- IRM vs. GRC. Gartner has to invent new terms to make themselves feel relevant. John Wheeler came out with several blogs stating how GRC has failed and is dead and organizations should look to IRM. First off, technology evolves and changes. GRC today is not the same as GRC 10 years back. The same goes for other areas of technology such as ERP and CRM: these technology categories have evolved and not remained the same . . . but we still refer to them as ERP and CRM. Gartner is actually 5 years behind. What John Wheeler describes as IRM in his blog GRC vs. IRM Solutions – What’s the Difference? is what I talked about as GRC 3.0 in my research and blogs back in 2013:
- GRC 3.0 – A History of GRC
- Characteristics of GRC 3.0
- And now I have published on GRC 4.0, perhaps Gartner should read this soon and not follow suit in another five years, GRC 4.0 – the Next Generation of Cognitive GRC Technology
- If GRC is dead, where is the difference in the MQ? Let’s get right to the point. Gartner has made a big push in their research, blogs, and speeches that GRC is dead and has failed, and now we have IRM. If this is the case, then why are the Leaders in the Magic Quadrant for IRM the same Leaders that were in the last several Magic Quadrants for GRC by Gartner? What has failed if the exact same solutions that dominate the market are getting the leading accolades from Gartner in their old GRC research and now in their new IRM research? The answer is simple: IRM is a marketing ploy by Gartner. The technologies they say have failed in GRC are the same solutions they now praise as Leaders in IRM, so they must not have failed as Gartner originally stated.
- What is with Gartner changing all these terms? It is not just GRC that Gartner is trying to change. They also talk about Digital Risk Management. What is Digital Risk Management? Organizations do not use this term. They talk about information security, or IT security. Gartner has some need to rebrand things to make their analysts feel relevant.
- Can Gartner make the hard calls? I must applaud Forrester in their most recent GRC Wave; they had the ‘cojones’ to knock one of the leaders out of the Leaders area. You can compare the Wave and the MQ to figure out who I am talking about; it is the solution I get more complaints about than any other solution in the market, by a significant amount.
- Gartner IRM use cases are incomplete. Gartner defined in their IRM MQ six IRM use cases: Digital Risk Management, Vendor Risk Management, Business Continuity Management, Audit Management, Corporate Compliance & Oversight, and Enterprise Legal Management. My prominent question – where is Enterprise and Operational Risk Management (ERM, ORM)? There are defined capabilities and needs for enterprise and operational risk management that are not covered and brought out. Most of Gartner’s research has a large IT security bent to it, oops, I mean digital risk management, that permeates everything and fails to see the broad range of enterprise and operational risks. Also, they bring Enterprise Legal Management into the IRM which I see in about 5 to 10% of Enterprise GRC (IRM) RFPs. I am not against this, but they failed to mention Environmental, Health & Safety (EH&S) which is in over 50% of Enterprise GRC (IRM) RFPs. In fact, Gartner has completely discontinued their coverage of EH&S technology.
- The Magic Quadrant process has serious issues. What is extremely concerning about the Gartner Magic Quadrant for IRM is the process. Some issues are:
- Video demos and not live demos. Gartner did not want to have live demonstrations of the solutions; they wanted organizations to submit video demos. Anything can be mocked up in a video. Forrester, on the other hand, requires live demos and even requires a sandbox to work with the solution themselves. I have advised solution providers in the Forrester GRC Wave and have seen the audit trail of Forrester analysts going through the solution and testing it themselves. Not so with Gartner; they do not want a sandbox or even a live demo . . . just a video. And organizations around the world are relying on the Magic Quadrant? This is downright scary.
- Lack of transparency. Further, Gartner does not publish the criteria, scores and weightings of the Magic Quadrant. It is exactly what it says it is . . . MAGIC. Forrester publishes a full spreadsheet with each of the hundreds of criteria measured, the vendor score on each, and the weighting. You might disagree with Forrester’s findings, I do at times, but Forrester is transparent and Gartner is not.
- Client reference checks. Client references are also a concern. While Gartner got on the phone with a few client references, they are overly reliant on web surveys for client references. To get real answers you have to talk and interact with a range of client references and ask the hard questions. You also have to talk to the individuals using the solution every day and not just the decision maker.
- Inconsistency in Strengths and Cautions. For each solution evaluated, Gartner publishes strengths and cautions, usually 3 of each but sometimes 2. These are not consistent. For example, Gartner calls out as a negative on some solutions that they do not do Enterprise Legal Management, but on others that also lack it they do not call it out. This is not an apples-to-apples comparison.