Looking Ahead With Gartner’s GRC Hype Cycle

By John A. Wheeler | July 16, 2015 | 2 Comments

Last week, Gartner released its annual Hype Cycle for Governance, Risk & Compliance (GRC) Technologies. In the report, we analyze the trends in the evolving GRC market and what end-users of GRC technologies can expect in the next few years. Simply put, GRC technologies support the simplification, automation, and integration of enterprise, operational, and IT risk management processes and data. Risk and security professionals should use Gartner’s Hype Cycle for GRC Technologies to identify solutions to fulfill this need.

According to Gartner’s 2015 CIO Survey, digitalization is creating new and higher levels of risk. In fact, 89% of CIOs in the survey reported that the “digital world” is creating new types of risk, while 69% reported that investments in risk management are not keeping pace. Companies will need to invest in new and innovative GRC technologies while effectively maintaining their current GRC application portfolios.

These new risks require a shift in how GRC is viewed by most companies. As GRC technology has evolved over the past decade, most companies used the software to support a “rear-view mirror” approach to risk management that focused primarily on compliance. This approach led to a backwards view of GRC (see picture below) with risk and governance following compliance in both emphasis and importance. However, as we have seen with many recent digital risk events like the Target data breach, simply complying with industry standards like PCI is not sufficient.

Our hype cycle highlights GRC vendor solutions that provide a “forward-looking” approach to risk management that goes beyond simply complying with the latest regulation or industry standard. Areas such as IT risk management (ITRM), vendor risk management (VRM) and digital GRC are critical components of the evolving digital business landscape.

At the same time, companies continue to struggle with the ever-increasing complexity of regulatory compliance and legal requirements. Areas such as managed GRC services, privacy management and enterprise legal management are driving the demand for GRC technologies to support organizations’ legal and compliance functions.

The need for GRC technologies is rapidly increasing as more companies transition to the new digital business world. At Gartner, we are here to guide our clients along the path to managing their digital risks successfully.



  • Credential-to-vuln mapping is one of these areas, but there are many more. With the popularization of credential stuffing by threats, we have not yet seen periphery areas, such as common account take-over (ATO), solved in VM solutions, e.g., brute-force automata, et al. Some others I can think of are infrastructure-to-web (or vice versa), web-to-db, data classifiers, etc. And what of cloud? What of mobile devices? What of mobile apps? Web services, microservices, SOA, micro apps, DevOps, infrastructure-as-code, and containers? How about social media security?

  • Task of thinkers & powerful people.
    I hope you will provide me with more knowledge.