
The most critical feature of a risk management system

When people look at software to help with an enterprise risk management program, I find that everybody is interested in how well it supports activities like risk assessment, reporting, and remediation.

But in a world where risks are changing all the time, what McKinsey refers to as turbulent times, those are features suited to a slow-moving or even static risk landscape.

Reporting through nice dashboards and charts is fine. But by the time you share those reports with management, they reflect the state of the risk landscape that used to exist – when the data was gathered. They are an historical record rather than something that necessarily enables prompt and agile management.

The most critical feature for me is the ability to monitor and be alerted to changes in known risks, or the emergence of new risks. That kind of prompt risk intelligence means that the executive team and decision-makers across the enterprise are able to make business decisions with a picture of today’s rather than yesterday’s risks.

How does this affect the choice of a risk management solution?

While some place a priority on the integration of risk management with compliance and even internal audit functionality, my priority is on the integration of the risk management solution’s core system and the organization’s business intelligence (or equivalent) software – the software used to perform continuous risk monitoring. (If you are not performing continuous risk monitoring, that’s a different and serious problem – IMHO.) Examples include SAP’s BusinessObjects, Oracle’s Hyperion, and IBM’s Cognos. I like to use them to monitor my risks and bring the results into solutions (usually from those same vendors, such as SAP’s Risk Management solution) for workflow, analysis, and reporting.

Do you agree? I welcome your comments.

  1. Kathryn M. Tominey
    June 25, 2013 at 1:54 PM

    There is no reason why each senior mgr could not be assigned monitoring responsibility. The score board, matrix, etc. system can & should automatically alert the executive monitor regarding changes of status.

    Taking schedule as a simple example, any delay or ahead-of-plan result represents a need for attention. Attention to assess impacts of delays & how to overcome slips. Or, looking at other schedules for under runs to determine what competitive advantage might be found. That is, can we roll out system or product sooner and get ahead of competition.

    That said, the bottom line is working hard & smart is required for success. There are no shortcuts.

  2. June 26, 2013 at 3:55 AM

    Pertinent commentary, as always. However, there is a need to temper this view with the basic principles of proportionality and the underlying risk maturity of the business. Trying to leap straight into something very sophisticated, when the underlying maturity is low, can often damage and/or hinder progress in developing truly embedded and effective risk management systems into a business. So – I agree that measuring the “here and now” is important, but caution on how quickly any firm looks to get there….

    • Kathryn M. Tominey
      June 26, 2013 at 11:16 AM

      Right on about keeping things as simple as possible for newbies. That said, with an oversimplified reporting process the person managing the system & reporting needs to be prepared to do one-on-one updating when the unexpected emerges. By that I mean the risk mgt system mgr needs more granular data & quicker feedback by at least a factor of 10.

      Like inspection systems the measurement accuracy & precision should be at least a 10th of the spec. If you are working to +,- 0.0005 then the measurement system should be doing +,- 0.00005.

  3. July 1, 2013 at 6:56 AM

    The responsibility centre providing the advisory and “corporate challenge” functions can add value to this process, since new risks might be identified and new risk management strategies required after the roll-up. There needs to be a synergy between the overall risk management strategy and the local risk management practices of the organization.

  4. Kelly Barton
    July 7, 2013 at 8:18 AM

    It is always great to read your insights, Norman. I agree with you on these points, but only in part. Your commentary assumes that the reporting and dashboards are not dynamic and are not set to update regularly and be sent automatically to a distribution list of risk owners. New technology enables this and should be expected in any ERM or GRC solution, even if the maturity level of the organization is not currently ready to undertake these capabilities. Furthermore, you must measure to notice trends and be able to project forward. Alerts should be set to notify risk owners of changes in trends or hitting some threshold. Your point is spot on with the fact that some place the priority on risk integration with compliance and audit. We find this important, but not where the priority should be placed.
