Integrated Risk Management — Should It Replace GRC?
In late 2017, John Wheeler, Gartner’s Global Research Leader for Risk Management Technology, claimed that Governance, Risk, and Compliance (GRC) had become obsolete. In a blog, he announced that Gartner would shift its focus from GRC to Integrated Risk Management (IRM).
Gartner defines IRM as “a set of practices and processes supported by a risk-aware culture and enabling technologies that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.” The research firm also predicts that the number of large enterprises using an IRM solution set will rise from 30% in 2017 to 50% in 2021.
Wheeler believes IRM can shift from GRC’s compliance focus to an analysis of how risk affects all business operations. But is IRM really all that different from GRC? And is a new term necessary for GRC programs that already have a complementary enterprise risk management (ERM) focus?
Is a shift from GRC to IRM necessary?
The increasing emphasis on Big Data and the Internet of Things (IoT), together with globalization and the growing use of third-party vendors, all heighten concern over organizational risk. But wasn’t a GRC program — when combined with ERM — already capable of managing these evolving risks?
Although the goals of both GRC and ERM are the same, the approaches have traditionally been very different. GRC is more of a conceptual approach to governance and compliance issues. By contrast, ERM is the quantifiable process of measuring risk.
Many organizations struggle when combining several different platforms to meet compliance and risk needs. But what if there is a solution that rests at the intersection of both? While Gartner says prioritizing compliance can hurt risk management, the right ERM-GRC solution can help your organization focus on both.
Combine GRC and ERM in one solution
More organizations are turning to adaptable, configurable, and intuitive ERM-GRC solutions to meet the needs of integrated risk management. The best of these allow them to master compliance and risk with fully integrated and turnkey functionality.
An organization’s policies and controls can be linked to federal and state laws, guidelines, and compliance requirements within an ERM-GRC system that has compliance policy management features. These provide a central hub for managing policies, procedures, and enterprise documentation covering regulatory, legal, and compliance requirements as well as audits and examinations.
ERM-GRC software offers a solution for an organization’s risk and compliance environment, no matter what acronym it’s given. An organization can take firmer control with a balanced combination within a structured framework.