I was thinking about the characteristics of companies that make the decision to acquire and then successfully implement an Enterprise Risk Management software solution. Why? Well, we are in the business of providing software solutions to companies, so we are always interested in understanding why certain companies get more out of ERM solutions than others. However, upon reflection, I think it is also important for companies on the ERM journey to reflect on these factors of success in their own decision-making process. So what are some of the factors of success?
1. Company Size – Does Size Matter?
Often company size is considered as a driver for moving to an ERM software solution. The bigger the company, the greater the need as there are more people involved in the process. Manually following up actions, treatment plans and risk assessment becomes more time-consuming and prone to errors. So generally speaking, we would expect some correlation between the number of ERM installations and size.
Our experience, however, is that it is not an important driver. We have a variety of very small to very large clients on the Protecht.ERM solution, with some companies having as few as 30 employees. So I don’t think size is a crucial driver. In fact, size can often work against successful implementations, as too many people become involved in the decision-making process as to how the ERM solution is used, and the ability to plot an agile course in expanding its utilization can be slowed down.
Whether the company has a risk and compliance team or at least a dedicated resource is crucial. Where risk is viewed as a part-time function, managed by the CFO in his or her spare time, we are unlikely to see a successful use of an ERM platform. Read the article 'What does it take to be a risk manager?'
Like anything we care for, an Enterprise Risk Management platform needs love and attention. If this is done on a part-time, ad-hoc basis, there is the risk that data, forms and reports will become obsolete. There is a greater chance of success where a risk professional has a clear vision about the risk framework, understands the interconnectivity of risk across various functions and can then use the platform to streamline related processes and the capture of information to support their desired risk reporting.
Stability of the team also helps. Risk management is still somewhat of an art form – every CRO or Operational Risk Manager has their own way of thinking about things. A constant change in team membership means constant revisions of the ERM processes and solution supporting them. Read the related article 'That risk is not mine'.
3. Tone from the Top – CEO and Board are on Board!
Companies whose CEOs and Boards aren’t really interested in risk management can see a lack of investment in the area, both in terms of systems and people. If risk management is viewed by the top as a hindrance or a nice-to-have, rather than an enabler, then ERM Software Solutions are ranked well below other priorities that may more directly influence revenue generation. In my opinion, the more support from the top – the higher the probability that an ERM solution will deliver value and be used more effectively.
4. Risk Maturity – Operational Framework and Spreadsheets
An organization with a framework that has been operating for a number of years is more likely to have a need for an ERM software solution. If the company has, for example, an operational risk appetite statement and risk framework policies, and risk is being considered in the decision-making process, then at some point the pain of trying to manage and report on the framework using Excel and Word becomes too much.
Aggregating risk assessments from different divisions, the same risk having slightly different taxonomy in different business units, manually sending out reminders for actions or treatment plans and then updating them in a spreadsheet – it becomes too hard and an ERM solution is sought to alleviate the pain.
However, someone with no risk framework or a very basic one will probably be happy using spreadsheets and the odd email to keep it ticking over.
5. Regulatory Pressure – The Supervisors' Influence
A key driver for ERM Software Solutions (certainly in Australia at least!) has been the relevant regulatory agencies. In the financial services sector, there is a clear mandate from the Prudential Authority that banks and insurers should have appropriate risk management systems and frameworks to support their operations. ASIC through its consultative papers on risk management also influences other entities.
Although the regulators do not specifically mention software solutions, there is general consensus across the market that this will be better achieved with an appropriate ERM solution.
'It is also clear that simply having the software does not tick the box. It must be used regularly, embedded in day-to-day operations and must ensure that all levels of management receive appropriate risk management information to support their decision making. Currency and accuracy of data are crucial.'
What other factors do you think are relevant?
David Bergmark consults on a variety of market and enterprise risk management issues and is actively involved in the development and implementation of Protecht's risk management software (ERM and ALM). David started out in the audit division of Price Waterhouse in 1990, handling clients such as Macquarie Bank and Bankers Trust. By 1994 he was Risk Controller for Carrington Securities - a financial markets trading company. In 1996 David left Carrington to head up the Risk Management Department at IBJ Australia Bank (IBJA) where he was responsible for the development of all risk disciplines at the bank – market, credit, liquidity and operational.