It has been roughly one year since Gartner released the 2018 Magic Quadrant for Integrated Risk Management, the first of its kind, and as of this week the second Integrated Risk Management MQ has finally been released. The purpose of integrated risk management (IRM) is to enable organizations to simplify, accelerate, and communicate risk and compliance seamlessly up and down the chain of command, and across business functions whether technical or otherwise. A strong IRM strategy supports organizations in making better business decisions that help lower existing, new, and unforeseen risks in our new, digital world.
It’s been a big year for the risk and compliance industry and, as we’ve seen, there are significant shifts in the way that enterprises approach cybersecurity risk management. As a result, the tools they use have shifted as well, and new players outside the quadrant are starting to replace or augment market leaders, amongst other trends.
A Shift In Use Cases
In analyst John Wheeler’s benchmarking post introducing integrated risk management as the future of risk and compliance, he illustrated the new approach using seven core functions: corporate compliance and oversight, audit management, digital risk management, operational risk management, vendor or supply-chain risk management, business continuity management and planning, enterprise legal management. Six of those seven (with operational risk management at its core) served as the use cases that Gartner used to analyze members of the 2018 Magic Quadrant for Integrated Risk Management.
This year, we’ve seen a change. With Jie Zhang at the helm of this year’s report, the analysis is no longer broken down by function; she has brought a new lens to the table, directly linking risk and compliance management to business outcomes. There are three use cases based on the lens through which the platforms help customers see their cybersecurity risk and compliance: business-outcome-centric, operation-centric, and compliance-centric. These three lenses illustrate how their respective users view the overall risk and compliance data gathered within a central platform:
- Business-outcome-centric bridges the gap between technical and business-side stakeholders
- Operation-centric focuses on quantifying, managing, and mitigating risk
- Compliance-centric ensures that requirements are met to continue business operations
Simplifying these six use cases down to three indicates how enterprises are viewing risk and, more importantly, the shift that is occurring within cybersecurity organizations. Businesses are recognizing the need for a more integrated approach across all of Wheeler’s six areas. The 2019 MQ use cases indicate that these three lenses are how the market needs to view its cybersecurity posture.
Critical Capabilities
Where the IRM use cases saw a remarkable consolidation from six to three, the critical capabilities for integrated risk management solutions remained mostly unchanged. The primary focus on risk management over checkbox compliance remains a foundational theme in the Gartner literature, and for good reason: checkbox compliance should be a starting point for organizations, and risk and compliance management should be treated as a core business function. Compliance alone can’t be the primary focus for staying secure as digitization intensifies.
Shifts in IRM MQ Vendors Listed
The integrated risk management market itself has seen many shifts since the release of the 2018 MQ. From the ACL acquisition of RSAM and the subsequent rebrand to Galvanize, to the Reuters spinout of Refinitiv, the changes to the IRM market have come fast. The most significant shifts came from the Challenger and Visionary sections of the quadrant, driven by mergers and acquisitions, specifically ACL/RSAM and the Nasdaq sale of BWise to SAI Global. As the report notes, both of these shifts specifically indicate changes ahead for existing products and for how the rest of the market will react.
Takeaways
This year we have the data points to see trends and shifts in the IRM market. The changes in use cases, in competitors, and in assessment criteria all point to a fundamental truth: cybersecurity compliance and risk management can no longer be a siloed function that exists in a vacuum; it must be seen as a business function and managed enterprise-wide. As we’ve spoken about before, it will be up to the IRM vendors to fundamentally change their modular, static approach to integrated risk management to meet market needs. We anticipate that these shifts are only the beginning, and we are excited that CyberSaint has been built on the integrated risk management vision from the beginning.