Corporate Governance (Integrated Risk Management – IRM)
-
Integrated Risk Management (IRM) is a recent (introduced around 2016-2017) risk management framework that attempts to provide a useful methodology for developing an efficient enterprise risk profile, by dissolving the compartmentalized “silos” (departmental or divisional bastions of corporate proprietary risk-related data, guarded fanatically and jealously by the denizens of each such silo, so that no corporate risk data would ever leave such silo to be shared with the other silos across the enterprise, thus preventing those other silos in the enterprise from benefitting from any such key risk data, and ultimately preventing the enterprise from establishing a collaborative, comprehensive and coordinated shield to protect the enterprise from various risks) that had evolved intentionally over time as a result of data greed, as the managers of such silos purposely horded key risk information for themselves (and their silos), in futile attempts to increase power and prestige for themselves (and their silos) within the enterprise.
-
IRM was originally-envisioned as a way to promote transparency and open communications throughout the enterprise regarding risks to the enterprise, thus hopefully inculcating the necessity of creating a risk-aware culture into every enterprise employee, focusing upon the spin for the enterprise risk culture – for example, whether the enterprise emphasized pro-active and informed decision-making regarding risk (as would be the case if the enterprise was utilizing an IRM framework), or whether the enterprise simply viewed risk events as reporting events, with no further action necessary (as might be the case if the enterprise was utilizing only a governance, risk and compliance – GRC – framework).
-
IRM is designed as one, integrated platform, intended to manage all the functionalities of previous risk platforms, such as, for example:
-
insurance (basically, the original risk management framework) – such as, for example: claims administration; health-related insurance; risk management information system (RMIS); reputational risk management; safety-related insurance; and the like;
-
environmental social governance (ESG) – such as, for example: environmental – not only on physical environmental global issues, but also with any activities of the global population that might negatively affect the global environment; social – the most broad category, and focuses on both business issues and also on issues that may affect the quality of global human existence in general, whether within the physical workplace or in general society; governance – relates to how companies, entities of authority and governments may enforce compliance with ESG-related international directives, guidelines, laws, opinions, policies, regulations, rules, statutes and treaties in the environmental and social categories;
-
governance, risk and compliance (GRC) (an immediate predecessor to IRM) – such as, for example: internal audits; enterprise risk management (ERM); regulatory compliance; third-party risk management;
-
-
Regarding the comparison of IRM to GRC in particular, it may be useful to highlight some of the differences between those frameworks:
-
Integrated risk management (IRM) solutions are fundamentally different from GRC tools, because IRM is built as one fully-integrated solution, whereas GRS has a basic framework, to which various add-on GRC tools modules may be attached.
-
IRM strategy practitioners focus on enabling a risk-aware culture, embracing flexible and easy-to-use solutions within their teams, an integrate view of business, and building on outcomes-based frameworks that put risk in a business context, rather than just checking boxes in the GRC framework that may be less-specific to the particular risk profile of the enterprise;
-
IRM is the successor to GRC framework, and it is the three (3) elements of GRC (governance, risk and compliance) that form the foundation for IRM;
-
IRM is intended to promote risk-strategy-based decision-making and planning, whereas GRC is basically just compliance-based;
-
IRM widens the risk focus to include a more-holistic picture of both risk tactics and risk strategy, including positive options and strategic risks, whereas GRC presents a more-narrow focus, on only the general risk landscape;
-
the architecture of IRM is open, and integrates with other risk management applications, whereas the architecture of GRC is closed, does not integrate with other risk management applications, and is proprietary to the GRC application;
-
content in IRM is focused on eliminating risk, whereas content in GRC focuses on compliance;
-
the design of IRM is business-oriented and process-based, whereas GRC design is more technical and based on the controls:
-
IRM has an easily-recognized purpose, due to its name recognition (branding), whereas the GRC moniker never really defined the purpose of the framework with clarity;
-
IRM framework was designed to be agile and flexible, whereas GRC framework allows very little functionality;
-
IRM has greater appeal for practical, business-oriented individuals, whereas GRC is appreciated by those more technically-oriented;
-
IRM allows for seamless integration across many diverse business units throughout the entire enterprise, whereas GRC is more of a siloed, single-department or single-division solution (which is ironic, since GRC was originally supposed to assist in dissolving compartmentalized, data-specific, intra-departmental silos within an enterprise;
-
-
The IRM framework both helps the enterprise remain compliant with risk-related regulations (and due to regulatory change management functionality in IRM, in the event a monitored regulation changes suddenly, the IRM framework automatically sends out a notification alert, so the appropriate risk personnel may either consult any potential risk solutions stored within the IRM framework taxonomy, or the appropriate risk personnel may research any other risk solutions online, allowing the enterprise to instantly adapt and remain compliant) and also provides ways to automatically catalog risk information into repositories for future use), whereas GRC helps the enterprise remain compliant with risk-related regulations.
-
Pundits have opined that at a minimum, an enterprise-wide IRM framework should include: artificial intelligence (AI) and machine learning (ML) capabilities to enhance strategic risk planning active and aggressive external and internal risk monitoring; clear lines of communication throughout the enterprise(as established through corporate policies and organizational charts); clear lines of reporting throughout the enterprise (as established through corporate policies and organizational charts); detailed risk assessment; detailed risk response plan; implementation of a comprehensive enterprise-wide IRM software platform, simultaneous with the enterprise-wide IRM framework.
-
Some of the functionalities inherent in IRM software platforms are: access control; audit management; auditing tools; board reporting; complete IRM process management; compliance change management; compliance database; converged risk analysis; compliance management integration across platforms; corrective and preventive actions (CAPA); data mapping; data protection impact assessment (DPIA); enhanced data access; event notifications; exceptions management; Health Insurance Portability and Accountability Act (HIPAA) compliance change management; financial risk quantification; heat maps; incident management; incident response management; industry-specific risk scenarios; integration of risk indicators into the assessment process to reduce subjectivity; internal controls management; key performance indicator (KPI) monitoring; key risk indicator (KRI) monitoring; legal risk management; operational risk management; operational safety guidelines; presentation a holistic, objective, un-siloed and unified risk map; privacy impact assessment (PIA); reputational risk management; risk analysis; risk analytics; risk appetite frameworks; risk assessment; risk bow-tie analysis; risk communications; risk control assessment; risk control documentation; risk mitigation action strategies; risk monitoring; risk quantification; risk reporting; risk scenario; repository root-cause diagnosis; safety management; safety training plans; Sarbanes-Oxley (SOx) Act compliance change management; sensitive data detection; strategy-centric risk; triggered alerts; vendor qualification tracking; version control; and the like.
-
The general components of an IRM framework may be: internal risk culture; risk analysis; risk assessment; risk communication; risk control; risk identification; risk information; risk monitoring; risk treatment.
-
IRM strategy favors a low risk tolerance (meaning the amount of acceptable risk an enterprise is willing to endure), because a prime assumption of IRM is that the people in an enterprise are most-familiar with the risks inherent in the enterprise operations, product and services, since those are the same people who are intimately-involved with producing such operations, product and services, and so those same people should also be able to identify in advance all the inherent risks to the enterprise from such operations, product and services, and then be able to formulate whatever risk acceptance, avoidance, elimination, mitigation, remediation or transfer strategies may be required to protect the enterprise as best as possible, under the circumstances, in keeping with the spirit of the International Standards Organization (ISO) 31000 – Risk Management Standard.
-
An enterprise-oriented risk management framework (such as IRM should be, if practiced properly by all enterprise personnel simultaneously), should embrace many of the tested-and-true principles from ISO 31000, such as, for example:
-
risk management should always be conducted in a manner that is as collaborative, inclusive, integrated and transparent as possible;
-
continuous improvement in the risk approach through frequent reviews of existing risk policies and making revisions thereto, as may be required due to changed circumstances, either externally or internally;
-
supporting enterprise-wide consensus decision-making and prioritization of responses to various risks (after the identification of such risks either through enterprise-wide consensus, or, more-commonly in large enterprises, through the consensus of a risk identification committee established either by the Board of Directors, or, more-commonly in large enterprises, by either a group of C-suite executives designated by the Board, or by a committee designated by such group of C-suite executives);
-
treating risks as threats to the entire enterprise, even though such risks may either emanate from or threaten one particular enterprise department or division, and the recommended solution to such risks should be structured in a manner protect the entire enterprise, rather than just such a particular department or division;
-
accommodating quick-response micro-decision-making in the enterprise risk approach (as opposed to only the macro-decision-making of the risk committee), so as to allow personnel confronted by one particular type of emergency risk to a department or division to formulate a solution as quickly as possible, thus avoiding further harm to the enterprise, rather than having to first submit a report to the risk committee, and then waiting for a response while the enterprise sustains continuing harm;
-
any risk approach adopted by the enterprise should always take into account both the external and internal ramifications of both the risk identified and the proposed solution thereto.
-
-
A key requirement for the proper functioning of any risk management framework within an enterprise is to have only one point source of responsibility – such as a Chief Compliance Officer (CCO), Chief Risk Officer (CRO) or Vice President of Risk Management – to avoid any possible confusion over the direction and application of all risk-related endeavors.
-
In terms of implementing an IRM from scratch, perhaps the first step may be to do a complete analysis of the entire enterprise (much like performing a Sarbanes-Oxley – SOx – analysis), in which enterprise personnel would inventory, for example:
-
all the departments and divisions of the enterprise, as well as all the operations, products and services of the enterprise, and then each such particular operation, product or service would be mapped to a particular department or division, in order to determine the exposure that such department or division might have as a result of the particular operation, product or service to such particular department or division;
-
all risk-planning-related documents (such as, for example: audits; corporate strategic risk plans; evaluations; key performance indicator (KPI) reports; key risk indicator (KRI) reports; performance reviews; and, any other relevant risk-related documentation that may provide any information regarding the accountability, ethics, leadership, performance reports, risk management practices, strategic planning documents, values, performance history and stewardship, within the enterprise;
-
-
The level of risk tolerance within an enterprise may be determined through data derived from personal interviews with the Board of Directors, C-suite executives, senior management, managers and employees.
-
Once all the above data has been compiled, the Board, the C-suite executives, the individual (COO, CRO or the like) and the risk committee (if it has been established), must reach consensus about the direction they will take in order to implement the IRM; for the sake of transparency, once they have reached consensus, they should publish their decision on both the corporate intranet and corporate website, so everyone externally and internally can understand the decision-making process;
-
Such decision-making process may include detailed information regarding all the data they reviewed and the various rationales they used to reach their decision, such as, for example: accountabilities and responsibilities for managing risks; all the risk factors and methodologies they considered; constant ability to update the IRM framework; defining the risk review chain of command and point person; establishment of long-term goals and objectives; integration of new concepts and ideas as circumstances evolve; management of conflicting interests; methodology to measure efficacy and progress; reporting mechanisms; planning for adequate funding and resources; revising any existing enterprise corporate policies, as may be required; seeking alignment between the enterprise objectives and the capabilities of the IRM framework.
-
In terms of allocated resources, of course ensuring that the required funding is available throughout the anticipated lifecycle of the IRM framework, but no IRM framework can succeed without qualified personnel; thus, it is important to ensure that the enterprise allocates a sufficient number of enthusiastic and intelligent individuals to staff the IRM effort, at all phases, including: startup – the IRM design, implementation, evangelization (spreading the risk culture to the entire enterprise), training; and, operations – auditing, maintenance, training and updating.
-
One of the most-critical competencies required for the personnel staffing the IRM effort is risk identification; although there may be industry manuals explaining the nuances of many different types of risks (such as risk taxonomies), it is probable that many of the types of risks encountered by the IRM staff may be completely unique to the business model of the enterprise; thus, the IRM staff must have critical-analysis skills sufficient enough to be able to identify previously unidentified risks, categorize the type of risk, determine the information that may need to be collected and what level of detail is required to document such risk at a level that can be easily understood by the future IRM staffers, and then to formulate robust risk response plans for addressing such risk.
-
Such risk response plans may generally be categorized as either: acceptance (ignoring the risk without any action, perhaps if the risk is trivial to the enterprise); avoidance (changing something within the enterprise that does nothing to eliminate the risk in general, but which eliminates the possibility that the enterprise will be affected in any way by the particular risk); elimination (taking whatever action may be necessary to completely negate the risk itself, completely and permanently); or, transfer (foisting the risk onto a third-party, such as an insurance company, perhaps through the payment of money to the third-party).
-
Risk communications protocols must be established so that in the event of a risk event, the IRM staffers have clear guidelines regarding: whom to notify about the risk event; the type of information they must provide to those them must notify; and, the means and methods that they must use to disseminate such notifications.
-
Some of the potential benefits to the enterprise from implementing an IRM framework may be: automated alerts, notifications and responses to risk events; compliance change management for risk-related guidelines, regulations, rules, statutes, treaties and the like; coordinated and rapid response to risk events, allowing the application of the appropriate disseminating accurate, consistent and current risk information throughout the enterprise as rapidly as possible; efficient external and internal monitoring of potential risk events, allowing more lead time to formulate appropriate responses; faster recovery time for the enterprise after a risk event, due to pre-strategized recovery plans; greatly improved and swift decision-making by upper echelons of the enterprise regarding responses to risk events, due to the availability of risk strategy taxonomies templates; improved allocation of resources in response to a risk event; metrics to define the success of the IRM framework itself; improved operational efficiency; rapid response times, from the identification of a possible risk event to its solution as a result of predefined protocols.
-
Drafting and negotiating all IRM-related documents and legal support for all IRM-Related tasks.
Progress_Page_Last_Updated_221104_1935