Are GRC Tools too Narrow in Scope?
Updated: Sep 23, 2019
Technology risk management has too much potential as a value-creating function to be treated primarily as a box-ticking compliance activity with no direct link to the attainment of enterprise objectives. Most executives today recognize the importance of risk management in achieving strategic goals; however, the perception of risk talent within technology teams is low. To capture the value of enterprise risk management, technologists need to be aligned with business expectations. CISOs and technology risk teams need to rise to the occasion by equipping themselves with a suite of strategic tools that provide business-focused insight.
Gartner has focused on the lack of strategic capabilities in existing Governance, Risk and Compliance (GRC) tools for the last several years. Attendees at its global series of 2019 Security & Risk Management Summit conferences have told Gartner that GRC tools are quickly fading from use. Gartner predicts that 2020 will be the year of the final demise of GRC technology and of the migration to Integrated Risk Management (IRM) technology. Here is an excerpt from their blog:
"Unfortunately, GRC technology limits an organization’s ability to move beyond a siloed approach because it remains rooted in myopic solutions designed for individual risk and compliance programs. Gartner sees legacy GRC technology providers evolving their product sets to link three primary risk management program areas – enterprise, operational and IT/cybersecurity (see figure below). By doing so, technology can enable better visibility and understanding of the dynamic set of risks across the entire organization."
Legacy GRC technology providers are typically strong at keeping the business "out of compliance trouble" because of the box-ticking approaches they encourage. Integrated Risk Management technology providers offer a wider focus on the emerging technology risks associated with digital business, vendors and third parties, and business continuity.
We've stated that it is important to understand that evidence of regulatory compliance does not ensure that a business is actually cyber secure. Maybe it's time to move on to enterprise IRM technology to reflect that ethos.