Why IRM matters – the IRM cloud story

By Riaan Bekker, Force Solutions Manager, thryve

There is a bit of a storm in the GRC – that being the Governance, Risk and Compliance – world. Recently Gartner announced that it will no longer rate all GRC technology services in the same category. Instead, it has created a new category, IRM or Integrated Risk Management, and declared this is the future of the market.

But not everyone agrees. Firstly, there is the not-inconsequential point that GRC was coined by Forrester, a rival of Gartner’s. So some see this as a savvy marketing land grab. Others counter that there is a significant difference between the two – Gartner even goes as far as to declare it the end of the GRC era.

What is going on here and how does it impact your risk management? To get the definite answer, please join me at IRMSA’s 2019 conference, where I’ll give a presentation on the debate and its consequences.

But I won’t leave you in the cold. Until the conference, I’ll be exploring this topic in a little more depth. In this first part, let’s look at what is meant by IRM.

Risk management is a discipline that formally goes back to the 1970s and no doubt informally for much longer. But market crashes and burst bubbles throughout the 2000s have created many doubts about risk management’s capabilities, especially in the fast-moving connected world.

That connected world stands on the back of many new and improved technologies. It’s a place where systems interconnect and data is contextualised by what it’s needed for. We take this world for granted. But every time you swipe a card for a purchase or sit at a service desk while your customer record is recalled, you participate in that connected world. It’s getting better and faster all the time, but risk systems aren’t keeping up.

Then something crucial happened. All that connectivity and interconnection paved the way for modular systems we popularly call the Cloud, as well as high degrees of integration. IRM emerges from these two factors. 

IRM takes the view that since risk data is drawn from across an organisation, why not integrate those data sources into a central risk management environment? This doesn’t just mean plugging different databases into the risk data pool but also adjusting risk capturing processes to involve employees more organically. Processes can be automated, so weighing risk data is much simpler and doesn’t require reinventing the wheel at every capture point.

This is the crux of an IRM, most often found in a cloud deployment model. This means the IRM environment can be introduced as a service (consumption-based operational costs) and can interact with current business systems without replacing them or forcing radical changes to your IT environment. 

At thryve we are partnered with Riskonnect, a leading IRM recognised by both Gartner and Forrester, built on the leading business cloud platform, Salesforce. We frequently start our projects with a POC that grows as our customers see the value of their IRM and want to expand it further across their operations. That’s the power of modern platforms.

Some argue that these distinctions are enough to warrant a new category to GRC systems, while others say IRM is the logical marriage between GRC and new technologies. Both make interesting points, so don’t miss our presentation at the annual IRMSA Conference, 2-3 October at Gallagher Estate, Midrand, Johannesburg.

In the meantime, stay tuned for the next column in a week, where we’ll take a quick look at the history of GRC, itself a pretty modern idea.