I am often asked, “Renee, what is integrated risk management (IRM), and how is it different from GRC?” You are neither misinformed nor are you horribly confused. We have been on a seven-year journey together maturing governance, risk management, and compliance (GRC) programs to eventually give you the process, program, and data to get to performance management. That is what GRC at Forrester is about. Is IRM any different from GRC? No.
IRM positions itself for customers going through the pain point of not being able to report on strategy. Inventing a new framework for risk isn’t going to help the fact that you can’t get data fast enough to make it speak to strategy. That isn’t your fault. It’s not your framework’s fault. You need software to collect the data, give it meaning, and relate it to strategy — software, not integrated risk management.
I will leave you with a few questions: If you haven’t been relating all your risk data, what have you been doing? Rhetorical question . . . you have been maturing your processes. If IRM is integrated, why are all the assessments done at the feature level? Why does it deliberately fragment the market in the name of integration? You don’t need a new risk framework to mature your program — you just need software. In the end, you will find all the same vendors in the Forrester Wave™ evaluation on GRC — because IRM is GRC.
We are standing at the edge of a cliff. Sure, we can back up 500 yards and rethink the whole thing, but how about we strap on a wingsuit and jump? We have been training for this jump for years. We are more than ready; we just have to do it. I encourage you to stay with us on this journey. You’re ready, and we are ready to help. Upside? We’re more fun than most compliance people. It’s not the only reason to love GRC, but it’s a reason, right?
Stay the course, and let’s tweet careful out there.