What is Integrated Risk Management?
Gartner defines integrated risk management (IRM) as “a set of practices and processes supported by a risk-aware culture and enabling technologies that improve decision making and performance through an integrated view of how well an organization manages its unique sets of risks.”
Why do we need IRM when we already have risk management? It’s a business maxim. Where business goes, risks follow. And where business has gone in recent years is different than before. Digital processes, global business, outsourcing to third parties, and more have created a preponderance of new risks that impact organizations through and through.
As John Wheeler noted in his Gartner blog: “79 percent of executives stated that their organizations experienced risks that have actually translated into significant operational surprises and business disruptions in the past five years.”
Traditional risk management is ill-equipped to manage these new risks that permeate the organization. Only an IRM approach can account for enterprise-wide risks and empower decision-making at every level of the organization. It’s why Gartner predicts: “By 2021, 50 percent of large enterprises will use an IRM solution set to provide better decision-making capabilities.”
In this post, we’ll give an up-close view of the major new risks that are demanding an IRM approach, and how such an approach uniquely manages these risks.
The rise in digital processes
Companies adopt digital processes enabled by big data, mobile, IoT and social media to become more efficient, lower costs, boost output, and gain competitive advantages.
As they do, new digital risks emerge, such as cyber concerns, data exposure, and privacy. It’s why IT leaders are under increased pressure to ensure systems can withstand attack. Threats can come from anywhere leaving assets at risk, which is why more regulations are adding requirements and guidance specifically for digital risk. Watch our recent webinar on the digital risk revolution.
IRM allows you to identify, analyze, mitigate, and manage digital risks holistically. The idea is to manage digital risks before they have a chance to harm your organization. That means addressing vulnerabilities, using patch cadence, and performing continuous testing of controls.
You can’t eliminate risk, but you can manage it. The best way to do that is with an enterprise-wide perspective on risk, which is exactly what IRM gives you.
The era of globalization
Globalization is notable for free trade that promotes global economic growth, creates jobs, makes companies more competitive and lowers prices for consumers. Globalization also creates operational risks that require IRM.
For example, the 2017 hurricane that hit Puerto Rico disrupted the medical supply chain. Overnight, factories that produced medical supplies and drugs were either destroyed or suffered power failures, which impacted hospitals and clinics in the US with reported shortages in IV fluid bags. The IRM view would have connected the dots, revealing the risk of what could happen in Puerto Rico and empowering decision makers to act.
It’s not just natural disasters that disregard borders. Geopolitical risks from tariff talk to saber-rattling can enter the picture at any time and impact business operations. Seeing how these risks could impact your organization enable leadership to be more proactive.
Trend toward third-party reliance
Third parties are entities outside your organization, and they may handle your sensitive data. As such, they pose a third-party risk to your entire organization. These new third-party risks are also operational risks that can impact the entire institution.
To illustrate, banks face new risks from a major shift to fintech, a term coined for computer programs and technology that support or enable banking and financial services. Computer Weekly noted in an article: the growing reliance on digital platforms for customer services has increased the likelihood of cyberattacks and IT failures.
Given the operational role played by third parties, managing them is an integral part of IRM. Third-party risk management’s assessments, monitoring, and more, all report into IRM with metrics and indicators for input and influence on enterprise-wide risk and performance.
The rise in digital processes, the era of globalization and the trend toward third-party reliance are forcing organizations to evolve from a siloed risk management approach to IRM, requiring additional technology to support these complex processes.
The right technology platform allows users to perform IRM in ways that are efficient, effective, and agile. Use the solution to optimize risk appetite, assist decision-makers, encourage collaboration, and embrace change, all while creating a more resilient organization.
Technology-powered IRM is required to meet the challenges of our risk-filled business world.
With Constitution Day tomorrow, September 17, let’s learn what the Constitution can teach your organization about corporate governance.
Learn how Lance completed his 50 mile race and how it relates to building a risk management program.
This month’s Risk Roundup is about data privacy, the biggest California earthquake in 20 years, and the business impact of the US-China trade war.