Comparing two schools of thought: Integrated Risk Management vs. GRC. Governance, Risk, and Compliance (GRC) is a well-established practice, so how is Integrated Risk Management (IRM) defined, and how do the two compare? The difference between the two is essentially a disagreement in interpretation. Similar to constitutional interpretation, there are two schools of thought, and each changes the meaning of the well-established discipline of GRC. The group that emphasizes the original intentions of GRC terminology and practice has shifted away from GRC and adopted the new term IRM. Alternatively, there is the school of thought that believes GRC practices can expand and evolve to meet current needs and drivers. These supporters see no need to introduce a new term to identify the expanded role GRC plays within organizations.
GRC was elevated to a standard business practice by Sarbanes-Oxley. Over the years, the discipline has grown to encompass many regulatory standards, establishing and maintaining corporate rules and policies, and measuring risk across business activities. When comparing Integrated Risk Management vs. GRC in this traditional scope, the two are one and the same.
Recently, organizations have re-titled GRC as Integrated Risk Management. These organizations recognize that compliance regulations spawned GRC and emphasize that programs following this practice are driven primarily by regulatory compliance initiatives. The way businesses operate today is much more complicated than it was a decade ago. Digital transformation and the intricate structure of today's enterprises involve a broader scope of operations and a variety of new technologies. Compliance regulations have not kept pace with the changing landscape. Meanwhile, the evolution of business operations has left several companies unprotected, leading to various incidents and security breaches. IRM proponents insist that the terminology – Governance, Risk, and Compliance – reflects a narrow risk management perspective. A broader initiative across business practices and systems, both inside and outside of an organization, needs to be adopted, hence Integrated Risk Management.
Risk management is broken into a few different maturity-level use cases, segmented into sub-divisions that build on one another.
At the base, with the narrowest purview, are compliance-centric initiatives, which reflect the original intentions of traditional GRC. Establishing governance in reaction to regulatory laws is the focus of this IRM tier.
The next level is operations-centric, with a focus on both IT and Operational Risk Management. Within IT Risk Management (ITRM), the focus is on the nature of risk in the digital age, including both the connectivity and the security of systems throughout your business infrastructure. In tandem, Operational Risk Management (ORM) focuses on task management and on balancing increased efficiency against the mitigation of risky activities.
Both disciplines transition from a reactive, compliance-centric approach to proactive risk management measures. ITRM and ORM are both built on top of compliance efforts. These practices shift from solely meeting regulatory requirements to initiating best practices across your business to reduce risk exposure. The focus on operational efficiency, as well as cybersecurity, adds a layer of sophistication to traditional compliance management.
The most advanced, or mature, use case is a true Integrated Risk Management program. IRM is the broadest scope of risk management, encompassing the two lower tiers of traditional compliance and operational risk, as well as the digital nature of business today. The full range of IRM expands on proactive risk management efforts to implement continuous improvement initiatives and to focus on business outcomes. Standard IRM practices include the management of business continuity and disaster recovery (DR) planning. Other IRM initiatives span reporting efforts to weigh the financial impact of risk, to measure risk by department or category, and more.
So, this new initiative holds that GRC is too narrow a perspective to apply to the complex nature of businesses and the emerging threats of today. The supporters who coined the term “IRM” align with an originalist interpretation of GRC: that it is a static concept exclusive to compliance-based risk management initiatives. The IRM school of thought has evolved to include a broader scope and has established levels of concentrated disciplines aligned to specific business practices. On the other side are the non-originalists, who interpret GRC in a way that allows the discipline to grow to incorporate the challenges modern-day businesses face.
IRM proponents do not reference GRC. Outside of explaining the dated terminology, there is little to no mention of GRC – in reading news and updates on the topic, the terminology is interchangeable. The debate is still ongoing, but replacing such an established and well-recognized term as GRC will take time and heavy market adoption.
To learn more about GRC and IRM, visit OCEG, a dedicated GRC industry organization.
How do you manage your enterprise’s digital ecosystem? Read about how OneTrust can deliver an integrated and up-to-date CMDB tool, a foundational element of any GRC initiative.