Gartner Blog Network

Seven Ways to Engage the Board on IRM

by John A. Wheeler  |  November 6, 2017

Based on public disclosures of risk oversight practices, such as those mandated by the U.S. Securities and Exchange Commission (SEC), public companies are focusing more effort and attention on improving their risk management programs, especially those related to cybersecurity and technology risk. In fact, in a recent survey of more than 600 board members by New York Stock Exchange (NYSE) Governance Services, 39% of directors said they discussed cybersecurity at every meeting. Cybersecurity and technology risk ranked fourth as a topic discussed at all meetings — behind strategy, regulatory compliance and capital allocation. In addition, four out of 10 respondents reported their board has at least one director with cyber expertise, with an additional 7% in the process of recruiting one.

Gartner recommends an integrated risk management (IRM) approach that focuses on, and builds an understanding of, the interrelationships between cybersecurity, technology risk, digital risk and operational risk. Through IRM, security and risk management leaders can develop a comprehensive risk strategy that balances business performance against regulatory compliance requirements (see figure below).


Security and risk management leaders must quickly develop their risk management programs and their methods for engaging board members, so that they keep pace with the board's evolving risk management maturity and focus. The following seven activities will help maximize the level of engagement with the board.

  1. Deliver IRM Reports at Every Board Meeting
  2. Define and Deploy Leading Risk Indicators
  3. Integrate Cybersecurity and Technology Risk With Broader Operational Risk
  4. Align Risk Management With Performance Management
  5. Articulate Risks Encountered Versus Authorized Risk Appetite
  6. Organize for Enterprise-wide Risk Identification and Accountability
  7. Use IRM Solutions to Inform Better Decision Making

Maintaining an effective dialogue with the board of directors is a must, especially as more companies experience greater losses from cyber attacks and digital risks. You can learn more through the Gartner resources listed below.

Digital Risk Management Hub
Visit the Gartner Digital Risk Management Hub for complimentary research and webinars.

Client Research
Gartner clients can read the full report titled How to Engage Your Board of Directors on IRM.



John A. Wheeler
Global Research Leader - Risk Management Technology
9 years at Gartner
30 years IT Industry

John A. Wheeler is global research leader for risk management technology solutions and professional services. His areas of specialty include integrated risk management, executive leadership and corporate governance. Follow him on Twitter @JohnAWheeler.
