What is Integrated Risk Management (IRM)

Integrated risk management is a set of practices and processes supported by technologies that improve decision-making and visibility into an organization’s security and risk posture. IRM is a recognition that each organization faces unique sets of risks and threats and as a result, must take a risk-centric (not compliance-focused) approach to information security. 

The shift from traditional GRC to IRM marks the changing needs of modern information security leader and their teams. Rather than putting compliance first, IRM enables an organization to manage its unique set of risks and in turn, meet compliance requirements as a part of that mission. 

According to Gartner, the integrated risk management definition has a specific set of practices:

1. Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership
2. Assessment: Identifying risks, evaluation, and prioritization of risks
3. Response: Identification and implementation of mechanisms for risk reduction
4. Communication and Reporting: Provision of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response
5. Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives, and the effectiveness of risk mitigation and controls
6. Technology: Design and implementation of an integrated risk management solution (IRMS) architecture or an integrated risk management framework

To fully evaluate risk, organizations require an integrated view across all business units and risk and compliance functions, as well as key business partners, and supply chains. Security teams need to have enterprise-wide transparency to identify different types of risk, including financial risk and operational risk. In all, this actionable definition describes IRM as a reconfiguration of legacy GRC activities using a risk-aware culture and enabling technologies that improve decision-making and performance. 

See Also: Integrated Risk Management