For today’s security professionals, managing risk is arguably the most critical and challenging part of their job–and quite often, what keeps them up at night. Yes, managing IT risk across the enterprise today is essential, yet, incredibly, 65% of tech companies still use an ad-hoc approach. Many still cling to a traditional siloed strategy, using disparate processes and disconnected tools to identify and mitigate risk.
And guess what? It’s not working. 61% of respondents in the 2022 IT Compliance Benchmark report have experienced at least one security incident or compliance lapse in the last three years. However, in a world of vastly expanded attack surfaces, continually evolving risk, and ongoing regulatory volatility, should we really be surprised?
Now, for some good news–the future of risk management is here, and it’s integrated. Successful organizations realize better risk management results from an integration of risk governance, cybersecurity, and compliance efforts, with teams working in unison around a “risk first” mindset.
It’s time for your organization to get familiar with integrated risk management. This article will introduce you to this effective, team-oriented approach to managing IT risk across the enterprise in today’s volatile threat landscape.
What is Integrated Risk Management (IRM)?
Integrated risk management (IRM) is a holistic, organization-wide approach to addressing risk which welcomes input from various functions, including risk management, cybersecurity, compliance, and various business units. It’s designed to provide a holistic view of risk across the enterprise and streamline the risk assessment and remediation process. This model leverages agile principles, automation, a security-aware culture, and cross-departmental collaboration to outpace the more traditional, compliance-driven model.
Why is integrated risk management important?
Integrated risk management is really about incorporating compliance activities with security risk objectives and key-to-day operations. Chances are, there are already synergies and overlap among all the work happening within your risk management, security, and compliance teams. Many organizations may have multiple operational procedures and technology standards that align closely with various compliance program requirements. In turn, meeting those requirements often aligns with customers’ expectations of their vendors and service providers. Here are a few examples of alignment:
- Protecting the privacy of customer data
- Ensuring that your products and services are highly available and resilient to unavailability due to technological or operational issues
- Reducing risk vectors through implementing technology safeguards or through administrative procedures maintained within corporate functions such as HR, Legal, Vendor Management, etc.
Taking an integrated approach to risk management allows your organization to scale activities and resources to meet the demands of an increasing compliance scope; by making compliance an output of existing business and security objectives.
What are the types of risk management?
Types of risks modern organizations need to manage to include:
- Cyber risk
- Privacy risk
- Legal/regulatory/compliance risk
- Supply chain risk
- Financial risk
- Market risk
- Environmental risk
- Social/reputational risk (related to how an organization treats its employees and customers and how it’s promoting diversity and inclusion)
How does IRM differ from a traditional approach to compliance?
Traditionally, organizations attempt to manage risk in siloed departments and teams, each with its own set of tools. Information and insights become siloed in individual departments while disparate processes and disconnected tools work independently, often costing more time and money.
In a traditional model, an organization’s compliance team is primarily concerned with ensuring that rules and regulations are followed. This model defines security policy and internal controls based on cybersecurity regulations and standards. If we satisfy all the requirements of a cybersecurity framework, we must naturally be managing risk, right? Unfortunately, that’s not the case.
After all, regulations and standards are inherently backward-looking–established after a critical mass of people or organizations has already experienced some unfortunate event. Meanwhile, risks are unique to each organization, and they can change quickly and suddenly. In other words, many risks are not yet captured by existing laws and standards.
IRM breaks down departmental silos and fosters a unified, security-aware culture from the top-down, always viewing risk management in the context of business goals. IRM stresses a risk-first approach beginning with a thorough understanding of your organization’s unique risk profile. Risk management policy and security controls are based on risk assessments with robust testing to ensure proper control function. The goal is to engage all departments to create a holistic yet consolidated view of risk across the enterprise and then design policies and controls to address these risks.
Organizations that take an integrated approach to risk management are more effective at avoiding security lapses and meeting compliance obligations–and recent numbers from the 2022 IT Compliance Benchmark survey back it up. According to this survey, while 61% of survey respondents reported their organization had experienced a compliance violation in the last three years, only 40% of those who take an integrated view of risk management and compliance activities experienced a compliance violation.
On the other hand, 71% of respondents who view compliance as a rule enforcer have experienced a compliance violation in the past three years. These statistics verify the effectiveness of integrated risk management, but for James Gomez, CISO and Managing Partner at Cybersec Consulting, the value goes beyond the numbers. “Integrated risk management tools allow us to look at enterprise risk in real-time, through a single-pane-of-glass for situational awareness. This real-time data allows you to quickly minimize enterprise risk, positively affecting business outcomes.”
Develop an Integrated Risk Management Plan
Managing risk is indeed strategic, and successful teams go through various stages in the management process. There are generally five recognized stages in the life cycle of strategic risk management:
- Identify all the risks present in the environment
- Analyze all risks in terms of consequences, scope, and the likelihood of occurrence
- Rank and prioritize all risks based on the severity
- Treat high-level risks with mitigation or remediation measures
- Monitor low-level risks and consider transferring higher-level risks with cyber insurance if direct mitigation measures aren’t feasible
IT risk management follows these basic life cycle steps starting with internal assessments for risk identification. This ensures that discovered risks are analyzed and prioritized with appropriate controls selected, and the chosen controls are continually monitored with rigorous testing to ensure proper function.
Integrated Risk Management Solutions
Are you ready to switch to an integrated risk management model? Here are the steps we recommend:
Align cyber strategy with business goals
How do you get business executives and security team leaders pulling in the same direction with an eye on creating a security-aware culture? Start by establishing a clear link between improved security and business outcomes. Cultivate a business-centric view of risk, showing its potentially negative impact on business goals and corporate value. Ensure your risk management and cyber strategy align with business outcomes to keep both camps equally invested in an enterprise-wide effort to boost security awareness and mitigate risk.
Make risk management a shared responsibility
A risk-aware culture starts with buy-in from leadership. CISOs need management endorsement, beginning with the CEO, CIO, and CFO. A cultural shift toward security awareness and enterprise-wide accountability will require the continual promotion of a shared responsibility mindset among business stakeholders.
Risk assessments shouldn’t be done in silos. They require the involvement of business stakeholders from all departments. After all, business stakeholders from Product Development, Engineering, Sales, HR, and Finance are on the frontlines of operating IT systems and software that affect data security, integrity, and privacy.
IT compliance teams and business stakeholders (and engineers) should work together to understand what the business is trying to accomplish and how existing software/IT systems support those business goals. The teams ought to come together to identify risks that may occur from using these systems.
From there, they can find the best ways to ensure that these systems are configured and operating in a way that advances the business objective, minimizes the risks, and adheres to internal and regulatory standards. The compliance team should know and be alerted when business stakeholders decide to change how they use these systems or purchase new software that affects the processing of sensitive information.
The compliance team should document the proper, compliant operating procedures for business stakeholders so business operators can ensure these procedures are followed during the course of doing business.
Make the work involved in managing risks visible to all relevant stakeholders
This shared responsibility model will only work if everyone knows their responsibilities. It’s important to use a tool that makes all risk management work visible to everyone who has skin in the game. For instance, it will be important to document all of your internal controls (i.e., activities designed to mitigate risk and ensure compliance with a regulatory requirement) and store all evidence of activities around those controls in a single repository.
Ownership of controls and the responsibilities to implement, test, and review controls should be assigned and tracked. Compliance teams should see when a control process deviates from what’s deemed acceptable and connect with relevant business stakeholders to address the issue.
Automate routine and repetitive work
If your risk and compliance teams cannot efficiently get through the tactical work involved in risk management (e.g., track which controls need to be tested, collect proof that a particular software system is configured with proper roles/permissions settings), they won’t have enough time to work on strategic tasks. To better manage risk, your organization must find ways to reduce or automate the routine, repetitive workflows that can unnecessarily drain resources.
There’s a better way to handle risk and compliance.
Work iteratively and make improvements continuously
To ensure that risks are mitigated day in and day out, it’s imperative to set up a rigorous reporting and analysis regimen. Remember, controls shouldn’t be designed to satisfy an external auditor’s checklist. Controls are meant to address your risks and need to keep up with your current business processes.
Don’t wait to review dozens of controls until right before an audit, which, unfortunately, many compliance teams do today. Instead, use automated reporting to monitor and gauge the effectiveness of your internal controls in real-time and strive to improve your controls iteratively.
Think about how often your company launches a new product, buys new software, brings on new partners, and tries to enter new markets. To effectively manage risks, you must recognize that as the business processes and tools used by organizational stakeholders change, unknown risks may be introduced. Whenever a change happens, it’s important to evaluate whether the controls currently in place are still effective.
Deploy IRM tools and IRM software
Risk management is a dynamic process that never stops. To manage risks in an integrated approach, you need a system that allows you to quickly understand how your organization is currently doing. How the organization is managing your risks, identifying what work needs to be done, assigning the work to people across your organization, and helping stakeholders complete their work in a low-friction way.
To support a risk-aware culture, your integrated risk management approach should use IRM tools (also referred to as IRM software). IRM tools should make it easy for business unit stakeholders to participate in risk management and compliance activities, such as submitting evidence of controls’ operating effectiveness, without learning to use a brand new tool. Further, your IRM solution should keep organized records of all of your risk management and compliance activities, so it’s easy for you to produce proof of your risk mitigation and compliance activities to auditors, customers, and regulators when asked.
While many GRC software platforms claim to support integrated risk management, organizations often get mixed results because GRC software can be clunky and difficult to use. For instance, collecting evidence of compliance activities and reviewing evidence in a GRC platform may be challenging. The software UI may be complex — making it intimidating for business stakeholders to use. As such, many organizations that have GRC tools continue to use spreadsheets and other tools to manage portions of their risk management activities. And the root causes of many compliance failures — managing risks in an ad-hoc manner — remain unaddressed.
The term “GRC tool” is a misnomer, according to James Gomez. “You’re really just checking a box after asking if it operated effectively, yes or no.” Hardly an effective tool to provide a worthwhile glimpse of your risk landscape.
Use an Integrated Risk Management System to Achieve Success
Managing risk today is a team sport, requiring a holistic, unified, enterprise-wide effort. Unfortunately, too many organizations attempt to manage risk by relying on a siloed, compliance-first model–hiding behind a false sense of security until the harsh reality of a costly breach hits home.
Risk management, cybersecurity, compliance, and business teams must work in unison to manage risk successfully today. A risk-first approach should guide your team’s risk management roadmap and selection of security controls based on individual risk assessments. Risk management strategy must align with business outcomes within a security-aware culture where the responsibility of managing risk is shared between business stakeholders and security/compliance professionals.
So, how does integrated risk management success actually look? James Gomez offers his thoughts: “The next level up is where cybersecurity begins to talk to risk management, and risk management people begin to connect with people in other departments, sit in a room, and ask what is being done to minimize risk. Then they say, ‘Let’s use risk management to drive our cybersecurity roadmap, and then let’s use this roadmap toolkit to create the proper compliance program.'”