When Compliance Isn't Enough: A Case for Integrated Risk Management

Why governance, risk, and compliance solutions lull companies into a false sense of security, and how to form a more effective approach.

The governance, risk, and compliance (GRC) approach to risk management is proving insufficient as companies grapple with myriad tools amid a false sense of security. Instead they now are turning to integrated risk management (IRM) and risk quantification to inform strategies.


"What we are seeing, and have seen over the last five years, is a pivot away from more of a compliance-focused approach around IT and security risk that you'd typically find in a GRC program, or even in utilizing GRC technology," says John Wheeler, global research leader for Gartner's Risk Management Technology division. His focus is on IRM, which involves different ways to address risk and potentially transfer risk vehicles; for example, cyber insurance.


GRC, now around for nearly two decades, stemmed from a growing need to address the broad landscape of compliance mandates security pros face year after year, Wheeler says. While helpful in meeting those mandates, companies that invested heavily in GRC-specific tools found themselves with a "potpourri" of products, each either purpose-built to address a specific compliance requirement or limited in its ability to capture the risks unique to the organization.


"For many organizations, they may have a false sense of security," he adds. "If they think they are compliant with regulations, risks are addressed … [this] couldn't be further from the truth."


It is imperative companies understand their individual risk profile, Wheeler continues; out of that will come a greater ability to meet compliance mandates that are relevant to the business. Rather than focus on GRC, many are turning to IRM so they can comprehend how IT risk, and cybersecurity requirements and posture, fits in ..
