
IRM+: a new approach toward technology-enabled risk management

High costs, a lack of relevant, timely info, and redundant processes drive highly regulated organizations to data-driven risk management.


In brief
  • Organizations’ disconnected intelligence and risk ecosystems, together with a lack of valuable data and automation, can lead to poor internal and external user experiences.
  • IRM+ enables risk management by capitalizing on mature risk management methodology across three lines of defense, using advanced enterprise technology.
  • Benefits include simplified risk management, insights-driven activities, holistic organizational transparency, and reduced enterprise risk management costs.

In today’s volatile regulatory and risk landscape, highly regulated organizations, such as those in financial services or pharmaceuticals, are challenged with the rising cost of regulatory compliance, along with ineffective processes that keep them from understanding their holistic risks. In addition, organizations are facing a changing operating environment where their ecosystems have evolved to become digital and more complex, with business processes that traverse not only vertically but also horizontally. This forces enterprise services, such as risk and compliance, to navigate these complex silos to effectively manage risk.

Given current market dynamics, organizations are also finding it critical to reduce costs. In theory, cutting costs is easy; in practice, doing so while maintaining strong risk management is hard. It is therefore imperative that organizations continue to strengthen their responses to regulations and risk vectors while becoming more flexible, efficient, resilient and purpose driven to maintain strong risk management practices in today’s climate.

Risk management is not new. Identifying, assessing, prioritizing and managing an organization’s risk is an essential part of corporate strategy. What started decades ago as a transaction-based analysis reliant on professional judgment and manual processes must evolve to leverage the significant automation and data analysis capabilities that are being driven throughout organizations today. Eighty percent of respondents polled for the EY/IIF global risk management survey said the priority of automation will increase as a risk management focus area going forward¹. While many organizations have taken advantage of these capabilities and moved toward a data-driven approach to risk management, not all have been able to make the transition.

Technology enablement of risk management programs is not easy. A range of problems can exacerbate the challenges faced by organizations: high costs, poor data management, inconsistent or redundant processes, and difficulty in discerning relevant and timely insights needed by the organization. These challenges can be traced to three key factors:

  1. First, issues may be caused by a disconnected ecosystem where multiple risk management systems are not unified by a cohesive underlying data model, or operational intelligence systems are not connected to risk management systems. This can make it difficult to ascertain information about the organization, whether that is determining new or changing risks, or where similar processes and activities are taking place across the organization to mitigate similar risks.
  2. Second, challenges can stem from a lack of valuable insights, which happens when organizations are not asking the right questions or where reporting is produced on a stale backward-looking cycle — so that by the time observations are reported, the operational impact has already occurred.
  3. Finally, difficulty can arise from a lack of automation, which is often used at a disproportionately lower rate within risk management functions compared with the other areas of an organization. This increased reliance on manual processing can cause inefficient and siloed processes, redundant and disconnected outputs, and a higher cost of operations from resource needs.

These factors can cause numerous issues that create a negative user experience for external customers and internal stakeholders alike. But how can organizations prevent these issues?

 

Integrated risk management: solving traditional challenges

 

Organizations have increasingly turned to integrated risk management (IRM) to solve these challenges. IRM treats risk and compliance activities as an enterprise-wide responsibility by managing risk across the enterprise, integrating activities and using an end-to-end process to promote transparency that provides business management with better information for decision-making. However, given the complexities of today’s operating environment and the proliferation of advanced technologies, IRM principles must be supplemented with a new approach to technology enablement of risk management. This approach, known as IRM+, is defined by enabling IRM through modern enterprise technology. With IRM+, organizations can more successfully drive real-time insights, provide enhanced user experiences and decrease the cost of risk management.


IRM+: blending IRM with modern enterprise technology

A high-level concept to enable risk management, IRM+ capitalizes on advanced technology capabilities and has three components:

  1. A methodology that augments traditional risk management solutions with modern technology capabilities
  2. An approach to implementing risk management technology platforms, often including governance, risk and compliance (GRC) platforms
  3. Use cases or solutions to deliver on a specific risk management component

IRM+ helps organizations drive real-time insights, improve stakeholder user experiences and reduce the enterprise cost of risk management.

A new way of thinking

IRM+ provides a new way of thinking about the value technology can deliver for risk management professionals and the organization. Instead of focusing on specific regulatory questions or risk-management-aligned processes, IRM+ looks to educate risk management professionals to ask better questions: What insights allow us to be an enabler to the business? How can we leverage automation and process efficiency to drive speed? What needs to be connected to bring about this change? 

Risk professionals must work with their counterparts in technology to connect their risk management and GRC systems with enterprise technology capabilities to deliver customer and shareholder value beyond what is typically seen from traditional risk management. This includes capabilities that can drive workflow automation; an integrated data model; application integration via application programming interfaces (APIs); and advanced capabilities for analytics, including machine learning (ML), artificial intelligence (AI) and natural language processing (NLP).


Traditional risk management vs. IRM+ implementations

Traditional risk management and GRC platform implementations typically follow certain patterns. These platforms are often customized to conform with legacy processes without consideration of the broader data and technology ecosystem used across the enterprise. In addition, these systems are often implemented and governed using decision by consensus, which can cause a fragmented environment and a poor user experience. Finally, organizational change management is rarely prioritized, leaving internal users without a sense of why change is occurring.

In contrast, the IRM+ implementation uses a simplified, streamlined approach to drive operational cost savings and a better user experience. Risk processes are rationalized based on proven industry methodologies and aligned to out-of-the-box (OOTB) principles to reduce technical debt and provide a more effective risk management experience. An integrated data model is designed to support connectivity to other systems within the organization to drive better insights and reporting. Governance is implemented with a single owner or decision-maker driving the product implementation roadmap to enforce organizational priorities over individual preferences. Finally, organizational change management is prioritized to enhance the user experience and adoption, helping users understand how their efforts support organizational goals. 

IRM+ implementation approach


Specific use cases drive activities through organizational insights and increase efficiency through automation.

IRM+ use cases and solutions

IRM+ transforms specific risk management use cases by reframing them with a specific set of questions and leverages advanced technology architecture that reacts to today’s risk management challenges. Organizations focused on insights, automation and a connected enterprise will use the approaches mentioned above to enhance their capabilities around specific use cases. Driving a more proactive and efficient controls environment through automated controls testing and monitoring is one example of this. Another is the addition of a risk management by design (RMBD) approach that utilizes information about the enterprise to build risk management capabilities into the product lifecycle during the design phase. A final example is enablement of a trigger-based risk assessment for which operational insights and external market factors drive processes and schedules. 

The goal of IRM+ is to drive activities through insights and increase efficiency through automation. Any risk management focus area, such as issues management or regulatory change management, can use the IRM+ approach. Taking this holistic approach to risk management will help organizations respond more quickly and easily to today’s dynamic risk environment while decreasing the overall cost of risk management operations.

The article was co-authored by Chris Lucado.

Summary 

Faced with process inefficiency and poor user experience, the high cost of risk management, and an inability to understand their holistic risks, organizations have been turning to IRM and GRC for their risk management needs. But the next level of risk management, IRM+, combines IRM with advanced technology architecture to deliver better experiences, insights-driven activities, and a view of an organization’s risk profile while decreasing the overall cost of risk management operations. IRM+: enabling integrated risk management through modern enterprise technology.
