“What do you think the difference is between GRC and IRM?” That’s a question we seem to hear over and over, and with good reason. I just heard that question again this week, and if you ask the internet, the answer you’ll get is underwhelming and will likely keep you wanting. In the first five results you’ll get software companies claiming without much context that IRM is newer, and therefore better, and they have an “IRM solution” that’s unlike those old GRC solutions. You’ll also hear consultants weighing in on what the shift from GRC to IRM means for the industry, as if this shift has signaled a sea change. I’ve also overheard some responses from professionals that were delivered with the best of intentions, but that I just don’t think give the full story. From everything I’ve been able to gather that’s just what this is — a story. The story goes something like this…
Somewhere around the year 2002, Michael Rasmussen, while employed at Forrester Research, starts using the term Governance, Risk, and Compliance (GRC) in his publications. This was around the time new technology solutions were hitting the market that provided centralized technological support of risk and compliance activities, improving upon the old methods of keeping policies, controls, risk registers, and risk assessments in documents and spreadsheets. The term “GRC” caught on, and coincided with businesses increasing the priority of risk and compliance activities spread across various departments including IT, legal, compliance, and others. The idea of “lines of defense” begins to form, and the IIA eventually released a position paper describing these functions as the second line of defense in 2013.
During this period, both Forrester Research and Gartner annually publish a “magic quadrant”, which lists and compares GRC technology solutions, and ranks them each on overall vision and ability to execute. These lists become the de-facto standard companies use when considering purchasing GRC technology solutions.
In 2017, John Wheeler and Gartner declare “the end of an era”, and state that GRC is “outdated”. They announce they are now releasing a new “Magic Quadrant for Integrated Risk Management (IRM)”.
John Wheeler and Gartner define IRM as, “a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks”. He goes on to say it includes elements like strategy, assessment, response, communication and reporting, and monitoring. An initial reaction might be, “Are we no longer governing and complying?” Not to speak for them, but I think Gartner would respond by saying that governance and compliance both address risks, and therefore are inherently included. Further, they’d say that governance and compliance activities should be prioritized by considering effort vs. their impact on the organization’s risk environment. They then go on to apply their IRM vs GRC logic to the software solutions in the space.
There are some problems with this. First, there are some definite differences between the risk and compliance areas. I’ll expand in a later article, but for now, it should suffice to say it requires a deep understanding of the nuances between the two to successfully plan and execute each. These nuances are confusing enough, and I don’t think it does anyone in the industry a favor to cloud them even further. Second, governance is critical, and insufficient governance is back-breaking for an organization’s risk environment. I’ll also expand on that in a later article, but burying its importance deep in your new acronym’s paragraph long definition probably does not take things in the right direction if you’re really trying to help the community succeed. Another item of note is that many of the “IRM” technology solutions on their new Magic Quadrant are the same as those previously on their “GRC” Magic Quadrant. How could that be if, as John states, “the software end-user community is excited about IRM rather than outdated governance, risk and compliance (GRC) solutions”? Finally, and probably most important, the problem with the term IRM and the way it has been defined to this point lies in the question: How is it not synonymous with a well planned, enterprise-wide, successful GRC program? Even the 6 core elements of IRM as described (strategy, assessment, response, communication and reporting, and monitoring) are the same things you’d expect to see in a good GRC program. In fact, our GRC Roadmap service focuses on evaluating current state and properly planning for a successful GRC (IRM?) function and it covers all of these things plus a few others.
I’m definitely not the first to call these things out. In fact, Michael Rasmussen did that and much more in his article, “The IRM Emperor Has No Clothes“. Based on the reactions I’ve heard at recent industry conferences I’ve attended, and the fact that he even went so far as to call out specific persons and organizations, he created quite a stir.
So, what’s the conclusion? First, it’s amazing how a pundit (granted, with a very large and influential company behind them) can create a term like GRC or IRM and cause the industry to regularly use it. Second, once the story is told, it becomes clear that the terms IRM and GRC and the arguments for each from industry insiders appear to have more to do with politics and the struggle for influence than they do for introducing a new concept that truly redefines the industry.
Nevertheless, it appears the term IRM is here to stay. Despite my obvious leanings, I’d actually prefer not to take sides on this issue, and if the term “IRM” starts being used synonymously to “successful GRC program”, then eventually we’ll all follow suit. I’ve told the story, at least as I’ve been able to gather it, and the next time I hear the question, “What do you think is the difference is between GRC and IRM?”, I’ll be able to point here, where someone can read the story, see the history and underlying publications, and judge for themselves.
If you’d like to learn more about proper planning, governance, and technology architecture to support your GRC/IRM program, contact us.
The IIA’s 3 Lines of Defense White-paper
Gartner’s Definition of IRM
Gartner’s application of IRM vs GRC to the Software Solutions in the Space
Michael Rasmussen’s History of GRC
The IRM Emperor (Gartner) Has No Clothes Published on August 1, 2018 Michael Rasmussen GRC Economist & Pundit