GRC vs IRM: Looking beyond names and acronyms

By Riaan Bekker, Force Solutions Manager at thryve

Is there a difference between Governance, Risk & Compliance (GRC) and Integrated Risk Management (IRM)? This topic has sparked furious debate among different practitioners and technologists. It’s also the topic thryve presented at the recent IRMSA conference held in Midrand, Johannesburg. Do we have an answer?

If you have been following my series of articles on this topic, you will know about the controversy around GRC vs IRM. But here’s a summary: in 2016, the research firm Gartner announced that IRM should be distinct from GRC. In effect, GRC is the old way and IRM is the new way. But many, including the person who coined the GRC acronym, disagreed.

GRC gained prominence in the early 2000s. The name doesn’t just loosely pool governance, risk and compliance. It specifically refers to frameworks and technologies that exploit the overlaps between these three areas. Michael Rasmussen, the former Forester analyst who coined the term, did so exactly because he started seeing those overlaps in different presentations. Whether companies were selling a governance, compliance or risk system, it tended to cover all three anyway.

Hence GRC was born. Then the technologies evolved. Platforms, cloud services and new levels of data integration introduced capabilities that were once impractical. While older GRC systems helped better manage risk information, data integration started creating richer pictures to work from. Data could now be drawn from different sources inside a business, from databases to spreadsheets.

Integration was joined by another transformative force: web services. This made it possible to extend and tailor GRC interfaces into a browser window. Now anyone in an organisation could access, contribute and interpret risk, compliance and governance data. Risk managers still sit at the centre of this world, but others now also leverage and appreciate risk data.

Integration and access made risk information more current and relevant to specific roles. Annual report are making space for dynamic electronic dashboards that can drill down into the details.

This collection of features is what prompted Gartner to change its definition, as you can see from this table the firm released:

As partners and implementers of Riskonnect, thryve is securely in the IRM camp. Riskonnect, built on the Salesforce platform, is recognised by both Gartner and Forrester as a leader in the sector, offering extensive integration and collaboration features. It ticks every box in the IRM column and then some.

But does that mean we agree with Gartner? No. While IRM is a great name, we arrived at this point because GRC evolved. We didn’t assign new names to evolving business systems such as ERP or CRM. Modern GRC systems and IRM systems are the same thing with different names.

As Riskonnect’s Sales Executive Adelani Adesida, my co-presenter at the conference, quipped: we have GRC, IRM, ERM and more acronyms and will probably keep going until we run out of letters!

But the question is not about GRC vs IRM. It’s whether a GRC/IRM solution ticks the boxes in that right-hand column. This is an emotive topic – we had some spirited debates during our presentation. However, ultimately it’s not about what we call it. It’s about what these services do and how they deliver value.

GRC? IRM? What you should be asking:

  • Does it assist you in building a risk-aware culture within your organisation?
  • Can it be used for developing a risk strategy?
  • Does it improve your critical decision making?
  • Does it integrate with multiple data sources?
  • Does it promote the digitisation of risk information?
  • Does it improve access and use of risk, governance and compliance data?
  • Does it promote collaboration around GRC functions among different groups and silos in the organisation?
  • Is it easy to deploy and scale?
  • Can it balance risk information from different input sources?
  • Can it apply your preferred frameworks?
  • Can it be adjusted to meet specific business and process requirements, without locking you in to that design?
  • Can it easily offer different functions, such as artificial intelligence or self-service portals, without compromising the underlying system or causing further lock-in?
  • Is it intuitive, available through different devices and easily administered?
  • Does it make your organisation smarter, faster and turn GRC data into strategic assets?

If the answer is no, then whatever you are using does not meet the criteria for a modern, transformative governance, risk and compliance system. You are not using modern GRC or IRM capabilities.