Integrated risk management (IRM) is a strategic and collaborative way for organizations to manage risk across their entire group. With IRM, the risk management team works together with all business segment leaders to share and visualize data around risk, determine the organization’s true appetite for risk, ensure compliance, and communicate the risks and risk mitigation strategies to the C-Suite. This strategy accepts risk as a part of doing business and pulls it into a company’s culture, so that the organization manages risk as a part of both daily operations and long-term strategy. The result is a company-wide understanding of risk and risk mitigation that positions the organization to be better prepared for handling risk and builds up proactive defenses through advance scenario planning. This guide outlines the essential elements of IRM and why it’s important, key approaches to be mindful of, and what to look for when determining which integrated risk management software solution is right for your organization.
What Is Integrated Risk Management (IRM)?
Integrated risk management is an organization-wide approach to addressing risk that involves input from all teams and centers risk as a fundamental part of business strategy. Gartner defines it as a “set of practices and processes supported by a risk-aware culture and enabling technologies that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.” Any business activity carries inherent risk, so IRM folds risk assessments and mitigation strategies into all aspects of the company. IRM ties together three risk management program areas — technology/cyber risk, operational risk, and enterprise/strategic risk. An integrated risk management framework involves stakeholders within and outside the organization, requires vocal and consistent support from senior management, and relies on good communication between teams in order to be successful. The result is a comprehensive view of an organization’s risk positions — from strategy to execution. IRM also enables a “risk-first” mindset that creates a more agile, forward-thinking, risk-aware culture — outpacing the outdated compliance-driven approach to risk management.
Why Is Integrated Risk Management Important?
As John Wheeler, a former Gartner IRM analyst and currently Senior Advisor to AuditBoard for Risk and Technology, notes, “No matter the size, industry, or location, every business looks to achieve four IRM objectives — better performance, stronger resilience, greater assurance, and cost-effective compliance.” While at Gartner, Wheeler effectively coined the term “integrated risk management” and led the research that defined the new approach and the IRM technology market. He has identified four ways IRM enables organizations to work towards those goals: improving performance, increasing resilience, locking in company-wide risk assurances regarding the overall appetite for risk and mitigation strategies, and meeting compliance requirements as a by-product without outsize costs, resources, and friction for the business.
There are many benefits to using an integrated risk management framework, both in everyday business activities in the short term and as a part of long-range planning. The integrated risk management approach is important because it ensures that an organization is comfortable with risk and assesses how best to manage it, folding ongoing risk assessments and mitigations into everyday activities. The benefits to an organization range from day-to-day operational improvements to larger-scale results — and companies are far less likely to be surprised by unforeseen risks, thanks to the thorough advance planning and scenario building in the risk assessment and mitigation processes. IRM benefits include:
1: Good Data
Compliance risk assessments and fulfillment are a part of IRM, so company data is always reliable, current, and available to business leads who need the latest details on the organization’s regulatory compliance positions.
2: Disaster Preparedness and Resilience
The integrated risk management approach prepares organizations for edge-case extremes and allows organizations to bounce back quickly in the event of a major disaster. An extreme weather occurrence or work stoppage won’t halt all business, because IRM sets up an organization to maintain critical functions.
3: Cost Savings
IRM provides insight into a company’s risks and operational controls, mapping individual controls to multiple risk factors. Understanding business risks that hit different areas and their mitigation controls can reduce costs due to compliance redundancies.
4: Finding Efficiencies
The IRM process helps identify opportunities for savings and often finds efficiencies during the risk identification, analysis, and assessment exercise. This extends to teams, and groups may gain flexibility and new organizational structures and cross-team relationships that cut costs.
5: Appetite Awareness
IRM assessments allow senior management to determine the best possible options to mitigate the identified risk issues, and in doing so clarify an organization’s strategy and their overall appetite and comfort level with their business risks.
6: Project Prioritization
The IRM process works to ensure that high-priority projects are properly resourced and positioned first by the business, and guides decisions so that significant risks are well-managed.
7: Comprehensive Views
Leaders gain a full view of how their organization’s risks have an impact on objectives, strategies, and operations. Successful IRM also takes into account events that might take place outside of the studied risks, and in doing so contributes to a healthy analysis of the landscape and management’s position in all areas of their industry.
8: Third-Party Trust
It’s more important than ever for companies to create and maintain a high level of trust with outside third parties, be they clients, vendors, or potential buyers. Solid integrated risk management processes with third parties bolster trust not only with them, but with all key stakeholders. For example, sustainability is gaining importance to investors, customers, and regulators, and the ability to achieve positive climate risk ratings can be very appealing.
Taking a comprehensive approach to risk reaps financial rewards — from finding redundancies in controls or personnel, to identifying unexplored areas to work in and generating newfound investor interest. Remember to align IRM efforts to the business goals, and the costs of deploying time and resources against it are quickly outweighed by the benefits.
Six Main Attributes of Integrated Risk Management
In order to comprehend the scope of their risk, organizations need a full picture from all business units and compliance functions, plus any third-party suppliers or partners. To gain that understanding, leaders must understand the six main attributes of IRM. According to Gartner, they are Strategy, Assessment, Response, Communication and Reporting, Monitoring, and Technology.
1: Strategy
Implementing a risk framework, including performance improvements through risk ownership and proper organizational oversight.
2: Assessment
The full risk assessment includes the identification, evaluation, and prioritization of all risks across all business segments.
3: Response
The implementation of mechanisms to mitigate all identified risks.
4: Communication and Reporting
Establishing a proper communication and escalation plan to inform the appropriate stakeholders on risk response and tracking.
5: Monitoring
Identifying and implementing processes that track governance goals, risk ownership and accountability, and compliance. This includes monitoring risks and assessing the ongoing effectiveness of the mitigations and controls.
6: Technology
The design and implementation of an integrated risk management solution architecture.
After working through these six attributes, make sure that your groups are iterating and continuously improving on risk mitigation efforts. IRM is an iterative process that is always evolving and adapting to changes in the marketplace, to vendor technologies, to any new legislation and the resulting compliance requirements, and to the overall business goals.
Four Key Approaches to Integrated Risk Management
There are some essential steps that must be taken when shifting to IRM. The four key approaches are aligning strategies with goals, making sure risk management is a team effort, communicating plans to all stakeholders, and working “smarter.”
1: Match Strategies with Goals
In order to secure executive support and business unit alignment, you must create a culture of risk awareness. Demonstrate a link between improved risk management and better business outcomes, showing team leads that IRM strategy matches the company’s goals. When IRM is linked with financial goals, it’s easier to get complete buy-in from all team members.
2: Risk Management as a Team Effort
After securing cross-team and leadership support for the IRM efforts, there should be a cultural shift. To maintain enterprise-wide accountability, there needs to be ongoing promotion of IRM efforts and shared responsibility for outcomes. Risk assessments must be cross-functional efforts. IT compliance teams and business leads work together to understand what the business is trying to accomplish and how teams can best support those goals. Compliance groups should be alerted to stakeholder decisions and informed any time new systems or solutions are enabled. They then document new processes and procedures, circulating updates across all segments.
3: Communicate Risk Management Plans
Sharing the risk management plans helps all cross-functional teams support and align with the IRM strategies. This requires everyone to have clarity on what their role is, and the risk management efforts need to be visible to all involved. A complete rundown of internal controls must be properly documented and shared. Compliance teams need to continually review processes, document any adjustments, and communicate those updates to stakeholders. Remember: continuous dialogue and over-communication in the world of integrated risk management is a good thing.
4: Work “Smarter”
Leaders often say, “Work smarter, not harder.” For a successful IRM rollout, this means dialing down a team’s repetitive, administrative efforts and turning up innovation in the workplace. Teams that spend a lot of time battling the tactical work of risk management — like tracking controls and permissions — don’t have time to think strategically about their business. Automate as much as you can to free up team time.
Don’t wait to review controls until just before the next audit round. Instead, use automated reporting to gauge performance and make improvements before scheduled review periods. Give teams the time and room needed to be strategic, and then shift as required — remembering to document and communicate all changes to the appropriate parties.
GRC vs. Integrated Risk Management (IRM): What’s the Difference?
Governance, Risk, and Compliance (GRC) is the standard approach that many organizations use to align their business with their industry’s compliance requirements. It’s a more traditional model than integrated risk management, and in the GRC model an organization’s compliance group is singularly focused on ensuring that regulations are met. When comparing GRC vs. integrated risk management, the GRC approach tends to define security policy solely on industry regulations. What is missing here — and what is captured by the integrated risk management approach — is a forward-thinking and business-specific outlook. Risks unique to each organization might be missed by a company solely focused on meeting regulatory needs. By contrast, the culture of IRM folds risk awareness into all aspects of business, and that model maintains a consistent, big-picture view of risk and risk mitigation. That means there is a stronger company-wide culture of mitigating relevant risk, and a smaller likelihood of unanticipated, negative business outcomes.
Selecting the Right Integrated Risk Management Software for Your IRM Program
When choosing the right IRM software for your business, ensure that it helps you collaborate across the organization and connects with the company’s strategic planning process and all business units. Here are additional factors to consider:
Is the tool easy to add into the existing system? How adaptable is it? Can it integrate risk related data from external sources? What does the implementation timeline look like?
Can team members easily learn how to use the tool? Does the service provide training, tutorials, and technical support?
Does the software evaluate risk scenarios and recommend solutions for mitigation? If so, are those recommendations relevant to your industry and actionable?
4: Auditing Tools
Does the software provide proper direction regarding procedures, resourcing, and does it meet both financial and control-based audit requirements?
Are the tools easy to customize, to make sure that your team is able to pull reports on the analytics that are most important to them? Will your organization’s key performance indicators be captured?
Does the software enable learning about the most relevant risks and compliance requirements? Can it inform teams about learning progress and deficiencies? How frequently does it push out useful information?
Does the overall cost of the tool make sense for your organization, given all of the capabilities that are offered and the business needs that you are trying to meet?
Once you’ve answered all of these questions, you should be prepared to select the right software solution for your organization. Keep in mind that the right choice may change as your business expands, contracts, or pivots to a new space, and as the software technologies themselves update and evolve. It’s a good idea to regularly assess whether the software you have in place is still the best choice for your company.
Get Started With Integrated Risk Management Today
The right technology can help you build an effective IRM program. AuditBoard’s integrated risk management software is ready to help you and your organization take steps towards building a powerful, forward-thinking business plan that effectively manages risk. Embrace IRM to future-proof your business and set up your organization for success.