What Does IRM Mean?

IRM stands for Information Risk Management. The term is often abbreviated to IRM.

Risk Management defined in ISO 31000 as “the effect of uncertainty on objectives”. Not a terribly helpful description.

Information Risk Management can better be summarized as the identification, assessment, and prioritization of risks to sensitive information.  Elements of this investigative phase can include a risk analysis, a security risk assessment, and an asset inventory.

These steps should be followed by risk response efforts to minimize, monitor, and control the probability and/or severity of negative impacts on business operations.

Information Risk Management is often viewed as dealing exclusively with IT risks, cybersecurity or compliance with regulations such as HIPAA, PCI, DSS etc. However, a robust IRM program should deal with all forms of sensitive information, both physical and virtual, wherever it “lives” and however it can be accessed.

Want to Know More?

We offer weekly webinars, monthly newsletters and training courses packed with information tailored to multiple levels of experience.

Visit our Knowledge Center to view all of our resources.


Clearwater helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI).

We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.