Well, it’s good to see Gartner admit that the GRC market was a bust … basically just selling software for managing lists of 1) regulations, etc. organizations must comply with, 2) risks associated with not effectively meeting them, and 3) controls for managing those and other risks. Amazing how vendors can sell databases with just a different spin in terminology.

So IRM (integrated risk management) is supposed to be the replacement. But if you look at the diagrams used to communicate the concept, it’s clear we’re still a long way from understanding how to do it, and it’s again basically software vendors who claim to have the answer.

When will we learn?