Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
We've put together a comprehensive list of frequently asked questions - along with our responses - to the most common GRC and SAP security issues.
24 October 2019

The operational approach to integrated risk management

How can information security professionals help their organisations move from traditional governance, risk and compliance to integrated risk management that integrates risk activities from across an organisation to enable better strategic decision-making?

Integrated Risk Management – the operational approach
Integrated Risk Management (IRM) is becoming an increasingly popular term to showcase the importance of risk at the forefront of corporate governance, as well as inferring that traditionally, these activities have been siloed within a corporate enterprise. However, even in an IRM world, a variety of activities and disciplines are required from many different teams, while there are alternative ways to achieve an integrated view.

Top-down versus bottom-up
A top-down approach to IRM requires the executives and management layer to source accurate information and view it in a consistent manner to make appropriate decisions.

In contrast, an operational, or bottom-up approach tends to value having each and every business unit taking responsibility for risk management. This assumes that if all the risks are captured and filtered at the lowest relevant level, those that are of greatest impact will naturally, or systematically, be visible further up the chain; it depends on risk management processes rather than a technology solution. To be effective, it requires risk managers at the operational layer to be aware of the business strategic objectives and understand how these are impacted by their identified risks. Similarly, risk managers need clarity on the way that risks should be identified and classified; without this the risks may still be inconsistent and the overall clarity reduced.

Rather than raising strategically important risks from the lowest level in the business, the key is to understand which risks are important to each particular function.

Generally speaking, those at the top of an organisation are interested in business strategic risks that will have a material impact on the ability of the enterprise to trade or grow according to its strategy. Many different aspects will impact these risks; some (process efficiency for example) are controllable from within the company, and some (such as government policies) are not.

Operational decisions require detailed information
However, these risks tend to be more generic in nature and informed by more detailed activities that may be taking place further down the line, where objectives and perspectives will be very different. Far more granular information is required to make a more operational decision based upon the risk at hand.

Here the risk of IT failure provides a great example. A strategic top down view may be as simple as reviewing whether IT assets are sufficiently controlled for the business to operate, or if they are at significant risk of compromise.

Whilst this is a noble question to ask, it is not sufficient to meet operational resource planning where much more detailed information may need to be factored in: which operating systems are running on which assets; the assets that are affected if a vulnerability is found; what data is stored on which server and the risk that poses if it is impacted; etc.

These detailed questions are highly relevant for an IT asset driven risk management approach as, from an industry perspective, they may contribute directly to the operational risk of not meeting compliance objectives. However, much of this information is not relevant for the executive table in anything other than a summary statement based upon the influencing factor that may occur on the top-level corporate risk.

Integrating top and bottom
Joining these two worlds is the crucial element of an integrated risk management approach. It’s not about everyone knowing everything about the whole of the enterprise; rather it is about each individual businesses understanding how it is part of a whole and where it has an influence.

Technically focused individuals may raise legitimate strategic business risks, but generate a false impression of their criticality because they are important to them, or define them in terms that are overly technical for the organisation overall. However, something being technical doesn’t mean it is not justified. It may also identify a business-killing event such as a cyber-attack or zero-day vulnerability. The key is to have the right filters in place to allow information to be centrally captured, without being mutated, while also ensuring there is a coherent understanding of the risk, wherever it is sourced.

Managing risk is not a competition. People should be able to raise risks where they’re identified, but avoid flagging them for the sake of it (in an organisation that is culturally risk averse for example, or to protect their reputation if there are related issues at a later date). In most cases, the optimal solution is a centrally-run risk management function that has inputs and representation in all business units to inform on the risks. They can then act as the filter, spot duplication and help to facilitate the integration into the wider strategic agenda.

Adopting an operational, or bottom-up approach to risk management requires the following to be in place:

  • Processes need to be consistent, as well as simple enough for everyone to understand what is expected of them and how to do it.
  • People can be empowered to do the right thing through an understanding of what is a great outcome for the organisation, reinforced with enabling materials that support the message. They can also be encouraged to perceive risks and controls as a part of their job, rather than an abstract extension of it.
  • Technology should also make it easy to act correctly when it comes to risk. This should allow processes and risk information to be standardised, but not be so prescriptive that reduces the ability to tap into the expertise available.

At its core, integrated risk management is focused on everyone having access to the right level of information, that is relevant to their job function, at the right point in time. Centralising and integrating this information allows it to be viewed from the top for the summary, but also drilled into so that the specific details of the problem can be found.


Learn more about more about 'How to minimise cyber attacks on SAP applications' in our on demand webinar by clicking the image below.

OD ETD Webinar SM image-1