Reframing Integrated Risk Management: A Historical Perspective on GRC’s Evolution

Key Takeaways
  • GRC’s Origins and Evolution: GRC began as a business objective and risk-driven framework, was hijacked by compliance with SOX, but has realigned as a strategic, performance-oriented model that integrates governance, risk management, and compliance.
  • IRM’s Role Within GRC: Integrated Risk Management (IRM) is not a replacement for GRC but a core component of the risk management pillar (also called ERM, ORM), helping organizations address risk within the context of governance, which defines objectives.
  • The Misconception of IRM: Despite some claims, IRM does not stand apart from GRC; it is part of the risk management function within the GRC framework—the R in GRC—making it more integrated and comprehensive.
  • OCEG’s Emphasis on Integration: OCEG has always emphasized that the R in GRC, which is IRM, is integral to GRC, reinforcing governance while managing risk in alignment with organizational objectives.
  • Certifications Supporting GRC and IRM: OCEG’s suite of certifications, such as Certified GRC Professional and Integrated Risk Management Professional, underscores the importance of understanding how IRM fits within the larger GRC strategy and context.
Deep Dive

Over the years, the term Integrated Risk Management (IRM) has increasingly become a focal point in discussions around governance, risk management, and compliance (GRC). While IRM gained limited traction in some circles, it is important to remember that the concept of GRC is deeply rooted in a decades-long evolution, beginning with early work in risk management, compliance, and IT security. To understand where IRM fits, it is crucial to first understand how GRC came to be and why it continues to play a central role in managing risk and uncertainty in the pursuit of organizational objectives, while ensuring integrity in organizations today.

My journey into framing GRC began in the mid-1990s when I worked in risk management and compliance at a life sciences firm, where I identified the need to move beyond spreadsheets to document and manage risks and controls. By the late 1990s, I had taken on the practice leader role in risk and compliance consulting at Denmac Systems, where I worked with Lou Bevente and Andy Denenberg, the owners of Denmac. During this time, we explored the possibility of developing a software solution to address risk and control needs, what would eventually be recognized as GRC.

Andy Denenberg’s prior work on AlertPage, a product he created that was later acquired by Computer Associates, was a motivator to explore doing it again for risk and internal control management. Although we explored developing what I would later call GRC, the project didn’t materialize as I moved into the analyst world at GiGa (started by Gideon Gartner of Gartner Group; GiGa stands for Gideon Gartner, not gigabyte), which was subsequently acquired by Forrester. While the GRC software initiative at Denmac didn’t come to fruition, it laid the foundation for the work that would follow.

In February 2002, while at Forrester, I attended a briefing with Telos Xacta, a company that aimed to adapt its government accreditation platform to commercial applications for risk, control, and compliance. The capabilities demonstrated in that meeting were precisely what had resonated with me earlier at Denmac—the ability to map risks, controls, and compliance requirements in a unified solution. This was what I had envisioned, and it catalyzed my thinking about the emerging market that could tie these disparate elements together.

Following that briefing, I spent considerable time reviewing my notes, doing additional briefings with other solutions coming to the market for this, and conceptualizing a name for this market. I ultimately introduced the term Governance, Risk Management, and Compliance, i.e., GRC. What I saw was the potential for a more integrated and holistic approach to managing governance, risk, and compliance processes in an integrated fashion. Over the next several months, I added other solution providers like Aventis, BPS, BWise, QUMAS, Paisley, and TeamMate to my list, and the market quickly evolved into what I refer to as GRC 1.0, shaped largely by the Sarbanes-Oxley Act (what I refer to as the SOX captivity of GRC). This initial wave of solutions featured other players I began covering, such as OpenPages, Certus, Archer, and MetricStream.

However, I found myself frustrated with how compliance-centric this early market became and how misaligned it was with what I saw as true GRC bringing value to the business and its objectives and performance. I realized that GRC had to be communicated and educated as more than just a checkbox for compliance; it needed to be strategically aligned with business objectives and performance. This realization led me to collaborate with OCEG, who was gathering other thought leaders to address this, where we worked together to develop the GRC Capability Model, which emphasized not just governance, risk, and compliance but also performance—what OCEG defines as Principled Performance. In parallel, I authored the first two Forrester Waves assessing GRC solutions, intentionally emphasizing platforms that demonstrated strength in risk management beyond compliance, which was becoming a critical gap in the early solutions. The second Wave, published in 2007, had a Wave graphic specifically on those stronger in risk management.

More Than Just Compliance

The GRC framework, the GRC Capability Model, developed collaboratively with OCEG and the broader industry, continued to evolve, and the core concept has always been clear: GRC is not just about compliance. It’s a comprehensive framework designed to help organizations manage risk while achieving their strategic goals. The three key components, Governance, Risk Management, and Compliance, are designed to work in tandem, each supporting the others in a dynamic and integrated way.

  • Governance (G) is about setting strategic objectives and aligning the organization around those goals. In this context, it also includes performance against those objectives. Without clear governance, organizations lack a sense of direction, which makes it difficult to assess risk and compliance effectively. Risk requires the context of objectives. ISO 31000, the international standard on risk management, states, “risk is the effect of uncertainty on objectives.”
  • Risk Management (R) focuses on identifying, assessing, treating, and mitigating risks that could prevent the organization from meeting its objectives. It ensures that risks are not only identified but also managed in a way that aligns with the organization’s governance framework to achieve its objectives.
  • Compliance (C) ensures that the organization’s activities remain within legal, regulatory, ethical, and voluntary boundaries (such as values). Compliance doesn’t operate in isolation; it’s part of the broader governance structure, ensuring that governance objectives and risk management activities stay within acceptable limits. This enables the organization to act with integrity in its commitments and obligations.
Misinterpretation of GRC’s Scope

Despite the long-standing success and clarity of the GRC framework, a small number of voices within the analyst community have pushed the idea that Integrated Risk Management (IRM) should replace traditional Governance, Risk Management, and Compliance (GRC). This argument typically claims that GRC is overly focused on compliance and fails to account for broader organizational risks. However, this narrative is fundamentally flawed for several critical reasons, which we need to explore in more depth.

The concept of IRM originated at Gartner. Since then, however, Gartner has stated that it no longer recognizes IRM as a distinct category, "Gartner no longer recognizes IRM as a market and future work from Gartner analysts will no longer reference it as such."

During the period when Gartner did recognize it, some analysts began claiming that GRC technology had failed, and that IRM was the way forward. Yet the first IRM Magic Quadrant featured nearly the same solutions, in nearly the same positions, as the prior GRC Magic Quadrant. This raises the obvious question: what, exactly, had failed? It is a question I'm still looking for an honest answer to.

Some of the more vocal IRM evangelists, misguided or perhaps even disingenuous, redefine GRC narrowly as compliance, yet still retain the GRC label within their own frameworks to support their argument. This only adds confusion to the industry and reflects a fundamental misunderstanding of what governance (the G) and risk management (the R) actually represent. The framework would be far clearer if they simply dropped the attack on GRC and labeled their model for what it truly is: a compliance framework.

In this context, the most common misconception among IRM proponents is that GRC is solely concerned with compliance. This simplification misrepresents the true nature of the GRC framework within the GRC Capability Model, which is, at its core, a holistic approach to managing governance, risk, and compliance as interconnected, integrated, but distinct elements.

GRC is not just about following rules and regulations. It is about enabling organizations to achieve their objectives, managing uncertainty and risk, and acting with integrity. Governance, risk management, and compliance work together to create a comprehensive strategy for managing an organization’s operations in a dynamic and sometimes uncertain environment.

Thus, GRC is a strategic and integrated approach that encompasses much more than compliance. It brings governance and risk management together in a structured, aligned way, driving Principled Performance and resilience across the organization. To limit GRC to compliance alone is to ignore the broader, more valuable benefits it provides in terms of strategic oversight and risk mitigation, and the great work that has been in place for over two decades that defines GRC in the OCEG GRC Capability Model.

IRM Is Not Separate from GRC

Another critical flaw in the IRM evangelist argument is the assumption that IRM represents something fundamentally different from the GRC framework. In reality, IRM is not a replacement for GRC; it is a core component of the GRC framework, specifically within the Risk Management function.

IRM, when implemented properly, refers to a structured, integrated approach to managing risk throughout the organization. It aligns risk management efforts with governance (objectives) and compliance to ensure that all aspects of risk, including strategic, operational, financial, and compliance-related risk, are addressed in an integrated and cohesive way. It is simply the “R” in GRC.

By positioning IRM as a standalone concept, IRM proponents overlook the reality that risk management, as a function, has always been a core element of GRC. In fact, the very foundations of GRC were built with the understanding that risk management cannot be separated from governance and compliance. Each function is interdependent: Governance defines the organization's objectives, risk management ensures those objectives can be achieved despite uncertainty, and compliance ensures the organization operates within legal and ethical boundaries.

In short, IRM doesn’t replace GRC; it enhances it by bringing a more integrated, enterprise-wide approach to managing risk, ensuring that risk management is aligned with strategic goals and compliance requirements.

Overemphasis on Technology

One of the most troubling aspects of the IRM narrative is the tendency to focus disproportionately on technology as the solution. Some advocates of IRM make the case that IRM technology is something distinct and superior to existing GRC solutions. However, this misses a fundamental point: IRM technology is simply an evolution of the risk management capabilities that already exist within GRC solutions. The same solutions that Wheelhouse Advisors covers in IRM are the same solutions that Gartner, Forrester, Chartis, and Verdantix cover as GRC.

In practice, many of the technologies marketed as "IRM" tools overlap significantly with traditional GRC solutions. Many platforms have long provided robust risk management modules within their GRC offerings. These platforms already offer the ability to integrate risk management with governance and compliance, which is precisely what IRM advocates claim to be offering as a "new" solution. Some newer solutions, by contrast, start specifically with business strategy, performance, and objectives and address risk management in that context.

The overemphasis on IRM technology as something separate or revolutionary creates confusion. It’s not the technology that matters; it’s how risk management is integrated across the organization’s entire governance and performance strategy. Compliance comes in to make sure we stay within mandatory (e.g., legal, regulatory) and voluntary (e.g., ethics, values, commitments) boundaries. A fragmented approach, where IRM tools are seen as distinct from GRC, risks creating silos that hinder collaboration and alignment across business functions.

To be clear, technology plays an important role in streamlining and automating risk management processes to make them more efficient, effective, resilient, and agile. But the solution isn’t in labelling technology as "IRM" and promoting it as something outside of GRC (and misrepresenting GRC); the solution lies in how technology supports and enhances the integration of risk management within the broader GRC framework, making it easier for organizations to understand and manage risks in the context of their overall governance and compliance strategy.

OCEG’s Commitment to a Unified GRC Approach

OCEG has long recognized that IRM is integral to the broader GRC strategy, not an alternative to it. As the global leader in GRC, OCEG has been at the forefront of developing frameworks and certifications that reinforce this point. The introduction of the Integrated Risk Management Professional Certification complements other certifications such as:

These certifications help professionals understand the interconnected nature of governance, risk management, and compliance, emphasizing that IRM is a tool within this integrated framework, rather than a replacement for it.

The push for IRM as a standalone framework misses the point: effective risk management exists within the larger structure of GRC. Governance, risk management, and compliance must work together to ensure that organizations can not only manage risk but also achieve their strategic objectives with integrity.

For organizations to fully realize the benefits of GRC, they must reject the narrative that IRM stands apart. Instead, they should embrace a holistic approach that integrates risk management with governance and compliance to create a resilient, performance-driven organization.

For more clarity and guidance, organizations are encouraged to explore OCEG’s frameworks and certifications. You can also refer to the original article, Putting IRM in Its Proper GRC Context.
