
Integrated risk management (IRM) is a business discipline that combines technology, process and data to simplify, automate and integrate the management of strategic, operational and cybersecurity / information technology (IT) risks. In many organizations, risk management is highly fragmented and generally organized into programs at three levels - enterprise risk management, operational risk management and IT risk management. IRM seeks to integrate these programs vertically by linking strategic and tactical methods for managing risk.

Standards / Frameworks
The demand for IRM is increasing due to the new and greater amount of risk associated with digital business transformation and cybersecurity. The US National Institute of Standards and Technology (NIST) promotes the development of IRM programs in its Framework for Improving Critical Infrastructure Cybersecurity, version 1.1. Similarly, the International Organization for Standardization supports the integration of risk management in its ISO 31000:2018 standard. According to ISO, this new standard "provides more strategic guidance than ISO 31000:2009 and places more emphasis on both the involvement of senior management and the integration of risk management into the organization."

Regulations
The US Securities and Exchange Commission (SEC) highlights the need for IRM in its latest cybersecurity disclosure guidance for US publicly traded companies. The guidance specifically advises companies to disclose the following:
 * the occurrence of prior cybersecurity incidents, including their severity and frequency;
 * the probability of the occurrence and potential magnitude of cybersecurity incidents;
 * the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
 * the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third party supplier and service provider risks;
 * the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
 * the potential for reputational harm;
 * existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
 * litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

The European Union General Data Protection Regulation (GDPR) also addresses the need for IRM in collecting and maintaining personal data across an enterprise. While GDPR provides specific data requirements for breach notification, right of access, right to be forgotten, data portability and privacy by design, it also, more importantly, mandates the role of a data protection officer (DPO). To accomplish the requisite duties, a DPO must have a full understanding of data flows across the enterprise and the related risks - strategic, operational and IT-related. Thus, organizations with an IRM focus will have an advantage in supporting the DPO and the associated compliance requirements.

Technology
Gartner, a global technology research and advisory firm, defines IRM as a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision-making and performance through an integrated view of how well an organization manages its unique set of risks. Under the Gartner definition, IRM has certain attributes:

 * Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership
 * Assessment: Identification, evaluation and prioritization of risks
 * Response: Identification and implementation of mechanisms to mitigate risk
 * Communication and reporting: Provision of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response
 * Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives and the effectiveness of risk mitigation and controls
 * Technology: Design and implementation of an IRM solution architecture

Gartner defines IRM solutions as technology deployed to provide a vertically integrated view of risk, starting with an organization's strategy, through to its business operations and, ultimately, into the enabling technology assets. This is done through a range of solutions from purpose-built applications to single-vendor, integrated solution sets across six primary use cases - digital risk management (DRM), vendor risk management (VRM), audit management (AM), corporate compliance and oversight (CCO), enterprise legal management (ELM) and business continuity management (BCM).