Integrated Risk Management

… a core concept used in Implementation and Delivery and Atlas107

Concept description

Andrew Graham (reference below) defines integrated risk management (IRM) as “the systematic application of risk management.” (p. 17)

He writes:

“The systematic application of risk management has many names. One often hears the one adopted here, Integrated Risk Management. But there is also Enterprise Risk Management. Many names are on offer. Choose the one that works for you. But the choice of integrated is deliberate. Risk management cannot be seen as a new management system, existing independently and separated from the way in which your organization manages itself, makes decisions, allocates resources and holds people accountable.

“… risk management cannot exist alone and be effective for the organization. Further, risk management cannot take place in only some parts of the organization (what we would call vertical silos) and not others. However, it cannot also take place at some levels and not others (what we would call horizontal silos.) Many of the earlier risk frameworks stood by themselves, and thus tended to be implemented within functions. Therefore, you will see risk management applied to finance exclusively or to project management, just to name a few. Further, risk management tools and measures apply in a wide range of technical and scientific fields. As a result, many risk management practices have been implemented in silos, i.e., in one part or one function, of the organization. Consequently, risk management may be done very well in one section, but not consider how actions of other parts of the organization affect their risks, or it might not capture the overall significant risks that the organization faces. Integrated Risk Management requires an enterprise-wide perspective of risk and standardizes terms and concepts to promote effective implementation across the organization.

“Some of the important elements of IRM are:

  • It is a continuous and systematic process to understand, manage and communicate risk from an organization-wide perspective.
  • It is about making strategic decisions that contribute to the achievement of an organization’s overall corporate objectives.
  • It integrates the risk management process into the planning and decision-making of business processes and aggregates all types of risk across the organization, and monitors and manages risk on a comprehensive basis.
  • An inherent part of sound corporate management.
  • It is integrated into the organizational governance process.

“Managing risk in an integrated way can mean everything from using financial instruments to managing specific financial exposures, from effectively responding to rapid changes in the organizational environment to reacting to natural disasters and political instability or changes in direction. Within this wider understanding of integrated risk management, three competencies are especially important.

  • Financial risk management: Accurately evaluating market, liquidity and credit exposures and proposing courses of action to buffer the risks. In addition, it entails projecting spending patterns against budget to make course corrections that could threaten budgetary discipline.
  • Operational risk management: Continuously assessing the effectiveness of internal controls, measuring and identifying weak areas to mitigate the risk of failure of those controls. It also entails the observant use of operational data to identify risks and potential opportunities for system improvement.
  • Strategic and business risk management: Assessing risks related to planning and management processes that support an organization’s business plan and model; evaluating the impact of external and internal variables, such as market dynamics and major events.

“These competencies also form the basis for an overall framework for integrated risk management, enabling organizations to address the unique character of different types of risk while also ensuring that risks are mitigated in an integrated fashion and from a strategic perspective.

“Above all, IRM is a full deal. It does involve more than simply a risk identification process that is treated as input to an environmental scan. You can do that. If you do it well, you will put your organization at further risk since you have identified risks, made yourself and your organization aware of them and done nothing. Once you start with risk, you follow through.” (pp. 17-18)

Atlas topic, subject, and course

Managing Risk (core topic) in Implementation and Delivery and Atlas107.


Andrew Graham (2008), Integrated Risk Management Implementation Guide, free e-book at, accessed 21 September 2017.

Page created by: Ian Clark, last modified 21 September 2017.
