Integrated Risk Management: Above and Beyond Risk Mitigation

Integrated Risk Management flow chart
Originally posted at

We face risk every day – it’s a part of life. For organizations, it’s also a part of doing business. There are many different definitions of risk and even more methods for managing it. Over the last couple decades, risk management has evolved due to the changing business landscape and interconnected world.

As the digital universe has expanded, so have the capabilities of the individuals and organizations trying to exploit it. Sadly, organizations face these threats every single day. This is why they must find a way to identify and deal with these risks without jeopardizing business operations and reputation. All while operating in an increasingly regulated world.

Exposure to Business Risk Has Always Been a Concern

The type and frequency of risk has changed but exposure to business risk has always been a concern. Early on, organizations simply had to identify the risk and define how they would deal with it. This wasn’t an exact science and the total ramifications were seldom understood. As regulations increased in an effort to protect consumers, risk management evolved from simple identification and remediation to compliance and governance.

Governance, Risk and Compliance (GRC) became the standard as companies operated within frameworks to choose the controls they must be compliant with based on their business and the governing body. This also entailed policy and procedures, technology, tools, and monitoring. But the growing threat of attacks casts a bigger shadow over business financials, reputation, and overall viability creating a need for aligning security priorities with the overall corporate vision and goals to protect critical digital assets and systems. Aligned in this way, organizations can make better informed, more strategic business decisions.

A Shift from GRC to IRM

Two years ago, Gartner shifted focus away from GRC to Integrated Risk Management (IRM) because it enables simplification, automation, and integration of strategic, operational, and IT risk management processes and data. IRM goes beyond the traditional, compliance-driven GRC methodology to provide a complete view of risk from across the organization. Security and risk management leaders are beginning to recognize the need to add value and long-term benefit by aligning with business strategy to make enterprise-level decisions.

Gartner describes the key to the success of IRM as the ability to provide a vertically integrated view of risk starting with an organization’s strategy through its business operations and ultimately into the enabling technology assets. Easier said than done. But they also estimate that by 2021, more than 50% of large enterprises will use an IRM solution set, up from approximately 30% just a year ago (Top 10 Factors for Integrated Risk Management Success, Gartner Inc., August 2018). If you’re looking to make the transition from GRC or even ERM to IRM, you need to understand the elements of IRM and the long-term benefits.

The first step toward IRM is to understand the key components as defined by Gartner. These six use cases include:

Digital Risk Management (DRM)

DRM technology integrates the management of risks specifically associated with digital business components, such as cloud, mobile, social, and big data, as well as third-party technology, such as artificial intelligence and machine learning, operational technology (OT), and the Internet of Things (IoT).

Vendor Risk Management (VRM)

Vendor risk management programs help organizations manage the risks of third parties with adequate controls for business continuity management, vendor performance, vendor viability security, and data protection.

Business Continuity Management (BCM)

Business continuity management is the practice of coordinating, facilitating, and executing activities that ensure an enterprise’s effectiveness in identifying risks that can lead to business disruptions, implementing disaster recovery solutions and recovery plans, responding to disruptive events, and recovering mission-critical business operations.

Audit Management (AM)

Audit management solutions streamline internal audit operations. These solutions automate audit planning, scheduling, work paper management, time and expense management, reporting, and issue management.
Corporate Compliance and Oversight (CCO)
Corporate compliance and oversight software supports the goals and activities of compliance leaders, providing automated policy development and management, compliance risk assessment, control rationalization, assessment and attestation, regulatory change management, and investigative case management.

Enterprise Legal Management (ELM)

Enterprise legal management software applications provide support through better documentation, spend management, information availability, and collaboration via an integrated set of applications that include matter management, e-billing, financial/spend management, legal document management, and business process management.

Obviously, this transformation doesn’t happen overnight. But once you have leadership buy-in to an IRM approach, you can begin to implement the strategy and tools necessary to realize a true, enterprise-wide view of risk. Is it worth it? Consider the long-term benefits:
  • Strategy-based; aligns with corporate mission and objectives for improved, comprehensive, decision-making
  • Consolidated reporting from across the organization
  • Removal of “silos” provides enterprise-wide awareness of risk
  • Integrated view of risk provides full understanding, resulting in business opportunity, cost savings, competitive advantage, and business value

Is IRM right for your organization? Only you can decide. But one thing is certain—each organization needs to continue to evolve in how it approaches risk. More and more CEOs expect their risk management strategy to align with organizational goals and objectives. In the end, IRM ties your program and activities to something meaningful for the business.

If you would like to learn more about Integrated Risk Management, check out this IT Leadership Summit presentation entitled: Integrated Risk Management = Enterprise-Level, Strategic Decision Making.