What is Integrated Risk Management (IRM)?

Integrated risk management is a set of practices and processes supported by technologies that improve decision-making and visibility into an organization’s security and risk posture. IRM recognizes that each organization faces unique risks and threats and, as a result, must take a risk-centric (not compliance-focused) approach to information security. 

The shift from traditional GRC to IRM reflects the changing needs of modern information security leaders and their teams. Rather than putting compliance first, IRM enables an organization to manage its unique set of risks and to meet compliance requirements as part of that mission.

According to Gartner, the integrated risk management definition has a specific set of practices:

  1. Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership
  2. Assessment: Identifying risks, evaluation, and prioritization of risks
  3. Response: Identification and implementation of mechanisms for risk reduction
  4. Communication and Reporting: Provision of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response
  5. Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives, and the effectiveness of risk mitigation and controls
  6. Technology: Design and implementation of an integrated risk management solution (IRMS) architecture or an integrated risk management framework

Organizations require an integrated view across all business units, risk and compliance functions, key business partners, and supply chains to fully evaluate risk. Security teams need enterprise-wide transparency to identify different types of risk, including financial and operational risks. This actionable definition describes IRM as reconfiguring legacy GRC activities using a risk-aware culture and enabling technologies that improve decision-making and performance. 
