
Why Leading Organizations Adopt IRM Over GRC

By John A. Wheeler | June 01, 2021 | 0 Comments


Gartner continues to receive high client demand for integrated risk management (IRM) insights and for what IRM offers beyond the typical governance, risk and compliance (GRC) technology deployment. As evidence of the increasing interest in IRM, a recent Gartner survey of leading enterprise risk management (ERM) organizations showed that more than half were engaged in developing an IRM approach, with almost a third having completed their build. Only 13% were not planning to complete an IRM build (see figure below).

Figure: ERM Teams Building an Integrated Risk Assessment

So, why are leading organizations seeking to adopt an IRM approach and set of technologies rather than GRC? The answer can be found in an adage as old as GRC technology itself: never put the cart before the horse.

Now, it is quite clear what happens when the cart is placed before the horse. You do not get very far, and you grow very frustrated at the lack of results. That is exactly what we hear from organizations that look to GRC as the solution for their risk management challenges.

Yet leading organizations that adopt an IRM view and set of technology solutions experience the opposite. Their overall risk understanding increases and stays aligned with the changing nature of their business operations and the surrounding environment. Why is this the case?

Well, the horse in this analogy is the business outcome-driven approach associated with IRM. The cart is the compliance-driven approach found at the heart of GRC. In other words, IRM starts with an understanding of what drives the business – the risks associated with the performance targets that will fuel a growing, successful enterprise. If the horse is not healthy or cannot be adequately equipped, then nothing else matters.


On the other hand, GRC starts with a heavy focus on compliance – the risks associated with regulations intended to help avoid problems of the past. This compliance-driven approach may serve to create an elaborate cart with a smooth ride, but it will not necessarily take you where you want to go as a business.

Gartner recommends adopting the IRM path to success by following the “PRACtical” approach (see figure below). “PRAC” refers to the IRM balanced sequence of risk objectives to assess – performance, resilience, assurance and compliance. Organizations that take the GRC compliance-driven path most often fail to anticipate the risks that are most impactful to the business. Too much effort and time is spent trying to meet compliance requirements that may not be relevant and/or tend to focus on prior events that provide only a historical risk perspective.

Figure: IRM and GRC diverging paths

To learn more about building an IRM approach and set of technology solutions, please check out other IRM related posts on the Gartner Blog Network. Gartner subscribers also can read my latest research note, “Emerging Technologies: Critical Insights for Integrated Risk Management”, or access our ever-growing compendium of IRM research via


The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
