Integrated Risk Management and the role of IRM software

Digital transformation and digitalization offer enormous opportunities. But they also bring many risks. The same applies to new technologies and the assets of the digital economy, with data at the center.

Ongoing digitalization is one of many reasons why companies are rethinking their risk management approach, while the market for integrated risk management (IRM) software is rapidly evolving and growing.

Integrated risk management (IRM) is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks (Gartner)

Other factors contributing to the growth of the IRM (and GRC) market include increasing regulatory compliance challenges and the stronger focus on risk management overall since the COVID-19 pandemic started. Last but not least, there are still many silos in risk and compliance, the importance of sustainability and ESG has a tremendous impact on the market, and new technologies bring new cyber risks in an increasingly complex cybersecurity and cyber crime landscape.

Let’s look at integrated risk management and the importance of IRM software in the context of these evolutions and the changing views on GRC.

Integrated risk management vs. Governance, Risk, and Compliance

The term ‘Integrated Risk Management’ (and the acronym IRM that goes with it) was coined by IT research and consulting firm Gartner.

In 2016, the company published a report titled “Transform Governance, Risk and Compliance to Integrated Risk Management.” In the years before that, Gartner covered the market for technology solutions for Governance, Risk, and Compliance (GRC), like most analysts.

As a reminder: GRC is a long-standing umbrella term for a broad domain of activities, frameworks, tools, and functions, encompassing the three overarching components in the acronym.

Governance, risk management, and compliance are closely intertwined. In practice, however, they were not always treated that way, and many silos existed. Each of the three domains also encompasses many aspects. For example, those who want to work in a risk-based way need to manage many risks. And compliance requires a structured approach and embraces many new elements directly or indirectly related to digitization in this era. Just think of personal data protection and privacy, to name an obvious one. So it all has partly to do with accountability, but equally with managing everything needed to meet specific standards and rules while ensuring that the company's objective is achieved, which essentially means governance.

The demand for the ability to track and monitor risk is at an all-time high (Alla Valente, Senior Analyst, Forrester, 2021)

Why move from GRC to integrated risk management software and approaches?

But why did Gartner think it was important to move from GRC (tools) to IRM (software) in the aforementioned report?

In 2018, John A. Wheeler, responsible for the Integrated Risk Management category at Gartner, explained the rationale in a blog post. Wheeler, who in early 2022 announced his move to AuditBoard, a provider of Audit, Compliance, & Risk Management software, was the driving force behind the movement from GRC to IRM.

In explaining why Gartner shifted its focus from GRC to risk technology with its Magic Quadrant for Integrated Risk Management, Wheeler referred to the increasingly complex security and risk management needs in times of digital business and – obviously – data.

Per Wheeler, Integrated Risk Management needed to go beyond traditional, compliance-driven GRC technology solutions and provide actionable insights aligned with business strategies, rather than just look at regulatory mandates.

In particular, a more holistic approach was and is essential. Gartner today defines Integrated Risk Management as a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision-making and performance through an integrated view of how well an organization manages its unique set of risks.

In another blog, Wheeler explained the difference between GRC and IRM from a software solution perspective, introducing the table below.

The difference between GRC and IRM from a software solution perspective per Gartner

GRC platforms and IRM software categories

Others continue to use the term GRC in the context of applications. For example, Michael Rasmussen, a global authority on GRC, had quite a bit of criticism for what he thought was a useless term back in 2018.

Among other things, the founder of GRC 20/20 pointed out that what Gartner was saying about integrated risk management corresponded to what he had been saying for some time with his concepts of GRC 3.0 and 4.0.

And that other well-known research and consulting firm, Forrester, still talks about GRC software in its Forrester Wave and overview of Governance, Risk, And Compliance Platform Providers.

By the way, the players, no matter what you call them, overlap, and the dynamics and changes in the market are pretty much the same. And that, of course, is at least as important as the tools.

In practice, many point solutions are also being used to manage the various aspects of GRC and IRM. Think, for example, of tools for third-party risk management (TPRM), vendor risk management (VRM), software supply chain security, compliance management, ESG (environmental, social, and governance) management, etc.

Integrated Risk Management software is typically…integrated in terms of the features and solutions for various GRC domains covered by it. The same goes for many GRC software segments. Many vendors also offer platforms that can be easily integrated but only cover specific domains, as you’ll read below. However, integration and avoiding – or reducing – silos between various risk areas is an important IRM objective.

The people at Reciprocity, behind the ZenGRC platform, have a good overview of the place and role of ERM (Enterprise Risk Management, now seen as part of IRM), GRC, and IRM.

In a blog post about selecting GRC platforms, Forrester analyst Alla Valente divides that market into three fairly obvious segments:

  1. Full-service platforms. Here, integration with a broad range of solutions for governance, risk, and compliance domains is essential. These platforms typically target larger enterprises and make pretty extensive use of artificial intelligence.
  2. Purpose-built technologies, on the other hand, go as deep as most leading full-service tools but don’t have the same breadth. In short, they are particularly suited for specific use cases or domains, from third-party risk to IT risk or audit.
  3. Emerging solutions often focus on the ability to quickly and easily cover various domains with out-of-the-box features. The breadth and depth of the covered areas vary per player.

Silos and other challenges in risk and compliance: the need for IRM ahead

As previously mentioned, one of the challenges that remain concerns silos. A survey by integrated risk management solution provider Riskonnect, announced at the end of 2021, found, among other things, that 66 percent of organizations say poor collaboration between risk and compliance functions slowed their risk response.

IRM topped the list of most popular emerging technology inquiry topics for technology and service providers in H1 2021 per Gartner

Per the Risk and Compliance Integration Benchmark Survey, conducted by Compliance Week, there is a lack of integrated data: about a quarter of respondents (24 percent to be precise) indicated that critical risk and compliance information is siloed and extremely difficult to pull together. Another 56 percent of respondents state that the data lives in multiple sources.  

The benchmark report states that cybersecurity threats (25 percent), Enterprise Risk Management (ERM, 12 percent), and ESG (10 percent) will be the most pressing issues for risk and compliance departments over the next six to twelve months.

According to the survey, the pandemic will continue to increase data privacy, cybersecurity, and employee health and safety risks. Speaking about the pandemic: in 2020, with the COVID-19 crisis and its risks in mind, John A. Wheeler wrote a blog on IRM market trends that would accelerate demand in COVID-19 recovery and provided expanded coverage of IRM use cases. It was another argument for the need for an integrated risk management approach.

With risk becoming increasingly complex, diverse, dynamic, and interconnected, the demand for integrated risk management software and services increased in 2021. According to Gartner, IRM even continued to top the list of most popular emerging technology inquiry topics for technology and service providers. Here as well, the challenges and risks with regard to COVID-19, privacy, ethics and compliance, ESG, cybersecurity, and digital business were mentioned as contributing factors.

It’s clear that all the mentioned evolutions will remain highly relevant for years to come and will drive the market in 2022 and beyond.

More findings from the Riskonnect Risk and Compliance Integration Benchmark Survey in the announcement of the survey results, and the report itself. You can also check out the larger version of the infographic below in this blog.

Riskonnect and Compliance Week Risk and Compliance integration benchmark infographic