Blog post

Gartner’s New IRM Magic Quadrant Signals End of GRC Era

By John A. Wheeler | August 16, 2017 | 8 Comments

Technology and Emerging TrendsTech and Service ProvidersStrategic riskSecurity and Risk Management LeadersRisk ManagementOperational risk managementLegal riskLegal and ComplianceIT vendor risk managementIT risk managementInformation technologyGRCEnterprise risk managementDigital riskCyber securityCompliance managementBusiness Continuity ManagementAudit managementAudit and RiskEnterprise Risk Management Program ManagementRisk Assessment Process and MethodologiesRisk CoverageRisk Response Strategies

Over the past several years, Gartner has evolved its research of Governance, Risk and Compliance (GRC) technology solutions to meet the increasingly complex needs of the security and risk management leaders it serves. In addition, Gartner continues to enhance its groundbreaking research associated with the future of digital business. As a result, Gartner is shifting focus away from GRC and expanding its risk technology research through the planned publication of the first Magic Quadrant for Integrated Risk Management (IRM).

As we outlined last year in our research publication (subscription required), Transform Governance, Risk and Compliance to Integrated Risk Management, IRM enables simplification, automation and integration of strategic, operational and IT risk management processes and data. IRM goes beyond the traditional, compliance-driven GRC technology solutions to provide actionable insights that are aligned with business strategies, not just regulatory mandates.

The new Magic Quadrant for Integrated Risk Management will evaluate technology providers who serve the needs of security and risk management leaders across a spectrum of use cases. These providers offer integrated solution sets via a single platform offering or across an array of software modules.

Key to the success of IRM is the ability to provide a vertically integrated view of risk starting with an organization’s strategy through its business operations and ultimately into the enabling technology assets. To do this, technology providers must deliver horizontally integrated capabilities across a set of six primary use cases (see figure 1 below). The use cases include:

Digital Risk Management (DRM)

DRM technology integrates the management of risks specifically associated with digital business components, such as cloud, mobile, social and big data, as well as third-party technology, such as artificial intelligence and machine learning, operational technology (OT), and the Internet of Things (IoT).

Vendor Risk Management (VRM)

Vendor risk management programs help organizations manage the risks of third parties with adequate controls for business continuity management, vendor performance, vendor viability security and data protection. Failure to comply with these mandates can have significant audit-related, and, for some industries, regulatory repercussions, which can undermine shareholder value and corporate viability. The VRM market addresses risks related to regulatory compliance, information security and vendor performance that arose from enterprises’ increased use of, and reliance on, service providers and IT vendors. Solutions in this market have capabilities ranging from risk assessment to risk monitoring and risk rating.

Business Continuity Management (BCM)

Business continuity management is the practice of coordinating, facilitating and executing activities that ensure an enterprise’s effectiveness in identifying risks that can lead to business disruptions, implementing disaster recovery solutions and recovery plans, responding to disruptive events and recovering mission-critical business operations. BCM software automates processes such as risk assessment, business impact analysis (BIA), and recovery plan development, exercising and invocation. BCM tools can greatly benefit organizations by jump-starting their BCM programs and quickly improving their overall continuity capability.

Audit Management (AM)

Internal auditors have three roles: auditing, providing advice to middle and senior management, and providing consultation to business process stakeholders. When risk owners and management do not identify risk or adequately mitigate the risk, it is imperative for the internal auditors to provide independent and objective insight on risk. The audit management solution market caters to this need by automating internal audit operations. These solutions automate audit planning, scheduling, work paper management, time & expense management, reporting and issue management.

Corporate Compliance & Oversight (CCO)

The scope of compliance management programs continues to increase. Regulatory compliance and change management gets more and more complicated. The recent increase in focus on commercial compliance (increasingly required by business partners) and organizational compliance requirements (such as ethics and corporate social responsibility) has made the compliance manager’s role ever more challenging. Corporate compliance and oversight software supports the goals and activities of compliance leaders, providing automated policy development and management, compliance risk assessment, control rationalization, assessment and attestation, regulatory change management and investigative case management.

Enterprise Legal Management (ELM)

Enterprise legal management software applications are focused on supporting legal and compliance departments, corporate secretaries, boards of directors and senior management. They provide support through better documentation, spend management, information availability and collaboration via an integrated set of applications that include matter management, e-billing, financial/spend management, legal document management and business process management.

Through this integrated risk management approach, organizations can reach higher levels of program maturity and deliver real value in the form of stronger performance, increased resilience, better assurance and more efficient compliance.

We plan to kick-off our IRM research process in September 2017 with planned publication of the Magic Quadrant report in Q2 2018.  If you are a technology provider that is interested in participating as part of our research effort, please send your contact information (company name, primary and secondary contact persons, phone and email) to by August 31, 2017.

If you are interested in learning more about IRM, I will be speaking at our upcoming Security & Risk Management Summits in Sydney and London. Hope to see you there!


Figure 1 – Gartner’s New Focus on IRM

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Sam Abadir says:

    John –

    Looking forward to talking to you about the new diagram you have in Figure 1. I like how you are evolving the thought process and modeling.


  • John, I am trying to understand why you have separated IT risk from the Operation Risk in your model. IT Risk is a sub-set of Operational Risk and so are the other things such as People, Suppliers & Stakeholders, Information..etc.

    • I agree completely that IT risk is a subset of operational risk. It is separated in the model because organizations typically manage it separately. However, it need to be integrated – hence the need for IRM!

  • Lory DuMenil says:

    Great article and interesting trend. What is the best way to stay informed on developments in the IRM space?

  • Dakota Alexyn says:

    Hi John,

    An integrated platform that successfully manages ALL of these risks seems ambitious to me. Is there anyone in market that offers such a comprehensive solution today? Or is this something people are striving to create?

    Are companies that offer solutions that cover multiple but not all of these risks included in this market?


  • Guna Appalaraju says:

    John, Now that Q2-2018 has started, is there any updated information on the Magic Quadrant for Integrated Risk Management (IRM) release date?

    Also, will this integrated approach continue to include traditional audit compliance areas such as SOX, fraud detection, etc.?

    Thank you,