I just returned from the MetricStream GRC Summit in Las Vegas where I presented a keynote on risk management and performance. The summit was very well planned, organized, and executed. The speakers and panel participants talked not just theory but provided practical examples of the benefits and challenges of using GRC technologies to improve their risk management and compliance programs.
Last week I made a similar keynote to the Institute of Internal Auditors Quebec chapter. In both keynotes, I focused on the ERM/GRC blueprint concept that John Wheeler and I published in March. This blueprint provides a practical approach for identifying the goals of ERM programs in terms of strategic business objectives, and linking that to an underlying GRC architecture that can drive business performance benefits. After each session, attendees asked if I could meet with their boards of directors and share this concept and the strategic drivers of GRC. It’s exciting to see this very positive reaction to the idea that GRC can positively impact business value creation.
In a sidebar conversation at the MetricStream summit, an investor told me that he’s excited that GRC is becoming a true risk management platform that can integrate with processes throughout a company – he sees it as the next ERP. I agree the GRC marketplace is a good investment, but GRC platforms are not going to become super embedded in the enterprise by orchestrating risk management – they will do so by orchestrating business performance. Some vendors are starting to recognize this, and more will follow. In less than three years, all leading GRC vendors will support integrated performance and risk management.
PS — At the MetricStream GRC summit, putting my colleague Paul Proctor on a panel with Network Frontier’s Dorian Cougias was a stroke of genius — no one in that non-IT audience could understand the security geek-speak those two got into, but they were so entertaining that no one cared.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.