If you’ve been around the risk management industry for several years, you’ve seen a distinct shift in risk maturity, risk culture, and various operating models to achieve a control-oriented environment. In recent years, there has been a shift away from a monoline approach to risk management toward a more comprehensive approach, known as Integrated Risk Management (IRM).
IRM marks a distinct difference from the legacy approach of having a GRC model: governance, risk, and compliance. In the traditional GRC model, very distinct lines are drawn between different functions and different types of risk. The danger, as we’ve seen, is that the different disciplines sometimes don’t communicate effectively, or that the risk appetite in one area may be wholly different from that of another area. The IRM approach allows for a more comprehensive view of the entire risk landscape. To make an analogy, picture an Olympic-size pool, with lanes designated for each participant. That’s the GRC view of the world: regulated and controlled to certain disciplines, at times without the necessary crossover. By comparison, the IRM approach would look at the entire pool.
IRM expects that everyone participates in managing risk – that is, everyone has a role and understands their place in the operating model. IRM also encompasses cybersecurity work, so there isn’t a tension between continuity planning and risk management but a melded approach. Risk isn’t just about communicating status information to senior management and the board, but a full-fledged conversation on risk levels and regular updates on risk performance changes and perspectives.
Integrated risk management follows a discipline, as laid out by a Gartner study. These principles include:
• Assessment of risk
• Response to identify and mitigate risk
• Communication and reporting
• Monitoring of risk and related processes
• Technology design to support the IRM solution
In a rapidly growing organization, these principles are put to a real test to support the business need while also mitigating risk. A disciplined approach and regular communication are critical to the success of an IRM protocol.
Moving from static ways of measuring risk to a holistic approach has certainly benefited organizations that have adapted to this practice, keeping management well-informed while also addressing all facets of the company’s risk posture.