“Integrated Risk Management has to be a company-wide initiative”
We asked Josh Tessaro of Thirdera to provide his take on Integrated Risk Management, an important IT management issue. How do you define Integrated Risk Management (IRM), how are CIOs addressing it, and what are some best practices for solving IRM problems?
Gartner defines Integrated Risk Management as “a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.”
We asked Josh Tessaro of Thirdera to provide his take on this important IT management issue. Here’s what he said.
JAXenter: How do you define Integrated Risk Management?
Josh Tessaro: Integrated risk management (IRM) is an end-to-end approach to traditional Governance, Risk & Compliance (GRC) management that prioritizes risk identification and mitigation as the single most important goal. IRM leverages all GRC processes and practices to give business leaders the appropriate data to make informed business decisions based on their current risk landscape.
When executed correctly, an effective IRM program will improve the consistency, efficiency and profitability of any business.
JAXenter: How are CIOs addressing IRM today?
Josh Tessaro: Not many CIOs are considering the GRC functions under an integrated approach. Typically, CIOs are focused on compliance or risk as a general concept, and are looking to assign a limited amount of IT resources to tackle the problem.
JAXenter: What problems do they run into with this approach?
Josh Tessaro: This approach expects (naively) that a group of people, working in a corner of the office, can produce enterprise-wide data and outcomes.
This also leads to a lot of segmentation across the many GRC processes and limits the GRC practitioners to providing limited observational data, which rarely drives behavior changes or other continuous improvement.
You end up with an organization that understands the need for an integrated approach to GRC / IRM but lacks the organizational will and cohesion to reach a point where it is truly integrated and IRM is driving profitability.
JAXenter: What are some best practices for solving these problems?
Josh Tessaro: Every company has multiple incentives to implement an IRM program but many get distracted by the most immediate incentive and use that as a starting point. This ends up limiting the scope and effectiveness of the program. For example:
A privately owned supply chain company is preparing to go public. They would know that they are about to have external regulatory and reporting requirements for the first time due to Sarbanes-Oxley (SOX), which regulates all publicly traded companies.
This is the first time executives at the company have had to settle on a documented set of policies and practices that are adhered to across the business with this level of rigor and documentation. They are looking for the cheapest and easiest way to “check the box” and move on so they can focus on the IPO.
The company assigns “Jason” the responsibility of managing SOX compliance. Unfortunately, Jason does not have the visibility, organizational history and knowledge, or influence to enact any real change. His days will be dedicated to chasing down business leaders who do not want the interruption and asking for evidence that they are compliant. This interruption will be frustrating for everyone involved, and while the company may be able to show its SOX compliance, it is likely not even skin deep and there is significant risk to the business. Additionally, the company has missed a great opportunity to implement an IRM program that delivers a far-reaching set of organizational benefits.
Regardless of why an organization is considering a GRC / IRM program, the correct approach is always risk first and goes something like this:
- What are my risks?
  - What are my operational or industry-specific risks (regulatory sanctions/fees included here)?
  - What are my organizational risks (Information Security, personnel redundancy)?
  - What are my financial or investment risks?
  - What are my 3rd-party risks (vendors I rely on)?
  - What are my business continuity/resilience risks?
- For each risk, is the potential impact of the risk (loss exposure in $$) within my tolerance?
- For each risk not in my tolerance, what am I going to do to mitigate it?
  - For regulatory risks, the mitigations (controls) are standard mitigations.
  - For other risks, you can develop company-specific policies and controls to help define standards and processes that will make the risk less likely (such as mandating that your forklift drivers wear helmets).
- For each mitigation that has been created, is it in place? Is it being followed? (continuous monitoring)
- Periodic reviews of your mitigations to ensure they are effective and to find any room for improvement (audits)
The above steps are roughly how an IRM program is built. IRM has to be a company-wide initiative that becomes part of the organizational culture – everyone in the company is a risk officer. And by following through we can make the company safer, less prone to error, more efficient, more compliant and ultimately more profitable.
JAXenter: What advice do you have for CIOs who struggle with IRM?
Josh Tessaro: IRM is hard. Don’t make it harder by trying to do just a part of it; it works so much better when you commit fully as a company.
Additionally, the issues to consider are vast, and not every organization will commit to (or needs) the same level of IRM maturity. Starting with a roadmap that works towards company-wide risk transparency, allowing business leaders to determine where to invest in risk mitigations, is the first step. From there, you can make informed decisions on how much farther is right for your organization.