Gartner Blog Network


3 Resolutions to Turn GRC Failure Into IRM Success

by John A. Wheeler  |  January 3, 2018

As we begin the new year, many of our clients are searching for ways to turn their failures with Governance, Risk and Compliance (GRC) technology into successful Integrated Risk Management (IRM) solution deployments. I talk to organizations from across the globe on a daily basis about their struggles to manage risks more effectively – particularly as it relates to the convergence of digital and physical environments. Past GRC approaches and technology solutions are ill-equipped to address these new and increasingly pervasive digital risks because they are rigid and compliance-driven. IRM offers flexibility and risk-based insight needed to manage the expanding digital business landscape.

Here are three new year’s resolutions to avoid GRC failures of the past and deploy a successful IRM solution set.

1) Do not lead with technology

Most GRC failures are typically a result of organizations first seeking the answer to their risk management challenges via technology. Unfortunately, risk management technology is simply an enabler of mature risk management programs. It is imperative to develop a solid risk framework first that will help define and facilitate communication at all levels, from the strategic to the tactical.

2) Break down the silos

Too many organizations do not have a comprehensive risk view, particularly as it relates to the intersections of cybersecurity, IT, operational and enterprise risk. The primary reason is the lack of clear vision and leadership across these risk management domains. Executive management must take the lead in breaking down the organizational silos and establishing key metrics to promote the management of risks that will have the greatest impact on the most important enterprise-wide objectives. While many of our clients will say they have an enterprise risk management (ERM) program, it typically is only a broad, horizontal view of risk categories. What it lacks is tight, vertical integration of risk management domains down through the organization (see figure below).

[Figure: risk connective tissue, showing vertical integration of risk management domains through the organization]

3) Focus on content and usability

The ultimate keys to successful use of risk management technology are found in the content and usability of the solution. Content is end-user driven and takes the form of robust risk assessments, metrics, policies, standards and controls. Without continuous end-user input, the content quickly becomes stale and ineffective. One of the primary reasons for weak content is the difficulty end-users face in using risk management technology. The difficulty is not only rooted in poor user interface design, but also in the multitude of stand-alone GRC applications that are compliance-driven and single-purpose. A common complaint is the need to maintain and reconcile multiple risk assessments across different technology platforms. An integrated approach will greatly reduce effort and improve the quality of risk management practices.

To learn more about IRM and the use of these technology solutions, read our recently published research: “Market Trends: GRC Era Is Over as Customers Adopt Integrated Risk Management” (Gartner subscription required).


Category: cyber-risk  cyber-security  enterprise-risk-management  grc  integrated-risk-management  irm  operational-risk-management  risk-management  security  strategic-risk  trends-predictions  

Tags: grc  irm  risk-management  

John A. Wheeler
Senior Director, Advisory - Integrated Risk Management
8 years at Gartner
29 years IT Industry

John A. Wheeler leads analyst coverage of integrated risk management (IRM) technology solutions and professional services. His areas of specialty include risk management, executive leadership and corporate governance. Follow him on Twitter @JohnAWheeler.



