Integrated risk management (IRM) is “a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks,” according to the research and advisory firm Gartner, Inc.
In other words, integrated risk management is an approach to managing operational risks as well as IT risks that encompasses the entire organization as well as its third- and fourth-party vendors and contractors, and involves all business functions — including some that normally might not be associated with risk management, such as human resources and communications/public relations.
Although closely aligned with enterprise risk management, IRM is less about strategy and more about the hands-on work of managing risk, implementing and monitoring controls at the system and technology level.
Cybersecurity risks that become incidents could disrupt critical business functions. Managing those risks has long been relegated to information technology personnel overseen by a chief information security officer (CISO). Audit and compliance staff have typically been involved, too, helping to ensure that the enterprise conforms to regulations and industry standards that govern information security.
But as businesses increasingly become “digital-first,” many are taking a more holistic, integrated approach to managing the risks posed by cybercrime such as data breaches, theft of intellectual property, and debilitating ransomware.
IRM doesn’t only include cybersecurity, however. It takes into account every type of risk. In human resources, for instance, an employee who fails a background check, or who has falsified their resume to appear qualified when they aren’t, poses a risk to the organization. IRM helps you mitigate, avoid, or respond to these risks in a manner that protects the enterprise.
Gartner, which coined the term “integrated risk management” in 2017, lists six integrated risk management attributes:
- Strategy: IRM begins with a risk management framework such as the National Institute of Standards and Technology’s cybersecurity framework (NIST CSF). Strategizing aims to improve business performance through effective governance and risk ownership. At this stage, you will create a risk profile summarizing risks to the organization and determining the level and types of risk your enterprise is willing to take (“risk appetite”).
- Assessment: Identifying existing and new risks, assessing and evaluating them, and prioritizing business risks according to the level of threat they pose is a critical step in the integrated risk management process. Taking an integrated view of risks business-wide is key.
- Response: Deciding how to handle risks comes next. This step involves creating a risk register listing every risk the enterprise faces and assigning a response to each. Possible responses include accepting, avoiding, or mitigating risks, and applying the appropriate risk mitigation controls.
- Communication and reporting: Informing board members, investors, employees, and other stakeholders of strategies, plans, and responses to risks and threats can help promote the risk-aware culture necessary for a truly integrated approach.
- Monitoring: Are your controls working as they should? Effectively managing risk entails keeping a watchful eye on processes to ensure that they’re being followed as prescribed. Monitoring lets you know if the organization is meeting its objectives regarding risk and holds people and processes accountable.
- Technology: Using spreadsheets to manage and monitor risks can’t do the job properly in the digital age. Instead, enterprises are turning to effective governance, risk, and compliance (GRC), enterprise risk management (ERM), and integrated risk management solutions.