Is Risk Management Part of Performance Management?
A popular acronym is GRC — for governance, risk, and compliance. One can consider governance (G) as the stewardship of executives to behave in a responsible way, such as providing a safe work environment or formulating an effective strategy, and consider compliance (C) as operating under laws and regulations. Risk management (R), the third element of GRC, is the element more associated with enterprise performance management.
Governance and compliance awareness from government legislation such as Sarbanes-Oxley and Basel II is clearly on the minds of all executives. Accountability and responsibility can no longer be evaded. If executives err on compliance, they can go to jail. As a result, internal audit controls have been beefed up.
The “R” in GRC has characteristics similar to those of performance management. The foundations for both risk management and performance management share two beliefs:
1. The less uncertainty there is about the future, the better.
2. If you cannot measure it, you cannot manage it. If you cannot manage it, you cannot improve it.
A strong case can be made that risk management is a subset under the much broader umbrella of enterprise performance management. An example is Lora Bentley’s blog, “Risk Management Should Be Part of Strategic Planning, Performance Management.”
Performance management is typically perceived too narrowly as just better financial reporting and a bunch of dashboard dials. It is much broader and is better defined as the integration of multiple methodologies (e.g., strategy maps, customer relationship management, activity-based costing), with each methodology embedded with business analytics such as segmentation analysis, and especially predictive analytics. Their collective purpose is to achieve the strategy and to enable better decisions. (I describe this in my book, Performance Management – Integrating Strategy Execution, Methodologies, Risk, and Analytics.)
Risk management is not about minimizing an organization’s risk exposure. Quite to the contrary, it is all about exploiting risk for maximum competitive advantage. A risky business strategy and plan always carry high prices. Effective risk management practices are comprehensive in recognizing and evaluating all potential risks and determining the balance in an organization’s risk appetite. Its goal is less volatility, greater predictability, fewer surprises, and arguably most important, the ability to bounce back quickly after a risk event occurs.
A simple view of risk is that more things can happen than will happen. If an organization can devise probabilities of possible outcomes, then it can consider how it will deal with surprises – outcomes that are different from what it expects. It can evaluate the consequences of being wrong in its expectations. In short, risk management is about dealing in advance with the consequences of being wrong.

November 16th, 2009 at 2:23 pm
I agree with you on this risk management idea. So many people believe and are taught to believe that risk management stands to lessen the risk exposure. While companies need to understand the consequences of taking risk, they will never succeed if they avoid it. www.blogs.vbpoutsourcing.com