Gartner Blog Network

What Is In Your GRC “Junk Drawer”?

by John A. Wheeler  |  March 3, 2015  |  1 Comment

Everyone has one. Somewhere in their kitchen or garage is the infamous “junk drawer”. Over time, the drawer fills up with gadgets, tools, scraps of paper with to-do lists and various other items that vary in their usefulness. Invariably, however, there are moments when you rush to the drawer looking for that one item you need, and it becomes a struggle to find. Then, as you rifle through the drawer, you begin to wonder how all these items found their way there in the first place. More often than not, the items do have a specific use and value, or they would not have been placed in the drawer. They become junk when we forget why we needed an item or how it can be used on a regular basis.

This junk drawer analogy is a perfect description of the state of risk management software at many companies today. During the past decade, risk management has matured as a formal discipline, and the related software applications have evolved along with it. The result is a software category commonly known as GRC – governance, risk and compliance.

Similar to ERP software solutions that support financial management or supplier management functions, GRC software solutions run the gamut from broad-based risk and compliance platforms to purpose-built risk analytic applications. As companies have built their risk management programs across the enterprise, they have filled their GRC “junk drawer” with a range of applications that vary in their usefulness and in their relationship to one another.

At Gartner, we have recognized a clear desire by companies and risk management organizations to clean out their GRC “junk drawer”. To do this, risk management organizations need an organized, structured IT application strategy. What we recommend is a pace-layered application strategy for GRC that classifies your software applications into three primary layers – systems of record, systems of differentiation and systems of innovation.

By doing so, you can begin to manage the applications at the pace of change demanded by the risk management program as well as the business at large. You will also be in a much better position to maximize the usefulness of your risk-related applications and prevent your GRC “junk drawer” from filling up again. To learn more about crafting a GRC application strategy, read our groundbreaking research on “How to Use Pace Layering to Build a GRC Application Strategy” at

[Image: GRC junk drawer]


John A. Wheeler
Global Research Leader - Risk Management Technology
9 years at Gartner
30 years IT Industry

John A. Wheeler is global research leader for risk management technology solutions and professional services. His areas of specialty include integrated risk management, executive leadership and corporate governance. Follow him on Twitter @JohnAWheeler.

Thoughts on What Is In Your GRC “Junk Drawer”?

  1. Phil says:

    Great post, John! I enjoy reading your stuff – concise, clear and valuable thought leadership. Look forward to reading more.
