Integrating Governance, Risk, and Compliance


When Gartner released the Magic Quadrant for integrated risk management (IRM) in 2018 rather than for governance, risk, and compliance (GRC), members of the information security community were shaken as well as relieved. As we’ve covered before, Gartner marked the rise of integrated risk management as a result of increased Board- and CEO-level concern for an organization’s cybersecurity posture. While the integrated risk management approach deviates from the conventional checkbox compliance activities that most teams have built their programs around, that is not to say that governance, risk, and compliance activities have no place in organizations. Rather, governance, risk, and compliance, as three functions, are the foundational elements of an integrated risk management approach to cybersecurity and risk management.

More is expected of information security teams: visibility into their organization, reporting to business-side leaders, and greater reliance on them as enterprises embrace more technology. To meet these expectations, teams need tools that automate much of the GRC work they have performed manually for years. An approach that integrates governance, risk management, and compliance activities supports these three new requirements for information security teams.

In this series, we will examine how integrating GRC activities through the processes of governance, the frameworks of risk management, and the standards of compliance can lead an organization toward a more integrated view of risk and compliance. We’ll explore how GRC automation and integrated risk management practices can streamline and support the new mandates for cybersecurity leaders, and why “integrated risk management vs. GRC” is a false dichotomy when the proper solutions work together.

The Processes of Governance

In our governance post, we’ll look at the people, processes, and technologies that can improve the efficiency and effectiveness of an information security program. We’ll examine how tools that automate GRC activities can facilitate the transition to an integrated approach - through automated reporting and effective dashboards that translate risk management programs into business objectives and support business growth.

The Frameworks of Risk Management

Managing cyber risk is now the core mandate of information security teams. Frameworks are the foundation of the risk management activities that every organization practices. In our risk management post, we’ll dive into gold-standard frameworks and best practices for managing risk, and show how using integrated, outcome-based frameworks drives all aspects of a cyber program and supports business growth.

The Standards of Compliance

Compliance management was the driver for many information security organizations and is still an absolute necessity today. As more standards and compliance requirements are released, knowing how to construct a strategy that can absorb these new requirements is critical. We’ll examine how integrated governance, risk, and compliance solutions support the patchwork of compliance standards we’re seeing emerge, and how integrated GRC solutions and IRM can help teams save time and supplement their work with AI and machine learning.

Integrating Governance, Risk, and Compliance

The expectations that those at the Board and CEO level have of CISOs and their information security programs have evolved rapidly since the pre-Equifax days. As data breaches and security events continue to make headlines almost daily, security leaders face the need to update their programs to support this new role. A siloed security program that leaves each of the activities under GRC to disparate teams, with no integrated GRC framework, will leave these teams and leaders spread thin as they try to navigate this new role. In the coming weeks, read how breaking down and re-integrating the activities behind governance, risk, and compliance is the key to an integrated risk and compliance vision.
