Integrated risk management (IRM) is a set of practices and processes, supported by technology, that improve decision-making and visibility into an organization’s security and risk posture. IRM is a recognition that each organization faces a unique set of risks and threats and, as a result, must take a risk-centric (not compliance-focused) approach to information security.
The shift from traditional GRC to IRM reflects the changing needs of modern information security leaders and their teams. Rather than putting compliance first, IRM enables an organization to manage its unique set of risks and, in turn, to meet compliance requirements as part of that mission.
According to Gartner, integrated risk management is defined by a specific set of practices:
To fully evaluate risk, organizations require an integrated view across all business units and risk and compliance functions, as well as key business partners and supply chains. Security teams need enterprise-wide transparency to identify different types of risk, including financial and operational risk. In all, this actionable definition describes IRM as a reconfiguration of legacy GRC activities around a risk-aware culture and enabling technologies that improve decision-making and performance.