Integrated risk management (IRM) technology is uniquely suited to address the myriad of risks arising from the current crisis and future COVID-19 recovery. IRM technology product leaders will need to develop IRM capabilities that are capable of addressing the IRM market insights outlined in this blog post.
- The shift in the IRM buyers from IT leaders to business leaders is being driven by an increasing need to better understand the tactical view of technology risks in a strategic business context.
- The economic impact of the current pandemic is being driven by disruptions in business operations due to health and safety related closures, which means the resolution of this crisis will be operationally-centered.
- Re-starting business operations will require risk visibility not only across the organization but vertically down through the organization as well.
- The pandemic has intensified the need for organizations to rely on digital operations in order to not only remain competitive and grow but also to survive.
IRM technology product leaders evaluating the impact emerging technologies and trends on products and services should:
- Shift focus from the technical buyer to the business buyer by creating new persona profiles and messaging.
- Provide a full view of business operations by delivering forward-looking measures of related risk to help customers successfully navigate the COVID-19 recovery.
- Offer capabilities to analyze business impacts at all levels of the organization by linking both strategic and tactical risk metrics.
- Develop digital risk management solutions rapidly by partnering with solution providers who can provide a quantitative and qualitative view of digital product and service risks
Gartner’s 2020 expanded coverage of IRM use cases (see figure below) coincides with rapidly evolving customer demands linked to crisis response and recovery efforts. There are a growing number of IRM vendors (see Gartner Peer Insights for Integrated Risk Management) that automate various workflows in support of cross-organization collaboration for risk management.
Through evaluative capabilities including risk and control documentation/assessment, incident management, risk mitigation, key risk indicator reporting/monitoring, and risk quantification and analytics, IRM vendors address multiple market use-case domains defined by Gartner. The eight defined Gartner IRM (formerly known as GRC) use-case domains are as follows:
- Digital Risk — Digital risk management technology integrates the management of risks of digital business components associated with digital products and services — such as cloud, mobile, social and big data — and third-party technologies.
- Vendor/Third-Party Risk — Vendor/third-party risk management technology enables adequate controls for business continuity management, performance, viability, security and data protection.
- Quality Risk — Quality risk management technology (also known as quality management systems) provides the business information management system that houses quality policies and standard operating procedures (SOPs).
- Business Continuity — Business continuity is the practice of coordinating, facilitating and executing activities to identify risks of business disruptions, implement disaster recovery solutions and recovery plans, respond to disruptive events, and recover mission-critical business operations.
- Internal Audit — Auditors independently and objectively evaluate, analyze and assess the effectiveness of an organization’s system of internal control, governance processes and risk management capability.
- Environment, Health and Safety (EH&S) — EH&S regulatory compliance requires providing a foundation for ensuring a safe and healthy workforce as well as promoting sustainability and protection of the general environment.
- Ethics and Compliance — Ethics and compliance technology includes policy management, ethics and compliance training, hotline and investigative case management, conflicts of interest, gifts and hospitality management, compliance risk assessment, and third-party risk management.
- Legal Risk — Legal risk management technology is focused on supporting legal and compliance departments, corporate secretaries, boards of directors, and senior management.
Product leaders should consider the following four market trends that will fuel demand for IRM solutions to aid in the COVID-19 business recovery. Each market insight is critical to consider for future product development in addition to market positioning and messaging activities.
1. IRM buying center continues shift from IT leaders to business leaders
As more businesses are maturing their risk management practices, the buying center for IRM is shifting. This is primarily driven by an increasing need to better understand the tactical view of technology risks in a strategic business context. In 2019, Gartner saw a 36% increase in IRM client inquiry by business leaders. In addition, 73% of the 760 IRM client interactions in 2019 were business leader focused1.
In particular, as our end-user clients look to digital transformation and innovation to emerge from the pandemic, business leaders such as the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer and Chief Risk Officer will need insight into IRM technology providers. This need for IRM is reflected in our most recent Gartner CEO Survey where CEOs identified risk management as one of their top priorities in 2020 & 2021 (see figure below). In fact, risk management received the highest increase in response (39% more than 2019) from CEOs and senior business leaders.
2. The current crisis is operationally-centered
Unlike the 2008-2009 Great Recession that was financially-centered in its origin and resolution, the COVID-19 crisis is operationally-centered. This means that the economic impacts from this crisis are driven by a disruption of business operations due to health and safety-related closures. The financial stimulus provided by governments around the globe is merely a bridge to the other side of the crisis – business operations recovery. Once recovery begins, IRM will provide visibility of interconnected risks (i.e. third-party, digital, business continuity, health & safety, legal and ethics & compliance risks) businesses must navigate to succeed.
To effectively manage these risks, business leaders must have an understanding of the linkages between strategic business outcomes, operational processes and technology assets (see figure below). In addition, a growing need for visibility into the risks associated with products and services balanced by the necessary policies and procedures will lead business leaders away from legacy GRC technology. Legacy GRC technology focuses exclusively on policies and procedures in a siloed, departmental view. In the new digital business environment, the more balanced, integrated view of risk will be required for success.
3. Risk visibility is needed vertically through the enterprise, not just horizontally
This risk visibility is needed both horizontally across the organization (as seen in most enterprise risk management – ERM programs) and vertically down through the organization (see figure below). A single view of risks at strategic and tactical levels will be needed to re-start business operations as the workforce slowly transitions back to full speed. Too often, boards of directors and senior business leaders will only consider an ERM view of risk without understanding how business operations factor into risk mitigation at the tactical execution layers. A greater understanding of how risk mitigation must be integrated throughout the business is essential for successful recovery efforts.
4. Digital transformation is rapidly becoming a “must have” for businesses
Certain digital transformation is now a “must have” not only for future competitiveness and growth, but also for survival. The business world is now relying on digital operations to maintain business continuity in this crisis. This shift will not fade as we recover. It will remain as a new way of conducting business in a cost-optimized, more efficient environment. As such, management of digital risks in an integrated way will become a top priority for businesses.
To this end, business leaders need more risk quantification and analytics to support their digital business decision making. No longer can they rely exclusively on qualitative measures of risk. A balanced view of both quantitative and qualitative risk measures is needed at both the tactical and strategic levels (see figure below). Targeted risk mitigation as part of digital optimization efforts requires a cost/benefit analysis to determine how much risk the organization is willing to tolerate. Strategic risk mitigation as part of a digital transformation initiative requires an ROI/IRR analysis to determine how risks will factor into the profitability of a product or service.
These are trying times for business leaders and their organizations. The only way through this crisis into recovery is to increase our degree of certainty in a highly uncertain world. That is what IRM is designed to help organizations do.
Recommended Reading (Gartner subscription required)