Last year I blogged about Why I Hate the Term GRC and then about resetting our definition of IT GRC. This clearly did not go far enough, so in 2014 we are changing the game entirely. We are doing this for multiple reasons:
- The term GRC is the most overused term in the risk and security lexicon. Vendors use it to describe whatever they are selling and our clients use it to describe whatever problem they have.
- The delineation of IT-GRC vs EGRC is almost meaningless because all of the IT-GRC vendors claim to do everything the EGRC vendors do and vice versa.
- When a client calls us and asks to discuss GRC vendors, our first question is always “what are you trying to accomplish?”
- The features and functions of the vendors are becoming indistinguishable. For example, they all have a survey function and there is no material difference in implementation.
- Every vendor demo looks exactly like every other vendor demo and they can all demonstrate excellent capability against a wide range of GRC requirements.
The bottom line is that our current approach to this market is not helping our clients match their needs to appropriate technologies. So we are going to change it.
There are good differentiating characteristics of vendors.
- All basic functions look the same in demonstration, but not all function the same against specific requirements. For example, a survey function may work well for gathering data internally from product teams, but not function well at all when trying to gather vendor risk data externally from third parties.
- Some vendors have subject matter expertise and implementation experience that makes them stronger for some requirements and not others.
- Architecture issues may not be obvious in a marketecture diagram, but the limitations become obvious in certain environments.
- The level of required customization, its cost, and satisfaction with those services vary greatly across implementations.
What all of these have in common is that the differences are implementation and requirement dependent. Also, our clients start out asking for generic GRC software and then quickly narrow it to the use cases, requirements, and workflows they are actually going to implement. Therefore…
Gartner’s new approach to GRC will deemphasize the presence and demonstrability of features and functions while increasing the weight of implementation and production use of GRC products against specific use cases.
In implementing our approach, we have defined six use cases. We know there are more, but we need to start somewhere.
Use case 1: IT Risk Management (ITRM). The use of GRC tools for management, measurement, and reporting against IT risk. While this may include security operations data and processes, implementations that are primarily focused on security operations, analysis, and reporting will be considered “below the line” and not part of this use case. See this blog post for more information.
Use case 2: Operational risk management (ORM). The use of GRC tools for management, measurement, and reporting against operational risk. There is a bright line between the ORM and ITRM use cases which is beyond the scope of this blog post, but fundamentally ORM addresses IT and OTHER operational risks with deeper risk management capabilities like capital allocation, predictive analytics, and statistical modeling.
Notably, my colleague John Wheeler and I have decided to explicitly exclude enterprise risk management (ERM) as a use case because our definition of ERM includes credit and market risk, which we do not believe is currently a credible capability for any of the GRC vendors.
Use case 3: Audit management. Audit solutions used by internal audit teams that document and track phases of the audit cycle — audit planning, audit risk assessment, audit project management, time and expense management, issue tracking, audit work paper management, audit evidence management, and reporting. Implementations primarily for the benefit of non-audit functions are excluded.
Use case 4: Vendor risk management (VRM). The use of VRM tools for management, measurement, and reporting against vendor and third party related risk. This will include capabilities to identify, classify, monitor, and recommend risk mitigation to support business operations and regulatory requirements.
Use case 5: Business continuity management (BCM). Supporting the coordination, facilitation and execution of activities that ensure an enterprise’s effectiveness in identifying and mitigating operational risks that can lead to business disruptions, and in recovering mission-critical business operations after a disruptive event turns into a disaster.
Use case 6: Corporate Compliance and Oversight. Compliance management and reporting associated with corporate governance codes, ethics, and financial reporting integrity regulations, such as Sarbanes-Oxley, Turnbull and others, and other regulations, standards and policies that materially affect the compliance posture of the overall enterprise.
The Process (for vendors and references)
Reference surveys:
Our research process is going to emphasize references (both those the vendors give us, and those that we speak to as Gartner clients). The reference process will be fully automated and only take 15 minutes to fill out by a knowledgeable person at the implementing organization.
If you have implemented any of the use cases we have identified with a GRC product, please tweet me @peproctor and we can arrange to send you a link to the survey.
Vendor surveys:
We are seeking to create a single unified vendor survey that will serve the entire process regardless of how many use cases a vendor supports. That means one survey, not six surveys.
The Deliverables
We are discontinuing the IT-GRC MarketScope and the EGRC Magic Quadrant. We are replacing these with seven new documents: one for each use case and a top-down document. Some of these deliverables will include vendors who specialize in a use case but do not traditionally position themselves as GRC vendors. For example, the business continuity management Magic Quadrant will only be made up of about 50% GRC vendors, with the rest focusing exclusively on BCM.
- Market Guide for Audit Management
- Magic Quadrant for Operational Risk Management
- Magic Quadrant for Security & IT Risk
- Critical Capabilities for GRC
- Magic Quadrant for Business Continuity Planning
- Magic Quadrant for Vendor Risk Management
- Market Guide for Corporate Compliance and Oversight
Timing for Vendors
These times are rough approximations:
- Feb – Send out a cover letter to engage vendors
- Mar – Request reference lists
- Mar-May – Gather reference surveys
- May-June – Vendor surveys
- Fall – Documents are published for each use case
Gartner Client Benefit
The single largest advantage of this change is that our clients will be better able to identify appropriate technologies to match their specific requirements.
The benefit to vendors is fewer surveys to fill out and a more accurate accounting of your strengths and weaknesses based on production deployments.