It’s a business maxim: Where business goes, risks follow. And in recent years, business has found itself in places that might not have been part of the original plan: Digital processes, global business, outsourcing to third parties, and other circumstances more have uncovered new business risks. The scope of risk management is bigger than ever before.
Risk management is defined as the forecasting and evaluation of financial and business risks, as well as the identification of procedures and measures, to avoid or minimize their potential impact.
But traditional risk management is ill-equipped to serve digital-first organizations, because it considers risk in isolation. In a technology-based environment, where data flows through different systems and departments, successful companies are adopting integrated risk management (IRM) to include enterprise-wide risks and empower decision-making at every level of the organization.
Gartner defines integrated risk management (IRM) as “a set of practices and processes supported by a risk-aware culture and enabling technologies that improve decision making and performance through an integrated view of how well an organization manages its unique sets of risks.”
Here's an up-close view of the major new risks that demand an IRM approach, and how such an approach uniquely manages these risks.
The rise in digital business processes
Companies adopt digital processes enabled by big data, 5G, the Internet of Things and social media to become more efficient, lower costs, boost output, and gain competitive advantages.
As they do, new digital risks emerge, such as cyber concerns, data exposure, and privacy. IT leaders are under pressure to ensure systems can withstand attack. Threats can come from anywhere leaving assets at risk, which is why more regulations are adding requirements and guidance specifically for digital risk.
Integrated risk management allows risk managers to identify, analyze, mitigate, and manage digital risks holistically, before they have a chance to harm the organization. That means addressing vulnerabilities, using patch cadence, and performing continuous testing of controls.
You can’t eliminate risk, but you can manage it. The best way to do that is with an enterprise-wide perspective on risk, which is exactly what IRM gives you.
Globalization increases digital risk
Globalization is notable for promoting trade that encourages global economic growth, creates jobs, makes companies more competitive, and lowers prices for consumers. Globalization also creates operational risks that only integrated risk management can fully address.
Before COVID-19 disrupted the supply chain, one of the best examples of operational risk was the 2017 hurricane that hit Puerto Rico and disrupted the medical supply chain. Overnight, factories that produced medical supplies and drugs were either destroyed or suffered power failures, which impacted hospitals and clinics in the US with reported shortages in IV fluid bags.
An IRM view would have connected the dots, revealing the risk of what could happen in Puerto Rico and empowering decision makers to act before events occurred.
“The response to the coronavirus pandemic is a perfect example of when the [three lines of defense] and traditional risk governance don’t work very well,” says Malcolm Murray, vice president and fellow, research for the Gartner Audit and Risk practice. “Traditional approaches fail because they can’t effectively deal with fast-moving and interconnected risks. Pandemic is a rapidly developing type of risk that needs a dynamic risk governance set-up.”
It’s not just natural disasters and pandemics that disregard borders. Geopolitical risks from tariff talk to saber-rattling can enter the picture at any time and impact business operations. Seeing how these risks could impact your organization enable leadership to be more proactive.
Many discussions that were once kicked around by the IT department have made their way into the executive offices. As Wheeler notes, digital transformation is a must for competitiveness and survival. Integrated risk management is an inevitable step in that transformation.
Third-party reliance leads to third-party risk
Third parties are entities outside your organization, and they may handle your sensitive data. As such, they pose a third-party risk to your entire organization. These new third-party risks are also operational risks that can impact the entire company.
To illustrate: Banks face new risks from a major shift to fintech, a term coined for computer programs and technology that support or enable banking and financial services. This greater reliance on digital platforms increases the risk of cyber attacks and other IT incidents.
Given the operational role played by third parties, managing their risk is an integral part of IRM. Third-party risk management’s assessments, monitoring, and more, all report into IRM with metrics and indicators for input and influence on enterprise-wide risk and performance.
IRM technology helps manage digital risks
The rise in digital processes, the era of globalization and the trend toward third-party reliance are forcing organizations to evolve from a siloed risk management approach to IRM, requiring additional technology to support these complex processes.
The right technology allows users to perform IRM in ways that are efficient, effective, and agile. Use the solution to optimize risk appetite, assist decision-makers, encourage collaboration, and embrace change, all while creating a more resilient organization.
Technology-powered IRM is required to meet the challenges of our digital risk-filled business world in 2020.