It has been 5 years since Gartner embarked on the journey to enhance our coverage of the risk management technology marketplace. That journey included in-depth survey research and countless interactions with our end-user clients to understand their need to better manage strategic, operational and IT/cybersecurity risks. These end-user needs and resulting demand led to the definition of a new technology marketplace – integrated risk management (IRM). While it has been over 2 years since we defined this new IRM marketplace, a few other analyst firms and technology providers still question Gartner’s shift away from the use of governance, risk and compliance (GRC) as a market term. To help clarify for those still questioning the shift, here are 4 reasons why GRC is a useless market term.
1. GRC is not a relevant term for senior leadership and board members
According to a 2017 KPMG survey of more than 800 audit committee and board members, the top challenge is the effectiveness of the risk management program. Yet, 42% of survey respondents report that their risk management program and processes still require “substantial work.” KPMG notes that the board members surveyed are increasingly focused on “key operational risks across the extended global organization — e.g., supply chain and outsourcing risks, information technology (IT) and data security risks, etc.” To manage the diversity of these extended risks, organizations require an integrated approach to risk management. Yet, nowhere in this survey is there mention of the term “GRC”. In fact, in our own surveys of CEOs and senior leaders, the top investment priorities are related to risk management, with no mention of “GRC”.
2. GRC has a negative connotation for many risk management practitioners
Gartner’s 2017 Risk and Security Survey indicates that more organizations are acknowledging that the risk landscape is becoming more complex and interconnected (see figure below). At the same time, organizations believe their current risk management practices are not keeping up with the new and higher levels of risk arising in a more digital world, resulting in greater exposure for their business. 88% of the survey respondents agreed that agility is required for risk management to add value. Unfortunately, in my thousands of client interactions, end-user views of GRC technology effectiveness are not compatible with this need for agility. GRC technology is viewed either as a customized software monstrosity or a fragmented set of tools offering little value to the broader organization.
3. GRC is overly compliance-focused and not risk-based
The term “GRC” was spawned in the early 2000s from the need for better internal control and governance within large enterprises. Much of this need was driven by the compliance requirements associated with the U.S. Sarbanes Oxley Act of 2002, better known globally as SOX. Over time, GRC grew and evolved to become associated with many compliance-driven initiatives designed to improve corporate governance and internal control. However, risk management — in particular, operational and IT risk management — continues to mature as a discipline and is becoming a more practical approach to improve corporate governance and internal control. As such, Gartner and other organizations have recognized a need for new thinking on the subject. For example, in early 2014, NIST released its Cybersecurity Framework recommending the development of IRM programs within organizations to support the reliable functionality of critical infrastructure.
4. GRC as a market term is meaningless
As analyst firms and technology providers capitalized on the compliance frenzy of the early 2000s, GRC as a market term became ubiquitous. As its use to market technology solutions increased, GRC became associated with any compliance related software offering. Thus, the market itself began to lack structure and meaning. At Gartner, this became increasingly evident when we experienced significant difficulty forecasting the GRC market size and demand – it could not be readily defined as a marketplace. Also, when our clients requested information on GRC technology, it required extensive follow-up questions to determine their exact need.
While the term GRC is useless, it will undoubtedly be promoted by analyst firms and technology providers seeking to defend their relevance by focusing on the past. However, as end-users look for better risk management solutions to add value and increase performance for their organizations, IRM continues to be embraced.