Rasmussen on choosing enterprise-grade GRC/IRMS

By Riaan Bekker, Force Solutions Manager at thryve

Michael Rasmussen is a name you might know if you take an interest in GRC/IRMS systems. I mention both names because Rasmussen not only coined the term Governance, Risk & Compliance (GRC) to describe a new class of risk-management technologies; he also recently went to war against the term ‘Integrated Risk Management System’ (IRMS), saying it’s just a different name for modern GRC systems.

You can explore that argument in more detail through a series of blogs we released during the IRMSA conference last year. The nub of that argument, though, is that it’s not about a name but the features you get in the GRC/IRMS service you use. This brings us to a new flank in the debate, again raised by Rasmussen – and this time he’s going after his former employer, Forrester, where he coined GRC.

The blog is interesting, though mainly an attack on ‘leader’ charts such as the Forrester Wave and Gartner Magic Quadrant. Rasmussen questions whether all the companies included in these charts are really suited to the enterprise customers that Forrester and Gartner serve.

It’s an open question and not one I’m looking to answer. However, I’d add that the best of today’s leading GRC/IRMS platforms, such as Riskonnect, are a good fit for companies of all sizes. The difference lies in the planning, implementation and scaling of the right features. This is why I often highlight that your choice of provider is as crucial as the software platform. Naturally, I promote thryve’s capabilities in this regard: we have designed, deployed and grown numerous different platform services for clients ranging from SMEs to global enterprises.

But back to Rasmussen’s views. After lambasting the research firms, he turns to the question of how a large enterprise can choose the best GRC/IRMS for its risk-management needs. To give guidance, he compiled a set of questions:

  • What actual client references can a solution provider deliver that are using the solution for a true enterprise view of risk (not an IT-focused view of risk)?
  • How do these solutions do risk normalisation and aggregation (which is ‘table stakes’ for an accurate enterprise view of risk)?
  • What are the solution’s capabilities for risk analytics and modelling?
  • How does the solution show risk interrelationships or interconnectedness?
  • How does the solution support a top-down approach to risk management aligned with objectives?
  • Does the solution have the data and application architecture to scale?
  • Does the solution support business process modelling?
  • How does the solution do quantitative risk modelling?
  • Does the solution truly integrate and support an enterprise view of risk?
  • How does the solution bring together both a top-down and bottom-up view of risk?

These are interesting questions. Individually, they will match many different company scenarios, even for medium-sized enterprises. Collectively, they demonstrate the various capabilities of a modern GRC/IRMS platform. To provide many of the above features, a system needs to be integrated with company data sources, flexible in its reporting methods, available to different groups within the company (and possibly outside it), and able to align easily with enterprise strategy.

Not all GRC/IRMS systems are able to provide those features, especially if they aren’t flexible and modular. Platform solutions have those features in their DNA. These features also underline the importance of using a skilled provider who understands your business. It’s not a matter of flipping the right switches on the software. In essence, integrated risk management needs context and nuance that software can’t intuitively recognise. Human experience is the critical ingredient for that.

GRC/IRMS gives a massive strategic advantage to the organisations that use it. But this is not technology for technology’s sake. That approach won’t work and simply forces your business to walk a line set by the system. True integrated risk management systems come to the business, connect with its processes and people, and elevate risk awareness to unbelievable levels.

If your proposed GRC/IRMS system and provider can’t answer Rasmussen’s questions to your satisfaction, shop around a little more. You’ll be happy you did.