He’s been talking about it for almost a year now, and this week we are starting to see some of the progress from the effort. For those of you who have followed the GRC (governance, risk management, and compliance) space, you’ll know that it’s a bit of a nightmare. It’s been sub-divided, historically, between “IT GRC” and “EGRC” (“E” being for “enterprise”). There are also a couple of other potential categories, like “Legal GRC” and “Financial GRC,” but those have been far less prominent.
The problem, however, is that it’s incredibly difficult to define products under these generic headers, let alone compare and contrast them. Take, for example, our own EGRC Magic Quadrant. It compares companies like SAS and SAP to RSA Archer and MetricStream to a bunch of other companies, all of which have a wide range of functions, use cases, user bases, and so on. Trying to fit vendors into these spaces has been a headache and a half. But we have an idea for how to fix it…
Under Paul Proctor’s leadership, and described in more detail in his blog post, “Gartner Resets Approach to GRC,” Gartner is setting out to redefine the marketplace. Instead of focusing on functionality, we’re going to try something different: focusing on use cases. What problems are clients trying to solve when they solicit bids from vendors?
To that end, Gartner will be starting with 6 use cases:
- IT Risk Management (ITRM)
- Operational risk management (ORM)
- Audit management
- Vendor risk management (VRM)
- Business continuity management (BCM)
- Corporate Compliance and Oversight
Read Paul’s blog post for more details on each of these. If you’re a vendor in the space, look for a survey request from Gartner. If you’re a client with interest in these use cases, you will have a potential opportunity to contribute, too.
Overall, this is an exciting development for the GRC space and for Gartner. We hope to finally bring some sensible definition to the market, and to help both clients and vendors start achieving better success. These tools have a lot to offer, but they only work well when the customer knows their use case, and when the vendors are well-matched to those needs.