Gartner Blog Network

Why Risk Management Needs an IT Application Strategy Now

by John A. Wheeler  |  December 4, 2013  |  4 Comments

Everyone has one. Somewhere in the kitchen or garage at home is the infamous “junk drawer”. Over time it fills up with gadgets, tools, scraps of paper with to-do lists and various other items of varying usefulness. Invariably, though, there are moments when you rush to the drawer looking for the one item you need, and finding it becomes a struggle. As you rifle through the drawer, you begin to wonder how all these items found their way there in the first place. More often than not, each item does have a specific use and value, or it would not have been put in the drawer. It becomes junk when we forget why we needed it or how it can be used on a regular basis.

This junk drawer analogy is an apt description of the state of the risk management IT application portfolio at many companies today. During the past decade, risk management has matured as a formal discipline, and the related software applications have evolved with it. The result is a software category commonly known as GRC (governance, risk and compliance).

Similar to the ERP software solutions that support financial management or supplier management functions, GRC software solutions run the gamut from broad-based risk and compliance platforms to purpose-built risk analytics applications. As companies have built out their risk management programs across the enterprise, they have filled their GRC “junk drawer” with a range of applications that vary in their usefulness and in their relationship to one another.

At Gartner, we have recognized a clear desire among companies and risk management organizations to clean out their GRC “junk drawer”. To do this, risk management organizations need an organized, structured IT application strategy. What we recommend is a pace-layered application strategy for GRC that classifies your software applications into three primary layers: systems of record, systems of differentiation and systems of innovation.

By doing so, you can begin to manage the applications at the pace of change demanded by the risk management program as well as the business at large. You will also be in a much better position to maximize the usefulness of your risk-related applications and prevent your GRC “junk drawer” from filling up again.


Category: enterprise-risk-management  grc  it-risk-management  

Tags: grc  pace-layered-application-strategy  

John Wheeler
Research Director
4 years at Gartner
25 years IT Industry

John A. Wheeler is a Research Director with responsibility for covering risk management and executive leadership topics. His areas of specialty include enterprise risk management, internal audit, corporate governance and IT/operational risk. Follow him on Twitter: @JohnAWheeler.

Thoughts on Why Risk Management Needs an IT Application Strategy Now

  1. Hi John,

    Well said about management and IT. Totally kick-off post. Thanks for sharing this great post with us, and great points about ERP & GRC software.

    I’ll wait for your new post.

  2. AS says:

    A “bit” more than “an organized, structured IT application strategy”.

    1) Proper use of entarch –

    2) Use the power of BPM –


  3. Cynthia J. Vazquez says:

    Thanks John! It was a great read. Like in any other industry, IT applications play a major role in risk management also. But the question is to what extent it can influence the needs.

  4. Totally agree that there’s a growing desire to ‘clean out the junk’. Our experience in dealing with clients is that they view portfolio analysis as a monolithic task that rarely has funding. Trying to find fast ways that don’t cripple the budget and resources has been an effective first step towards a pace-layered strategy. Here’s more about a bite-sized approach

    Good post – thanks.


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.