I was reminded of this Dilbert classic by the material I discussed in my previous post – Feeling lost? Try EGRC. I borrowed that line from a running gag in the original Muppet Movie – except they suggested you try Hare Krishna. Perhaps the adherents of this EGRC cult will start to chant and hang out at airports.
I actually see ERM as being in the same category of things that add an “E” – just to claim a new and improved discipline.
It is a little ironic that in one breath somebody would propose an approach based on ISO standards, then put a label on the approach that is reminiscent of non-ISO models. The international Risk Management standard is ISO 31000 – which is very strongly derived from the previous Australian Standard on Risk Management, AS 4360.
For me, ERM is about a different model of risk management – the COSO framework. If you are from the USA, or work for a US company bound by Sarbanes-Oxley, then you may need to apply this specific model. For everyone else, ISO 31000 is much easier to understand, and easier to apply across the enterprise. Here is a quick comparison of the two standards from Riskczar (and Felix Kloman).
You can also find an interesting post on Norman Marks’s excellent blog entitled “10 reasons not to like the COSO ERM framework”. This post is derived from a conversation with Grant Purdy – a highly regarded risk pundit and the chair of the committee that developed the original AS 4360. (So yes, he is biased.)
Risk Management needs to be applied across the enterprise and be able to be applied to individual contexts, across strategic, tactical and operational areas. Risk Management done properly deals with all required areas of decision making in the enterprise – it does not need the E added for that purpose. A practice or approach labelled as ERM but done badly and only in silos is just poor risk management.
ISO 31000 can accommodate the ERM demand, but it also allows the same model to be applied to silo or project risk management – if that is what you need to do. It is also very scalable, so it will have no trouble expanding to meet the needs of the larger enterprise.
It is fascinating to read the various writings available on the internet that debate the need for GRC at all – and, in the US context, the debate that rages about why you need GRC when you already have ERM. This post, again from Norman Marks’s blog, has some very heated debate on the need for GRC. There is also a further post, again with input from Purdy, “What’s wrong with GRC”.
Wikipedia lists GRC as “Governance, Risk Management and Compliance” – which is interesting as one of its main defenders, Michael Rasmussen, on his own web site refers to it as Governance, Risk and Compliance – no Management, E or otherwise. However he does highlight that “technology plays a critical role” – and perhaps this is the key to where Alvord (the technology vendor from the earlier post) is deriving his inspiration.
We need many different areas of the enterprise to collaborate to avoid repeatedly doing the same thing with different approaches and models. We also need the contributions these various disciplines make to the concept of resilience.
We need to achieve synergy of their effort – not convergence of the different disciplines.
We do not need any more areas where we mistake the tool/technology for the process.
Having said all that, eResilience has a nice ring to it.
Think I might copyright that!
A whole new discipline – coming soon.