Integrated Risk Management (IRM) vs Governance, Risk & Compliance (GRC)
When managing the concept of risk or compliance, it is crucial to understand that (1) the products and services that a business sells, (2) the partnerships it enters into and (3) the locations of its operations are the business decisions that dictate the statutory, regulatory and contractual obligations that cybersecurity and privacy teams are tasked to enforce. Cybersecurity and privacy personnel do not dictate the requirements; they are merely the messengers, pointing out the controls that must exist to satisfy those business requirements.
In the early 2000s, the term “Governance, Risk and Compliance (GRC)” was coined to describe the overall governance function for a cybersecurity program. Today, there is a marketing effort to shift away from the term GRC toward “Integrated Risk Management (IRM).” Essentially, this re-branding is a disingenuous marketing attempt to sell new products and services under a different name. GRC is not dead, just hyped as IRM in an attempt to create new sales opportunities and remain relevant. Weak or non-existent processes are not magically fixed by GRC/IRM tools, since those tools only help automate existing processes. The same pitfalls that doomed many GRC rollouts and tainted the reputations of several GRC providers apply equally to IRM initiatives, since the same underlying content requirements exist. This is where "content is king" in the GRC/IRM space, since that underlying content is what makes a GRC/IRM rollout successful in the long term.
The hype is that IRM is designed to be a “risk-focused, integrated solution” whereas GRC is solely focused on compliance. If you honestly look at it, GRC and IRM both manage risk and address compliance requirements.
Both GRC and IRM rely upon comprehensive governance documentation to be efficient: policies, control objectives, standards, guidelines, controls, metrics and procedures (control activities). Without those fundamental components, a GRC/IRM deployment will, at best, produce mediocre results.
Furthering the hype about IRM is the focus on “integrated solutions” that can adapt to a dynamic, quickly evolving, ecosystem-driven environment. This makes it appear that only IRM offers Key Performance Indicators (KPIs), or performance goals, to provide management-level oversight of performance. Unfortunately for IRM marketing efforts, the fact is that traditional GRC suites offer these metrics and reporting capabilities, as well as API integration with point-solution tools (e.g., vulnerability scanners, ticketing systems, change control, etc.).
In reality, either a GRC or IRM tool can be used to manage a cybersecurity program from strategic, to operational, to tactical aspects.