The needs of businesses are changing rapidly. With the rising adoption of digital technologies, information security and cybersecurity have moved from a technical concern to a standing item on the Board's agenda. Where regulators were once the driving force behind the adoption of cybersecurity best practices, those practices are now mandated by the CEO and the Board. As the impact of cybersecurity and cyber risk management failures on the bottom line has become visible, so too has the failure of fragmented, siloed governance, risk, and compliance (GRC). Yesterday's technologies cannot support what security and business leaders now need: an integrated risk management approach.
In the era of checkbox compliance, with regulatory bodies producing a large number of frameworks and standards, siloed teams were a viable way to run cybersecurity and IT risk programs. When the options for new technology were few, regulatory compliance was the bulk of what an organization needed in order to be secure, and splitting security and risk management into separate teams did get the job done. That era of long adoption cycles for new technology, with IT teams as the gatekeepers, ended with the rise of a technologically literate workforce.
Now organizations face a barrage of new technologies that appeal to almost every business unit and team in the enterprise. Because of the sheer volume of tools on offer, each company's security and risk teams confront a unique configuration of risks and security threats. Governance, risk and compliance was neither designed nor matured in a time when flexibility and versatility were paramount. The information security community needs something better to face the threats of today's business environment: the Integrated Risk Management (IRM) solution.
What is Integrated Risk Management
Integrated risk management is a set of practices and processes, supported by technology, that improve decision making and visibility into an organization's security and risk posture. Integrated risk management is a recognition that each organization faces its own set of risks and threats and, as a result, must take a risk-centric (not compliance-focused) approach to information security.
The shift from traditional governance, risk and compliance to integrated risk management marks the changing needs of the modern information security leader and their teams. Rather than putting compliance first, integrated risk management lets an organization manage the specific risks it faces and meet compliance requirements as part of that mission.
Under the Gartner definition, integrated risk management has a specific set of practices:
- Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership
- Assessment: Identification, evaluation, and prioritization of risks
- Response: Identification and implementation of mechanisms to mitigate risk
- Communication and reporting: Provision of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response
- Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives and the effectiveness of risk mitigation and controls
- Technology: Design and implementation of an integrated risk management solution (IRMS) architecture or an integrated risk management framework
To understand the full scope of risk, organizations require an integrated view across all business units and risk and compliance functions, as well as key business partners and supply chains. In all, integrated risk management is a reconfiguration of legacy governance, risk and compliance (GRC) activities around a risk-aware culture and enabling technologies that improve decision making and performance.
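The integrated view described above, as an added illustration that is not part of the original page and is not Gartner's or any vendor's code: a small Python risk register that merges two units' siloed registers into one enterprise view, prioritises against a risk appetite, flags above-appetite risks with no accountable owner or no mitigating control (the "risk ownership/accountability" item in the practice list), and derives compliance coverage from the controls already tied to risks rather than starting from the checklist. The risks, control catalogue, 1-5 scoring scale, and the control-to-clause mapping are all constructed for the example and should not be read as an authoritative mapping.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Risk:
    rid: str                 # risk identifier, shared across units when they log the same risk
    unit: str                # business unit that raised it
    title: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    controls: List[str] = field(default_factory=list)   # ids into CONTROLS
    owner: str = ""          # empty string = no accountable owner assigned

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed control catalogue. The mapping from each control to the framework
# clauses it helps satisfy is illustrative; confirm it against the standards' own text.
CONTROLS: Dict[str, Dict] = {
    "MFA":    {"desc": "Multi-factor authentication on all remote access",
               "satisfies": {"ISO27001:A.9.4.2", "SOC2:CC6.1", "PCI-DSS:8.4"}},
    "BACKUP": {"desc": "Offline, regularly tested backups",
               "satisfies": {"ISO27001:A.12.3.1", "SOC2:A1.2"}},
    "VENDOR": {"desc": "Security review of third parties before onboarding",
               "satisfies": {"ISO27001:A.15.1.1", "SOC2:CC9.2"}},
}

# Constructed registers from two siloed units. Finance has logged the same VPN
# risk IT already tracks (rated differently), plus a supplier risk with neither
# an owner nor a control.
IT_REGISTER = [
    Risk("R-IT-1", "IT", "Credential stuffing against the VPN", 4, 4, ["MFA"], "it-ops"),
    Risk("R-IT-2", "IT", "Ransomware on file servers", 3, 5, ["BACKUP"], "it-ops"),
]
FINANCE_REGISTER = [
    Risk("R-FIN-1", "Finance", "Payroll SaaS provider breach", 2, 5),
    Risk("R-IT-1", "Finance", "Credential stuffing against the VPN", 3, 4, [], "finance-ops"),
]


def merge_registers(*registers: List[Risk]) -> Dict[str, Risk]:
    """Collapse siloed registers into one enterprise view keyed by risk id.

    When two units log the same risk, keep the more pessimistic rating, the
    union of their controls, and the first owner named.
    """
    merged: Dict[str, Risk] = {}
    for register in registers:
        for r in register:
            if r.rid not in merged:
                merged[r.rid] = Risk(**vars(r))   # copy so the source lists stay untouched
                continue
            m = merged[r.rid]
            m.likelihood = max(m.likelihood, r.likelihood)
            m.impact = max(m.impact, r.impact)
            m.controls = sorted(set(m.controls) | set(r.controls))
            m.owner = m.owner or r.owner
    return merged


def prioritise(register: Dict[str, Risk], appetite: int = 9) -> List[Risk]:
    """Risks whose score exceeds the enterprise risk appetite, highest first."""
    return sorted((r for r in register.values() if r.score > appetite),
                  key=lambda r: r.score, reverse=True)


def accountability_gaps(register: Dict[str, Risk], appetite: int = 9) -> Dict[str, List[str]]:
    """Above-appetite risks that have no named owner or no mitigating control."""
    gaps: Dict[str, List[str]] = {}
    for r in prioritise(register, appetite):
        problems = []
        if not r.owner:
            problems.append("no owner")
        if not r.controls:
            problems.append("no control")
        if problems:
            gaps[r.rid] = problems
    return gaps


def compliance_coverage(register: Dict[str, Risk],
                        controls: Dict[str, Dict] = CONTROLS) -> Set[str]:
    """Framework clauses satisfied as a by-product of the controls tied to risks."""
    covered: Set[str] = set()
    for r in register.values():
        for cid in r.controls:
            covered |= controls[cid]["satisfies"]
    return covered


def compliance_gaps(required: Set[str], register: Dict[str, Risk],
                    controls: Dict[str, Dict] = CONTROLS) -> Set[str]:
    """Required clauses that no risk-driven control currently addresses."""
    return required - compliance_coverage(register, controls)


if __name__ == "__main__":
    enterprise = merge_registers(IT_REGISTER, FINANCE_REGISTER)
    for r in prioritise(enterprise):
        print(f"{r.rid:8} score={r.score:2} owner={r.owner or '-':12} controls={r.controls}")
    print("accountability gaps:", accountability_gaps(enterprise))
    print("uncovered SOC 2 clauses:",
          compliance_gaps({"SOC2:CC6.1", "SOC2:A1.2", "SOC2:CC9.2"}, enterprise))
```

The direction of derivation is the point: the organization manages risks and assigns controls, and the compliance picture (which clauses are covered, which are not) falls out of that. The merged view also surfaces what each silo hid from the other: Finance's unowned, uncontrolled supplier risk sits above appetite, and IT and Finance had rated the same VPN risk differently.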
Embracing An Integrated Risk Management Approach Within Your Organization
Making the shift from a governance, risk and compliance oriented program to an integrated risk management framework has three major outcomes:
- Risk-aware culture
- Cross-functional visibility and functionality within your information security teams
- Fully integrated platforms and solutions
Enabling A Risk-Aware Culture
A foundational tenet of a strong integrated risk management framework is recognizing that digitization, and the risks that come with it, are enterprise-wide issues. With proper buy-in and the right training, information security leaders can help shift the organizational culture to one that supports security best practices and helps mitigate risk. Culture change is incremental, and information security leaders must play the long game when making this critical shift to integrated risk management.
Increased Visibility Within The Information Security Organization
The biggest differentiator between integrated risk management and governance, risk and compliance is that integrated risk management reconfigures the modules and silos of governance, risk and compliance into one holistic cybersecurity and risk management organization. The performance gained from this integrated approach not only improves cyber posture but also enhances business continuity and lets CISOs communicate more fluidly with the Board and CEO.
Implementing Integrated Risk Management Solutions
A new approach requires new tools to enable it. A program supported by a risk-aware culture and integrated cybersecurity teams therefore requires a fully integrated solution to manage it. Teams are often designed around the solutions their organization uses to enable them, so the shift to integrated risk management means leaving modular governance, risk and compliance solutions in the past and trading them for integrated risk management solutions. This change not only improves the productivity of the cybersecurity program but also enables better and faster risk mitigation through a holistic view of the enterprise risk profile, and it enhances reporting to the Board and CEO, allowing them to roll cyber risk into the general enterprise risk management program.
Taking Action With Integrated Risk Management
Implementing integrated risk management practices and processes is a journey. In one way or another, however, every organization will have to embrace some level of integrated risk management in the digital age. The silos and modules of the governance, risk and compliance era are rapidly coming to an end. Where IT organizations could once manage the trickle of new technologies, the current onslaught of new tools and platforms has irrevocably changed that for almost all businesses. Information security teams must therefore adapt and embrace new methodologies and frameworks to support this paradigm and enable their entire organization to help improve cyber posture.