
Integrated risk management

From EverybodyWiki Bios & Wiki

Integrated risk management (IRM) is a business discipline that combines technology, process and data to simplify, automate and integrate the management of strategic, operational and cybersecurity / information technology (IT) risks. In many organizations, risk management is highly fragmented and generally organized into programs at three levels - enterprise risk management, operational risk management and IT risk management. IRM seeks to integrate these programs vertically by linking strategic and tactical methods for managing risk.

In Sweden, the Swedish Transport Administration's integrated risk management approach is based on the international standards ISO 31000 (risk management), ISO 22300 (societal security), ISO 9000 (quality management), ISO 27000 (information security management systems) and COSO ERM (enterprise risk management).[1] For the United Kingdom's pensions regulator, IRM is a risk management tool that helps trustees identify and manage the factors that affect the prospects of meeting the scheme objective, especially those factors that affect risks in more than one area.[2] In the United States, the Federal Reserve Bank uses IRM to aggregate risk types (market, credit and operational) whose distributional shapes vary considerably.[3] Moody's likewise recommends IRM as an approach that gives banks in the US and internationally significant benefits in bridging the gaps between distinct risk management silos.[4]

John A. Wheeler introduced the term "integrated risk management" for technology solutions in his report "Transform Governance, Risk and Compliance to Integrated Risk Management." In the report, Mr. Wheeler highlights the need for IRM with a finding from a 2016 survey of risk executives by the Risk and Insurance Management Society: nearly three-quarters of the respondents said that forecasting critical risks would become increasingly difficult over the next three years, and that the main obstacle is the ongoing lack of "cross-organization collaboration."[5]

David Hillson discusses the need for IRM in a project management context in his report to the Project Management Institute. In the report, Dr. Hillson states, "Integrated risk management addresses risks across a variety of levels in the organisation, including strategy and tactics, and covering both opportunity and threat. Effective implementation of integrated risk management can produce a number of benefits to the organisation which are not available from the typical limited-scope risk process."[6]

Standards / Frameworks

The demand for IRM is increasing because of the new and greater risk associated with digital business transformation and cybersecurity.[7] The National Institute of Standards and Technology (NIST) promotes the development of IRM programs in its Framework for Improving Critical Infrastructure Cybersecurity, version 1.1.[8]

Similarly, the International Organization for Standardization (ISO) supports the integration of risk management in its ISO 31000:2018 standard.[9] According to ISO, this new standard "provides more strategic guidance than ISO 31000:2009 and places more emphasis on both the involvement of senior management and the integration of risk management into the organization."[10]

In the United States, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently updated its enterprise risk management framework to increase the emphasis on IRM.[11] Neil Amato describes five benefits of the COSO framework and IRM: (1) increasing the range of opportunities considered, (2) identifying and managing risk entity-wide, (3) reducing negative surprises and increasing gains, (4) reducing performance variability and (5) improving resource deployment.[12]

In addition, national governments have promoted the use of IRM. For example, Canada has created an IRM framework and guide for use in the public sector. Developed by the Treasury Board of Canada Secretariat, the guide states, "Risk management cannot be practiced effectively in silos. As a result, integrated risk management promotes a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective in a cohesive and consistent manner. It is about supporting strategic decision-making that contributes to the achievement of an organization's overall objectives."[13]

Regulations

The US Securities and Exchange Commission (SEC) highlights the need for IRM in its latest cybersecurity disclosure guidance for US publicly traded companies.[14] The European Union General Data Protection Regulation (GDPR) also addresses the need for IRM in collecting and maintaining personal data across an enterprise. While GDPR sets specific data requirements for breach notification, right of access, right to be forgotten, data portability and privacy by design, it also, more importantly, mandates the role of a data protection officer (DPO).[15] To carry out the required duties, a DPO must have a full understanding of data flows across the enterprise and the related strategic, operational and IT risks. Organizations with an IRM focus therefore have an advantage in supporting the DPO and the associated compliance requirements.

Technology

Gartner, a global technology research and advisory firm, defines IRM as a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.[16]

Gartner defines IRM solutions as technology deployed to provide a vertically integrated view of risk, starting with an organization's strategy, continuing through its business operations and ultimately reaching the enabling technology assets. This is done through a range of solutions, from purpose-built applications to single-vendor integrated solution sets, across six primary use cases: digital risk management (DRM), vendor risk management (VRM), audit management (AM), corporate compliance and oversight (CCO), enterprise legal management (ELM) and business continuity management (BCM).[17]

References

  1. https://trid.trb.org/view/1513422
  2. http://www.thepensionsregulator.gov.uk/guidance/guidance-integrated-risk-management.aspx
  3. https://www.econstor.eu/bitstream/10419/60689/1/389505617.pdf
  4. https://www.moodysanalytics.com/risk-perspectives-magazine/integrated-risk-management/principles-and-practices/benefits-of-a-consolidated-data-framework-across-an-organization
  5. Goodwin, Chris. "Next-level compliance begins with integrated risk management". Bloomberg Professional Services. Bloomberg LP. Retrieved September 25, 2017.
  6. Hillson, David. "Integrated risk management as a framework for organisational success". PMI.org. Project Management Institute. Retrieved 30 June 2018.
  7. "Cyber risk is a growing challenge. So how can we prepare?". The Global Risks Report 2018. World Economic Forum.
  8. "NIST Releases Version 1.1 of its Popular Cybersecurity Framework". US National Institutes for Standards and Technology. Retrieved April 16, 2018.
  9. "The new ISO 31000 keeps risk management simple". International Organization for Standardization. Retrieved 15 February 2018.
  10. "Risk Management ISO 31000" (PDF). International Organization for Standardization.
  11. "Enterprise Risk Management — Integrated Framework". COSO.org. The Committee of Sponsoring Organizations of the Treadway Commission. Retrieved 30 June 2018.
  12. Amato, Neil. "5 benefits of an integrated risk management programme". Financial Management Magazine. Retrieved 30 June 2018.
  13. "Guide to Integrated Risk Management". Government of Canada. Treasury Board of Canada Secretariat. Retrieved 30 June 2018.
  14. "Commission Statement and Guidance on Public Company Cybersecurity Disclosures" (PDF). Securities and Exchange Commission. Retrieved February 26, 2018.
  15. "Data Protection in the EU". European Commission. Retrieved 20 June 2018.
  16. "Integrated Risk Management (IRM)". Gartner. Retrieved 19 June 2018.
  17. "Competitive Landscape: Integrated Risk Management Solutions". Gartner. Retrieved 12 April 2018.

This article "Integrated risk management" is from Wikipedia. The list of its authors can be seen in its history and/or on the page Edithistory:Integrated risk management. Articles copied from the Draft namespace on Wikipedia can be seen in the Draft namespace of Wikipedia and not the main one.