Integrated Risk Management (IRM)/Governance Risk and Compliance (GRC)

GRC is an organization's coordinated strategy for managing the broad issues of corporate governance, enterprise risk management, and corporate compliance with regard to regulatory requirements. It describes technology platforms and business processes applied to monitor, inform, and manage an organization's: 1) governance relative to specific legal, contractual, internal, social, and ethical parameters, 2) comprehensive risk management efforts; 3) compliance with relevant industry regulations.


IRM is an approach to risk management that integrates risk activities from across an organization to enable better and more sustainable strategic decision making. Gartner coined the term in 2016 to describe the evolution of technologies and processes beyond what the firm now considers to be “legacy” GRC (Governance, Risk, and Compliance) approaches. Gartner differentiates IRM from GRC by suggesting GRC is primarily compliance-focused, confined within organizational silos and used by technical practitioners. By contrast, IRM is risk-focused, comprehensive, and used by business leaders. IRM considers comprehensive operational and IT risk posture to drive strategic decision making.


Seeking Clarity?

View the Cybersecurity Dictionary for top terms searched by your peers.