Yanny or Laurel? Integrated Risk Management or GRC?

We have all heard it.  In one way or another.  The Yanny vs. Laurel sound clip is raging across the internet.  Mainstream media has thrown major fuel on the fire.  Jimmy Fallon spent considerable time debating on his show with Questlove throwing in his own version.  Which camp are you in?  It is amazing how an audio trick manipulating the pitch of a sound clip can get so much attention.  Clever?  Yes.  Earth shaking?  Not really, but a distraction from the normal day-to-day grind.  While not as hot of a topic – I doubt Ellen or The Today Show will pick up the story – risk management has its own Yanny and Laurel.

The term GRC has been in the industry for over 15 years and while it has been accepted and grown to represent a core business process in many organizations, it also has built perceptions around the feasibility and applicability of these programs.  In some organizations, GRC has taken hold and is an accepted term.  In other organizations, though, GRC represents a bureaucratic, complex concept requiring heavy operational processes resulting in little value.

Today, organizations are faced with a much more complex and fast moving challenge that GRC programs may, or may not, be equipped to address.  Many organizations are being overwhelmed by the magnitude, velocity and complexity of existing and emerging risks – struggling to respond to business risks, rather than seizing opportunities that drive the business forward.   The reason is that many organizations’ current risk management mechanisms are undeveloped, disconnected or ineffective.

Organizations must manage risk with more agility and integration than ever before.  The strategies driving business success – for example, technology adoption or market expansion –introduce more risk.  The interdependence of digital and business strategies have converged cybersecurity and business risks creating a complex set of problems.  Industry and government requirements fuel increased scrutiny by regulators.  Organizations have an increasing reliance on external parties including service providers, contractors, consultants and other third parties that complicate their business risks.  Executives and boards demandi the business manage risk without excessive costs affecting the bottom line.  The media is ready to pounce on any incident – from a data breach to a compliance failure to a corporate scandal.  Increasing reliance on technology exposes businesses to the explosion of dangerous cyber threats.  Any delay or setback in meeting business objectives can mean the difference between success and failure in today’s highly competitive market.

Integrated Risk Management (IRM) represents the next evolution of GRC.  IRM covers many of the same concepts as GRC but stresses the agility and flexibility needed by today’s modern enterprise.  IRM highlights the integrated nature of risk:

  • Horizontally – Risk management must integrate across risk domains (security, compliance, resiliency, etc.) since no risk today stands alone.  For example, a security issue can be a compliance issue, result in a business disruption, involve a third party and result in financial losses and reputational damage.   Establishing a common program to cross operational functions and foster a multi-disciplinary approach to risk management is the horizontal element of IRM.
  • Vertically – Risk management must connect operational risks to the business strategies and vice versa.  Taking that same security issue as an example, if you can articulate the business impacts of a security incident, you are creating a more relevant starting point for the business to understand what is going on.  As risk and security teams are being asked to protect the business, they must then understand the business they are protecting.  Connecting strategic objectives to operational events, risks and controls are the vertical element of IRM.

As risk management programs mature in these two directions – horizontally and vertically – the organization starts building a truly integrated view of risk and is better positioned to adjust risk management strategies to address the volatile nature of risk in today’s enterprise.

So which do you hear when your organization says ‘we need to deal with emerging issues and the uncertainty related to strategic business objectives”?  GRC?  Or Integrated Risk Management?  It’s unlikely this dispute will become fodder for late night talk shows, but it is worthy of a discussion in your organization today.  Now if we could only settle the Blue Dress/Gold Dress argument