The best risk management strategy is the one that works, and for risk management
to work perfectly, a range of activities must be undertaken very well.
Whilst achieving the right culture, developing the right framework and
recruiting the right people are just a few of these important activities,
increasingly, organisations are looking to technology to help them better
plan, execute and monitor their risk management processes.
Where does technology fit in?
ERM technology generally comes into play after an organisation has developed its
ERM framework, defined its processes, responsibilities and strategy.
For larger organisations, this makes sense because ERM technology would then
support a more complex risk management strategy and detailed processes.
Small to medium organisations may decide on technology earlier on, as their risk
management frameworks tend to be simpler, involve fewer people and are typically
more straightforward.
What are the benefits of ERM technology?
A common language:
ERM technology will enable everyone across the organisation to ‘speak the
same language’ when it comes to risk management. A common platform for
measuring risk and monitoring will enhance comparative data analysis,
benchmarking and exception monitoring.
Centralise data into one point:
ERM technology will centralize all risk data into one central point. The
consolidation of ERM data allows organisations to share risks, controls and
audit processes which minimizes data entry and administration time for end
users.
Powerful management information:
ERM technology will also improve the quality of management information in terms
of both integrity and speed of information. Good ERM systems have edit checks
and standard data fields which will enhance the integrity of data and minimize
‘garbage’ data. Integrated database technology means that reports can be
standardized and available anytime to users.
Minimize silos:
Integrating ERM information will reduce the traditional silos that exist between
various activities within an organisation and help promote the
inter-relationships between risks and internal controls. For example, risks in
the production area can be treated by controls within finance.
Improve efficiency:
Where ERM technology can support the majority of the organisation’s risk
management processes, there will be greater efficiencies. Implementing a risk
management framework is ‘top heavy’ in nature, i.e. most of the expenditure
occurs at the beginning. Using ERM technology means that data can be re-used,
reviewed and edited more efficiently. Technology can also help automate
administration and monitoring activities. This will save money in the mid to
long term and make risk management a sustainable, long term investment.
Promote ERM accountability:
ERM Systems that identify the people responsible for various activities will
further enhance accountability. Any problems can be tracked to individual
people or departments very quickly.
Should we develop an ERM system in-house or buy from a vendor?
The answer to this will again depend on the organisation and in particular, the
strength of its resources, information technology and management capabilities.
Organisations have three options to choose from. They can develop a system
in-house, buy an off the shelf package or buy a customized solution.
1. Developing a system in-house:
This is usually the first option an organisation will pursue because system
requirements will seem simple enough. However, it is a lot of work and most of
them fail. Many in-house systems either blow the budget or fail to deliver the
required functionality because of either lack of risk management expertise
and/or the ability to translate the risk management experts’ knowledge into
computer processing rules.
Organisations who have successfully developed ERM systems internally usually
have strong ERM and project management skills, a results-orientated IT department
and deep pockets.
2. Buy an off-the-shelf package:
This may be suitable for small to medium organisations who have less complex
risk management requirements. The advantage and disadvantage of these
packages is the uniformity. Uniformity means that you have to fit within
the constraints of the software, but it also means that it is cheaper to buy
because it is mass customized.
3. Buy a customized solution:
This involves working with an external specialist to take an existing package
and further refine it to develop a customized solution. This is suitable for
medium to large organisations who have more complex risk management requirements
and want to take risk management seriously.
The advantage of this approach is that the organisation builds on an established
platform and may be more viable than developing an in-house package from
scratch.
The organisation may also benefit from the vendor’s risk management knowledge
and technical expertise from prior implementations.
Key considerations when selecting ERM technology
Implementing new ERM technology will mean either replacing an outdated
system or the introduction of a new approach to performing risk management
processes.
Know your needs:
The first step is to ensure you know exactly what you want from the technology.
Why? There are now a lot of ‘risk management’ systems available. These
range from basic, web-based compliance systems to complex operational risk
systems incorporating value at risk and simulation analysis. In reality, most
organisations just need a
simple system to record risks and evaluate and test controls.
To help determine which system to investigate, break down your needs into three
categories:
1. Must have now:
These are features that are critical to the success of your ERM framework. For
example, comprehensive risk analysis features that conform to AS/NZS 4360.
2. Nice to have now:
These are features that aren’t critical, but if available will enhance your ERM
framework. For example, the ability to attach control documents to risks and
controls.
3. Would like in the future:
These are features that may be required at some point in the future. For
example, the ability to record the cost of a control for further analysis.
Software considerations:
Once you know your needs, you will need to search for the most appropriate
system to meet your needs. The internet provides a good starting point for
initial investigations. In addition, you can look through trade magazines and
attend trade shows and conferences for potential systems.
When considering software, contact at least 5 to 10 vendors to get detailed
information. After the review, get down to a short-list of 3 potential systems.
Provide these vendors with your detailed business requirements and get them
working hard to show you how their system meets your requirements. During the
evaluation, ensure you learn more and more about the capabilities of the
competing software products by asking questions and talking to their customers.
Increasingly, organisations are looking for ‘Adaptive Software’. This is,
basically, the ability of the ERM software to adapt to the changing needs of the
organisation. One of our clients wanted to move from traditional file manager
document management to Microsoft SharePoint technology. Fortunately, our
technology platform was adaptive enough to support this need.
We strongly recommend you stick to software that is built using common languages,
databases and compilers. Why? In the event that your software vendor goes
‘belly up’, it will be easier for you to take over the system and maintain it
yourself.
Vendor considerations:
There is a growing list of vendors to choose from. Today, there is more
software available than ever before. Whilst this is good, it can get very
confusing for end-users because of the different levels of functionality,
features, platforms and delivery methods.
When selecting a vendor, evaluate their ability to service the product, to
support end-users, to enhance the product further, to customize technology, the
cost of customization and the location of the development team.
The majority of vendors are small to medium sized software firms who have
developed generic risk management packages. The quality of these packages will
vary and they are often not appropriate for medium to large organisations.
A vendor with expertise in risk management as well as computer technology will
often provide benefits to an organisation.
Watch out for the hidden costs
Whatever you decide to do, watch out for those costs that may not have been
considered as part of the technology solution.
Data conversion:
If organisations have existing data in spreadsheets or multiple databases, there
may be a conversion cost involved. From experience, conversion costs will be
greater when data is moving from ‘flat files’ such as spreadsheets to a
multi-dimensional database. Users will often need to review the converted
data and complete the conversion.
Data integration:
Where an organisation does not have an ERM system for risk analysis, control
evaluation and audit, there will be additional integration costs involved. The
costs will vary depending on the level of integration and the system
being integrated.
Process re-engineering:
Often, a new ERM system will improve processes and make some processes
obsolete. Whilst this is a benefit, in the short term, there will be additional
training and process re-engineering costs.
Training:
Without adequate training, the benefits of having ERM technology may not be
entirely realised. According to research by the Gartner Group, as a rule of
thumb, training should be 10-15% of total project cost.
What are the critical success factors to implementing ERM technology?
Senior management involvement and commitment:
Investment in ERM technology requires senior management support because it will
consume resources, may require considerable investment and ultimately, senior
management are a key stakeholder and end-users in terms of reports.
A well documented and effective ERM framework:
ERM technology should enhance and build on the existing ERM framework. The
framework should be well documented and understood, responsibilities should be
well defined and processes should be integrated.
User involvement:
Ignoring the importance of user involvement almost guarantees failure. Users
need to be involved during the business requirements stage and during user acceptance
testing.
Good planning and execution:
Like any change management project, new ERM technology will require good
planning and execution. Project managers need to allocate sufficient resources
and funds to the new ERM project. Ensure the project plan includes key
milestones and allows for training, conversion, testing and generous time for
‘fixes’.
Competent people:
All people involved in using the ERM technology should have the necessary skills
and capabilities. Ensure they receive adequate training and support. If
possible, ask the vendor to set up a separate training environment where users
can ‘play’.