GRC & Chill: Kickstarting Your Risk Management with Quantification
In this episode of GRC & Me, Megan Phee talks to Netflix's Senior Information Security Risk Engineer, Tony…
This post is part of our GRC 101 series, providing an entry-level overview of the business of governance, risk, and compliance. In this post, we take a look at a similar acronym, IRM.
In late 2018, Gartner made the following statement about the future of risk management:
“By 2021, 50 percent of large enterprises will use an IRM [Integrated Risk Management] solution set to provide better decision-making capabilities.” [source]
Moreover, Gartner stated that the market for Integrated Risk Management alone would reach $8 billion annually, including consulting and implementation fees. Considering IRM’s relative infancy as a term (at least compared to GRC), it made for a bold vision of the future.
For many of the Chief Risk Officers faced daily with an exploding number and variety of risks, it likely made a lot of sense. Unlike many of their colleagues, risk managers have recognized for some time that the old Governance, Risk, and Compliance approaches have fallen short of addressing what’s really going on in risk departments. Traditional risk management is ill-equipped to manage the risks that permeate organizations in new (and expanding) ways. IRM seeks to account for enterprise-wide risks and empower decision-making at every level of the organization.
The market appears to be finally catching up. Let’s take a look at what that means.
What is Integrated Risk Management?
Gartner defines Integrated Risk Management (IRM) as “a set of practices and processes supported by a risk-aware culture and enabling technologies that improve decision making and performance through an integrated view of how well an organization manages its unique sets of risks.”
Under the Gartner definition, IRM has certain attributes:
- Strategy: Enablement and implementation of a framework—including performance improvement through effective governance and risk ownership
- Assessment: Identification, evaluation, and prioritization of risks
- Response: Identification and implementation of mechanisms to mitigate risk
- Communication and reporting: Using appropriate means to track and inform stakeholders of an enterprise’s risk response
- Monitoring: Implementation of processes that track governance objectives, risk ownership/accountability, compliance, and decision-making, as well as their risks and effectiveness
- Technology: Design and implementation of an IRM solution (IRMS) architecture
To synthesize: faced with overwhelming threats, IRM gives companies a framework for identifying, analyzing, mitigating, and managing risks holistically.
Sound similar to GRC? You’re not alone. A few industry voices have observed that Gartner’s definition of IRM is no different from the goals of GRC, just under a different name. It’s possible Gartner believes the term GRC has gotten stale due to its association with legacy GRC solutions, and created IRM to rebrand the industry and signal a new way forward.
The LogicGate point-of-view: we help our customers achieve their goals of improving their risk and compliance programs. Whether you refer to that as GRC or IRM at your company, it doesn’t really matter to us. We use the terms interchangeably.
What’s behind the rise of IRM?
For insight, Gartner’s John Wheeler turned directly to executives, noting in his blog “79 percent of executives stated that their organizations experienced risks that have actually translated into significant operational surprises and business disruptions in the past five years.”
Digital processes, global business, outsourcing to third parties, and more have created a rising tide of risks that compound to impact organizations in new and difficult-to-manage ways.
- Digital Processes: Companies are finding efficiencies and competitive advantage in a wide range of emerging digital technologies, including big data, mobile devices, the Internet of Things, and social media—all of which contribute to an expanding risk profile. These include cyber concerns, data exposure, and privacy issues.
- Globalization: Over the last few decades, globalization has promoted worldwide economic growth, created new markets, lowered prices for consumers, and much more. It has also introduced a great deal of operational risks. Geopolitical risks from natural disasters to currency swings can impact business operations in significant ways.
- Reliance on Third Parties: In recent years, companies have increasingly come to rely on networks of third-party vendors to help them compete. These vendor relationships are not only more numerous, but more sensitive information is being shared across them as well—bringing a host of oversight concerns including lack of control, cybersecurity threats, and risks to reputation.
What can IRM do for organizations?
Integrated Risk Management gives business leaders a clear picture of all their risks. With their newfound understanding of the enterprise’s dynamic risk profile, they can make better decisions at the enterprise level about which risks to mitigate, and which to accept or transfer. Similarly, by integrating risk areas and recognizing interdependencies, executives can ask more strategic questions about how risk in one part of your business impacts other parts of the business.
With IRM, the value of the program actually increases as more risk activities are brought into view. In a fully mature IRM program, all risk categories should roll up into centralized reporting tools and dashboards, allowing business leaders to leverage insights from all risk areas for better decision making.
LogicGate's Integrated Risk Management Software
At most companies, the full scope of risk is too much to manage by hand. Thus, IRM must be powered by technology if it’s to effectively meet the myriad and interconnected challenges that we’ve identified.
LogicGate helps users perform IRM in ways that are not only effective and efficient, but agile enough to respond to the ever-shifting nature of global risk. Our Enterprise Risk Management solution offers powerful data mapping capabilities, enabling you to see a holistic view of all your risks and how they relate to the business objectives and drivers that impact your organization. Based on your organization’s unique risk appetite, LogicGate’s flexible app builder empowers you to customize your risk scoring model and drive risk-response protocols based on conditional logic and dynamic reporting. Armed with this data, you’ll be able to make decisions concerning risk and innovation with confidence.
For more on Enterprise Risk Management, check out LogicGate's eBook below on How to Build Organizational Support for ERM.
