My response to Steven Minsky’s blog on: ERM vs GRC? SEC Says No to Myopic Approach: Costly Example from Goldman Sachs


You are struggling with understanding GRC. Everything you describe about ERM represents the R in GRC. ERM is the R in GRC if GRC processes (and supporting technologies) are done right. That is the simple truth of it. In fact, ERM that is disconnected from Governance is a failure. Boards and executives need to govern risk. ERM done separate from compliance fails. Risk appetite and tolerance, as well as the culture of risk taking, are established in policies. I recently interacted with one large bank that had 200 credit risk policies that they are looking to consolidate and track compliance to.

Notice I have not brought up GRC technology. GRC is about collaboration and cooperation between governance, risk, and compliance activities. Technology can support and enable this. However, there are bad technologies out there, and some are stronger in one area than another.

Your post leads me to believe that governance of risk and monitoring compliance to risk policies and culture are irrelevant. I am sorry to hear this from you.

