Integrated Risk Management – Everything You Need to Know

When organizations fail in their enterprise risk management processes, the results can be devastating for the organization. Examples where a failure of risk management has caused hundreds of billions of dollars in losses – and had world-wide ramifications – are many and varied. In fact, one of the world’s most catastrophic economic events – the global financial crisis – is widely considered to have been caused by “a massive failure of risk management across most of Wall Street”.

That’s why organizations need to consider how integrated risk management can be of benefit. Keep reading to learn more.

What is integrated risk management?

Integrated risk management (IRM) is an organization’s set of people, processes, technology, and tools that improve its ability to identify and manage risks. It’s also designed to build a culture that supports best practice risk decision-making and strong organizational outcomes. 

Generally IRM is undertaken by risk teams who are focused on one or more major risk categories, but who work together to ensure there is a comprehensive view and approach across the entire organization and risk and corporate compliance functions. This approach also includes other relevant stakeholders, such as primary business partners, outsourced organizations and suppliers, and all internal business units and compliance functions. 

Elements of IRM

• Risk identification
• Risk analysis
• Risk strategy
• Risk response and actions
• Risk communication
• Risk auditing and monitoring
   

How does integrated risk management differ from governance, risk and compliance?

Experts believe that an integrated risk management approach is the modern approach to risk visibility and management, and fundamentally differs from the more traditional, “check-the-box” governance, risk and compliance (or GRC) approach. Gartner analyst John Wheeler explains that, “IRM goes beyond the traditional, compliance-driven GRC technology solutions to provide actionable insights that are aligned with business strategies, not just regulatory mandates.” 

So, how is it different in practice?

GRC:

• Strategy focused on “check-the-box” compliance activities
• Compliance-driven, siloed approach to all risk categories
• Modular GRC tools and solutions used by disparate teams 
• Actions based primarily on regulatory mandates

IRM:

• Strategy focused on creating and supporting a risk-aware culture
• Embraces flexible, easy-to-use and easy-to-implement solutions within risk teams
• Integrates outcomes-based risk management frameworks with business contexts that go beyond regulatory mandates
• Utilizes GRC activities as a foundation for all risk management approaches

At the end of the day, IRM allows an organization to see their risk in light of their business outcomes. It creates the opportunity for a simplified process that is more easily automated and that can better integrate strategic, financial and operational risk management processes allowing organizations to build a vertically-integrated view of risk.

Learn more: What is strategic risk management?
 

Why do organizations need a strong integrated risk management approach?

We’re occupying a vast and complex risk landscape today, and one that is constantly changing and growing. That makes it extremely difficult for organizations to identify every probable or potential risk in the first place. But even once they are identified, many organizations still struggle to see the connections in their business framework between those disparate risks. 
 
Without seeing those connections, setting outcome-based objectives and making best-practice risk decisions based on those objectives becomes impossible. Instead, an organization is forced to focus its risk resources on mitigation – putting them in the reactive position of constantly putting out fires – rather than being able to take proactive and protective measures that can add real value back into the organization.
 
An IRM framework gives an organization the structure to understand the risks, connections and best practices for risk management generally. But it also helps them to develop a strong strategy for risk control that includes a coordinated and holistic approach for the identification, evaluation, management, and monitoring of risks, and sets the actions for optimal risk control.
 
Importantly, an IRM approach is unique because it shifts the focus from looking at risks individually or in isolation, to looking at an organization’s collective risk exposure. And by understanding how risks interact with each other, risk teams can see how an organization will be impacted as a whole – both in light of the risks themselves, and the framework and actions that are being built up and taken around those risks. It’s this focus that allows organizations to face changes and shocks as they arise and create opportunities for growth and greater success in a global marketplace. 
 
Learn more: Operational Resilience

Integrated risk management system vs enterprise risk management system
 

An integrated risk management system and an enterprise risk management (ERM) system are sometimes treated as the same thing, but it’s important to recognize that they are not. 

Where an ERM system is focused on planning, organizing, leading, and controlling your risk activities, an IRM system is a more comprehensive approach that focuses on analyzing the risks that are inherent within your organization generally. Where an ERM system gives you the framework for reviewing your strategic business objectives and associated risks, your IRM framework establishes a structured approach that provides a game-changing link between your business objectives, the various organizational departments, and your risk assessment.

Although IRM includes many of the elements of ERM, it replaces the old-school siloed view of risk management, with a holistic and integrated approach that is far more comprehensive. So while it includes all the key functions of your company, such as personnel, financial services, procurement, information technology, strategic development, marketing and much more, instead of each department adopting their own risk management process, they all take part in a single overarching risk management process.