Posts Tagged ‘Regulatory Compliance’

Real World ERM

Wednesday, June 10th, 2009

The Institute of Internal Auditors (IIA) released a great series of articles on Enterprise Risk Management (ERM), “Real-world ERM” and “12 Key ERM Challenges”, that convey the struggles of implementing ERM and some great insights on how to ‘make it real.’

A quote that stuck out to me was, “there is no shortage of guidance to explain what ERM is and how to implement it, though most of this information is written for risk and control specialists. To succeed, ERM efforts need to include people with other priorities.”

Getting buy-in from management is a top roadblock to successfully implementing an ERM program – or at least to implementing an ERM program that won’t fizzle out quickly. Fortunately, as noted above, there is a multitude of documentation on the concept and benefits of ERM… and in a later post, I’ll identify the most relatable ways to talk about ERM with management.

ERM vs GRC

Wednesday, June 10th, 2009

“Enterprise Risk Management (ERM) and Governance, Risk, and Compliance (GRC) are pretty similar in definition and are often cited interchangeably. I’ve often asked what the difference was, so I’m sure you may have asked the same question.

After some quick web searching, I found this interesting article on the difference between ERM and GRC.

In its simplest form, the difference is simply in their names. ERM includes identifying risk appetite, assessing risk, integrating risk management in daily decisions, and monitoring risks. GRC is an umbrella philosophy that includes risk management, governance, and compliance. GRC may include ERM as the methodology of managing risk, but it may not. If an ERM program is linked to governance and risk, then it might transition into a true GRC program.

There is certainly more to ERM and GRC programs, but that is the nuts-and-bolts difference between the two.

Are you interested in implementing ERM or GRC programs successfully?  If you’ve already implemented these programs at your organization – what pitfalls have you faced?  What success stories do you have?”