The various niches of risk management have become a veritable alphabet soup of acronyms. The advent of the digital age is partly to blame.
Virtually every organization is “going digital” across multiple business processes and operations. For example, retail is now “e-tail,” manufacturing plants are increasingly automated, and nearly every step of the hiring and contracting process happens online, from application to background checks to payroll.
Every Internet-connected device on a corporate network exposes the organization to the risk that someone might breach the company’s IT systems. The risk grows that unauthorized parties – more commonly known as “attackers” – might gain access to private or proprietary information, disrupt critical services, or shut your business down.
As such risks proliferate and evolve, so do the ways to manage them. New products, services, and consulting partners emerge constantly, each one striving to distinguish itself from the rest.
Coining new terminology is one way to do that. As a result, we now have:
- Enterprise risk management (ERM)
- Governance, risk management, and compliance (GRC)
- Integrated risk management (IRM)
Exactly how do these approaches to risk management differ from one another? Nobody seems to know for sure.
Research firm Gartner, which coined the term “integrated risk management” in 2017, claims that GRC focuses narrowly on regulatory compliance, while IRM has a more expansive, risk-oriented view. Others disagree. (And where does ERM fit into that debate? Again, nobody is quite sure.)
What are the differences among these types of risk management? Are there differences at all? Which is best? This article will try to answer those questions.
ERM: A Short History
Not long ago, risk managers concerned themselves mainly with hazards such as fires and floods or, in the financial sector, loan defaults (credit risk). Organizations typically bought insurance to avoid the losses these risks could cause, thus “transferring” the risk to the insurance company.
Over time, however, boards and executives began to recognize that this vision of risk was too narrow in a global business world. Risks to the supply chain, risks of IT systems coming under attack, risks of regulatory enforcement distracting and disrupting senior executives: none of them neatly fit into pre-existing categories.
After a series of financial, accounting, and insider trading scandals rocked the corporate and shareholder world in the early 2000s, business leaders and Congress recognized the need for strategy-driven enterprise-wide risk management. As a result, in 2004, the Committee of Sponsoring Organizations (COSO) issued a second framework: Enterprise Risk Management – Integrated Framework, subsequently updated in 2017. COSO’s ERM framework builds upon, and is intended to work with, the committee’s internal control framework issued in 1992 and updated in 2013.
Today, COSO’s ERM framework and the International Organization for Standardization’s ISO 31000 Risk Management – Guidelines are the most commonly used frameworks for enterprise risk management.
GRC: A Short History
Although organizations have always engaged in governance, risk management, and compliance in one form or another, the term “GRC” seems to have been coined by risk consultant Michael Rasmussen, the “GRC Pundit,” in 2002. Here’s how he tells the story:
“On a cold, snowy day in February 2002, in the offices of Giga Information Group in Chicago, soon to be acquired by Forrester Research, I sat through two vendor briefings that struck me with a revelation.
“The first was a technology vendor briefing demonstrating their solution to manage and integrate policies, controls, and risks. This struck me. It was something I had envisioned in the 1990s as a consultant, but I was not a software developer, so I never took action. It was simply brilliant. What do we call it?
“A few hours later, I had another briefing with PwC reviewing their services. My ADD mind was bouncing back to this previous briefing while returning to the PwC briefing – sort of a mental Ping-Pong. The PwC briefing had some terms that seemed to drift toward me from the sidelines.
“My mind locked onto the terms Governance, Risk Management, and Compliance on different slides. There it was! A name for this new market: GRC.”
Rasmussen notes that tech-driven GRC solutions came along years after organizations began using spreadsheets and documents (first as paper documents, and later in digital form) to track and manage policies, controls, risk registers, and risk assessments.
GRC solutions have rendered these manual processes increasingly obsolete and make the job easier by taking on ever more functions. Rasmussen sees the GRC development timeline as follows:
- GRC 1.0 (2002-2007): Financial reporting, Sarbanes-Oxley Act (SOX) compliance, and their related IT controls.
- GRC 2.0 (2007-2012): Audit management, enterprise and operational risk management, compliance beyond financial controls, and more.
- GRC 3.0 (2013-2018): Using GRC solutions for enterprise-wide management in various areas such as risk management, compliance, legal, finance, audit, security, and health and safety.
- GRC 4.0 (2018-present): Automated GRC.
IRM: A Short History
In 2018, the research and advisory firm Gartner introduced the term “integrated risk management” (IRM), defining it as “a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.”
It introduced the term as part of its “Magic Quadrant,” evaluating service vendors that provide IRM solutions. Previously, Gartner had focused on GRC vendors.
The firm strove to distinguish between IRM and GRC by saying that while GRC is compliance-focused and reactive, IRM is risk-focused and proactive.
Some thought leaders, including Rasmussen, disputed this distinction, pointing out that GRC solutions continually evolve as risks evolve. Moreover, in 2018 he scoffed at Gartner’s switch to IRM as a marketing-driven attempt to “make itself feel relevant” in his post “The IRM Emperor (Gartner) Has No Clothes.”
In 2020, Gartner informed vendors evaluated in the 2019 Magic Quadrant that it had retired the IRM market category “in favor of more targeted marketing segments.” While the company will continue to research IRM, it has found that most users view IRM as a strategy to be pursued rather than a product category, Gartner said. Its official statement is worth quoting at length:
“There is no single buying center for IRM solutions with a consolidated view of risk and a consolidated budget. Therefore, IRM is not a good fit for what our end user clients consider a ‘market’ to be. Magic Quadrants are aimed at individuals selecting vendors and products to solve specific critical problems. Therefore, this Magic Quadrant and Critical Capabilities research was not aligned to our end user clients’ behaviors.”
Does this mean that IRM is a risk management strategy and GRC is a risk management solution? Not so fast, our experts say.
ERM vs. GRC vs. IRM: What’s the Difference?
Practically speaking, there is no difference, according to Reciprocity consultant Gerard Scheitlin, founder and president of the risk management company RISQ Management. All three terms refer to enterprise-wide, integrated risk management – a program that encompasses all risks: cybersecurity, finance, human resources, audit, privacy, compliance, natural disasters, and so on.
The way the terms are used, however, defines ERM as involving strategic, high-level risk management that includes various functions and involves executives and the board.
IRM, according to Gartner, involves the hands-on work that makes ERM possible: the technical controls critical to effective cybersecurity, such as security monitoring, network monitoring, and perimeter protection.
Somewhere in the middle is system management: risk management policies and procedures, which Gartner places in the ERM camp. Accreditations and certifications are considered compliance; some of those measures fall on the ERM side (such as COSO and ISO 31000), while others would be more technically oriented and therefore classified under IRM (such as compliance with NIST and PCI DSS cybersecurity frameworks).
Under Gartner’s model, the point where ERM and IRM split is a gray area, and an irrelevant one, Scheitlin maintains.
“The differences between them don’t matter,” he says. “They’re integrated.”
Both IRM and ERM provide a holistic model to manage IT risk and operational risk, Scheitlin says, and are integrally related. You can’t have one without the other: IRM feeds ERM, and ERM guides IRM.
And GRC, which Scheitlin calls “risk assurance,” implements this holistic approach. GRC is where risk management magic happens.
The Better Question To Ask
ERM, IRM, GRC: Which is more important? They’re all critical, Scheitlin says. The better question to ask is where your organization should start its risk management efforts.
“Typically, most start at the technical controls,” he says. “So you’ve got to have some in place. And that’s where every CISO wants to start, because it’s considered the first line of defense.”
“Then you’ve got to build out your system. How are you going to build it? What are you going to do? How are you going to put it all together? It would help if you built a model, like a risk hierarchy, to categorize how you will get work done. You have technical (IT) risks, system risks, and process risks. How will you ensure you’ve got the entire organization involved in this?”
For a truly holistic risk management plan, you need to create a risk profile for your enterprise that takes an integrated view of all departments and functions.
You’ll conduct a risk assessment identifying and prioritizing risks and establish the amount of risk you’re willing to take, typically known as your risk appetite.
You’ll think ahead, anticipating new risks down the road and your organization’s risk response: accept, avoid, transfer, mitigate.
You might use a risk management framework such as COSO or ISO 31000 to aid decision-making and guide you through these tasks. Risk management solutions (and especially GRC solutions) can also be invaluable.
The best GRC solutions will manage risks from bottom to top: technical, systems, and process, not only in the enterprise but also third- and fourth-party risks. They’ll also make compliance management a snap.
What Is IRM in Risk Management?
Integrated risk management (IRM) refers to all risk management practices used by an organization to enhance risk visibility and decision-making, so that the organization can not only survive risk, but also benefit from it.
IRM works by bringing discipline to how groups within the organization handle the risks they face; it is meant to impose unity and consistency across the many silos of an organization that, left to themselves, might handle risks in different ways. IRM would make them confront questions such as:
- How can we plan our actions to minimize risks?
- What are integrated risk management’s value-creating factors?
- What possible consequences may there be if the risk is not managed?
- How can a comprehensive approach to risk management assist in minimizing failure and increasing success?
Building a solid IRM process inside a business has several benefits. Below is a summary of a few business benefits that an organized IRM program may provide.
- Users and application systems receive accurate, consistent, and verifiable information.
- It allows companies to meet compliance standards with readily available, trustworthy, and secure data.
- It offers the flexibility to create and manage new organizational structures and inter-organizational linkages that may come from mergers and acquisitions.
- Integrated risk management makes it easier to define, implement, and measure a corporate data quality strategy and its metrics, and it helps businesses avoid delays caused by data problems when delivering goods or services to customers.
- It assists management in determining the best solution for managing risks following the organization’s strategy, objectives, and risk tolerance.
- It aids leadership teams in maintaining a comprehensive understanding of how risks may affect the company’s business objectives and strategic goals.
- It enables one or more risks to be managed by a single monitoring and management system, improving the clarity of corporate risk assessments, risk management, and understanding of interconnections between various risk categories.
- IRM yields a more realistic analysis and evaluation of management’s risk mitigation actions, because it also accounts for events beyond the risks that were specifically studied.
Many Needs, One Solution
“The Reciprocity ROAR platform covers all of this,” Scheitlin says. ROAR (Risk Observation, Assessment, and Remediation) identifies vulnerabilities, analyzes policies and procedures, helps to assure that monitoring and other controls are working as they should, and strengthens compliance with various frameworks.
- Direct integrations with critical third-party apps. Select from our library of pre-built connectors via ZenConnect to integrate ROAR with the business and infosec apps your company relies upon, including AWS, Qualys, Jira, Splunk, Slack, and Tableau.
- Industry-specific content developed by our experts. Access pre-built and preloaded templates for frameworks like SOC 1 and SOC 2, FedRAMP, ISO, PCI, HIPAA, and SOX, so your teams can get up and running fast.
- Real-time access to infosec posture. Automate evidence collection, simplify workflows, and generate real-time reports to reduce manual effort and shorten audit cycles.
- Easy-to-use cross-mapping to multiple frameworks. Avoid redundancies, identify overlaps, and quickly assess gaps in your company’s infosec and compliance efforts.
- Customizable risk calculations and multi-variable scoring. Gain a holistic view of risk across your organization so you can understand how multiple risks interact, how they could affect your business, and the probability that they will become incidents.
- Streamline vendor and third-party risk management. Automate questionnaires and assessments, improve vendor relationships, and eliminate unnecessary workloads for your teams.
- Unified contextual insights based on your business objectives. Convey the risk implications of business processes and priorities to eliminate silos and enable data-driven decisions.
- Increased visibility and reporting with dashboards. Improve transparency and multi-level stakeholder reporting with up-to-date status reports that aren’t a burden.
Reciprocity ROAR is the most comprehensive solution for fully integrated, holistic, enterprise-wide management of your organization’s risks. Schedule a demo today, and start on the path to worry-free governance, risk management, and compliance.