Blog post

3 Resolutions to Turn GRC Failure Into IRM Success

By John A. Wheeler | January 03, 2018

Tags: Technology and Emerging Trends, Tech and Service Providers, Strategic risk, Security and Risk Management Leaders, Security, Risk Management, Operational risk management, Legal and Compliance, IRM, integrated risk management, GRC, Enterprise risk management, Cyber security, Cyber risk, Business Continuity Management, Audit and Risk, Enterprise Risk Management Program Management, Risk Assessment Process and Methodologies, Risk Coverage, Risk Response Strategies

As we begin the new year, many of our clients are searching for ways to turn their failures with Governance, Risk and Compliance (GRC) technology into successful Integrated Risk Management (IRM) solution deployments. I talk to organizations from across the globe on a daily basis about their struggles to manage risk more effectively, particularly where digital and physical environments converge. Past GRC approaches and technology solutions are ill-equipped to address these new and increasingly pervasive digital risks because they are rigid and compliance-driven. IRM offers the flexibility and risk-based insight needed to manage the expanding digital business landscape.

Here are three new year’s resolutions to avoid GRC failures of the past and deploy a successful IRM solution set.

1) Do not lead with technology

Most GRC failures result from organizations first seeking the answer to their risk management challenges in technology. Risk management technology, however, is only an enabler of a mature risk management program. It is imperative to develop a solid risk framework first, one that defines the program and facilitates communication at all levels, from the strategic to the tactical.

2) Break down the silos

Too many organizations do not have a comprehensive risk view, particularly as it relates to the intersections of cybersecurity, IT, operational and enterprise risk. The primary reason is the lack of clear vision and leadership across these risk management domains. Executive management must take the lead in breaking down the organizational silos and establishing key metrics to promote the management of risks that will have the greatest impact on the most important enterprise-wide objectives. While many of our clients will say they have an enterprise risk management (ERM) program, it typically is only a broad, horizontal view of risk categories. What it lacks is tight, vertical integration of risk management domains down through the organization (see figure below).


3) Focus on content and usability

The ultimate keys to successful use of risk management technology are the content and usability of the solution. Content is end-user driven and takes the form of robust risk assessments, metrics, policies, standards and controls. Without continuous end-user input, the content quickly becomes stale and ineffective. One of the primary reasons for weak content is the difficulty end-users face in using risk management technology. The difficulty is rooted not only in poor user interface design, but also in the multitude of stand-alone GRC applications that are compliance-driven and single-purpose. A common complaint is the need to maintain and reconcile multiple risk assessments across different technology platforms. An integrated approach greatly reduces that effort and improves the quality of risk management practices.

To learn more about IRM and the use of these technology solutions, read our recently published research: “Market Trends: GRC Era Is Over as Customers Adopt Integrated Risk Management” (Gartner subscription required).
