What Does a Gartner Shift From GRC to IRM Mean for Risk Management Programs?

By Isaiah McGowan | February 25, 2019


John Wheeler, lead analyst at Gartner for integrated risk management (IRM)  solutions,  penned a piece calling for an evolution from compliance-aware to risk-aware governance programs. What does that mean for the risk management programs of the world?

This post was originally published in 2017. John Wheeler recently gave it a shout-out on Twitter (see below).
Doubling down on GRCs failures John identifies the genesis of Governance, Risk and Compliance (GRC) as meeting the need for improved controls management. That means understanding:
  • What governance processes should exist within organizations.
  • What risks do they face.
  • To what degree are they compliant with regulatory expectations.

Thus, a software industry was born.

10 years later, the failure mode for GRC-oriented programs is all too obvious: disconnection from risk. The tell-tale sign is visible in John Wheeler’s summary of Integrated Risk Management (IRM): "Simply put, IRM is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.”

GRC-oriented risk programs hone in on compliance objectives. The unintended consequence is risk goes by the wayside. Shifting culture from compliance to risk-aware allows the core tenant of risk management to take back the limelight. This is not a total indictment of GRC-oriented programs. The awareness of the problem space is forcing organizations to mature in spaces such as:

  • Cybersecurity posture.
  • Operational resilience.

The cost was ineffective decision making based on poor risk measurement.

Can IRM succeed where GRC failed?

Organizations do not explicitly make these trade-offs when orienting risk management around GRC tenants. But, it becomes evident once we accept that evolving GRC into IRM means identifying a risk-aware culture. Compliance-aware risk management implies that when we  are compliant we  have no risk. This is the failure-mode of GRC-oriented programs. Compliance to any standard does not remove risk.

Gartner’s evolution from GRC towards IRM seeks to remedy the situation. This is a positive step towards encouraging organizations to focus on what the business cares about: risk. A risk-aware program leveraging the IRM attributes brings the focus out of compliance and into risk management in a way that can support better decision making.

Read more: 

Gartner Names Risk Quantification a Critical Capability of Integrated Risk Management

How ADP Gets Business Value from Its Risk Register with FAIR and RiskLens

RiskLens is the only cyber risk quantification solution purpose-built on FAIR, the international standard for cyber risk quantitative analysis.  Some 30% of Fortune 1000 companies are represented among the 4,000 members of the FAIR Institute, the non-profit group dedicated to FAIR education.