Integrated risk management (IRM) is “a set of practices and processes supported by a risk-aware culture and enabling technologies that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks,” according to research firm Gartner Inc.
Put simply, integrated risk management is an approach to risk management that integrates risk activities across every level of your company to enable better decision-making by your decision-makers.
Elements of an integrated risk management system:
- Risk Identification
- Risk Assessment
- Risk Response
- Risk Communication
- Risk Monitoring
During risk identification, your organization identifies and develops a solid understanding of its risks. You should include risks that could keep you from achieving your business objectives at various levels of your company.
You should also provide your staff members with clear direction regarding your expectations about identifying risks and provide the necessary tools to help them do this. There are a number of tools and methods you can use to identify risks, including workshops and checklists.
You can identify risks using a structured integrated risk management approach as part of a formal risk assessment or on an ongoing basis as part of regular meetings. When it comes to defining risk identification activities within the risk management process, you may opt to offer direction regarding:
- Who should be involved in identifying risks;
- How much rigor is needed for particular risk identification activities;
- The type of data you have to collect and the level of detail that you need;
- How you should document the risks you identify for risk assessment purposes.
During the risk assessment, you have to analyze and prioritize risks. Typically, analyzing risks during the risk assessment process involves assessing how likely it is that a particular risk will occur and how much it will affect your business if it does occur.
Risk assessment generally focuses on residual risk, i.e., the level of risk after you take into consideration existing controls and any existing risk responses. However, risk assessment may also include assessing inherent risk, i.e., the level of risk before you consider existing controls and any existing risk responses.
Analyzing risks during the risk assessment helps you to prioritize them. This usually involves ranking risks that need responses so you can focus on the right risks. When you prioritize risks, be sure to consider your risk tolerance.
You should perform a risk assessment at the organizational as well as activity level and include identifying and analyzing risks that may affect your company’s ability to achieve its business objectives. In general, risk assessment involves determining how important the risk is, assessing the probability that the risk will occur and figuring out how to handle it.
When you define your risk assessment activities within the risk management process, you may want to indicate:
- Who should be involved in the risk assessment;
- How much rigor is needed for a specific risk assessment activity;
- What type of information you need to collect and what level of detail is required;
- How you should document assessed risks for risk response purposes.
Risk response is the process of selecting and implementing strategies to respond to a specific risk. Usually, you select a general response strategy, e.g., accept, monitor, transfer, avoid, or reduce the likelihood and/or impact of a risk. Your tolerance for a specific risk should determine your risk response.
If you decide that you’ll take some action, e.g., you decide not to accept the risk, you have to put a plan in place outlining the specific actions, responsibilities, and timelines of the action. Your risk response strategy should include all of the activities to accompany the risk response, such as communications and outreach.
When you define your risk response activities within the risk management process, you might want to offer direction in terms of:
- Considering the wider context of the risk, including the business objectives you’ve defined and the outcomes that you expect;
- How stakeholders inside and outside your company will tolerate the risks;
- Your priorities in terms of allocating resources.
Risk communication, a key part of the decision-making process, refers to how you communicate and report information about risks to the appropriate levels of your organization at the right times to support your decision-makers in their decision-making.
This includes communicating risk information internally to your employees across different operational areas, as well as externally to clients and stakeholders. An important aspect of effective risk management communication is giving your decision makers enough information so they can contribute to the decision-making process in an informed way.
Risk communication also lets you reuse risk information for other processes, which means you won’t have to conduct multiple risk assessments on the same area for different purposes, e.g., auditing, planning, resource allocation.
As with risk identification and risk assessment, there are a number of tools and techniques you can use to communicate risk information. However, you should consider implementing a standardized method to communicate risks.
In defining risk communication activities within the risk management process, you should consider offering information about:
- What type of data you need to communicate at various stages, i.e., what type of information do stakeholders need and want;
- Who is the audience for this information, e.g., your employees, your management, external stakeholders;
- How you will communicate the information to the right people.
Monitoring your risks is critical to ensure that the information you have about them continues to be relevant. Risk monitoring involves reviewing and monitoring whether your risk profile changes after you implement internal controls.
That means you have to review your risk information regularly so that you can take into account the impact that changing circumstances have on your existing risk responses. It also means that you must review your risk responses to ensure that you’ve implemented your risk responses effectively and that you are achieving your business objectives. Monitoring risks also enables you to identify improvements that you could make to the risk management process.
In defining risk monitoring activities within the risk management process, you might want to offer information about:
- Who should be involved in monitoring risks;
- How you should monitor the changes to the nature and the level of risks and how you should monitor the continuing relevance of the risk responses;
- How you should monitor the progress on implementing risk responses;
- How you should monitor the effectiveness of risk responses as it pertains to moving risks toward levels your company can tolerate;
- How often you should review risk information;
- Who is responsible for making changes or taking any corrective actions.
Developing Communications and Reporting Methods
Developing communications and reporting methods enables you to continually keep stakeholders in the loop in terms of organizational risk management processes, practices, and risk responses. At any time, you should be able to provide stakeholders with a snapshot of your company’s key risks and what you’re doing to manage them.
When you’re identifying or designing mechanisms to ensure you clearly communicate risk issues, practices, and procedures throughout your company you should:
- Consult with internal and external stakeholders.
- Communicate senior management’s commitment to and vision of risk management throughout your company.
- Communicate the components of your risk management approach and any modifications to that risk management approach in a timely manner.
- Report the effectiveness and outcomes of your risk management approach.
Once you’ve established these foundational elements, you have to integrate them into your company’s risk management strategy, people, processes, and technology so they become an inherent part of your company:
- Risk management strategy: Establish and activate a risk-aware culture, sponsorship, plans, and roadmaps, including developing an integrated risk management framework.
- People: Empower all your employees and give them the resources they need to do their jobs. Communication and reporting are critical. You have to take the steps necessary to implement the best methods to track and inform all your stakeholders about your company’s risk response.
- Processes: Establish risk management processes that deliver risk and compliance outcomes and make certain everyone can follow them.
- Technology: Implement technologies that accelerate your risk management strategy. Establish processes, enable collaboration, drive engagement, support your integrated risk management strategies, and keep stakeholders informed and involved.
With all this talk of integrated risk management strategy, it’s important to understand that integrated risk management is not the same as enterprise risk management.
Enterprise risk management focuses on planning, organizing, leading, and controlling your risk activities. Enterprise risk management enables you to review your strategic business objectives as well as the information technology risks associated with those objectives.
Integrated risk management revolves around analyzing the risks inherent in your company’s technologies. Although integrated risk management includes many elements of enterprise risk management, it’s typically more comprehensive.
For most companies, building an integrated risk management system means replacing risk areas that have traditionally existed in silos with a single, holistic view of enterprise risk.
This integrated risk management strategy requires that all the key functions in your company, e.g., personnel, finance and accounting, manufacturing, procurement, information technology, legal, internal audit, strategic development, marketing, etc., take part in the risk management process.
An integrated risk management framework establishes a structured approach to governing risk. Applying an integrated risk management strategy lets you evaluate your risks by providing a link between your business objectives, the functional departments of your company, and the components of a risk assessment, i.e., the extent of the potential loss and the probability that the loss will occur.