In conjunction with the start of our 2015 U.S. Security & Risk Management Summit today in Washington, DC, Gartner launched its integrated “OneGRC” research program. This year, I will be leading a select group of Gartner research analysts in evaluating the Governance, Risk & Compliance (GRC) market and its related segments. The result of our efforts will be a slate of research reports (see below) that will publish over the next 12 months.
Our “Hype Cycle for GRC Technologies” and “Market Guide for GRC Software Platforms” will highlight a number of technologies and software vendors that span the wider GRC software market. We will also publish a set of reports (Magic Quadrants, Critical Capabilities and Market Guides) focused specifically on seven market segments within GRC. These seven market segments include:
1. IT Risk Management
IT risks are those within the scope and responsibility of IT, the IT department or IT dependencies that create uncertainty in daily tactical business activities, as well as IT risk events resulting from inadequate or failed internal IT processes, people or systems, or from external events. IT risk management (ITRM) software applications automate IT risk assessments, policy management, compliance mapping and reporting, security operations analysis and reporting, and incident management.
2. Operational Risk Management
Operational risks are those risks that “relate to the uncertainty of daily tactical business activities, as well as risk events resulting from inadequate or failed internal processes, people or systems, or from external events.” ORM software applications allow organizations to aggregate and normalize data from multiple data sources, including operational and financial systems, as well as from external sources such as regulatory alerts and loss event databases.
3. IT Vendor Risk Management
Vendor risk management programs help organizations manage the risks of third parties with adequate controls for business continuity management, vendor performance, vendor viability and data protection. Failure to comply with the mandates covering these areas can have significant audit-related repercussions, which can undermine shareholder value and corporate viability. The IT VRM market addresses risks related to regulatory compliance and information security that arise from enterprises’ increased use of, and reliance on, third-party IT service providers and IT vendors. Solutions in this market have capabilities ranging from risk assessment to risk monitoring and risk rating.
4. Business Continuity Management Planning
BCM is the practice of coordinating, facilitating and executing activities that ensure an enterprise’s effectiveness in identifying risks that can lead to business disruptions, implementing disaster recovery solutions and recovery plans, responding to disruptive events, and recovering mission-critical business operations. Business continuity management planning (BCMP) software automates processes such as risk assessment, business impact analysis (BIA), and recovery plan development, exercising and invocation. BCMP tools can greatly benefit organizations by jump-starting their BCM programs and quickly improving their overall continuity capability.
5. Audit Management
Internal auditors act as auditors, consultants and advisors to the business. In general, internal auditors have three roles: auditing, providing advice to middle and senior management, and providing consultation to business process stakeholders. When risk owners and management do not identify risk or adequately mitigate the risk, it is imperative for the internal auditors to provide independent and objective insight on risk. The audit management solution market caters to this need by automating internal audit operations through its core and value-added offerings. These solutions automate audit planning, scheduling, work paper management, time and expense management, reporting, and issue management.
6. Corporate Compliance and Oversight
The scope of compliance management programs continues to increase, and regulatory compliance and change management get more and more complicated. The recent increase in focus on commercial compliance (increasingly required by business partners) and organizational compliance requirements (such as ethics and corporate social responsibility, CSR) has made the compliance manager’s role ever more challenging. Corporate compliance and oversight software supports the goals and activities of compliance leaders, providing automated policy development and management; compliance risk assessment; control rationalization, assessment and attestation; regulatory change management; and investigative case management.
7. Enterprise Legal Management
Enterprise legal management software applications are focused on supporting the legal and compliance departments, corporate secretaries, board of directors and senior management. They provide support through better documentation, spend management, information availability and collaboration via an integrated set of applications that include matter management, e-billing, financial/spend management, legal document management and business process management.
The full set of these “OneGRC” research reports will give our readers the best view of the entire GRC software marketplace as they work towards integrating their GRC software solutions. More information about this “OneGRC” research program will be provided this week at our U.S. Summit as well as at our upcoming Summit events across the globe.