John Wheeler, lead analyst at Gartner for integrated risk management (IRM) solutions, penned a piece calling for an evolution from compliance-aware to risk-aware governance programs. What does that mean for the risk management programs of the world?
This post was originally published in 2017. John Wheeler recently gave it a shout-out on Twitter (see below).

Doubling down on GRC's failures

John identifies the genesis of Governance, Risk and Compliance (GRC) as meeting the need for improved controls management. That means understanding:

Thus, a software industry was born.
10 years later, the failure mode for GRC-oriented programs is all too obvious: disconnection from risk. The tell-tale sign is visible in John Wheeler's summary of Integrated Risk Management (IRM): "Simply put, IRM is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks."
GRC-oriented risk programs home in on compliance objectives. The unintended consequence is that risk goes by the wayside. Shifting culture from compliance-aware to risk-aware allows the core tenet of risk management to take back the limelight. This is not a total indictment of GRC-oriented programs. Awareness of the problem space is forcing organizations to mature in spaces such as:
The cost was ineffective decision making based on poor risk measurement.
Can IRM succeed where GRC failed?
Organizations do not explicitly make these trade-offs when orienting risk management around GRC tenets. But it becomes evident once we accept that evolving GRC into IRM means identifying a risk-aware culture. Compliance-aware risk management implies that when we are compliant we have no risk. This is the failure mode of GRC-oriented programs. Compliance with any standard does not remove risk.
Gartner's evolution from GRC towards IRM seeks to remedy the situation. This is a positive step towards encouraging organizations to focus on what the business cares about: risk. A risk-aware program leveraging the IRM attributes brings the focus out of compliance and into risk management in a way that supports better decision making.
The Failure of #GRC - “Gartner’s evolution from GRC towards #IRM seeks to remedy the situation. This is a positive step towards encouraging organizations to focus on what the business cares about: #risk.” #riskmanagement #notGRC https://t.co/CbJmm6sawy
— John A. Wheeler (@JohnAWheeler) February 15, 2019
Read more:
Gartner Names Risk Quantification a Critical Capability of Integrated Risk Management
How ADP Gets Business Value from Its Risk Register with FAIR and RiskLens
RiskLens is the only cyber risk quantification solution purpose-built on FAIR, the international standard for cyber risk quantitative analysis. Some 30% of Fortune 1000 companies are represented among the 4,000 members of the FAIR Institute, the non-profit group dedicated to FAIR education.