What’s so bad about organizational silos? According to strategic advisors Herman Vantrappen and Frederic Wirtz, authors of the Harvard Business Review article Making Silos Work for Your Organization, perhaps not as much as we’ve been led to believe. Common to almost all organizations, silos — or verticals — exist to leverage the benefits of specialization. Separation of various functions within an organization, they explain, helps to “aggregate expertise, assign accountability, and provide a sense of identity.” Even so, Vantrappen and Wirtz acknowledge that there can also be detrimental by-products associated with organizational silos. These include “insular mindsets that inhibit sharing or collaboration between verticals, or worse…finger-pointing and turf wars.”
Risk management, safety, and compliance professionals — despite sharing a common, overarching goal of identifying, understanding, and mitigating potential risks to their organizations’ employees, reputation, strategic objectives, and bottom line — are often all too familiar with these negative side effects of organizational silos.
In an increasingly complex and interconnected risk environment, the unwelcome offshoots of silos — including the technological and data silos that are yet another unintended consequence of entrenched functional divides — become even more of a threat. In addition to manifesting the problems cited by Vantrappen and Wirtz, they undermine attempts at coordinating risk management efforts and, more importantly, restrict an organization’s ability to operate from a single source of truth that provides the context and data insights necessary for fully informed decision-making.
To maintain the expertise, accountability, and other benefits associated with separate business functions while also minimizing undesirable side effects such as a lack of efficient cross-enterprise processes, poor collaboration and communication, and insufficient insight into critical risk, safety, and compliance data, organizations are increasingly turning to Integrated Risk Management (IRM) as the solution.
What is Integrated Risk Management (IRM)?
Originally defined by the tech research and consulting firm Gartner, Integrated Risk Management (IRM) is a business strategy that seeks to identify, assess, and manage all of an organization’s potential risks. It involves integrating risk management practices across various departments and business functions to create a comprehensive, enterprise-wide risk management framework.
IRM vs. GRC vs. ERM: WHAT’S THE DIFFERENCE?
Integrated Risk Management (IRM); Governance, Risk, and Compliance (GRC); and Enterprise Risk Management (ERM) are all approaches to managing risk, but each differs in scope and focus. Where and how they diverge is an ongoing debate and, for many, a cause of confusion, with risk professionals, consultants, risk technology providers, and others using the terms interchangeably.
Where an IRM framework is intended to consider all types of risks, including financial, operational, strategic, and reputational, and seeks to integrate risk management practices across an organization, a GRC framework is typically focused on regulatory compliance.
Like IRM, ERM takes an expansive — enterprise-wide — view of risk. In practice, ERM programs are typically based, at least in part, on frameworks put forth by the Committee of Sponsoring Organizations (COSO) or the International Organization for Standardization’s ISO 31000 Risk Management – Guidelines. The most common definitions of ERM tend to focus on the impacts of risks to an organization’s high-level, strategic objectives, as overseen by the organization’s executives and board.
Ideally, an IRM approach will draw on an organization’s GRC and ERM data (if programs exist), along with data from other areas of the organization, to generate insights that inform the ongoing refinement of GRC and ERM efforts.
An IRM approach recognizes that the risks an organization faces are inherently interconnected: One risk can trigger others that roll through and impact the entire organization. IRM helps businesses to proactively identify and manage those risks, rather than reacting to them after they occur.
Using an IRM strategy enables business leaders to make informed decisions with greater context and a deeper understanding of risks and their potential impact on operations and financial performance. It can also help businesses more effectively allocate resources and prioritize risk management efforts. All of this can, in turn, help businesses stay ahead of emerging risks, ensure regulatory compliance, safeguard health and safety, protect reputation, and reduce total cost of risk.
The Role of Technology in Integrated Risk Management (IRM)
It’s not news that technology can play a major role in supporting the identification, assessment, and management of the various risks an organization faces. But with the increasing complexity and interconnectedness of risk, technology has become essential to mitigating risks effectively. So much so that technology is — along with strategy, assessment, response, communication and reporting, and monitoring — one of the six attributes of IRM as defined by Gartner.
IRM technology solutions serve a number of purposes in support of an IRM strategy:
- IRM solutions automate risk assessment, data collection, analysis, and reporting. Data analysis tools (and, increasingly, machine learning algorithms and artificial intelligence applications) can be used to detect patterns, forecast risks, and quantify losses.
- IRM solutions are also essential for effective communication and collaboration among different stakeholders involved in risk management. Collaborative tools such as online portals, messaging platforms, and document-sharing software are used to enable timely communication and sharing of information on potential risks.
- Another vital role of IRM solutions is the provision of real-time data monitoring and risk management analysis. The ability to monitor risks in real time and respond to adverse changes enables organizations to limit (or negate) their impact — or use them for competitive advantage.
PRODUCTIVITY AND IRM TECHNOLOGY SOLUTIONS
Increasingly, risk, safety, and compliance programs must find ways to boost efficiency as they seek to produce more actionable insights. Unfortunately, not all IRM solutions are created equal. To learn more about how the right IRM solution can help accomplish this, download our latest ebook, Boosting Productivity with Integrated Risk Management.
Technology — and solutions designed to support IRM, specifically — has become an integral part of the risk management process by enabling more comprehensive, efficient, and effective identification and mitigation of risk. As technology continues to advance, the role of technology-based solutions in IRM will continue to broaden and become even more indispensable.
IRM: Beyond Concept to Application
A general understanding of what IRM is and the role that technology plays in supporting an IRM framework is all well and good, but what does IRM really look like in practice?
There is, unfortunately, no “one-size-fits-all” answer to that question. The reality is that it will vary from organization to organization based on several factors including how risk management, safety, and compliance functions and processes are aligned organizationally. Also important is the overall health of an organization’s risk culture. In other words, is risk management seen as the job of one team, a designated group, or as the role of all in the organization?
REAL-WORLD EXAMPLES OF IRM
To learn more about what IRM can look like in practice, visit our IRM resource center to download and read case studies featuring McCarthy Building Companies, Inc. and THE CHEESECAKE FACTORY®.
As Vantrappen and Wirtz remind us, the “boundaryless organization is a chimera.” Bringing disparate departments and functions together to agree on strategy will likely require the commitment and input of executive “champions” committed to communicating the value of IRM.
Data Silos: Breaking Down A Major Barrier To IRM Success
While organizational silos have their benefits, technology and data silos only serve to hamper collaboration, foster inefficiencies, add layers of territorialism, and most damaging of all, place insurmountable barriers to accessing comprehensive, accurate information necessary for making data-driven decisions and informing actions that might otherwise not be taken.
As those weighing an integrated approach to risk management plan their first steps, it will be important to keep in mind all of the positive aspects of silos, or verticals, mentioned in Making Silos Work for Your Organization — expertise, accountability, and identity — while eliminating those that stand in the way of success.
“Yes, verticals have undesirable side effects, but the solution is not to dismantle them. To preserve the strengths of verticals while minimizing potential side effects, organizations should do two things,” write Vantrappen and Wirtz. Although they are not writing about IRM specifically, the two suggestions they detail in the article — building bridges between verticals and instituting a system of checks and balances — are part and parcel of a healthy, fully functioning IRM framework. When it comes to building bridges, technology — “an enabling infrastructure (for example, a common IT platform)” — is one of the elements that, along with clear procedures and responsibility models, can help break down barriers and cut through the noise.
As outlined above, a common IRM technology solution is, in essence, the engine that facilitates IRM by providing the tools for sharing critical data, improving communication, automating processes, and enabling real-time monitoring. Yet while all of those can contribute to successful outcomes, the "must have" of any IRM solution is a platform that serves as a centralized, single source of truth — one place that provides stakeholders the context they need to inform decision-making and for measuring the success of an organization’s unified risk, safety, and compliance efforts.
With the right IRM framework in place — one supported by the right IRM technology solutions — organizations can bridge the gaps that exist between risk, safety, and compliance functions and the organization as a whole.