Gartner Blog Network

4 Reasons Why GRC Is a Useless Term

by John A. Wheeler  |  March 6, 2019  |  Submit a Comment

It has been 5 years since Gartner embarked on the journey to enhance our coverage of the risk management technology marketplace. That journey included in-depth survey research and countless interactions with our end-user clients to understand their need to better manage strategic, operational and IT/cybersecurity risks. These end-user needs and resulting demand led to the definition of a new technology marketplace – integrated risk management (IRM). While it has been over 2 years since we defined this new IRM marketplace, a few other analyst firms and technology providers still question Gartner’s shift away from the use of governance, risk and compliance (GRC) as a market term. To help clarify for those still questioning the shift, here are 4 reasons why GRC is a useless market term.

1. GRC is not a relevant term for senior leadership and board members

According to a 2017 KPMG survey of more than 800 audit committee and board members, the top challenge is the effectiveness of the risk management program. Yet, 42% of survey respondents report that their risk management program and processes still require “substantial work.” KPMG notes that the board members surveyed are increasingly focused on “key operational risks across the extended global organization — e.g., supply chain and outsourcing risks, information technology (IT) and data security risks, etc.” To manage the diversity of these extended risks, organizations require an integrated approach to risk management. Yet, nowhere in this survey is there mention of the term “GRC”.  In fact, in our own surveys of CEOs and senior leaders, the top investment priorities are related to risk management, with no mention of “GRC”.

2. GRC has a negative connotation for many risk management practitioners

Gartner’s 2017 Risk and Security Survey indicates that more organizations are acknowledging that the risk landscape is becoming more complex and interconnected (see figure below). At the same time, organizations believe their current risk management practices are not keeping up with the new and higher levels of risk arising in a more digital world, resulting in greater exposure for their business. 88% of the survey respondents agreed that agility is required for risk management to add value. Unfortunately, in my thousands of client interactions, end-user views of GRC technology effectiveness are not compatible with this need for agility. GRC technology is viewed either as a customized software monstrosity or a fragmented set of tools offering little value to the broader organization.

3. GRC is overly compliance-focused and not risk-based

The term “GRC” was spawned in the early 2000s from the need for better internal control and governance within large enterprises. Much of this need was driven by the compliance requirements associated with the U.S. Sarbanes Oxley Act of 2002, better known globally as SOX. Over time, GRC grew and evolved to become associated with many compliance-driven initiatives designed to improve corporate governance and internal control. However, risk management — in particular, operational and IT risk management — continues to mature as a discipline and is becoming a more practical approach to improve corporate governance and internal control. As such, Gartner and other organizations have recognized a need for new thinking on the subject. For example, in early 2014, NIST released its Cybersecurity Framework recommending the development of IRM programs within organizations to support the reliable functionality of critical infrastructure.

4. GRC as a market term is meaningless

As analyst firms and technology providers capitalized on the compliance frenzy of the early 2000s, GRC as a market term became ubiquitous. As its use to market technology solutions increased, GRC became associated with any compliance related software offering. Thus, the market itself began to lack structure and meaning.  At Gartner, this became increasingly evident when we experienced significant difficulty forecasting the GRC market size and demand – it could not be readily defined as a marketplace.  Also, when our clients requested information on GRC technology, it required extensive follow-up questions to determine their exact need.

While the term GRC is useless, it will undoubtedly be promoted by analyst firms and technology providers seeking to defend their relevance by focusing on the past. However, as end-users look for better risk management solutions to add value and increase performance for their organizations, IRM continues to be embraced.

Additional Resources

Five Board Questions That Security and Risk Leaders Must Be Prepared to Answer

As board members realize how critical security and risk management is, they are asking leaders more complex and nuanced questions. This research helps security and risk management leaders decipher five categories of questions they must be prepared to answer at any board or executive meeting.

Read Free Gartner Research

Category: audit-and-risk  business-continuity-management  compliance-management  cyber-risk  cyber-security  digital-risk  enterprise-risk-management  enterprise-risk-management-program-management  grc  integrated-risk-management  irm  legal-and-compliance  operational-risk-management  risk-management  risk-management-process  security  security-and-risk-management-leaders  strategic-risk  technology-and-emerging-trends  third-party-risk-management  

Tags: cybersecurity  digital-risk-2  gartner  grc  integrated-risk-management  irm  operational-risk  risk-management  

John A. Wheeler
Global Research Leader - Risk Management Technology
9 years at Gartner
30 years IT Industry

John A. Wheeler is global research leader for risk management technology solutions and professional services. His areas of specialty include integrated risk management, executive leadership and corporate governance. Follow him on Twitter @JohnAWheeler Read Full Bio

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.