I'm often asked, "How did you go from submarining into integrated risk management and compliance space?"
I know most risk majors come from either a direct risk management background or an IT security background or financial management background, insurance background. Why submarine? Well, as a submariner, risk management is part of your everyday job. You're faced with an unimaginable amount
You have a 3000-pound hydraulics and a nuclear reactor. Many submarines carry nuclear weapons, 450-volt electricity. You're surrounded, you live in a hazardous environment. How do you manage that? By effectively managing those risks. And by managing all those risks, you can undertake activities that no one else can do.
In submarines, risk management was truly integrated into every command decision that was made. Today, we're going to learn about integrated risk management (IRM). How is IRM different than GRC? How does IRM impact business decision making? How do we get more from IRM?
What is Integrated Risk Management?
What is integrated risk management? First, start first with this idea that Content is king. This was popularized by Bill Gates back in the 1990s with essay that he wrote of the same title; Gates was pontificating on how money would be made through the internet. He pointed out that to get value in a digital medium, content would have to be presented within a new context, a multimedia type of context.
In other words, context makes the difference.
IRM is a process that improves decision-making and enhances business value by integrating risk intelligence into activities across the enterprise, such as strategic planning and strategy execution, investment decision making, project portfolio management, enterprise performance management, third-party performance management, and information governance.
Integrated risk management differs from other forms of risk management by its context - and context is what creates value within the enterprise. It improves business decision-making by integrating risk intelligence into activities across the enterprise.
How Is IRM Different From GRC?
GRC is focused on preserving corporate integrity, protecting our brands and our reputations, providing assurance of compliance with the laws, regulations, standards, contractual obligations, and policies, that ensure that our companies are well-governed; and ensures that directors and executives and employees have the risk intelligence to ensure exceptional business performance.
IRM is risk intelligence in context. It integrates risk intelligence into business activities, into business decision-making, to improve that decision-making, and to enhance the business value.
IRM activities go beyond the traditional GRC functions of internal audit and compliance, and even beyond traditional risk management. IRM goes beyond GRC to focus on strategic planning: How do we integrate risk intelligence into strategic initiatives that our company will take over the next two or three years? (Usually a business only has two or three strategic initiatives in which massive amounts of investment report.)
We invest in GRC programs for assurance that we're complying with rules and regulations, complying with policies, and complying with the decisions that are made around strategic initiatives and objectives. But IRM is focused on performance
But IRM is focused on performance.
Integrated risk management helps us make decisions around which strategic initiatives to invest in, and how to execute effectively on those strategic initiatives. It impacts top-line growth, ensuring that those new initiatives add value, that our enterprise performance supports them, and that investments are aligned with the corporate strategy and objectives.
GRC is below the line, driving productivity. IRM is above the line, meaning the more we invest in it and the more we make it work correctly, the more positive business value it will have.
How Does Risk Intelligence Add Value to an Organization?
Risk intelligence is the risk information that's supplied through IRM initiatives to those business activities that go beyond risk management, compliance, audit, and other more defensive programs. What risk intelligence do we need to make sure that our strategies stay on track?
- Third-party risk management
For digital business initiatives and global supply chains, third parties can pose risk to our strategic initiatives and organizational performance.
- Investment decision-making
The overall project portfolio management of the project risk is very important in many industries, such as oil, gas, and mining. Organizations are finding that they have a project portfolio of investments and strategic initiatives that has to be managed very carefully. Risk intelligence is necessary to ensure the best decisions.
- Day-to-day operational management
Risk intelligence must be available to process owners, so that the day-to-day operations that underly strategic initiatives don't suffer because of unknown risk.
- Information governance
Information underlies all the decisions we make. There are numerous threats to the security and access to information assets.
GRC is best approached as a program to bring together risk management, internal audit, compliance and other activities that protect the enterprise, ensure it operates within prescribed boundaries set by law and by policy. GRC adds value by minimizing or eliminating fines and penalties and by improving the productivity and the efficiency of those risk management, security, compliance and audit professionals, third-party risk managers and so on.
The IRM is best approached as initiatives across value-added business activities above the inflection point of business value. It ensures that risk intelligence is incorporated into executive decision-making.
This post is based on a session at NAVEX Next, our annual virtual conference for risk and compliance professionals, from a session titled What Compliance Needs to Know About IRM, featuringWha Dr. French Caldwell, Founder and Chief of Research for FCInsight.