The governance, risk, and compliance (GRC) approach to risk management is proving insufficient as companies grapple with myriad tools amid a false sense of security. Instead they now are turning to integrated risk management (IRM) and risk quantification to inform strategies.
“What we are seeing, and have seen over the last five years, is a pivot away from more of a compliance-focused approach around IT and security risk that you’d typically find in a GRC program, or even in utilizing GRC technology,” says John Wheeler, global research leader for Gartner’s Risk Management Technology division. His focus is on IRM, which involves different ways to address risk and potentially transfer risk vehicles; for example, cyber insurance.
GRC, now around for nearly two decades, stemmed from a growing need to address the broad landscape of compliance mandates security pros face year after year, Wheeler says. While helpful in meeting said mandates, companies that invested more in GRC-specific tools found themselves in a “potpourri” of products either…
