Integrated risk management helps companies prevent the domino effect of damage throughout an organization.
Smart companies focus on risk management strategies. Whether for individual projects or to ensure business continuity, business leaders invest in risk management plans because they want to know that when the dominoes begin to fall, they will stop before cascading throughout the enterprise.
The problem is that risk is all too often managed on an individual project, program, or issue-related area. Risk is repeatedly approached from a negative perspective, the "what could go wrong and how do we prevent it" approach.
Risk management is evolving, however, with integrated risk management approaches and solutions helping to develop synergistic approaches to risk and shining the light on potential opportunities. This new approach is driving companies to achieve resilience with integrated risk management solutions.
Defining Integrated Risk Management
Integrated Risk Management (IRM) is based on three fundamental principles of sound security and risk management programs:
- Strong frameworks
However, while these principles are often applied to project- or issue-specific risk management, IRM takes a holistic approach. It is the set of processes and practices, developed and implemented across the organization, that improves leaders' ability to make decisions. In a risk-aware culture, and with the appropriate technologies in place, those decisions are made through an organization-wide lens that factors in the organization's unique set of risks.
IRM looks at external and internal risk factors and creates a framework that connects these risks seamlessly. For most organizations, this framework connects risk at three levels: strategic, operational, and IT.
One main advantage of IRM is that it allows the organization to appreciate the full scope of risk throughout the organization: across business units and divisions, at multiple locations, from the perspective of risk management and compliance functions, and with key business partners, suppliers, and outsourced work.
Why IRM Is Needed
Risk management has evolved over several decades into a complex discipline focused on mitigating risk to projects, people, and performance. These foci have been almost uniformly tactical in nature: identify the key risks, then develop solutions to prevent them from occurring or to minimize their impact should they occur.
In addition, risk management has focused almost exclusively on threats to the enterprise, usually ignoring the upside opportunities that risk can present to organizations.
The standard risk management process includes well-defined steps:
- Planning, where scope and objectives are defined, tools and techniques are identified, and roles and responsibilities are assigned.
- Identification of foreseeable risks that could affect project objectives, along with causes and effects
- Assessment and analysis that determines the probability of risks, overall exposure from collective risks, and prioritizing risks
- Response development, which assesses the appropriate response to each risk and the collective risk, chooses a strategy that is affordable and achievable, and assigns responses
- Monitoring the effect of developed responses on each exposure and communicating risk information to stakeholders
- Review of the process and updating accordingly, identifying new risks, and reviewing all processes
The narrow scope of most risk management processes makes it difficult to consider opportunities. However, if risk is perceived as how to address uncertainties, then opportunities can be considered as positive uncertainties.
Slight changes to processes within the standard risk management schema can lead to the identification of opportunity. For example, if employees are encouraged to identify opportunities along with risks and incorporate them into the assessment, response, and monitoring steps, the organization can demonstrate not simply resilience to risk, but also innovation.
Benefits of IRM
IRM provides organizations with several significant benefits, including:
- Broadening the range of risk management processes to include opportunities. Considering unintended consequences and possibilities provides powerfully positive incentives to take a broader perspective to risk management activities.
- Tying together the tactical needs of effective risk management with the organization’s broader strategic goals and objectives, with projects and processes focused on fulfilling corporate needs and vision.
- Focusing projects on benefits they will support, not just on defined deliverables.
- Entity-wide identification and management of risks. Risks can have a cascading impact, appearing first in one area of the organization but shifting to impact others. A broader approach to risk management will identify these issues and develop solutions faster.
- Providing better information to stakeholders in uncertain environments that can support better decision-making.
- Fewer surprises and more gains as risk management becomes a broadly considered and executed discipline. A broader approach brings more perspectives into the decision-making and enables better solutions.
- Providing space that allows organizations to manage risk in advance, deploy planned responses to identified risks that emerge, improve efficiency and efficacy, and reduce stress and waste.
- Predictable performance due to more anticipatory decision-making and contingencies developed for identified risks and opportunities.
- Informing risk assessment for new projects, allowing organizations to take on new projects with a better understanding of potential risk, aligning that risk to the organization’s risk tolerance level, and potentially evolving that risk tolerance level with more and better information over time.
- Better resource management that allows organizations to assign assets in response to identified risks and opportunities.
Getting Started With IRM
To begin considering an IRM approach, companies should follow the 10 steps outlined below, adapted from Gartner's recommendations.
1. Risk Appetite
Security, risk management, and CxO officials need to determine how much risk they are willing to accept in order to achieve strategic goals.
2. Risk Assessment
Officials need to know what the existing levels of risk are in play (along with residual risks) that are related to strategic goals. This includes having a clear understanding of how residual risks, and the controls developed to effectively mitigate those risks, are monitored. Companies also need to be sure they have a clear understanding of how remediation efforts and their efficacy are determined and measured.
3. Risk Aggregation
Risks need to be viewed in light of the organization's strategic goals. The overall risk exposure needs to be articulated as it relates to each strategic objective.
4. Risk Analytics
Key risk indicators (KRIs) need to be developed for the risks that can affect key performance indicators. Models should be developed that show the material impact of risk events on operations. Finally, risk tolerance levels need to be set that align with the risk appetite defined in step 1.
5. Risk Applications
Technologies need to be identified that allow for communication and collaboration of risk and compliance information. These technologies need to support decision-making and improved business performance.
Technology assessment should also factor in the ability to automate risk management processes and reporting, using the latest technologies, such as enterprise resource planning (ERP), business intelligence (BI), and analytics platforms. Automation should also be used for controls and monitoring functions.
6. Risk Architecture
With integrated systems now the norm in corporate ecosystems large and small, it is critical that risk management solutions be included within the broader enterprise architecture. This means that risk monitoring solutions, automated and manual controls, reporting functions, and analytics are embedded in the other systems the organization runs. IT governance objectives need to factor in risk management projects and initiatives.
7. Risk Assurance
Along with the digital solutions and systems, IRM requires a robust set of policies, procedures, and training that meet both strategic objectives and legal and regulatory mandates. Measures need to be developed that ensure that the risk management program is aligned with business objectives.
Policies and processes also need to be in place that ensure risk controls are operating effectively over time. Reassessment processes need to be in place that ensure that new risks are identified and that existing controls are revised or redesigned.
8. Risk Accountability
Risk ownership needs to be assigned appropriately throughout the organization with proper oversight, training, influence, and resource allocation.
9. Risk Action
Employees can be intentional or unintentional bad actors, leading to risk exposure. The organization needs programs in place that ensure that employees act with the best interests of the organization in mind and understand their roles in risk mitigation. Shared ownership of risk, without overly punitive impacts, is an appropriate way to gain employee buy-in and commitment.
10. Risk Achievement
Risk needs to be quantified and tied to business outcomes and performance metrics.
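Steps 1 through 4 (appetite, assessment, aggregation, analytics) and step 10 (quantification) can be made concrete with a small model. The Python below is an added illustration, not code from this article or from Continuity Logic's platform. It assumes a simple expected-loss model (annual likelihood times monetary impact, reduced by control effectiveness) and uses constructed risk register entries, appetite limits, and KRI readings; the objective names, risk IDs, owners and figures are all made up for the example.

```python
"""Aggregate residual risk per strategic objective and compare it to appetite.

Added example; the expected-loss model and all sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    risk_id: str
    objective: str             # strategic objective the risk threatens (step 3)
    owner: str                 # accountable risk owner (step 8)
    likelihood: float          # annual probability of the event, 0..1
    impact: float              # monetary loss if the event occurs
    control_effectiveness: float  # share of inherent exposure removed by controls, 0..1

    def inherent_exposure(self) -> float:
        # Expected annual loss before controls: likelihood x impact.
        return self.likelihood * self.impact

    def residual_exposure(self) -> float:
        # Expected annual loss after controls reduce the inherent figure (step 2).
        return self.inherent_exposure() * (1.0 - self.control_effectiveness)


@dataclass(frozen=True)
class KeyRiskIndicator:
    name: str
    risk_id: str      # risk this indicator is a leading signal for (step 4)
    threshold: float  # tolerance level agreed with the risk owner
    current: float    # latest reading

    def breached(self) -> bool:
        return self.current > self.threshold


def aggregate_residual(risks: List[Risk]) -> Dict[str, float]:
    """Roll residual exposure up to each strategic objective (step 3)."""
    totals: Dict[str, float] = {}
    for r in risks:
        totals[r.objective] = totals.get(r.objective, 0.0) + r.residual_exposure()
    return totals


def top_risks(risks: List[Risk], n: int) -> List[str]:
    """Risk IDs ordered by residual exposure, largest first (prioritisation)."""
    ranked = sorted(risks, key=lambda r: r.residual_exposure(), reverse=True)
    return [r.risk_id for r in ranked[:n]]


def appetite_report(risks: List[Risk], appetite: Dict[str, float],
                    kris: List[KeyRiskIndicator]) -> Dict[str, dict]:
    """Per objective: residual exposure, appetite limit, whether exposure is
    within appetite (step 1), and the breached KRIs that roll up to it (step 4)."""
    residual = aggregate_residual(risks)
    objective_of = {r.risk_id: r.objective for r in risks}
    report: Dict[str, dict] = {}
    for objective, limit in appetite.items():
        exposure = residual.get(objective, 0.0)
        breached = sorted(k.name for k in kris
                          if k.breached() and objective_of.get(k.risk_id) == objective)
        report[objective] = {
            "residual_exposure": round(exposure, 2),
            "appetite": limit,
            "within_appetite": exposure <= limit,
            "kris_breached": breached,
        }
    return report


# Constructed sample register: two objectives, two risks each.
RISKS = [
    Risk("R1", "Launch EU region", "CISO", 0.3, 2_000_000, 0.6),          # residual 240,000
    Risk("R2", "Launch EU region", "Head of Procurement", 0.5, 400_000, 0.5),  # residual 100,000
    Risk("R3", "Keep uptime at 99.9%", "Head of Operations", 0.2, 1_500_000, 0.8),  # residual 60,000
    Risk("R4", "Keep uptime at 99.9%", "Head of Operations", 0.1, 500_000, 0.0),    # residual 50,000
]

# Constructed appetite: the maximum residual expected loss tolerated per objective.
APPETITE = {"Launch EU region": 250_000, "Keep uptime at 99.9%": 150_000}

# Constructed KRI readings; two of the three have crossed their tolerance.
KRIS = [
    KeyRiskIndicator("vendor SLA breaches per quarter", "R2", threshold=2, current=3),
    KeyRiskIndicator("critical CVEs unpatched over 30 days", "R1", threshold=0, current=0),
    KeyRiskIndicator("failover test failures", "R3", threshold=0, current=1),
]

if __name__ == "__main__":
    for objective, row in appetite_report(RISKS, APPETITE, KRIS).items():
        print(objective, row)
    print("priority order:", top_risks(RISKS, len(RISKS)))
```

Run as-is, the report shows the EU launch objective over appetite (340,000 residual against a 250,000 limit) with its vendor KRI in breach, while the uptime objective stays within appetite even though one of its KRIs has fired; that is the kind of objective-level view steps 3 and 4 call for, and the per-risk ranking is what a risk owner would use to decide where to spend remediation budget first.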
Integrated Tools Suite
In order to approach IRM, organizations need to consider tying multiple solutions together in a cohesive platform that allows for ease of use, reporting, and decision-making. These tools need to provide real-time, mobile-friendly access, integrate with enterprise systems such as ERP and IT service management, and pull key data from the organization's other sources of truth.
Among the programs to consider when developing an IRM plan are:
- Business continuity management
- Disaster recovery management
- Incident management
- Crisis management
- Vendor risk management
- Cyber response
These solutions should be part of any IRM plan that comes together in a platform that includes heat maps, risk assessments, scorecards, reports, and enterprise-wide dashboards.
At Continuity Logic, we help clients develop robust IRM solutions that include customization features, user-defined forms, and clear, real-time reporting. We help migrate companies from spreadsheets, legacy systems, and older software that restrict risk identification and response.
Contact us to learn more about how Continuity Logic can help your company develop an integrated risk management plan.