, management has more timely, comprehensive and a deeper understanding of risk which, in turn, facilitates better decision-making and confidence to take on new ventures or even to accept higher levels of risk. The upshot of this investment includes a greater competitive advantage, reduced cost of capital and a steady share price.

It’s always useful to have information with statistics, such as the point that 73% of respondents had seven or more risk functions, or that 82% of global investors would pay a premium for companies with demonstrated successful risk management.

I also like EY’s points about taking a strategic approach to implementing ERM rather than doing it in pieces (#7 above), and the comments about risk management enabling sustained, optimized performance and not just protecting value (#6, #9, and #11).

I welcome your thoughts.

GRC posts:

GRC Survey: The Results Are In

A Word From the GRC Guru on 2011: His Gripes and Expectations

Is There Value in the Term “GRC”?

The heart of GRC continues to beat – but what is it?

Selecting the right GRC solution for your organization

Why I hate the term “GRC platform”

How Does SAP Enable World-Class GRC Processes?

  1. Larry Brown
    May 13, 2011 at 7:02 PM

    Norman – I think you may have missed the forest for the trees on this one. Both ERM and GRC are marketing terms developed by consulting firms to sell services and software.

    Everyone jumped on the ERM bandwagon when it came out many years ago, and when GRC “blossomed” – some would argue out of ERM – many jumped on the GRC bandwagon.

    I have no doubt that the consultants are already brewing up the next acronym de jour. I also have no doubt that many of those on the GRC bandwagon will hop to that fad. Our running joke is that the next acronym cannot include the letters G, E, R, M, or C.

    A rose (well-run business) by any other name would smell as sweet.

    I do appreciate your thought-provoking posts. Keep up the good work!


  2. Laszlo Csuport
    May 14, 2011 at 8:01 AM

    I think it is a very important topic!

  3. May 14, 2011 at 8:45 AM

    The entire concept of GRC is a bit misleading, in that risk management and compliance should really be considered as subsets of the strategic governance plan. For far too many years, companies have spent billions on compliance initiatives which were not holistic in nature and have, consequently, created pockets of compliance without providing comprehensive risk mitigation, compliance, or strategic differentiation within the market. That does leave reputation and operational functionality in jeopardy across the organization.

  4. May 15, 2011 at 1:28 PM

    I very much agree with Larry, it’s important that GRC be seen as the next panacea much as ERM was. Rather as the next buzz word from a consulting perspective.

    Compliance is a noble activity but pretty useless if governance constructs are not keeping pace with the corporate risk environment in any evident way.

    I’ve been a risk manager for long enough to see the difference between real risk evolution in the financial services space and another opportunity for consulting spend.

    Thank you for posting, it is an important discussion.

  5. May 16, 2011 at 11:11 AM

    An interesting and useful article on ERM. However, my point is that ERM done properly is GRC. G=the setting of corporate objectives (explicit and implicit), including corporate policies, cascaded in an hierarchy throughout the organisation. R=risk (obviously). C=provided by the internal control framework linked to identified risks.

    I’m sure you can hang additional activities off the G layer of GRC but in essence GRC=ERM.
