GRC 101: What is Integrated Risk Management (IRM)?
This post is the first of our GRC 101 series, which will provide an entry-level overview of the business of governance, risk, and compliance. The first three posts will unpack GRC itself, starting with Risk Management.
Governance, Risk, and Compliance, typically shortened to GRC, refers to a company's coordinated strategy for managing the broad issues of corporate governance, risk management, and compliance with regulatory requirements.
In this post, we’ll take a closer look at one of these pillars: Risk Management.
Ask most people what risk management is and they can give a generally applicable answer. At its highest level, it is any measure taken to avoid or limit the chance of a bad outcome, such as wearing a hard hat on a construction site or buying insurance in case of a flood.
In a business context, things get a bit more specific. Let’s start with a definition:
Definition 1: Risk management is the ability to effectively and cost-efficiently mitigate risks that can hinder an organization's operations or ability to remain competitive in its market.
Meanwhile the Open Compliance and Ethics Group (OCEG) offers a more comprehensive definition:
Definition 2: Risk management is the system of people, processes, and technology that enables an organization to:
Applying this is where things get complicated. First, consider all the potential risks a business should think about. Examples of risk areas include financial risk, credit risk, market risk, strategic risk, operational risk, fraud risk, reputational risk, information security risk, technology risk, compliance risk, and natural disaster risk. Within information security risk alone you have security breaches, data loss, cyberattacks, and system failures, to name but a few.
An effective risk management process helps identify which risks pose the biggest threat to an organization and its resources, and provides guidelines for handling them. But that is just the start. Risk management can be divided into three steps: risk assessment and analysis (identifying risks and rating their likelihood and impact), risk evaluation (ranking the rated risks against the level of risk the organization is willing to tolerate), and risk mitigation (deciding how each risk above that level will be treated). Let’s take a closer look at each.
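As an added illustration of those three steps in practice (this is example code written for this post, not a LogicGate product feature, and the post itself prescribes no scoring method), the following risk register rates each risk on assumed 1 to 5 likelihood and impact scales, evaluates the scores against an assumed risk tolerance, and assigns a treatment. The register entries are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed five-point ordinal scales (hypothetical; the post names no scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    category: str
    likelihood: str  # key into LIKELIHOOD
    impact: str      # key into IMPACT


def assess(risk: Risk) -> int:
    """Step 1, assessment and analysis: convert the qualitative ratings
    into a score of 1..25 (likelihood x impact)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def evaluate(register: List[Risk], tolerance: int) -> List[Tuple[str, int, bool]]:
    """Step 2, evaluation: rank the register by score and flag every risk
    whose score exceeds the organization's tolerance."""
    ranked = sorted(register, key=assess, reverse=True)
    return [(r.name, assess(r), assess(r) > tolerance) for r in ranked]


def recommend_treatment(score: int, tolerance: int) -> str:
    """Step 3, mitigation: choose a treatment. Scores within tolerance are
    accepted and monitored; the rest must be mitigated, and the top band
    (assumed threshold of 15) is also escalated to executive sponsors."""
    if score <= tolerance:
        return "accept"
    if score >= 15:
        return "mitigate-escalate"
    return "mitigate"


def treatment_plan(register: List[Risk], tolerance: int) -> Dict[str, str]:
    """Run all three steps and return a name -> treatment mapping."""
    return {name: recommend_treatment(score, tolerance)
            for name, score, _ in evaluate(register, tolerance)}


def sample_register() -> List[Risk]:
    """Constructed sample data for the example; not real findings."""
    return [
        Risk("Ransomware on file servers", "information security", "likely", "severe"),
        Risk("Data loss from failed backups", "information security", "possible", "major"),
        Risk("Regional flood at HQ", "natural disaster", "rare", "severe"),
        Risk("Vendor invoice fraud", "fraud", "unlikely", "moderate"),
    ]


if __name__ == "__main__":
    tolerance = 6  # assumed risk tolerance for the example
    for name, score, above in evaluate(sample_register(), tolerance):
        print(f"{score:>2}  {'ABOVE' if above else 'ok   '}  {name}")
    print(treatment_plan(sample_register(), tolerance))
```

The multiplication is a common qualitative heuristic, not a law; the point of the example is that assessment produces comparable ratings, evaluation compares them with a tolerance the business has chosen in advance, and mitigation decisions follow from that comparison rather than from whichever risk was raised most loudly.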
Who is responsible for risk management depends on the company.
At small companies, there may be no one designated to assess and manage risk. At larger enterprises, there is typically a department whose sole job is to monitor the company’s changing risk profile and put processes in place to manage it. The heads of such departments often hold titles such as Chief Information Security Officer (CISO) or Chief Risk Officer (CRO); more junior staff hold titles like Risk Analyst or IT Security Manager.
Effective assessment, analysis, and management of an organization’s risks pays dividends in many ways. It helps protect assets, improve decision making, and optimize operational efficiency. As a good steward of risk, the company can invest time and resources with a clear understanding of the potential outcomes, including the downsides. It is a fundamental part of any company’s strategy for attaining its goals.
For more on risk management, check out LogicGate’s enterprise risk management solution or download our eBook, How to Build Organizational Support for ERM.