The Institute of Risk Management


The Relationship between Enterprise Risk Management (ERM) and Governance, Risk and Compliance (GRC)




Raida M. Mashal



International Diploma in Risk Management

Level 3 Practical Assignment


1. Executive summary

Risk management practitioners have two major methodologies for applying best risk management practices: ERM and GRC. However, there is a big debate among risk management practitioners regarding the importance, role, benefit and coverage of each method. Moreover, software solutions have contributed greatly to the diffusion of the GRC approach. Organisations are also exhaustively encouraged by vendors to adopt GRC to achieve their objectives and improve their performance, without a sufficiently impartial view. Consequently, there is no answer to whether organisations need both for the best results. It is also ambiguous whether one of these methods alone could cover an organisation's needs.

Building a comparison between ERM and GRC will help organisations to identify the two methods. It will provide an objective description and an impartial standpoint for both methods that will reveal some suspicions about GRC, and allow organisations to make better decisions about adopting, developing or retaining their approach to managing risks to achieve their objectives and improve their performance.

1.1. The study benefit

Studying this issue will help a large number of risk management practitioners and organisations to distinguish between the two approaches and to identify the benefit of each, so that they can make mature decisions about their risk management methodology.

Also, the research will provide impartial information to help in evaluating GRC market offers.

1.2. Aims and objectives

1.2.1. The aim of the study

Identify and analyse the GRC approach and its added value in comparison with the ERM approach.

1.2.2. The objectives of the study

  1. Identify the ERM and GRC approaches.
  2. Identify the relationship between the ERM and GRC approaches.
  3. State the holistic nature, effectiveness and efficiency of the GRC approach and whether it could replace the ERM approach or not.

1.3. Methodology

The research built a comparison between ERM and GRC to underline the relationship between the two methods by pointing out their differences and similarities in definitions, objectives, and tools and techniques.

To achieve that, the research used a qualitative, descriptive and explanatory research method. Secondary data were collected for the theoretical part of the research, and primary data (explanatory analysis; survey) were collected from a focus group of risk management practitioners (appendix 2).

1.4. Study conclusions

The study concluded that the ERM and GRC methodologies are similar in definitions, objectives, and tools and techniques, and that the relationship between the two approaches is integration.

The ERM approach is better than the GRC approach on several points, thus there is not sufficient evidence to prove or deny GRC effectiveness and efficiency.

Accordingly, the study concluded that GRC could not replace ERM, and that GRC could be listed under ERM frameworks or as an ERM technology provider.

Finally, the study calls on researchers to research GRC in order to define its approach clearly and to conduct empirical studies to criticise its effectiveness and efficiency. Moreover, the study recommends that organisations exclude the GRC approach until researchers validate it.

For more details please contact me via comments

Raida Mashal