Everything you need to know about integrated risk management
Your complete guide to integrated risk management within your organisation.
What is integrated risk management (IRM)?
When an organisation’s enterprise risk management processes fail, the results can be devastating.
Examples where a failure of risk management has caused hundreds of billions of dollars in losses, with worldwide ramifications, are many and varied. One of the most catastrophic economic events in recent history, the global financial crisis, is widely considered to have been caused by “a massive failure of risk management across most of Wall Street”.

That’s why organisations need to consider how integrated risk management can benefit them.
Definition of integrated risk management
Integrated risk management (IRM) is an organisation’s set of people, processes, technology and tools that improve its ability to identify and manage risk. It is also designed to build a culture that supports sound risk decision-making and strong organisational outcomes.

IRM is generally undertaken by risk teams that each focus on one or more major risk categories but work together to give a single, comprehensive view and approach across the whole organisation, including its risk and corporate compliance functions. The approach also takes in other relevant stakeholders: primary business partners, outsourced providers and suppliers, and every internal business unit.
Elements of an IRM approach include:
- Risk identification
- Risk analysis
- Risk strategy
- Risk response and actions
- Risk communication
- Risk auditing and monitoring
How does IRM differ from governance, risk & compliance (GRC)?
Proponents of integrated risk management describe it as the modern approach to risk visibility and management, one that fundamentally differs from the more traditional, “check-the-box” governance, risk and compliance (GRC) approach.
Gartner analyst John Wheeler explains that, “IRM goes beyond the traditional, compliance-driven GRC technology solutions to provide actionable insights that are aligned with business strategies, not just regulatory mandates.”
So, how is it different in practice?

IRM lets an organisation see its risks in light of its business outcomes. It creates the opportunity for a simpler process that is more easily automated and that integrates strategic, financial and operational risk management, so the organisation can build a vertically integrated view of risk.
Governance, risk & compliance (GRC):
- Strategy focused on “check-the-box” compliance activities
- Compliance-driven, siloed approach to all risk categories
- Modular GRC tools and solutions used by disparate teams
- Actions based primarily on regulatory mandates

Integrated risk management (IRM):
- Strategy focused on creating and supporting a risk-aware culture
- Embraces flexible, easy-to-use and easy-to-implement solutions within risk teams
- Integrates outcomes-based risk management frameworks with business contexts that go beyond regulatory mandates
- Uses GRC activities as the foundation for all risk management approaches
Why do organisations need an integrated risk management approach?
Today’s risk landscape is vast, complex and constantly changing, which makes it extremely difficult for organisations to identify every probable or potential risk in the first place. Even once risks are identified, many organisations still struggle to see the connections between those disparate risks within their business.

Without seeing those connections, setting outcome-based objectives and making sound risk decisions against them becomes impossible. Instead, the organisation is forced to spend its risk resources on mitigation, constantly putting out fires, rather than taking proactive and protective measures that add real value back to the organisation.

An IRM framework gives an organisation the structure to understand its risks, their connections and good practice for managing them. It also helps the organisation develop a strategy for risk control: a coordinated, holistic approach to identifying, evaluating, managing and monitoring risks, with defined actions for controlling them.

Importantly, an IRM approach shifts the focus from looking at risks individually, or in isolation, to looking at the organisation’s collective risk exposure. By understanding how risks interact, risk teams can see how the organisation will be affected as a whole, both by the risks themselves and by the frameworks and actions being built around them. This focus is what lets organisations absorb changes and shocks as they arise and turn them into opportunities for growth in a global marketplace.
Integrated risk management vs an ERM system
An integrated risk management system and an enterprise risk management (ERM) system are sometimes treated as the same thing, but they are not.

Where an ERM system is focused on planning, organising, leading and controlling your risk activities, an IRM system is a broader approach that focuses on analysing the risks inherent in your organisation as a whole.
Where an ERM system gives you a framework for reviewing your strategic business objectives and their associated risks, an IRM framework establishes a structured link between those business objectives, the organisation’s departments and your risk assessment.

Although IRM includes many of the elements of ERM, it replaces the siloed view of risk management with a holistic, integrated approach. It covers all the key functions of the company (personnel, finance, procurement, information technology, strategic development, marketing and more) but, instead of each department running its own risk management process, all of them take part in a single overarching process.
How to implement an integrated risk management system
Because it’s a comprehensive, holistic approach, your integrated risk management system must be designed to meet the specific needs of your overall organisation. To ensure that you’re meeting all those specific needs, take the time to consult with your internal and external stakeholders – especially those with risk management responsibilities – before creating strategies or implementing any processes or actions. To be effective your IRM system needs to include the following elements:
01 Strategy
Create a risk-aware culture in which management and employees understand and buy into the risk management strategy, plans and actions.
02 People
The people within your organisation must have the resources and the authority to take risk actions when necessary, including communication, monitoring and reporting.
03 Technology
Your IRM technology must be designed to support your risk management strategy and add value to the process.
04 Processes
Establish risk management processes that are focused on business outcomes as well as risk and compliance outcomes, and that are easy to implement and act on.