Blog post

What Is In Your GRC “Junk Drawer”?

By John A. Wheeler | March 03, 2015 | 1 Comment


Everyone has one. Somewhere in their kitchen or garage is the infamous “junk drawer”. Over time, the drawer fills up with gadgets, tools, scraps of paper with to-do lists and various other items that vary in their usefulness. However, invariably there are moments when you rush to the drawer looking for that one item you need, and it becomes a struggle to find. Then, as you rifle through the drawer, you begin to wonder how all these items found their way there in the first place. More often than not, the items do have a specific use and value, or they would not have been placed in the drawer. They become junk when we forget why we needed them or how they can be used on a regular basis.

This junk drawer analogy is a perfect description of the state of risk management software at many companies today. During the past decade, risk management has matured as a formal discipline and the related software applications have also evolved. It has resulted in the creation of a software category commonly known as GRC – governance, risk and compliance.

Similar to ERP software solutions that support financial management or supplier management functions, GRC software solutions run the gamut from broad based risk and compliance platforms to purpose-built risk analytic applications. As companies have built their risk management programs across the enterprise, they have filled their GRC “junk drawer” with a range of applications that vary in their usefulness and relationship to one another.

At Gartner, we have recognized a clear desire by companies and risk management organizations to clean out their GRC “junk drawer”. To do this, risk management organizations need an organized, structured IT application strategy. What we recommend is a pace-layered application strategy for GRC that classifies your software applications into three primary layers – systems of record, systems of differentiation and systems of innovation.

By doing so, you can begin to manage the applications at the pace of change demanded by the risk management program as well as the business at large. You will also be in a much better position to maximize the usefulness of your risk-related applications and prevent your GRC “junk drawer” from filling up again. To learn more about crafting a GRC application strategy, read our groundbreaking research on “How to Use Pace Layering to Build a GRC Application Strategy” at


1 Comment

  • Phil says:

    Great post, John! I enjoy reading your stuff – concise, clear and valuable thought leadership. Look forward to reading more.