Risk management has become a veritable alphabet soup. The advent of the digital age is partly to blame.
Virtually every organization is “going digital,” in a growing number of areas. Retail is now “e-tail”; manufacturing plants are increasingly automated; nearly every step of the hiring and contracting process happens online, from the application process to background checks to payroll and beyond.
Every connected device and network opens the business to the risk that someone will breach its systems. The danger increases that unauthorized entities might gain access to private and proprietary information, or cause a disruption of critical services, or shut the business down.
As risks grow and change, so do the ways to manage them. New products, services, and consultancies continually emerge, their proponents striving to differentiate themselves. Coining new terminology is one way they do this.
As a result, we now have:
- Enterprise risk management (ERM)
- Governance, risk management, and compliance (GRC)
- Integrated risk management (IRM)
How do these types of risk management differ from one another, exactly? No one seems to know for certain.
A Google search presents a plethora of possibilities: one is “qualitative,” posits one website, while another is “qualitative.” A different site disputes that differentiation (as do our own experts).
Gartner, which coined the term “integrated risk management” in 2017, claims that GRC focuses narrowly on regulatory compliance, while IRM has a more expansive, risk-oriented view. Others disagree including, again, our experts.
What are the differences among these types of risk management?
Are there differences at all?
Searching for answers can make you feel like you’re chasing your own tail. What is what? Which is best?
Are you even doing risk management right?
Swimming in the soup of acronyms becomes not only confusing but also worrisome—even alarming. For as cyberattacks increase in scope and expense, and data privacy takes a front-row-center seat in customers’ and clients’ minds, the cost of getting it wrong has never been greater.
ERM: A Short History
Not too long ago, risk managers concerned themselves mainly with hazards, such as fires and floods and, in the financial sector, loan defaults (credit risk). To avoid the losses these types of risk could cause, organizations bought insurance, thereby “transferring” risks to the insurance company.
Over time, however, boards and executives began to recognize that this vision of risk was too narrow in a multinational business world.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), a group of five major financial and accounting organizations, in 1992 developed a framework to help companies establish internal controls.
Internal Control—Integrated Framework, also known as the COSO framework, provided the first common definition of “internal control.” It also gave organizations a system they could use to assess their internal controls’ effectiveness, whether in a single business function or process or throughout the enterprise. (COSO revised this framework in 2013.)
After a series of financial, auditing/accounting and insider trading scandals rocked the corporate and shareholder world in the early 2000s, business leaders, as well as Congress, recognized the need for strategy-driven enterprise-wide risk management. COSO in 2004 issued a second framework: Enterprise Risk Management—Integrated Framework, updated in 2017.
COSO’s ERM framework and the International Organization for Standardization’s ISO 31000:2018 Risk management—Guidelines are the most commonly used frameworks for enterprise risk management.
GRC: A Short History
Although organizations have always engaged in governance, risk management, and compliance, the term “GRC” seems to have come from risk leader Michael Rasmussen, the “GRC Pundit,” in 2002. Here’s how he tells the story:
“On a cold snowy day in February 2002, in the offices of GiGa Information Group in Chicago soon to be acquired by Forrester Research I sat through two vendor briefings that struck me with a revelation. The first was a technology vendor briefing demonstrating their solution to manage and integrate policies, controls, and risks. This really struck me. It was something I had envisioned in the 1990s as a consultant but was not a software developer so never took action on. It was simply brilliant. What do we call it? A few hours later I had another briefing with PwC reviewing their services. My ADD mind was bouncing around back to this previous briefing while coming back to the PwC briefing — sort of a mental Ping-Pong. The PwC briefing had some terms that seem to drift toward me from the slides. On different slides, my mind locked onto the terms Governance, Risk Management, and Compliance. There it was — a name for this new market — GRC.”
Rasmussen points out that technological GRC solutions came along years after organizations had been using spreadsheets and documents in analog and, later, digital, form to track and manage policies, controls, risk registers, and risk assessments. GRC solutions have rendered these processes increasingly obsolete, and make the job easier by performing more and more functions. Rasmussen sees the GRC development timeline as follows:
- GRC 1.0 (2002-2007): Financial reporting, Sarbanes-Oxley Act (SOX) compliance, and their related IT controls
- GRC 2.0 (2007-2012): Audit management, enterprise and operational risk management, compliance beyond financial controls, and more
- GRC 3.0 (2013-2018): Using GRC solutions for enterprise-wide management in a variety of areas such as risk management, compliance, legal, finance, audit, security, and health and safety.
- GRC 4.0: (2018-present): Automated GRC
IRM: A Short History
In 2018 the research and advisory firm Gartner introduced the term “integrated risk management” (IRM), defining it as defining it as “a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.”
It introduced the term as part of its “Magic Quadrant” evaluating service vendors that provide IRM solutions. Previously, Gartner had evaluated GRC vendors.
The firm strove to distinguish between IRM and GRC by saying that, while GRC is compliance-focused and reactive, IRM is risk-focused and proactive. But some thought leaders, including Rasmussen, disputed this distinction, pointing out that GRC solutions continually evolve as risks evolve. He scoffed at Gartner’s switch to IRM as a blatant marketing-driven attempt to “make itself feel relevant.” The IRM Emperor (Gartner) Has No Clothes, he wrote in August 2018.
In February 2020, Gartner informed vendors evaluated in the 2019 Magic Quadrant that it is “officially retiring the IRM market category in favor of more targeted marketing segments.” While the company will continue to research IRM, it has found that most users deem it a strategy to be pursued rather than a product category, the announcement stated.
“There is no single buying center for IRM solutions that have a consolidated view of risk and with a consolidated budget. Therefore, IRM is not a good fit for what our end user clients consider a ‘market’ to be. Magic Quadrants are aimed at the individuals who are selecting vendors and products to solve specific critical problems. This Magic Quadrant and Critical Capabilities research was not aligned to our end user clients’ behaviors.”
Does this mean that IRM is a risk management strategy and GRC is a risk management solution? Not so fast, our experts say.
ERM vs. GRC vs. IRM: What’s the difference?
Practically speaking, there is no difference, according to Reciprocity consultant Gerard Scheitlin, founder and president of the risk management company RISQ Management. All three terms refer to enterprise-wide, integrated risk management—a program that encompasses all aspects: cybersecurity, finance, human resources, audit, privacy, compliance, natural disasters, and so on.
The way the terms are used, however, defines ERM as involving strategic, high-level risk management that includes various functions and involves executives and the board.
IRM, according to Gartner, involves the hands-on work that makes ERM possible: the technical controls critical to effective cybersecurity such as security monitoring, network monitoring, and perimeter protection.
Somewhere in the middle is system management: risk management policies and procedures, which Gartner places in the ERM camp; accreditations and certifications, which is compliance, some of which fall on the ERM side (such as COSO and ISO 31000), others which would be more technically-oriented and therefore classify under IRM (such as NIST and PCI DSS).
The place where ERM and IRM split, under Gartner’s model, is therefore, a gray area—and irrelevant, Scheitlin maintains.
“The differences between them don’t matter,” he says. “They’re integrated.”
Both IRM and ERM provide a holistic model of risk management, IT risk as well as operational risk, Scheitlin says, and are integrally related. You can’t have one without the other: IRM feeds ERM, and ERM guides IRM.
And GRC, which Scheitlin calls “risk assurance,” implements this holistic approach. GRC is where risk-management magic happens.
The Better Question To Ask
ERM, IRM, GRC: Which is more important? They’re all important, Scheitlin says.
“Where you start is the better question,” he says.
“Typically, most start at the technical controls. You’ve got to have some in place. And that’s where every CISO wants to start because it’s considered the first line of defense.”
“Then you’ve got to build out your system. How are you going to build it? What are you going to do? How are you going to put it all together? You have to build a model—a risk hierarchy—for how you’re going to separate this out to get work done. You have technical (IT) risk, system risks, and process risks. How are you going to make sure you’ve got the entire organization involved in this?”
For truly holistic risk management, you need to create a risk profile for your enterprise, one that takes an integrated view of all departments and functions.
You’ll conduct a risk assessment identifying and prioritizing risks, and establish the amount of risk you’re willing to take, or your “risk appetite.”
You’ll think ahead, anticipating new risks down the road and your organization’s risk response: accept, avoid, transfer, mitigate.
You might use a risk management framework such as COSO or ISO 31000 to aid you in decision-making and guide you through these tasks. Risk management solutions, especially GRC solutions, can be invaluable, as well.
The best GRC solutions will manage risks from bottom to top: technical, systems, and process, not only in the enterprise but also third- and fourth-party risks. They’ll also make compliance management a snap.
Many Needs, One Solution
“ZenGRC covers all of this,” Scheitlin says. Zen identifies vulnerabilities, analyzes policies and procedures, helps to ensure that monitoring and other controls are working as they should, ensures compliance with a wide variety of frameworks, and more.
- Direct integrations with critical third-party apps—Select from our library of pre-built connectors via ZenConnect to integrate ZenGRC with the business and infosec apps that your company relies on, like AWS, Qualys, Jira, Splunk, Slack, and Tableau.
- Industry-specific content developed by our experts—Access prebuilt and preloaded templates for frameworks like SOC 1 and SOC 2, FedRAMP, ISO, PCI, HIPAA, and SOX, so your teams can get up and running fast.
- Real-time access to infosec posture—Automate evidence collection, simplify workflows, and generate real-time reports to reduce manual effort and shorten audit cycles.
- Easy-to-use cross-mapping to multiple frameworks—Avoid redundancy, identify overlaps, and easily assess gaps in your company’s infosec and compliance efforts.
- Customizable risk calculations and multi-variable scoring—Gain a holistic view of risk across your organization, so you can understand how multiple risks interact, how, if realized, they could impact your business, and what the probability is that they will become incidents.
- Streamlined vendor and third-party risk management—Automate questionnaires and assessments, improve vendor relationships and eliminate unnecessary workloads for your teams.
- Increased visibility and reporting with Dashboards—Improve transparency and multi-level stakeholder reporting with up-to-date status reports that aren’t a burden.
ZenGRC is the most comprehensive solution available for fully integrated, holistic, enterprise-wide management of your organization’s risks. Call today for your free consultation, and start on the path to worry-free governance, risk management, and compliance—the Zen way.