John Wheeler of Gartner penned a piece calling for an evolution from compliance-aware to risk-aware governance programs. What does that mean for the risk management programs of the world?
Doubling down on GRC's failures
John identifies the genesis of Governance, Risk and Compliance (GRC) as meeting the need for improved controls management. That means understanding:
- What governance processes should exist within organizations.
- What risks they face.
- To what degree they are compliant with regulatory expectations.
Thus, a software industry was born.
10 years later, the failure mode for GRC-oriented programs is all too obvious: disconnection from risk. The tell-tale sign is visible in John Wheeler's summary of Integrated Risk Management (IRM): "Simply put, IRM is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks."
GRC-oriented risk programs home in on compliance objectives. The unintended consequence is that risk goes by the wayside. Shifting culture from compliance-aware to risk-aware allows the core tenet of risk management to take back the limelight. This is not a total indictment of GRC-oriented programs. The awareness of the problem space is forcing organizations to mature in spaces such as:
- Cybersecurity posture.
- Operational resilience.
The cost was ineffective decision making based on poor risk measurement.
Can IRM succeed where GRC failed?
Organizations do not explicitly make these trade-offs when orienting risk management around GRC tenets. But it becomes evident once we accept that evolving GRC into IRM means identifying a risk-aware culture. Compliance-aware risk management implies that when we are compliant we have no risk. This is the failure mode of GRC-oriented programs. Compliance with any standard does not remove risk.
Gartner's evolution from GRC towards IRM seeks to remedy the situation. This is a positive step towards encouraging organizations to focus on what the business cares about: risk. A risk-aware program leveraging the IRM attributes brings the focus out of compliance and into risk management in a way that can support better decision making.