Most community banks and credit unions have traditionally managed operational risk, vendor risk, compliance, audit, and resilience as separate programs. Consolidating the register, controls, and reporting for each of those areas into something examiners can review is hard to do on legacy systems. Integrated risk management is the operating solution.

Read on to understand where the term came from, how it differs from enterprise risk management, the six risk domains it spans, the operating-model components, and the regulatory anchors.

Bankers are reaffirming what integrated risk management is.

Integrated Risk Management Defined

According to Gartner, which originated the term in 2017, integrated risk management is “a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision-making and performance through an integrated view of how well an organisation manages its unique set of risks.”

IRM is the discipline (the governance, taxonomy, controls, KRIs, and reporting) and an IRM platform is the technology that supports it. In a US banking context, IRM is the operating layer that sits underneath enterprise risk management and on top of the day-to-day risk processes in the business lines.

Integrated Risk Management vs Enterprise Risk Management

Enterprise risk management, as defined in COSO ERM 2017, is an enterprise-wide framework focused on aligning risk taking with strategy. ERM is the layer that sets appetite, identifies principal risks, and reports them to the board.

ERM tells you what your appetite is and which risks matter, while IRM is what lets you see, day to day, whether you are inside that appetite across all domains at once.

Dimension          | Enterprise Risk Management (ERM)                        | Integrated Risk Management (IRM)
Primary objective  | Align risk taking with strategy and performance         | Consolidate risk data and controls across all domains
Scope              | Enterprise-wide, principal risks                        | Operational, third-party, digital/cyber, compliance, resilience, audit
Framework anchor   | COSO ERM 2017                                           | COSO ERM 2017 plus domain frameworks (FFIEC, NIST, ISO 31000)
Examiner reference | Board reporting, risk appetite                          | Comprehensive risk management framework (OCC Heightened Standards)
Typical owner      | Chief Risk Officer, Board Risk Committee                | Chief Risk Officer with shared second-line ownership
Technology posture | Reporting and disclosure tooling                        | Unified data layer across domains

The lines blur in practice. Many institutions adopt COSO ERM 2017 as the strategic anchor and execute it operationally through an IRM model, keeping the term “GRC” for the compliance and audit tooling inside that picture.

The Six Risk Domains of Integrated Risk Management

Six risk domains typically sit inside an integrated risk management approach. The boundaries between them are not perfectly clean, but the six-domain breakdown is the most common organising structure used by US financial institutions.

Operational risk

This is defined in the Basel II framework as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” Operational loss events fall into seven categories:

  • Internal fraud
  • External fraud
  • Employment practices and workplace safety
  • Clients, products, and business practices
  • Damage to physical assets
  • Business disruption and system failures
  • Execution, delivery, and process management

Third-party risk

This category covers:

  • Vendor inventory
  • Criticality tiering
  • Contract risk
  • Performance monitoring
  • Concentration analysis

The June 2023 interagency third-party risk management guidance expanded examiner expectations to fourth-party risk and lifecycle governance.

Digital and cyber risk

This type of risk consolidates:

  • Controls
  • Vulnerability data
  • Incident history
  • Identity management posture

AI model risk has become a meaningful sub-component following the April 17, 2026 reissue of SR 11-7 as updated SR 26-02 and OCC Bulletin 2026-13, plus the Treasury Financial Services AI Risk Management Framework published in early 2026.

Compliance risk

This covers BSA/AML, fair lending, UDAAP, consumer protection regulations, and the institution’s broader regulatory obligation inventory. A core IRM premise is that compliance obligations and controls share a control library with operational risk.

Operational resilience

This aspect covers:

  • Critical operations
  • Impact tolerances
  • The institution’s ability to recover from disruption

Large banks operate under the interagency operational resilience guidance issued by the FRB, FDIC, and OCC, while smaller institutions reference the FFIEC Business Continuity Management booklet.

Internal audit

This is the third line under the Institute of Internal Auditors’ Three Lines Model. It is included because audit needs a consolidated view of risk and controls to provide independent assurance.

The Integrated Risk Management Operating Model

Six domains by themselves do not constitute a program. The operating model is what turns them into one. These five components are common to most IRM operating models within financial organizations in 2026:

Governance

An IRM operating model consolidates the standalone risk committees that grew up domain by domain into a single executive risk committee with clear escalation to the board. Domain-level working groups still exist, but they feed one integrated committee.

Risk taxonomy

The institution adopts a single shared taxonomy that maps risk events, controls, KRIs, and obligations across all six domains.

Controls and KRIs

A unified control library lets one control satisfy multiple regulatory obligations across domains. KRIs roll up into an enterprise dashboard tied to the appetite statement.

Technology

The integrated risk management software layer absorbs RCSAs, vendor assessments, control tests, regulatory change feeds, and resilience exercises into a single data layer.

Reporting

The institution produces one set of board and executive dashboards drawn from the same data.

Regulatory Anchors and Examiner Expectations for IRM

The FFIEC IT Examination Handbook, particularly the Management and Operations booklets, sets the expectation for an integrated approach to risk and control assessment across IT-dependent processes.

The OCC Heightened Standards (12 CFR 30 Appendix D) apply to insured national banks, federal savings associations, and federal branches of foreign banks with $50 billion or more in average total consolidated assets per the OCC. The standards reference a comprehensive risk management framework, the three-lines structure, and a clearly articulated risk appetite.

NCUA Supervisory Letter 13-12 sets enterprise-wide risk management expectations for credit unions and explicitly references the integration of compliance, operational, and credit risk views.

COSO ERM 2017 is the framework most US banks reference for the strategy and appetite layer that an IRM operating model executes against.

The June 2023 interagency third-party risk management guidance, issued jointly by the Federal Reserve, FDIC, and OCC, pushed vendor and fintech risk into the integrated risk picture. The April 17, 2026 reissue of SR 11-7 as updated SR 26-02, paired with OCC Bulletin 2026-13, brings model risk management under the IRM umbrella.

Integrated Risk Management Software and Platform Capabilities

A US bank or credit union evaluating an IRM platform typically looks for a unified risk register across all six domains (detailed above), plus:

  • Configurable RCSA and third-party assessment workflows
  • A shared control library with mappings to regulatory obligations
  • KRI dashboards with appetite-threshold visualisation
  • A regulatory-change feed that classifies obligations to the institution
  • Audit-issue tracking
  • Resilience-test scheduling
  • Board-ready reporting drawn from the integrated data layer

Predict360 implements the IRM capability set as a single data layer that consolidates these aspects into shared registers and dashboards. This kind of platform layer is structurally necessary for the operating model to scale in any organization.

Frequently Asked Questions

What is integrated risk management vs enterprise risk management?

Enterprise risk management, as defined in COSO ERM 2017, is the framework layer that sets risk appetite, identifies principal risks, and aligns risk taking with strategy. Integrated risk management is the operating layer that executes against that appetite day to day across all risk domains.

What is integrated risk management in banking?

In a US banking context, integrated risk management is the operating model that consolidates a financial institution’s risk programs into one register, one control library, and one set of reporting. Examiners reference its substance under FFIEC examination procedures, OCC Heightened Standards (12 CFR 30 Appendix D), and NCUA Supervisory Letter 13-12, though they do not use the term itself.

How does integrated risk management relate to GRC?

GRC (governance, risk, and compliance) is the legacy framing focused on policy management, compliance obligations, and internal audit workflow. Integrated risk management extends that scope to all six risk domains and treats technology as a first-class component of the operating model.

What is an integrated risk management framework?

An integrated risk management framework is the documented governance, taxonomy, control, and reporting scaffolding that executes the IRM operating model. It defines the risk taxonomy, the appetite statement, the RCSA and vendor-assessment methodology, the control library, the KRI methodology, and the reporting and escalation structure. The framework is what an examiner reviews when assessing the institution’s integrated risk approach.

For readers who want to go deeper, the risk management system overview describes the institution-level artifact that documents the program.
