Using risk management software properly accelerates business decision-making and helps organisations create value from their strategies, says David Bergmark, Chief Executive Officer at Protecht.
The first mistake that people make when they implement risk management software is that they fail to have a clear plan of what it is they want to achieve with the software. Integrated risk management software can cover many areas such as risk and control assessment, metrics, incident reporting, internal audit and more. At times, there can be conflicting requirements across the various stakeholder groups which can cause delays in the implementation of the software. The second mistake is a failure to engage end users early in the design process. The more engaged the end users are, the more likely they will be willing to support the rollout and process.
Have a project committee that’s responsible for overseeing decisions that relate to the design, build and execution of the project plan for the implementation of the risk software. That project committee needs a firm hand to make the harder decisions to keep the project on track and get stakeholders to compromise when needed.
Make sure that the business analyst has clearly understood the requirements of the various stakeholders that are looking to implement the software. The business analyst needs to clearly understand what fields are going to be on the data input forms, the workflows associated with the forms and what reporting is required for key stakeholders before the build commences.
Return on investment in risk management software is generated from efficiencies gained in data collection, transition of that data through various approval levels and insightful reporting to various stakeholders.
An integrated solution allows easier collection of data across the entire organisation by providing a single platform for users to enter data into web-based forms. Once entered, efficiencies can be gained in terms of automatic notification and dissemination of that data through the workflow engine that is attached to the solution. It removes time-consuming and error-prone distribution of data previously done by email and Excel spreadsheets. For example, sending out attestation questionnaires to the first line can be automated, along with reminder emails, on a rolling basis. The risk and compliance team are relieved of what was previously a highly manual task.
For risk managers that are using Excel, reporting and dashboard visualisation of that data can also be time-consuming to prepare. Having an embedded analytics engine in the application allows great visualisation of the data to be done much more efficiently. Dashboards are live with the data as soon as it is entered, allowing risk managers and stakeholders to make risk-based decisions faster.
Return on investment is therefore gained by maximising efficiencies in these three areas.
(L-R) David Bergmark, Chief Executive Officer; Keith Davies, Director Sales and Operations, UK & Europe; Gary Lynam, Director of Risk Advisory, UK & Europe, and David Tattam, Director Research and Training.
Risk managers do play an important role in supporting strategic decision-making, because, in the end, risk management is all about outcome management. If we are aware of our risks that are related to strategic decisions, we are going to be better positioned to achieve those strategic objectives.
A board should have a risk appetite statement that covers not only risks that have a downside such as safety and business disruption, but also strategic risks that have an upside – new products and geographic expansion as examples. The board should be able to articulate with the risk manager how much appetite they have for obtaining gain from those strategic decisions, and what risks they’re willing to take to achieve those gains.
In terms of using software to facilitate that decision-making, I think the first thing software can do is produce an integrated risk profile for all of the key risks that have been articulated in the risk appetite statement.
In Protecht.ERM, we connect internal audit findings, incidents, metrics and more to the key risks. As a result, the board can receive more real-time information as to how each of those key risks, regardless of whether it is strategic or operational, is being managed and monitored within the organisation. As such, I firmly believe it will help decision-making around further investments related to the risks.
The risk management software should also have a clear connection between the divisional risks and strategy. If this connection is established, then the divisions will have a better understanding that the risks they are managing impact strategy and as a result feel more engaged with the risk framework.
Starting with the AI question, we feel machine learning will be more relevant for the risk management space. We have already seen it put into practice for credit decisions and now facial recognition, relevant for law enforcement (and casinos!). In the enterprise risk management software, I expect it to guide first-line users through the risk assessment and incident capture process. Once the deep-learning algorithm error rates fall below those of humans, which is starting to happen in more areas, take-up will accelerate.
Data mining, on the other hand, looks for patterns in large data sets. A large data set is typically at least millions of records. In enterprise risk management areas (incidents, audit findings as examples), I personally don’t feel there is enough data for true data mining to be that relevant. I do, however, see that visualisation of the smaller data sets using analytics engines will help identify patterns more efficiently. As an example, if we can see that the majority of incidents happen within a certain two-hour period, we can start to investigate why and take corrective action. Being able to aggregate that information up into more meaningful dashboards that support decision-making at a higher level is the important thing.
Forum organised by Protecht in London in September 2019 – ERM The Six Essentials
The number-one item is the tone from the top. Executives and boards need to actively support risk management by viewing it as an enabler rather than a regulatory cost to the business. Redefine risk as a practice that allows your organisation to go faster, rather than hinder it. Boards, therefore, need to be proactive in setting the risk appetite statement. Executives need to be proactive in communicating the risk appetite statement throughout the organisation and making sure risk data is aggregated across all lines to help identify emerging or systemic risks. The business – the first line of defence in the three lines model – must have ownership of its risks and their related management.
The second critical item is that the data that’s being captured and reported through risk systems must be used effectively. Many of the findings that came out of the Australian Prudential Regulation Authority (APRA) inquiry into the Commonwealth Bank of Australia (CBA) indicated that there were a lot of resources devoted to risk management activities, but information derived from those activities was not actioned. One example was that internal audit findings were outstanding for more than three years, even though they were of a high priority or critical nature. We need to use the information captured to formulate actions that have owners and a clear time horizon for implementation.
Finally, the views of different stakeholders need to be balanced, such that organisations need to give equal consideration to shareholders and customers. The APRA report had a very simple message here: ask “Should we?” instead of “Can we?”
RiskInMotion dashboard from the Protecht.ERM system
The Protecht Group supports companies across the entire lifecycle of risk management. Firstly, to support risk management education, we produce a substantial amount of risk-related technical content. We do that through free monthly webinars as well as our client community portal that allows risk managers to communicate with each other and continually improve their knowledge. We also provide live public courses and in-house training to support development. Much of that content is freely available on our website www.protechtgroup.com.
Our implementation teams are also experienced risk practitioners and hence are able to guide risk managers on connecting risk management concepts to Protecht.ERM, our integrated risk management solution. It is a platform to support all areas of the risk framework – risk assessment, metrics, compliance, incidents, internal audit findings, treatment plans, business continuity and EHS.
Once the data is captured, the workflow engine disseminates information efficiently, and the analytics engine allows great visualisation of the data into meaningful dashboards. Risk profiles are alive with connected information. – #RiskInMotion.
Protecht is an international company founded by some of the most accomplished risk professionals in the industry. Since 1999, we have delivered training, advisory and software solutions that intensify the risk management focus and discipline of government departments and corporations around the world.