Gartner Signals the End of the GRC Era

March 25, 2018

Governance, Risk and Compliance (GRC) has taken up headlines for the last decade. GRC tools allow publicly held companies to integrate and manage IT operations that are subject to regulation, and this type of software typically combines applications that manage the core functions of GRC into a single integrated package. However, as times have changed, research leaders like Gartner have predicted that GRC is coming to an end and that other integrated risk management solutions will take its place. This shift is ushering in a new era for technology platforms in specific categories, including Digital Risk Management (DRM), Vendor Risk Management (VRM), Business Continuity Management (BCM), and others.

As we’ve previously explored, GRC is an internal framework of controls that ensure each area (governance, risk, and compliance) is working as intended and isn’t leaving the business open to unnecessary risk. A GRC tool or set of tools can therefore help organizations and security teams accomplish these internal objectives. With GRC-focused tools, vendor risk management is just one of many different “modules” offered. While a GRC tool is beneficial for internal risk and compliance use, its focus is not on evaluating external vendors. In today’s tech world, companies need integrated solutions that aren’t focused only on the internal, but can help to prevent cybersecurity risks as part of a holistic security approach.

In this post, we’ll take a look at three of the areas that Gartner, among other research firms, has turned its focus to in the new era of integrated risk management.

Digital Risk Management (DRM)

Digital risk management has emerged due to the increasing use of cloud, mobile, and social data across the enterprise. DRM platforms enable companies and InfoSec teams to manage the risk for all digital components, as well as outside risks such as those presented with IoT, artificial intelligence, and machine learning. According to Gartner, DRMs provide specific benefits that allow InfoSec teams to:

  • Prioritize the pursuit of digital business opportunities
  • Make risk treatment decisions
  • Invest in controls to optimize risk
  • Invest in insurance to transfer risk
  • Choose to accept risk
  • Isolate and avoid risk
  • Raise visibility of risks to influence decision making across a project
  • Improve governance through greater risk transparency and accountability

Vendor Risk Management (VRM)

Perhaps one of the most important new categories that Gartner is tracking as part of its new focus on integrated risk management is vendor risk management (VRM). These platforms have become exceedingly important because 67% of companies don’t inventory their vendors or keep track of what information they are accessing, according to a recent Ponemon Institute© Research Report. And according to Trustwave, 63% of data breaches are linked to third parties in some way.

According to Gartner’s definition, vendor risk management platforms like Whistic help organizations manage the risks of third parties with adequate controls for business continuity management, vendor performance, vendor viability, security and data protection. Vendor risk management platforms help companies abide by regulations and internal InfoSec processes, and they also serve as tools to monitor vendor performance over time and to keep track of compliance documentation, certifications, and more via a Security Profile.

In addition to these benefits, Whistic’s proprietary CrowdConfidence algorithm helps users quickly understand the specific areas in which a vendor requires additional attention and helps them gain visibility by benchmarking vendor risk. The proprietary scoring algorithm applies a single number to the risk potential of any company with the idea being to emulate something like a credit score, which demonstrates safety as it pertains to finances. The score is a representation of various factors that help a company quickly determine if they want to do business with a vendor or not.

According to Gartner, failure to comply with regulatory mandates can have significant audit-related and, for some industries, regulatory repercussions, which can undermine shareholder value and corporate viability. VRM platforms are critical not only in preventing compliance issues, but also in protecting organizations from cybersecurity risks caused by third parties and vendors.

Business Continuity Management (BCM)

In its simplest sense, business continuity management platforms ensure that business operations can continue on and help to prevent interruptions in day-to-day performance with tools like disaster recovery plans and business impact analysis.

BCM software automates processes like risk management, business impact analysis, and recovery plan development. Gartner stated that the BCMP solutions market had an estimated $300 million global market revenue by the conclusion of 2017. It’s critical for organizations to identify BCM program processes that are mature enough for automation, or those they would like to be more standardized, and use these processes to define requirements to determine the right platform.

As the GRC era comes to an end, InfoSec teams can achieve even greater security, governance, and compliance with an integrated risk management approach. On their own, these platforms offer stronger performance, improved visibility, and more efficiency. When several of these platforms are combined, however, they become an interlocked defence system whose parts build on each other to protect on a much, much deeper level.
