This blog was co-authored by Carisa Brockman, GRC Practice Lead.
First things first: It is crucial to understand the difference between Governance, Risk and Compliance (GRC) and Integrated Risk Management (IRM) because this sets the stage for long term strategic risk management and breaks down the siloed approach to risk that exists in many organizations today. It is because GRC is sometimes implemented from a compliance-driven strategy rather than a risk driven initiative. Instead of delving into the name itself, let’s define the approach and get started with the key items to consider while making the transition from GRC to IRM, so that it feels less like a leap.
GRC can be defined as a set of tools for managing compliance and remains valuable for that specific challenge, but it aligns less precisely with today’s evolving definitions of risk and risk management. The answer is not to abandon GRC completely, but to evolve into an approach that is better suited to today’s multifaceted challenges, which is IRM.
What does it mean to adopt an integrated approach?
It involves managing risk at an enterprise level with risk-aware people, integrated processes working across business entities, and a centralized and enabling technology platform.
As organizations embark on this journey of implementing IRM, some of the everyday wish list items we hear about from our customers primarily include:
- Unifying all of your risks across the organization
- Adding automation to improve accuracy and consistency
- Linking incidents, claims, risks, and controls to action plans
- Providing the right metrics to assist with enterprise actionable decision making
- Removing silos and building the link amongst ERM, Internal Audit, Legal, IT, Cybersecurity and overall business
Connecting the dots: It is our business to help protect your business.
Many organizations across industries are adopting an integrated approach to risk management across their business units and extended vendor network. This cohesive approach enables stakeholders to effectively coordinate and unify risk management activities across all business functions, simultaneously aligning their assurance programs gaining comprehensive visibility into both risk exposure and relationships.
Here are some building blocks to consider as you embark on this journey of identifying the IRM platform that will best fit your organization.
What is in a name?
Moving beyond acronyms: As you are putting together the building blocks of IRM and moving beyond GRC, some of the key considerations should be around the outcomes of the IRM initiative. Is this going to help build a risk-aware culture within your organization? A cyber strategy is closely linked to business strategy and risk-aware culture gets your cybersecurity initiatives a step closer to the business objective.
That brings about the need for a formalized risk strategy within your organization. It is not about listing out of all the potential risks but being able to tie it to business outcomes and more importantly, to see it through to risk mitigation. Today, we see many point solutions within organizations and the data generated from many sources never make it to the overall risk posture and do not feed into the actionable decision-making process.
With increased attention being paid to risk management as a critical driver for business success, more companies are thinking about the potential of an integrated risk management approach, and we hope this triggers an initial action plan that can be applied in that process.