Gartner Blog Network


What Ever Happened to GRC?

by John A. Wheeler  |  November 12, 2018

In our ongoing coverage of Integrated Risk Management (IRM) technology and service providers, the relevance and frequency of client inquiry related to Governance, Risk & Compliance (GRC) continues to decline. In 2017, 28% of our relevant client inquiry related to GRC topics. This year, the percentage of GRC client inquiry has slipped to just 15%. So, why are we seeing GRC continue to fade as a client inquiry topic? The answer is found in Gartner’s Hype Cycle (see below).

When Gartner began its coverage of GRC back in the middle-aughts, GRC was spawned (see “Innovation Trigger” in Gartner’s Hype Cycle) by the relentless number of regulatory mandates that organizations had to quickly interpret and seek to address. Major compliance activities associated with the likes of Sarbanes-Oxley, PCI, HIPAA, as well as unique requirements such as Conflict Minerals and FCPA, drove GRC to the heights of the “Peak of Inflated Expectations” as reflected in our Hype Cycle.

However, GRC quickly fell into the “Trough of Disillusionment” as we suffered from the impacts of the global financial crisis. In the early part of this decade, GRC climbed the “Slope of Enlightenment” into the “Plateau of Productivity” as customers matured their risk management and compliance programs. This maturity led many customers to recognize that chasing the next regulatory mandate with another GRC technology or service investment simply was not sustainable.

Thus, our coverage shifted to keep pace with our clients’ expectations. Rather than invest in compliance-driven, proprietary solutions, our clients are now demanding risk-focused, integrated solutions that can adapt to the dynamic, ecosystem-driven environment that is quickly evolving. The outdated, legacy GRC solutions simply are too costly and inflexible to meet the challenges of digital business transformation.

As a result, GRC has now fallen into the “Swamp of Diminished Returns”.  As described by my Gartner colleagues in “Mastering the Hype Cycle”, the “Swamp” is characterized by the fact that further investment is “no longer appropriate for new applications, but replacing it would take time, effort and money”. So, many organizations continue to maintain these outdated GRC solutions rather than seeking a better way. This stage is what my colleagues aptly describe as “legacy”.

What’s next for GRC?  According to the Hype Cycle, the last and final stage is the “Cliff of Obsolescence”.  The “Cliff” is not what it might sound like. It is not a “dramatic precipice that solutions tip over to crash to their doom”.  It is what my colleagues rightly describe as a “crumbling escarpment where erstwhile innovations begin the often long and drawn-out, and always irreversible, slide into oblivion.” So, as IRM’s expectations continue to increase, the likely outcome for GRC is an irreversible slide into oblivion. The question to be answered is when do you shift your investment to IRM?  Well, that’s what we at Gartner are equipped to do – help you find that answer.  To learn more, check out my latest research and read more of my blog posts on IRM. Also, read more about IRM and related innovative technologies in our latest “Hype Cycle for Risk Management, 2018” (Gartner subscription required).


John A. Wheeler
Senior Director, Advisory - Integrated Risk Management
8 years at Gartner
29 years IT Industry

John A. Wheeler leads analyst coverage of integrated risk management (IRM) technology solutions and professional services. His areas of specialty include risk management, executive leadership and corporate governance. Follow him on Twitter @JohnAWheeler.



