Today there are more risk drivers, spanning more areas of the business, than ever before, which makes risk harder to monitor, manage, and mitigate. Yet much of the financial services industry continues to approach risk the way it always has: through two distinct silos, compliance and risk. The onset of the COVID-19 pandemic exposed the cracks in these traditional approaches and raised the need for a more comprehensive one, Integrated Risk Management (IRM).
“The response to the coronavirus pandemic is a perfect example of when the [three lines of defense] and traditional risk governance don’t work very well. Traditional approaches fail because they can’t effectively deal with fast-moving and interconnected risks.” — Malcolm Murray, VP, Gartner Audit & Risk practice.
In this article, we cover:
- Defining Terms: GRC vs. ERM vs. IRM
- The Six Practice Areas of IRM
- The First Steps in Implementing IRM
An Overview of IRM and How It’s Different From Other Approaches
There are many factors that drive the overwhelming pace of change across financial firms’ risk profiles. These factors include:
- The sweeping adoption of digital tools to meet consumer needs, which requires a reliance on external-facing third-party vendors.
- The adoption of third-party vendors to manage behind-the-scenes complexity; these new technologies and integrations often need access to consumer data the firm has collected, or collect additional consumer data themselves, and each new data flow adds risk.
- Business expansion into other markets across the nation and around the globe, adding liability as both the number of consumers to protect and the number of regulators to adhere to multiply.
- Growing regulatory complexity, at both the national and the global level.
How firms monitor, manage, and mitigate the risk associated with these factors depends on their risk and compliance philosophy. Here are two approaches that firms often take and how they compare to an IRM strategy.
Governance, Risk, and Compliance (GRC)
To understand IRM, it’s important to understand how it came to be. In 2002, a series of financial scandals led to the passage of the Sarbanes-Oxley Act (SOX), a federal law that set new rules for accountants, auditors, and corporate officers and imposed more stringent recordkeeping requirements, which fell especially heavily on financial firms. In response, the industry developed the discipline of “governance, risk, and compliance” (GRC) to keep up with and manage these SOX requirements.
Over time, technology took on a more prominent role within the governance, risk, and compliance discipline, both to align IT with business objectives and to manage risk and meet compliance requirements effectively. This ultimately led to GRC-focused software designed to help companies achieve these goals.
Since then, the GRC acronym has become synonymous with the software itself, and the GRC discipline is often conflated with the technology that supports it. But the framework that connects governance, risk, and compliance, independent of any tool, is an essential part of monitoring, managing, and mitigating risk effectively.
A conventional GRC framework is typically carried out by the three lines of defense, which are each responsible for a different aspect of overall risk management:
- 1st line of defense: Line management should act as the first line of defense, identifying risks and implementing controls.
- 2nd line of defense: Risk and assurance functions such as legal, compliance and enterprise risk management (ERM) should act as a second line, overseeing and monitoring risk management processes.
- 3rd line of defense: Internal audit should act as a third line, taking a bird’s-eye view of the effectiveness of controls and risk management.
While the three lines of defense model is important, it can also make reacting to new risks difficult: it is deliberate and slow-moving, and it is often disconnected from the rest of the organization, including the executive and board level.
Enterprise Risk Management (ERM)
As SOX compliance auditing and the GRC framework were taking shape, the role of enterprise risk was evolving as well. Risk mitigation was historically handled by purchasing insurance, such as property, liability, and malpractice insurance, to cover physical events like natural disasters and theft, as well as lawsuits and claims relating to damage, loss, or injury. However, as more drivers of risk surfaced for firms, risk professionals expanded their purview to include risks associated with technology (particularly technological failures), company supply chains, and business expansion.
In response to this expanded risk profile, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) created the concept of Enterprise Risk Management (ERM) to spot risks and map them throughout a traditional company structure. ERM typically involves the highest levels within an organization, including executive and board-level decision makers, as it is intended to connect all of the departments across the organization.
While ERM is meant to help organizations proactively manage and mitigate company-wide risks, it does not oversee the day-to-day implementation of the controls needed to prevent and mitigate those risks, especially where regulatory compliance is concerned.
Integrated Risk Management (IRM)
In 2016, Gartner revisited the concepts of GRC and ERM and determined that each, while critical, didn’t fully connect all of the dots from a risk and compliance perspective. So, Gartner created a renewed framework that addressed both the high-level strategy of managing risk, as well as the hands-on work of making these strategies possible. And so Integrated Risk Management was born.
The numbers speak for themselves:
- 57 percent of senior-level executives rank “risk and compliance” as one of the top two risk categories they felt least prepared to address.
- 87 percent of organizations see tech risk management as a siloed, reactive process rather than an organization-wide function for proactive risk management.
- Only 4 percent of organizations feel that their third-party risk management tools fully integrate and capture overall risk for reporting purposes.
IRM helps organizations address all of these concerns. It is an umbrella approach that bridges ERM and GRC, relying on ERM strategy to identify risk drivers and on the GRC framework to carry out the actual work of compliance. Through this connection, IRM creates a comprehensive view that:
- Exposes any risk management gaps that exist due to silos
- Proactively monitors, tracks, and implements compliance measures across all of the areas identified by the company’s executive-led ERM strategy
In turn, this enables companies to be more agile in their response to unforeseen circumstances, as IRM is both a top-down and bottom-up approach that includes executive and board-level leadership and the teams that do the actual work.
“Rather than putting compliance first, integrated risk management enables an organization to manage its unique set of risks that face its organization specifically and in turn meet compliance requirements as a part of that mission.” — CyberSaint Security
The Six Practice Areas of IRM
Gartner defines IRM through six practice areas:
1. Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership
2. Assessment: Identification, evaluation and prioritization of risks
3. Response: Identification and implementation of mechanisms to mitigate risk
4. Communication and reporting: Provision of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response
5. Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives and the effectiveness of risk mitigation and controls
6. Technology: Design and implementation of an IRM solution (IRMS) architecture
Ultimately, IRM oversees, prepares for, and mitigates every part of a company’s dynamic risk profile, including physical, technological, data-related, and regulatory risk. According to LogicGate, an agile GRC cloud solution and Ascent integration partner:
“Integrated Risk Management gives business leaders a clear picture of all their risks. With their newfound understanding of the enterprise’s dynamic risk profile, they can make better decisions at the enterprise level about which risks to mitigate and which to accept or transfer. By integrating risk areas and recognizing interdependencies, executives can ask more strategic questions about how risk in one part of the business impacts other parts of the business.”
The First Steps in Implementing an IRM Strategy
The first steps in building an IRM strategy focus on two of the six practice areas (Strategy and Assessment):
1. Outline your company goals and strategy
2. Determine which stakeholders own those areas of the business
3. Identify the key risk drivers from those areas of business, including those associated with regulatory compliance
To identify the risks associated with regulatory compliance, it’s important to start from the beginning. At Ascent, we use the most granular regulatory data in the industry to help risk and compliance teams pinpoint and map their regulatory requirements and obligations throughout their organizations. This is especially important when setting up a regulatory compliance framework for the first time or addressing gaps in a firm’s existing one.
Our AI-driven technology called RegulationAI takes this process one step further, by keeping firms’ obligations updated so they never miss a regulatory change that could expose them to additional risk. These dynamic granular obligations are even more powerful when they’re seamlessly tied into GRC platforms, such as LogicGate and IBM OpenPages—a capability that Ascent has built through its API integrations.
To learn more about Ascent’s API integrations, contact us directly.