Enterprise Risk Management versus Integrated Risk Management

Frameworks like Enterprise Risk Management help guide process. The technology recommended to enforce Integrated Risk Management is a natural and important follow-up. You need to understand both to make sure you mitigate and manage your exposure.

“The secret to winning is constant, consistent management.” Tom Landry, Dallas Cowboys

In cybersecurity, constant, consistent risk management is the secret to beating hackers at their own game. In sports, coaches make sure to have a variety of defensive moves in their playbooks to stop the opposing team. As your company’s cybersecurity coach, you need to do the same. Understanding the differences and overlaps between enterprise risk management and integrated risk management, therefore, allows you to align your risk strategies effectively and purposefully.

What is enterprise risk management?

Enterprise risk management (ERM) focuses on the process of planning, organizing, leading, and controlling the activities within your organization. ERM works as an organizational review. You look at your strategic business goals and then review the information technology (IT) risks associated with them.

For example, if you’re a database company that currently sells a product tuned to the needs of retail marketers, you might realize that your data management system is also relevant to financial institutions and want to enter that market. However, the retail and financial industries have different cybersecurity requirements with which you need to comply. Therefore, part of ERM is determining how to align your controls to scale your business.

What is integrated risk management?

Gartner defines integrated risk management (IRM) as “a set of practices and processes supported by a risk-aware culture and enabling technologies that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.” In less technical terms, IRM focuses on how you make risk-based decisions about adding technology to streamline your critical business processes.

For example, in restaurants, you may have noticed that servers use tablets or smartphones for taking customer orders rather than pens and paper. This shift to digital information collection, storage, and transmission makes front-of-house and back-of-house communications more efficient. But there are implications to having digital devices, possibly connected to other systems, in the hands of wait staff as they interact with customers.

How is enterprise risk management different from integrated risk management?

ERM focuses on reviewing strategic business decisions and the risks your technology poses to them. For example, a retail business may have a website that provides information about its products but focus sales in its brick-and-mortar store. However, if the business is looking to expand its reach and scale, it will want to begin selling products online as well. ERM means looking at the new risks to the business that arise out of the change, including choosing a vendor, managing the vendor, and meeting new information technology compliance requirements.

IRM focuses specifically on analyzing the risks inherent in your business technologies. In the above example, IRM means reviewing the specific technologies, like ecommerce systems or tag management systems, that the retailer connects to its website for customer tracking and payment purposes, and the ways that this new technology impacts other technologies it already uses. In this scenario, the website payment application might connect to an inventory application on a smartphone in a warehouse, bringing in Internet of Things (IoT) security issues. This integration between the technologies is part of IRM.

Aren’t integrated risk management and enterprise risk management the same?

Although the two started out differently, they’re rapidly moving closer together. The use of Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) means that the choices you make for your business ultimately require new technologies.

Returning to the small retailer example: if the company chooses to use an Amazon Web Services integration for its online store, it is using an IaaS platform to support its business strategies. Thus, while the two are distinct, they’re also inherently intertwined.

What is an integrated risk management framework?

An integrated risk management framework is the formal policy that creates a systematic approach to governing risk. Although it incorporates many elements of ERM, it also tends to be more holistic.

The industry standards that help establish cybersecurity control best practices often discuss IRM frameworks. For example, one of the most popular cybersecurity frameworks, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity was updated in April 2018.

The NIST framework sets out five Core Functions that guide companies through the process of integrating technology risk throughout their organization.

What are the elements of the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (NIST CSF) focuses on five primary elements for governing IT and cybersecurity risk. Each of the primary elements is then broken down into subcategories, which are further broken down into sub-subcategories that define your evaluation activities.

Identify

The subcategories are: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management.

Protect

The subcategories are: Identity Management, Authentication and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

Detect

The subcategories are: Anomalies and Events, Security Continuous Monitoring, and Detection Processes.

Respond

The subcategories are: Response Planning, Communications, Analysis, Mitigation, and Improvements.

Recover

The subcategories are: Recovery Planning and Improvements.

How to compare NIST and traditional ERM

While ERM is a set of vague steps, the NIST CSF requirements specify activities and controls necessary for IRM across your business technologies. Additionally, the NIST CSF incorporates response and recovery requirements.

[Figure: NIST Requirements versus Traditional ERM Steps. Source: Zeguro, NIST]

Zeguro’s Transparency Eases IRM

At Zeguro, we recognize that the IRM incorporates technical language that feels overwhelming. We also know that you want to secure your information so you can protect yourself and your customers. To us, transparency in the IRM process means:

  • Honesty: We review your data security risks to help you understand, even when it’s difficult, where you need to add more controls.
  • Clarity: We take the technical language out of the IRM process and help you understand what you really need to do to secure your information and monitor your security.
  • Simplicity: With our user-friendly interface, you can see control effectiveness to analyze, mitigate, and monitor risks without having to get into the technicalities.

For more information about how we can help you, check out our risk management platform or contact us at Zeguro to learn more.


Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.

Written by Karen Walsh, Contributing Editor

14 years of internal audit experience; award-winning writing professor. Cybersecurity writer focused on compliance and end-user awareness.