Gartner GRC vs IRM: What’s in a Name?

“What’s in a name? That which we call a rose, by any other word would smell as sweet.”

— Romeo and Juliet, Act II, Scene II by William Shakespeare

Like scores of current and former high school students, I had the chance to read my fair share of Shakespeare. Because I was a bit of an underachiever and not in the honors class, we sometimes “cheated” and read the abridged version of his plays rather than the complete versions, but I enjoyed them nonetheless. My favorite was Romeo and Juliet, a beautiful yet tragic tale of young love pitted against insurmountable odds.

What does Shakespeare have to do with Onspring? Well, being a software company, particularly one that offers solutions focused on Audit Management, Risk Management, Controls and Compliance Management, Policy Management, and the like, we couldn’t help but notice a recent stir in our world—namely, the brewing debate of GRC vs. IRM.

For those of you who may not be aware, GRC stands for Governance, Risk and Compliance (or Controls, depending on who you ask) and IRM stands for Integrated Risk Management.

I realize that many people may be unaware that either of these terms exist, but having worked in the software industry for the last eight years, the term “GRC” has been uttered more times than I can count. The GRC market, GRC solutions, GRC practitioners, GRC conference, GRC analysts, GRC pundits—if you are someone who practices in any of the areas I referred to before, you have probably been inundated with the GRC acronym in recent years.

Anyone reading this likely works for a company that brands, markets and sells products and/or services to a targeted group of customers. GRC has been the term used by those of us in this corner of the software world to brand, market and sell our products and services. And the analyst community, which is comprised of firms that brand, market and sell software evaluation services, has used the term GRC for years.

But in 2018, we saw a shift. One of the most well known analyst firms (Gartner) came out with a new acronym: Integrated Risk Management (IRM). Gartner analyst John Wheeler explains their logic on the Gartner blog, arguing that “IRM goes beyond the traditional, compliance-driven GRC technology solutions to provide actionable insights that are aligned with business strategies, not just regulatory mandates.”

This ignited a fiery response from another pillar of the analyst community, Michael Rasmussen, founder of the analyst firm GRC 20/20. In his blog The IRM Emperor (Gartner) Wears No Clothes, Mr. Rasmussen goes into great detail about the shortcomings of Gartner’s rebranding strategy as he perceives them. I won’t go into detail here, I’ll let you read for yourself.

A third key player in the analyst market, Forrester, seems to simply ignore the IRM “phenomenon” and continues to market its GRC Wave report as it always has.

Who knew the GRC software world could be as intriguing as a Shakespeare play? It’s like the Montagues vs. the Capulets! Again, because Onspring plays a part in this industry full of ever-changing acronyms, I can’t help but sit rapt as this all unfolds. Given that we do offer solutions in this space and that we do not currently work with any of the aforementioned analysts, I can’t help but make a few independent observations:

Observation 1

Gartner says that GRC solutions are outdated because they only focus on compliance-driven mandates, not actionable insights aligned with business strategies. Having gone through the GRC software evaluation process, I believe risk management solutions and strategies are a part of their evaluation process (as were the other process areas called out in their new IRM strategy). 

Observation 2

Coming from a practitioner background, I was always squarely focused on my particular area of practice (internal audit). In fact, the first time I ever heard the term GRC was when I joined a software company that marketed GRC solutions. To this day, many of the practitioners I speak with use the term “GRC” only when talking about software, and not in reference to the work they do. This leads me to wonder just how critical this branding change is to the practitioner community. And though I speak with practitioners every single day, I’m still waiting for one to drop “IRM” in a conversation.

What does this all mean?

For many, it means learning a new language and making old terms taboo. For others it means straddling both sides of the fence, depending on who you’re talking to. For others, it doesn’t mean very much at all.

At Onspring, we are always willing to speak in terms that resonate with our customers. We are interested in empowering our clients to take control of their critical Policy, Audit, Risk, Compliance and other business processes and do their best work. We do this by providing a tool that delivers world-class performance, that gives them the flexibility to work the way that best suits their needs and that is actually enjoyable to use. We do this by constantly innovating and delivering new and better ways to manage their critical processes. We do this by listening to them and understanding their needs. We do this by partnering with them and caring about their success. That which we call GRC or IRM, by any other word would still smell as sweet.

Learn more about our GRC solutions here

Let's demo

When you’re ready, we’re ready.

See what Onspring can do for your GRC plans.
Let's demo

About the author


Jason Rohlf
Vice President at Onspring
20 years internal audit & GRC experience