Gartner opened 2018 with a call for the market to shift its solution focus from governance, risk and compliance (GRC) to integrated risk management (IRM). We at Protiviti agree with the basic proposition that organizations today are focused on reducing business risk, and that they want flexible, open solutions that allow them to more easily adapt to a rapidly evolving external environment and the changing needs of the business. We also agree that the vendors who understand this will have a competitive advantage over those who don’t.
At the same time, I don’t believe we should completely abandon the focus on governance. In fact, as progressive companies are starting to think more digitally, they are realizing that everything in their operations demands governance. For example, in light of the impending start date of the EU’s General Data Protection Regulation (GDPR), many organizations I talk to are looking at their governance processes as fundamental to ensuring compliance.
Another important area is automation. One of the key drivers of digital transformation is the automation of end-to-end business processes. However, automating processes across an organization requires a focus on governance – even beyond what traditional GRC systems have done in the past – to ensure that the needs of every stakeholder in those processes and the departments or organizations impacted by them are considered.
To that extent, I agree with Gartner that organizations need a comprehensive view of their requirements and risks, both horizontally across the business and vertically through their operations. This is the only way to ensure compliance and risk reduction when building and changing automated processes.
So, yes to integrated risk management. But let’s be sure that as we evolve our understanding of IRM solutions, governance and compliance remains a key driver and focus.