What is Integrated Risk Management? How to Understand & Implement IRM

Kezia Farnham
Technology is changing faster today than ever, bringing with it new risks relating to digital technology and cybersecurity. This is driving businesses to bolster their risk management strategies, in many cases by adopting an integrated risk management (IRM) approach. 
 
What is integrated risk management? In many organizations, the CEO and executive board, rather than regulatory bodies, are now in control of risk management. Regulatory bodies pushing these executives to adopt best practices worked well in the past; siloed teams were acceptable for managing risk programs when new technology options were few. Having separate security and risk management teams worked to achieve the organization’s goals.
 
With new risks and new regulatory requirements continuously evolving, these strategies no longer work. Modern organizations require new governance and risk management solutions that allow for complete oversight rather than siloed teams with a limited understanding of how they connect. This is integrated risk management. 

Here, we define IRM, provide guidance for implementing an integrated risk management approach, discuss the relationship between ESG and IRM and address what to look for in an integrated risk management solution.

 

What Is Integrated Risk Management? 

What is an integrated risk management approach for an organization, and how can it help businesses? Integrated risk management (IRM) is a holistic practice that creates a single view of risk on a unified platform across internal audit, internal controls, compliance, risk management and ESG teams.

The team “integrated risk management” was first coined by research firm Gartner in 2017. Gartner defines IRM as “a set of practices and processes supported by a risk-aware culture and enabling technologies.” 

Putting in place an integrated risk management program enables company-wide visibility into governance processes through automation and technology integration. IRM is not synonymous with GRC, however: GRC vs. IRM

According to Gartner, IRM has the following characteristics: 

  • Strategy: Enabling and implementing an integrated risk management framework 
  • Assessment: Identifying, evaluating and prioritizing risks 
  • Response: Identifying and implementing risk mitigation mechanisms and methods 
  • Communication and Reporting: Implementing the means to inform stakeholders of an organization’s risk response 
  • Monitoring: Identifying and implementing processes that track the effectiveness of governance objectives, risk ownership and accountability, regulatory compliance, 
  • Technology: Implementing an IRM solution or solutions 

 

Implementing an Integrated Risk Management Approach for Your Organization 

The next step is determining how best to implement an integrated risk management program in your own organization. If you are currently using a siloed risk management approach in your organization, switching to an integrated risk management framework can result in three outcomes: 

  • Risk-Aware Culture: Your organization will recognize that risks previously only associated with one group will affect the entire enterprise. 
  • Increased Visibility: This is the most significant change you will see in your organization when you implement an integrated risk management framework. An integrated approach will lead to a fully integrated risk management organization, which will increase performance and communication company-wide. 
  • Fully Integrated Platforms and Solutions: Having a fully integrated risk management platform will lead to an improvement in productivity. The holistic view of risk given by utilizing an IRM approach enables better and faster risk mitigation than previous methods. 

 

The Relationship Between Integrated Risk Management and ESG 

Many organizations question whether IRM is the same as environmental, social and governance (ESG) initiatives. ESG is a way to track and measure an organization’s societal and environmental impacts. It is generally accepted that establishing and adhering to ESG goals can improve organizational performance. 

Naturally, ESG and IRM intersect in a variety of ways. According to Ezekiel Ward, founder of North Star Compliance Ltd. and a thought leader in the GRC space:

A trend like ESG is actually the same thing as integrated risk management, so we see [organizations] joining up the dots between different functions like internal audit, compliance, health and safety, HR and other functions. You have that kind of risk management or gatekeeper role, and you really start to see boards being conscious of [this] and talking more openly about the need to connect those dots. So, I certainly think that ESG, as I refer to integrated risk management in corporates, is one thing that I see carrying on in 2021.

While not everyone agrees that IRM and ESG are synonyms, an integrated approach to all governance, risk management, compliance and ESG initiatives is the only way an organization can ensure its leaders are fully informed and capable of making data-driven decisions. However, governance, risk and compliance (GRC) is distinct from IRMGRC is a broad term used to discuss an organization’s entire approach to governance, risk management and regulatory compliance. IRM is a strategy to integrate risk management into the wider business strategy and operations. You can read more about the differences between GRC and IRM in our article on the topic. 

 

What to Look for in an IRM Solution

IRM technology is a hot topic right now. And with the Gartner definition of integrated risk management including a reference to ‘enabling technologies’ it’s fair to assume that integrated risk management tools are a fundamental aspect of successful IRM adoption. 

What is an IRM solution? It can mean any integrated risk management tool or technology that helps organizations to bring rigor and consistency to their risk management efforts. It can relate to integrated risk management software that helps to facilitate integrated risk management by automating risk data collection, putting in place triggers and automated actions when these triggers are reached. 

There are numerous integrated risk management solutions on the market; when looking for IRM software to support your integrated risk management framework, review the available options. Is the provider an experienced SaaS (software as a service) provider? Do they have good client feedback and long-standing expertise in delivering IRM solutions? 

When considering an IRM solution, you should think about: 

  1. Practicalities of implementation. Is the solution easy to integrate with existing software or platforms? Can it be tailored to your organization’s needs? Are there limitations around the data it can incorporate? 
  2. User-friendliness. Is it intuitive and easy to learn? Is there training and support available? 
  3. Cost. What are the costs associated with this IRM solution? Are all elements mandatory, or can they be scaled to your needs?  
  4. Analytics. What does the tool offer in terms of analytics? Can your teams pull reports that provide actionable information? Can data be customized to meet the needs of the board and leadership? 
  5. Mitigation advice. The best IRM tools measure existing performance and provide insight into mitigation and remedial actions. Does your preferred IRM technology offer this? 
  6. Provider expertise. Is your chosen provider experienced; can they share good reviews and client feedback? 
  7. Continuous improvement. Does the solution enable you to learn from experience and improve your approach to integrated risk management? 

 

What’s Next?

Now more than ever, organizations are seeking to achieve a “single view of risk” that encourages a productive and transparent compliance-focused and risk-aware culture from the top down. A unified platform can bring together all elements of GRC for increased cross-functional alignment, greater efficiency and enhanced reporting.

Find out how you can gain a complete view of your risk landscape and deliver assurance across your organization with Diligent Integrated Risk Management.

 

Stay a Step Ahead of Risk, Audit & Compliance
Get the latest insights, stay informed on the latest trends and remain a trusted advisor to your board.
Background image
Related Insights

The Rising Tide of ESG – Navigating the Road Ahead

video

The Board's Role in Leading and Enabling GRC

article

Board and Executive Collaboration: Components of a Secure Platform for the Evolving Workplace

White Paper
Kezia Farnham Diligent
Content Strategy Manager
Kezia Farnham

Kezia Farnham is the Content Strategy Manager at Diligent. She's a University of the Arts London graduate who has enjoyed over seven years working across journalism, public relations and digital marketing, with a special focus on SEO and CRO in the B2B SaaS sector.

Kezia is passionate about helping governance professionals find the right information at the right time.