He’s been talking about it for almost a year now, and this week we are starting to see some of the progress from the effort. For those of you who have followed the GRC (governance, risk management, and compliance) space, you’ll know that it’s a bit of a nightmare. It’s been sub-divided, historically, between “IT GRC” and “EGRC” (“E” being for “enterprise”). There are also a couple of other potential categories, like “Legal GRC” and “Financial GRC,” but those have been far less prominent.
The problem, however, is that it’s incredibly difficult to define products under these generic headers, let alone compare and contrast them. Take, for example, our own EGRC Magic Quadrant. It compares companies like SAS and SAP to RSA Archer and MetricStream to a bunch of other companies, all of which have a wide range of functions, use cases, user bases, and so on. Trying to fit vendors into these spaces has been a headache and a half. But we have an idea for how to fix it…
Under Paul Proctor’s leadership, and described in more detail in his blog post, “Gartner Resets Approach to GRC,” Gartner is setting out to redefine the marketplace. Instead of focusing on functionality, we’re going to try something different: focusing on use cases. What problems are clients trying to solve when they solicit bids from vendors?
To that end, Gartner will be starting with 6 use cases:
- IT risk management (ITRM)
- Operational risk management (ORM)
- Audit management
- Vendor risk management (VRM)
- Business continuity management (BCM)
- Corporate compliance and oversight
Read Paul’s blog post for more details on each of these. If you’re a vendor in the space, look for a survey request from Gartner. If you’re a client with interest in these use cases, you will have a potential opportunity to contribute, too.
Overall, this is an exciting development for the GRC space and for Gartner. We hope to finally bring some sensible definition to the market, and to help both clients and vendors start achieving better success. These tools have a lot to offer, but they only work well when the customer knows their use case, and when the vendors are well-matched to those needs.