Exposing IRM for What it Really is: GRC Light
Gartner, particularly John Wheeler, is hard at work trying to convince the world that its Integrated Risk Management (IRM) is something new to replace Governance, Risk Management & Compliance (GRC). You can check out John’s latest post mischaracterizing and misleading organizations in: GRC May Keep You “Out of Trouble”, But IRM Will Keep You “In Business”
The first thing to note is that every solution in Gartner’s IRM Magic Quadrant and IRM Critical Capabilities reports has been, and still is, a GRC solution. Every one of them has been marketing GRC, most for some time. These are the same platforms that have been calling themselves GRC that Gartner is now calling IRM.
The second thing to note is that Gartner mischaracterizes what GRC is about by reducing it solely to compliance. I have refuted this time and time again by citing the long-standing official definition of GRC found in the OCEG GRC Capability Model: GRC “is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].” I went into great detail on what GRC is in my recent article ‘Navigating Chaos’, published in Enterprise Risk magazine by The Institute of Risk Management (the real IRM). GRC since its inception has been focused on Principled Performance, with the aim that the organization reliably achieves its objectives.
If you peel back IRM in Gartner’s reports what do you find? GRC. It is not just the same technology, but the same pillars. Though I would argue it is GRC light as Gartner misses the boat in risk areas of quality, environmental, health and safety, sustainability, corporate social responsibility, and more that impact the modern organization.
Take a look at the recent Gartner IRM MQ and the IRM Critical Capabilities. They break IRM into three areas:
- Business Outcome-Centric. Gartner says this is “an integration-optimization-based risk practice designed to automate the linkage among relevant insights on key corporate performance-related risks.” Interesting: this sounds like the Governance pillar in the GRC definition, the capability to reliably achieve objectives.
- Operation-Centric. Gartner says “resilience is an adaptability-based risk practice focused on operational and IT risks offering an agile risk program in response to and recover from key business disruptions.” Interesting: this sounds like the Risk Management pillar in the GRC definition, the capability to “manage uncertainty.” ISO 31000 defines risk as the effect of uncertainty on objectives.
- Compliance-Centric. Gartner says “compliance is a regulation-based risk practice providing evaluation and evidence in support of relevant legal and regulatory requirements.” Interesting: this one even mentions Compliance, but only in a limited way focused on regulations. The GRC Capability Model, which is about 15 years old now, defines compliance as the “capability to act with integrity.” This is more than regulatory compliance; it includes compliance with the risk boundaries of the organization (e.g., tolerance, appetite, capacity); the policies of the organization; the values, ethics, and corporate social responsibility commitments of the organization; and the contractual obligations of the organization.
There you have it – IRM at its core is really GRC.
What really strikes me as interesting is that Gartner puts a lot of effort into stating that there is a difference between these pillars from a technology perspective. I would agree, but Gartner’s own research does not. Look at the IRM Critical Capabilities research and you find the same list of solutions in nearly identical order in each of the three areas: the same solutions on top, the same solutions on the bottom, with very little movement between the areas. Why even break this out, Gartner? From this research, you are stating that the same solutions that score high in Business Outcome-Centric are also the top for Operation-Centric and Compliance-Centric. Same solutions, nearly the same order, in each of the three areas. It does not make sense.
But what is really ironic is that I have been discussing this differentiation for 15 years. The last GRC Wave I wrote at Forrester, in 2007, had four Wave graphics: one for overall GRC combined, one for Governance focused on outcomes and objectives, one for Risk Management focused on operational risk, and one for Compliance. They say there is nothing new under the sun; Gartner proves it. They are just taking my 2007 approach and using it in 2019, relabeling/renaming its areas. HOWEVER, if you look at the 2007 Forrester GRC Wave you will find a completely different ranking of solutions in each of the areas, not the same ranking.
Gartner, drop the IRM facade. I don’t care if you want to call GRC “IRM.” You can call it ERM, ABC, XYZ. It does not matter what you want to call your category. Just stop misleading the world by saying GRC has failed when you are evaluating the exact same technology solutions that have called themselves GRC. Look at how you break out and define IRM: it maps to how GRC is defined and broken out.
Interesting post. Do you think that is why Gartner seem to have retired the IRM Magic Quadrant/Critical Capabilities reports? They won’t do a 2020 report by the looks of it.