Which Enterprise Risk Management Program, GRC or IRM?

Needless to say, any kind of transformation becomes more and more complex in every market with a free economy. Over the last 10 years the same subject has been discussed under the names GRC (Governance, Risk and Compliance), IRM (Integrated Risk Management), 3 Lines, Secure Operations Map, and many other acronyms that I probably don’t even know. Anyone who looks at the current terminology from a different angle gives the product/approach a new name that is correct in their own opinion, or tries to present what they are doing as more important than anything else. Especially in large organizations, creating a solution map at optimum cost has become an extremely important skill.

Therefore, I think it is useful to examine the roots of the subject before following a predetermined and defined program. I’ll write here the definitions given by the inventors of two different terms (GRC & IRM) and ask you to consider the difference for a while:

Governance, Risk and Compliance (GRC): GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity.

Integrated Risk Management (IRM): IRM is a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks.

One of these practices focuses on the reliability of the methods, while the other aims to establish organizations with high-risk awareness to increase performance and potential.

We have already said that confusion about a problem is an inevitable end. So, let’s go back to the basics to uncover the business value lost in this mess. If I ask you for the definition of risk, you will probably think of hundreds of different definitions. My favorite is Cline’s (2015): “Human interaction with uncertainty”. In other words, it is more accurate to think of risk as the interaction of people and organizations with potential outcomes, rather than as the possibility of something bad happening.

Another misconception in risk management is confusing risk with uncertainty. I think this definition of the difference between the two is excellent: risk is the situation in which the decision outcomes and their probabilities of occurrence are known to the decision-maker, and uncertainty is the situation in which such information is not available to the decision-maker.

Better yet, it’s best to remember Donald Rumsfeld’s famous quote about risk and uncertainty: Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.

To summarize with an analogy: whether there is life elsewhere in the universe, and whether extraterrestrial life poses a threat to humanity, is an uncertainty. There is an infinite dimension of information here that we do not yet know we do not know. The deterioration of the ecological balance, the consequences of global warming and the public’s action plan, however, are known unknowns: we know what we do not know, and it is imperative to take precautions against this risk. Global warming is a widely discussed topic, but to understand the value of risk management we can extend the list of important risks we know of using the chart I saw on the World Economic Forum website.

Governing Disruption

In the image above, I highlighted the subject of “Governing Disruption”, which focuses on the changes in audit and risk management after digital transformation and touches my own expertise. However, I strongly recommend that you review this web page for the other topics as well; it is a great example of integrated risk management. As for the necessity of risk management, take ten seconds to imagine that no one in your country is doing anything about the issues discussed there. I think it is scary even to think about. The story is similar for the institutions in which we work and operate.


If you want to establish a risk-based decision-support system and get the maximum benefit from technology, but are still wondering which risk program to implement, I think you should pay attention to the following issues:

  1. In free economies, service/product providers try to create a center of attention by exaggerating minor tweaks to accepted methods or the potential effects of a known problem. Those who do this are not armies of evil capitalists, but people like you and me who look after their own interests. Therefore, the current economy may lead you to make huge investments in smaller problems. Investing in a giant program like GRC or IRM, which is supposed to suit everyone, can often be the right but expensive method. It will always be more advantageous to invest in the issues that touch the root of the problem, without breaking away from programs such as GRC or IRM.
  2. Uncertainty and risk are separate concepts. Uncertainty is a much, much larger set than risk. However, using the magnitude of uncertainty as an excuse not to think on the basis of risk is like pointing at how big the universe is while ignoring the Earth. Agnosticism or fatalism is hardly a risk management method.
  3. I think it is nonsense to call risk analysis a new or fashionable concept, because the virtues we call “trust” or “experience” are the result of risk analyses made with a limited human mind. What we now call the risk-based approach has been one of the most important issues of trade for thousands of years.

Let me close: while the world is developing in all directions, the approaches that should manage this development and its dark side always lag behind. It was the same in the French Revolution and in the Industrial Revolution. We say we are now in the era of digital revolution/transformation, but again little is done about the risks and threats. Of course, waging war against the unknown resembles Don Quixote’s war against windmills, but it is now a necessity, for both the world and organizations, to design a multidimensional decision tree based on the issues whose alternative outcomes we can foresee, and to rely on numbers, not feelings, when doing so.
