What Ever Happened to GRC?

By John A. Wheeler | November 12, 2018

In our ongoing coverage of Integrated Risk Management (IRM) technology and service providers, the relevance and frequency of client inquiry related to Governance, Risk & Compliance (GRC) continues to decline. In 2017, 28% of our relevant client inquiry related to GRC topics. This year, the percentage of GRC client inquiry has slipped to just 15%. So, why are we seeing GRC continue to fade as a client inquiry topic? The answer is found in Gartner’s Hype Cycle (see below).

[Figure: Gartner Hype Cycle, showing the position of GRC]

When Gartner began its coverage of GRC back in the middle-aughts, GRC was spawned (see “Innovation Trigger” in Gartner’s Hype Cycle) by the relentless number of regulatory mandates that organizations had to quickly interpret and seek to address. Major compliance activities associated with the likes of Sarbanes-Oxley, PCI, HIPAA, as well as unique requirements such as Conflict Minerals and FCPA, drove GRC to the heights of the “Peak of Inflated Expectations” as reflected in our Hype Cycle.

However, GRC quickly fell into the “Trough of Disillusionment” as we suffered from the impacts of the global financial crisis. In the early part of this decade, GRC climbed the “Slope of Enlightenment” into the “Plateau of Productivity” as customers matured their risk management and compliance programs. This maturity led many customers to recognize that chasing the next regulatory mandate with another GRC technology or service investment simply was not sustainable.

Thus, our coverage shifted to keep pace with our clients’ expectations. Rather than invest in compliance-driven, proprietary solutions, our clients are now demanding risk-focused, integrated solutions that can adapt to the dynamic, ecosystem-driven environment that is quickly evolving. The outdated, legacy GRC solutions simply are too costly and inflexible to meet the challenges of digital business transformation.

As a result, GRC has now fallen into the “Swamp of Diminished Returns”. As described by my Gartner colleagues in “Mastering the Hype Cycle”, the “Swamp” is characterized by the fact that further investment is “no longer appropriate for new applications, but replacing it would take time, effort and money”. So, many organizations continue to maintain these outdated GRC solutions rather than seeking a better way. This stage is what my colleagues aptly describe as “legacy”.

What’s next for GRC? According to the Hype Cycle, the final stage is the “Cliff of Obsolescence”. The “Cliff” is not what it might sound like. It is not a “dramatic precipice that solutions tip over to crash to their doom”. It is what my colleagues rightly describe as a “crumbling escarpment where erstwhile innovations begin the often long and drawn-out, and always irreversible, slide into oblivion.” So, as expectations for IRM continue to rise, the likely outcome for GRC is an irreversible slide into oblivion. The question to be answered is: when do you shift your investment to IRM? Well, that’s what we at Gartner are equipped to do – help you find that answer. To learn more, check out my latest research and read more of my blog posts on IRM. Also, read more about IRM and related innovative technologies in our latest “Hype Cycle for Risk Management, 2018” (Gartner subscription required).