An introduction to integrated risk management
First coined by information technology thought leader Gartner, the term “integrated risk management” or “IRM” refers to a specific set of practices and processes that improves the quality of organizational decision-making and performance through a holistic view of how well an organization manages the panoply of risks it faces.
In short, IRM is a panacea to the problem of information silos—a phenomenon that hinders an organization’s ability to proactively manage its legal, regulatory, financial, operational and reputational risks by undermining transparency. Under Gartner’s definition, IRM has six core components—namely, (1) strategy; (2) assessment; (3) response; (4) communication and reporting; (5) monitoring; and (6) technology. Adoption of all six components is required throughout an organization—from the very lowest business unit through the C-Suite—for IRM to function as an effective risk detection and mitigation mechanism.
A closer look at the six components of the IRM framework
The strategy component of the IRM framework is foundational to the IRM process. Here, organizations are required to adopt a holistic approach to the management of risk that focuses on driving organizational improvement through effective risk and governance ownership. In other words, the strategy facet of IRM requires an organization to define and implement an overall approach to the management of risk that is both unique to the organization and achievable with its given resources. Critically, the strategy component requires organizations to carefully examine their own operations and set realistic expectations for incremental improvements over time, rather than abstract—and often unattainable—goals.
In the assessment phase of the IRM process, the organization proactively identifies, evaluates and prioritizes the various risk factors it faces. This requires input from all of the constituent business units that comprise the organization as a whole and is typically coordinated by the compliance or internal audit function of a company. Importantly, the risk assessment phase involves the identification of tangible—as opposed to merely theoretical—risk factors that confront an organization in the course of its daily operations. In the compliance context, a key subdomain of the risk assessment process is identification of the risks faced by the organization from its third-party relationships. As U.S. Department of Justice (“DOJ”) guidance has repeatedly emphasized, an organization must have a complete understanding of its third-party risks by examining the nature of each business relationship, the geographic location of the third party in question, and the degree to which that third party has relationships with foreign government officials. A critical examination of third-party risks is an integral component of an effective risk mitigation strategy, especially as it pertains to anti-bribery and corruption compliance.
The response phase of the IRM process is synonymous with the compliance concept of remediation. Following the identification of an organization’s major risk factors in the assessment phase, the response phase calls for action to address those risks. Importantly, an organization’s response should be tailored as narrowly as possible to address the risk in question. For instance, an organization that identifies major supply chain risks emanating from the sourcing of raw materials in China should adopt appropriate internal controls to ensure that those materials are not sourced from prohibited regions. Conversely, a company that identifies money laundering or terrorist financing risks emanating from its activities in Africa or the Middle East should adopt appropriate enhanced due diligence, financial transaction monitoring, and periodic audit measures to mitigate that specific risk. All risk mitigation measures adopted by the organization during the response phase must be thoroughly documented and periodically reviewed for continued efficacy.
Communication and reporting is the fourth—and arguably most critical—element of effective IRM. In line with emerging regulator and enforcement authority expectations, a company must ensure that information concerning the organization’s overall risk profile is both effectively and consistently communicated to all organizational stakeholders. This element of the IRM process is particularly designed to solve the seemingly intractable problem of “information asymmetry,” by no means unique to the field of economics, in which one person or group has more access to relevant information than another person or group. In a typical organization, this asymmetry is created by the phenomenon of territoriality—a tendency by a company’s constituent teams to guard against broader access to information pertaining to that group’s operations in an effort to increase their relevance and stature. The implementation of an effective IRM strategy requires that organizations resist—and indeed actively undermine—attempts by any one group to subvert its commitment to complete risk management transparency. In short, organizations should encourage and incentivize information sharing on a cross-functional basis to ensure that all stakeholders are operating from the same proverbial playbook.
The monitoring phase of IRM supplements the communication and reporting component by requiring an organization to adopt measures that track risk ownership and accountability, governance objectives, and compliance with policies and decisions set through the governance process. Thus, the monitoring component of IRM serves principally as an accountability mechanism that ensures the organization adheres to risk reduction strategies and tolerance thresholds set by the company’s senior management and executive leadership. The monitoring element also requires that the organization periodically assess the effectiveness of IRM controls for deficiencies and enhance or replace such controls where necessary.
Finally, the technology component of IRM refers to the design and implementation of a technological solution that facilitates the transmission of risk information to relevant stakeholders. Adoption of an IRM solution allows the organization to centralize its risk data and update its risk management strategy in real time. Access to an IRM platform also permits teams across the company to work collaboratively to develop, implement, and refine risk mitigation plans. In the unlikely event that an organization faces a probe from a regulatory or enforcement authority, the aggregation of this information into a single repository—and evidence that the platform has been utilized in connection with the company’s risk management strategy—may be pivotal in leveraging administrative or prosecutorial leniency.
GRC v. IRM — a distinction without a difference?
Governance, risk, and compliance (or “GRC”) capabilities and IRM processes are substantially similar in scope but differ in methodology. As defined by the Open Compliance and Ethics Group (“OCEG”), the term GRC includes a set of “critical capabilities that must work together to achieve Principled Performance—the capabilities that integrate the governance, management, and assurance of performance, risk, and compliance activities.”
As Gartner explains, the paradigm for implementation of a GRC program is fixated firmly on the objective of compliance, while IRM focuses more on performance and outcomes. Thus, the starting point for the adoption of an IRM program is developing a complete operational profile of the organization that leads into identification of risk factors, and the incremental emergence of a cohesive risk management strategy. Conversely, the starting point for the implementation of a GRC program is the overall goal of compliance, which in turn, dictates how the organization’s operational profile should be shaped or reshaped.
One potential weakness of the GRC paradigm is a myopic focus on compliance-oriented outcomes in the absence of information concerning the organization’s operations and unique risk profile. This creates the potential that an organization prioritizes theoretical—as opposed to tangible—risks for remediation, undermining the purpose of the organization’s risk management strategy to begin with. But this criticism of the GRC framework may be overstated since no organization operates without at least some visibility into its core operations. As a consequence, the assertion, for instance, that a domestic manufacturing operation lacking any foreign suppliers or customers would prioritize foreign bribery and corruption as a major risk factor for remediation is largely nonsensical. In short, GRC and IRM are both sound frameworks for achieving legally compliant and ethically oriented outcomes.