What’s in a name?
Quite a lot apparently, but also nothing at all.
John Wheeler at Gartner and Michael Rasmussen from GRC 20/20 have been having a rather public battle recently that goes to the heart of what Governance, Risk & Compliance (GRC) really is.
In the blue corner, Gartner are claiming that GRC is too narrow and has failed. What is needed now is their snazzy-sounding Integrated Risk Management (IRM) model. Gartner rightly states that the two critical needs of any organisation are to ‘Stay in Business’ and ‘Stay out of Trouble’. GRC, according to Gartner, can keep you ‘out of trouble’, but only IRM will keep you both ‘in business’ and ‘out of trouble’.
In the red corner, GRC 20/20 have opened the bonnet of the IRM model and done a deep dive on its component parts – their conclusion being that IRM is effectively ‘old wine in new bottles’, i.e. in substance IRM covers exactly the same things as GRC does; the only thing that’s different is the acronym. The King is dead, long live the King.
Here at ICE we have more sympathy for GRC 20/20’s position.
It appears that Gartner are categorising GRC too narrowly, confining it purely to the world of Compliance-related activities. This is a very narrow and unfair view, and it ignores the rather large elephant in the room: the words ‘Governance’ and ‘Risk’ within the GRC acronym.
As Michael points out, the official definition of GRC is ‘a capability to reliably achieve objectives [Governance] while addressing uncertainty [Risk Management] and act with integrity [Compliance]’.
Michael focuses on the three areas that Gartner break IRM into:
- Business Outcome Centric
- Operation Centric
- Compliance Centric
After analysing what each of these component parts constitutes, he finds that they map exactly onto:
- Governance
- Risk Management
- Compliance
So, after all that, we find that IRM = GRC.
Regardless of whether you think you are looking for an IRM or a GRC solution, if you are looking for something that engages all three lines of defence, and which significantly reduces the cost and complexity of internal control and compliance, then have a look at ICE today.
We don’t mind what you call us, just call us!