We continue our “20 for 20” theme this year by highlighting the integrated risk management (IRM) critical capabilities and top 20 software functions / features. Several years ago when Gartner began evaluating IRM technology providers, we surveyed our end-user clients to determine the most critical capabilities for IRM software products. We landed on the following five critical capabilities to guide our reviews (see figure below). These five capabilities support both an integrated view of strategic, operational and technology risk as well as the related business outcomes, processes and assets.
1. Risk & Control Documentation /Assessment
Risk statements and the related controls required to mitigate them to an acceptable level must be documented sufficiently to satisfy key internal and external stakeholders — including regulators, external auditors, business partners/associates, suppliers, senior executives and board members.
2. Risk Mitigation Action Planning
When risks are assessed to be beyond defined risk tolerance levels, action plans must be developed to ensure that appropriate mitigation steps are taken to meet the risk appetite set by the board of directors or other governance body.
3. Risk Monitoring and Communication
To effectively monitor risks across the organization, companies can use IRM solutions to aggregate and report a wide array of risk levels using key risk indicators (KRIs).
4. Risk Quantification and Analytics
Beyond assessing risk from a qualitative perspective, companies in many industries (e.g., banking, insurance and securities) measure risk on a quantitative basis. Some quantitative analysis supports cyber/IT risk requirements driven by the use of cyberinsurance. Other quantitative analysis methods are used to develop more precise predictive models to determine the potential for digital risk events, such as product/service liability, fraud or theft.
5. Incident Management
Proactive management of risk incidents, ranging from physical events (e.g., slip and fall) to data loss events, can reduce business impacts and inform future risk mitigation efforts. A record of incidents can inform the risk assessment process and facilitate the identification of event causes.
Within each critical capability are key functions / features that best support the product capability at a given point in time. Here are the 20 functions / features receiving the most interest and demand (see figure below, in no particular rank order).
Learn more about IRM by reading our latest views on the technology in our research publication, Technology Outlook for Integrated Risk Management (Gartner subscription required). Also, for those attending Gartner’s first ever virtual ITXpo / Symposium this week, look for more info on our continuing coverage of IRM technology providers.