The time has come for a new viewpoint on the maturing discipline known as governance, risk and compliance (GRC). The term GRC was spawned from the need for better internal control and governance within large enterprises in the early 2000s. Much of this need was driven by the compliance requirements associated with the U.S. Sarbanes-Oxley Act of 2002, better known across the globe as SOX. Over time, GRC grew and evolved to become associated with many compliance-driven initiatives designed to improve corporate governance and internal control.
As risk management (in particular, operational and information technology risk management) continues to mature as a discipline and becomes a more practical approach to improving corporate governance and internal control, Gartner recognizes a need for new thinking on the subject. In late 2015, Gartner conducted a survey of Gartner clients to better understand the use of GRC software to support the ever-growing importance of risk management across the enterprise. In that survey, nearly 40% of the clients surveyed were not using GRC software. In addition, 65% of those same clients were not even familiar with the term “GRC.” However, in Gartner’s 2015 CEO survey, 65% of global CEOs and senior executives viewed the level of investment in risk management tools and practices as falling behind (see “2015 CEO Survey: Committing to Digital”).
So, to better address the needs of global CEOs and senior executives, Gartner is redefining its coverage of GRC as Integrated Risk Management (IRM). Simply put, IRM is a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks. Under the Gartner definition, IRM has six attributes:
- Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership
- Assessment: Identification, evaluation and prioritization of risks
- Response: Identification and implementation of mechanisms to mitigate risk
- Communication and reporting: Provision of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response
- Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives and the effectiveness of risk mitigation and controls
- Technology: Design and implementation of an IRM solution (IRMS) architecture
To understand the full scope of risk, organizations require a comprehensive view across all business units and risk and compliance functions, as well as key business partners, suppliers and outsourced entities. Developing this understanding requires risk and security leaders to address all six IRM attributes.
Additional IRM insights can be found within Gartner’s recently published note, “Transform Governance, Risk and Compliance to Integrated Risk Management.”