Integrated risk management (IRM) is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks.
Under the Gartner definition, IRM has certain attributes:
- Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership
- Assessment: Identification, evaluation and prioritization of risks
- Response: Identification and implementation of mechanisms to mitigate risk
- Communication and reporting: Provision of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response
- Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives and the effectiveness of risk mitigation and controls
- Technology: Design and implementation of an IRM solution (IRMS) architecture
To understand the full scope of risk, organizations require a comprehensive view across all business units and risk and compliance functions, as well as key business partners, suppliers and outsourced entities. Developing this understanding requires risk and security leaders to address all six IRM attributes.