PwC’s Integrated Risk Technology (IRT) Framework

Seth Rosensweig Partner, Cyber, Risk and Regulatory, PwC US June 04, 2021

PwC’s Integrated Risk Technology (IRT) Framework outlines the key components for tech-enabling modernized risk management programs - including, and beyond, enterprise Governance Risk & Compliance (eGRC) technology. From risk vision and strategy through to the people and change management required to drive change and deliver value to the organization. Follow this series to learn more about PwC's perspective on IRT and what we’re seeing in the marketplace; and to take a deep dive into the different areas of the framework.


Modernizing risk management with Integrated Risk Technology and enterprise GRC

An abundance of data, emerging technologies and ever growing complexity in the business landscape are forcing organizations to rethink how to modernize their risk management to keep pace. And while it’s not the only component of modernization, a large part involves designing and implementing Integrated Risk Technology which includes eGRC that enables risk and compliance functions to work in concert to proactively manage risk and achieve strategic business objectives.

Let’s face it — organizations no longer rely on one technology to enable all of their risk programs and processes. Most companies have moved from a single system of record to an IRT ecosystem, which includes and goes beyond enterprise GRC technology. While the goal is the same — a complete and relevant view of governance, risk and compliance across the organization that provides insights to inform business decision making — the journey to accomplish this looks different.

  • Architect for the future: Implementing IRT requires strategic forward thinking about not only what’s important today, but what will be important for leaders to know and make better risk-informed decisions tomorrow — creating an IRT strategy in support of your business and risk objectives. Then it’s just like building a house. Get yourself a “solution architect” who will design an IRT blueprint that includes the various tools, technologies, data and processes that need to be part of the solution. To be clear, this is not an exercise to replace your current technology, but rather a strategic initiative that is going to change the way you manage risk and compliance.
  • Govern with a fresh lens: One of the most critical things in an IRT implementation is strong governance. From setting the vision and blueprint, to overseeing the execution of the IRT strategy, it requires significant investment from a cross-functional decision-making body like a steering committee. Though the concept of a steering committee is not new, in an IRT ecosystem, this governing body now has purview over multiple technologies and data sets, including automation and potentially bespoke complementary tools. Governing how the people, processes, data and technologies interact to modernize risk management is complex; as is overseeing the total cost of ownership and ROI, which make it imperative to select the right leaders to govern IRT.
  • Deliver valuable insights: An IRT ecosystem necessitates the creation of a robust abstraction and analytics layer with a well thought out strategy for the various types and levels of reporting because data lives in multiple places now. More importantly, integrated data-driven risk reporting is truly the value of IRT. In the journey to modernization, organizations are training their practitioners to have a data-driven mindset; and many are even hiring specifically for skillsets in data analytics and visualization that were not traditionally core to risk and compliance programs. Pro tip — build great reports as fast as humanly possible, and use them to show stakeholders the power of IRT, demonstrate value and drive adoption. Seeing is believing!

Managing an IRT ecosystem is a whole new challenge — as if managing one tool was not hard enough. So think about your risk programs and the multiple interconnected technologies that make up your ecosystem. Do you have your blueprint?  What needs to change to more effectively govern the ecosystem? And what resources do you need in order to capitalize on the power of the data within the ecosystem and deliver valuable risk insights to your organization?

Additional insights