Poornachander Kola

Integrated Risk Management... isn't it GRC?

Organisations of all sizes are adopting digital technology to enable their teams, and with it the business risk associated with that technology grows. Until recently, the siloed approach of Governance, Risk and Compliance (GRC) teams operating independently was sufficient.

A next generation of security, privacy, and risk management has emerged: the integration of technology into business-side teams made digital risk pervasive across the organisation, not just within technical teams. CISOs and information security leaders now report to their CEO and Board on the cybersecurity posture of the organisation. After breaches such as Equifax, Marriott, and Capital One, CEOs and Boards have seen how information security can directly affect the bottom line. As the scope of IT risk has expanded to cover the entire business, information security leaders can no longer operate in modular teams.

Integrated risk management (IRM) provides a holistic view of enterprise-wide risk across business units and compliance functions, and enables enterprise-wide information security governance in a way that traditional governance, risk, and compliance is limited in delivering.

Integrated risk management is the combination of corporate governance, digital and cyber risk management, and cybersecurity-based compliance, integrated into a holistic approach that enables a streamlined programme.

Governance, risk and compliance applications, approaches, and solutions have enabled organisations to run cybersecurity teams for all three of those functions (corporate governance, IT risk, and industry and geographic compliance). The same forces that drove the move away from a siloed approach also led information security leaders to seek out integrated risk management, aligning the whole information security organisation to deliver on the new expectations.

An integrated risk management strategy focuses on building a risk-aware culture in the organisation by embracing flexible, easy-to-use solutions that put risk in a business context rather than checking boxes against a compliance framework.

Governance, risk and compliance (GRC), as three functions, are the foundation of an integrated risk management approach to cybersecurity programme management.

An integrated risk management system can identify all risks that affect the implementation of the processes and activities attached to an organisational goal; it can assess the overall consequences and adopt measures according to the level of uncertainty and the inherent risk that threatens the objectives set.

Integrated risk management also places the basis for decision making at lower hierarchical levels of the organisation as well as at the top, and ensures coordination of activities so that current problems between functional structures can be resolved. It also increases efficiency within the organisation through other administrative or managerial means, such as better allocation of resources.

This risk management process, characterised by the development of an integrated risk management methodology, includes the following steps: establishing the organisational and risk management context; identifying, analysing and assessing risk; risk treatment; risk control; and communication and monitoring of the risk management plan.

Advantages of Integrated Risk Management

The main feature of an integrated risk management system is that it integrates the risk monitoring mechanisms of the organisation's functional departments with its culture, focusing on the risks associated with strategic objectives and emphasising the monitoring and control of risk with the intent of reducing it.

  • Risk appetite is the limit up to which risk can be accepted and to which the organisation may be exposed. Management can weigh the opportunities available for achieving its goals and select the most advantageous option in light of the risk profile;

  • Helping to improve decisions about risk treatment.

  • Establishing a single internal control measure able to handle risk found in several functional structures of the organisation;

  • Integrated risk management considers not only the negative and positive nature of risks but also the nature of the opportunities they present.

  • Knowledge of the risks the organisation faces and of its level of risk exposure contributes to a more realistic analysis and substantiation of managerial decisions.

While the terms GRC and IRM are often used interchangeably, "IRM" denotes a particular category of technological solutions for risk management. IRM solutions extend conventional GRC tools and are designed to promote a holistic approach to risk management across the enterprise by incorporating risk information on business strategy and results, on activities, and on the compliance and assurance functions of business actors. To this end, they offer audit-specific modules that integrate with the workflows of other functions.

IRM approaches aim to combine historically separate GRC products into one bundle for strategic, operational and IT risk management, allowing a vertically integrated approach to risk management. This means they promote a view of risk that runs from a company's strategy down to its activities and through its enabling technologies.
