A quiet but unmistakable shift is underway in the world of risk management and compliance.
A booming market of tools and services once marketed as "GRC" (Governance, Risk, and Compliance) has disappeared, replaced by a successor labeled "IRM" (Integrated Risk Management). In late 2017, this shift - from GRC to IRM - was cemented when Gartner officially moved beyond GRC to publish their first ever Magic Quadrant for Integrated Risk Management.
This transition is about far more than semantics or branding, though. There's a clear functional shift underway, and it’s starting to gain more industry attention.
At its core, the move to Integrated Risk Management is a reflection of the shifting needs of today's digital businesses. New risks, new technologies, more complex regulatory requirements, and new demands from the business have forced the GRC market to evolve. Security and risk management leaders are no longer satisfied with traditional, compliance-driven GRC tools - today's tools need to synthesize, integrate, and visualize all forms of risk data.
Simply put, it's a new approach to risk management that integrates risk activities from across an organization to enable better and more sustainable strategic decision making.
Or, as Gartner defines it, IRM is a set of practices and processes supported by a risk-aware culture and enabling technologies that improves decision-making and performance through an integrated view of risk.
For most organizations, building an IRM program means blowing up traditionally siloed risk areas and replacing them with a single, holistic view of enterprise risk.
In order to see this holistic view of enterprise risk, organizations must look both vertically and horizontally at how risk is managed. From a vertical perspective, this means linking the overall corporate risk reduction strategy to distinct, quantifiable business objectives, which, in turn, can be met by deploying specific risk mitigation actions across the organization with support of the IT infrastructure.
At the same time, an organization must apply this “integrated” view across a variety of risk management activities that take on distinct perspectives of risk. For example, a legal department has its own definition of risk and its own series of mitigation plans, but that legal definition of risk varies drastically from the way IT-related risk is being addressed. By integrating these siloed risk constructs under one centralized risk management framework, an organization can view and analyze every risk metric simultaneously.
Short answer: as many as possible.
With IRM, the value of the program increases as more risk activities are brought into view, because it allows business leaders to make enterprise-level decisions about which risks to mitigate, and which to accept or transfer.
There are many important risk areas to consider as part of your Integrated Risk Management program, and there are often connections and interdependencies among them. As you break down siloes and improve control and visibility over one risk area, you often improve decision-making and business intelligence in other areas.
Similarly, integrating risk areas allows you to ask more strategic questions about the nature of your business risk, and how risk in one part of your business impacts other parts of the business.
Some of the key risk areas, as well as samples of these strategic questions, are outlined below.
Identity Risk Management - IdRM is the set of processes to mitigate the access risk in an organization through the Identity Access Management process (infrastructure for creating, maintaining, and using digital identities). When integrated within the broader technology risk posture of the organization, it will provide substantial improvements in an organization’s ability to measure and mitigate overall enterprise risk.
For more information about integrating Identity Management, check out our IRM whitepaper, Rethinking the Identity Risk Equation.
Third-party Risk Management - Managing complex vendor supply chains is one of the biggest challenges facing security and risk management leaders today. Recent third-party breaches and new compliance mandates make the issue even more pressing.
Strategic question: What is the impact on business continuity management or identity access management if the third-party risk for a particular vendor is high?
Business Continuity Management - The ability to identify, respond to, and recover from business disruptions is critical to the success of the modern digital business.
Strategic question: Does the business impact analysis align with the overall risk assessment of the organization or the risk profile for key third parties?
Corporate Compliance Management - The job of compliance managers only becomes more complicated as new regulations, like GDPR, come into effect, and organizational compliance requirements (social and environmental responsibility, for example) begin to accumulate.
Strategic question: What is the impact of incidents on my compliance obligations?
IT Risk Management - The risk associated with new and growing technologies continues to evolve. The Internet of Things (IoT), machine learning, social media, big data, and mobile devices (among many others) disrupt traditional risk management models and present new challenges for enterprise decision makers.
Strategic question: What is the impact of vulnerability management on IT risk?
Depending on your organization, you may also consider other key risk areas, like legal management and audit management, for inclusion in your Integrated Risk Management program.
In a fully mature IRM program, these sub-domains should roll up into centralized reporting tools and dashboards, allowing business leaders to leverage insights from all risk areas for better decision making.
This may sound difficult to achieve – and it is – but leading organizations are moving in this direction because of the long-term benefits it offers to the business:
But perhaps most importantly, knowing your risks across the business creates opportunities – for cost-savings, competitive advantages, and alignment. And as a business leader, creating these opportunities allows you to add value to your organization above and beyond risk mitigation.
Even if your organization is not ready to begin a full-blown IRM revolution, you can begin taking small steps to improve your risk visibility by leveraging the tools you already have in place.
To learn more about enhancing the Integrated Risk Management program at your organization, schedule a meeting with one of our IRM experts and check out our IRM whitepaper.
Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.