GRC vs IRM: Looking at Risk Management Through a New Lens
The Governance, Risk, and Compliance (GRC) field has been around for a long time. The Open Compliance and Ethics Group (OCEG) included the term in a published article in 2007, and many solutions have been developed since to help organizations manage this aspect of their cybersecurity strategy.
In 2018, Gartner coined the term Integrated Risk Management (IRM) and is developing Magic Quadrants and other resources based upon this term. While IRM and GRC cover similar areas of cybersecurity, the potential rebranding could significantly impact an organization’s cybersecurity strategy.
Potential Industry Impacts of “IRM”
GRC and IRM are both about managing risk, which is one of the primary goals of an organization’s cybersecurity program. Despite this overlap, GRC and IRM have slight differences that can impact how the field is viewed and approached. Some of the major differences include:
Field of Focus: GRC includes an organization’s governance and compliance management strategies alongside risk management. IRM, on the other hand, is focused primarily on managing cybersecurity risk to the organization (which can include governance and regulatory risks).
Scope of Responsibility: Traditionally, responsibility for cybersecurity risk management has been primarily with the organization’s GRC team. With IRM’s integrated approach to risk management, responsibility is shared throughout the entire organization.
Mental Models: The IRM model for considering riskis better aligned to the concept of the three lines of defense. The first line of defense includes functions that own and manage risk; the second incorporates functions that oversee or specialize in risk management and compliance; and the third involves functions providing independent assurance (such as internal audits).
While it isn’t certain if and how the new IRM term will be adopted throughout the cybersecurity industry, it could have significant impacts on how the industry works. Some potential changes and opportunities that may arise as a result of Gartner’s creation of the IRM term include:
Openings for New Cybersecurity Product Offerings: The creation of the IRM brand and Gartner IRM Magic Quadrant opens opportunities for vendors to create products tailored to this particular approach to risk management. Additionally, recent legislative attention around consumer compliance and privacy litigation creates an opening for tools supporting an organization’s privacy, risk, and compliance management programs.
Wider Scope of Responsibility for Security/Risk: The IRM model makes the entire organization responsible for risk management, not just the security team. This creates a basis for greater collaboration and communication across the organization and enables an organization to achieve competitive advantage and cost savings through an integrated approach to risk management.
Organizational Realignment: Currently, many security models place risk management as a subset of cybersecurity. Under the IRM model, security may become one of the functions carried out by “risk” teams instead of vice versa.
How MorganFranklin Can Help
It’s currently unknown if the IRM term will gain widespread adoption. As long as an organization is effectively managing all functions that fall under the GRC and IRM models, then the precise model being used only impacts its structure, policies, and procedures.
At the end of the day it is about overall risk management, how you identify risk profiles, and the appetite of the company. They all work around controls (either technical or administrative), and the lines of defenses, people, and processes that are in place.
If your organization needs help designing or reviewing your integrated risk management program or you wish to share your thoughts on the GRC/IRM branding, please reach out. MorganFranklin consultants have extensive experience in designing cybersecurity risk management programs and can help identify the tools, processes, and models that work best for your organization’s unique business and security needs.