Integrated Risk Management

Top 10 factors for integrated risk management success

In 2019, organizational risks are turning into significant operational surprises, and the frequency will only increase as digital business requirements grow. There is no longer room for siloed risk management programs. Instead, security leaders must focus on building integrated risk management programs.

Risk management programs mitigate the impact of uncertainty on business performance. By 2021, more than 50% of large enterprises will use an integrated risk management solution set to provide better decision-making capabilities, up from approximately 30% today.

Integrated risk management (IRM) is a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks.

Under the Gartner definition, IRM has certain attributes:

  • Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership
  • Assessment: Identification, evaluation and prioritization of risks
  • Response: Identification and implementation of mechanisms to mitigate risk
  • Communication and reporting: Provision of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response
  • Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives and the effectiveness of risk mitigation and controls
  • Technology: Design and implementation of an IRM solution (IRMS) architecture

To understand the full scope of risk, organizations require a comprehensive view across all business units and risk and compliance functions, as well as key business partners, suppliers and outsourced entities. Developing this understanding requires risk and security leaders to address all six IRM attributes.

Gartner's top 10 factors for IRM success fit within three dimensions: framework, metrics and systems.

To guide the development of a framework that is effective and unique to your organization's risk profile, security and risk management leaders must seek the answers to the following questions related to each factor:

1) Risk Appetite:

  • How much risk are we willing to accept to achieve our strategic goals?

2) Risk Assessment:

  • What is our current level of inherent and residual risk related to our strategic goals?
  • How are residual risks and control effectiveness monitored?
  • How is the need for and effectiveness of remediation determined and assessed?

3) Risk Aggregation:

  • How do we view our risks in relation to our strategic goals?
  • How do we understand and articulate our total risk exposure in relation to a given strategic objective?

Security and risk management leaders can identify and implement the right systems to address the following questions:

4) Risk Analytics:

  • How do our key risk indicators impact our key performance indicators?
  • How can we model risk events that will have a material impact on our business operations?
  • What risk tolerance limits are required to maintain our stated risk appetite?

5) Risk Applications:

  • What technology is required to enable collaboration and communication of risk- and compliance-related information to support business performance and decision making?
  • What technology enables the automation of risk management processes and reporting?
  • What technology enables automation of controls and risk monitoring?

6) Risk Architecture:

  • Are risk management projects and initiatives aligned with governance objectives?
  • How are automated and manual controls, risk monitoring processes, and risk reporting incorporated into enterprise architecture?

7) Risk Assurance:

  • What policies, processes and controls are required to meet strategic objectives, as well as legal and regulatory mandates?
  • How do we know that the risk management program is effective and remains aligned with business objectives?
  • Are the risk controls functioning consistently over time?
  • Do these controls need to be revised or redesigned based on a changing risk landscape?

This model provides a mechanism for companies to answer the following questions:

8) Risk Accountability:

  • How do we reinforce the ownership of risk and control within the enterprise?

9) Risk Action:

  • How can we ensure that employees act in the best interests of the company and within established risk tolerances?

10) Risk Achievement:

  • What risk metrics are required, and how are they linked to performance metrics, to ensure the desired business outcome?
  • How can we quantify the amount of risk, its impact on business operations and the successful mitigation to bring the risk within the organization's appetite?