Protecht.ERM Showcase: Manage the full lifecycle of risk management in one system
Register Now

This interview was featured in the Risk Management Survey special supplement by the Institute of Risk Management in London. You can access the full publication here.

What are the most common couple of failings that businesses make when they implement risk management software?

The first mistake that people make when they implement risk management software is that they fail to have a clear plan of what it is they want to achieve with the software. Integrated risk management software can cover many areas such as risk and control assessment, metrics, incident reporting, internal audit and more. At times, there can be conflicting requirements across the various stakeholder groups which can cause delays in the implementation of the software. The second mistake is a failure to engage end users early in the design process. The more engaged the end users are, the more likely they will be willing to support the rollout and process.

What are the main couple of practical steps that they should take to overcome those?

Have a project committee that’s responsible for overseeing decisions that relate to the design, build and execution of the project plan for the implementation of the risk software. That project committee needs a firm hand to make the harder decisions to keep the project on track and get stakeholders to compromise when needed.

"The first mistake that people make when they implement risk management software is that they fail to have a clear plan  of what it is they want to achieve with the software."

Apart from the project committee, what other practical steps would you recommend?

Make sure that the business analyst has clearly understood the requirements of the various stakeholders that are looking to implement the software. The business analyst needs to clearly understand what fields are going to be on the data input forms, the workflows associated with the forms and what reporting is required for key stakeholders before the build commences.

What are the two or three things risk managers can do to maximise their return on investment in risk management software?

aggregation.  The shared reporting and messaging across the various board committees is also critical to ensure a common unified approach to risk management is achieved.


How to get more intimate with your Risk Controls

Controls are usually not well understood or managed.This often leads to a control framework that inadequately addresses risk, is not effective and is costly to manage and maintain. Find out how you can build an optimal risk control framework

Get the eBook


Return on investment in risk management software is generated from efficiencies gained in data collection, transition of that data through various approval levels and insightful reporting to various stakeholders.

An integrated solution allows easier collection of data across the entire organisation by providing a single platform for users to enter data into web-based forms. Once entered, efficiencies can be gained in terms of automatic notification and dissemination of that data through the workflow engine that is attached to the solution. It removes time-consuming and error-prone distribution of data previously done by email and Excel spreadsheets. For example, sending out attestation questionnaires to the first line can be automated, along with reminder emails, on a rolling basis. The risk and compliance team are relieved of what was previously a highly manual task.

For risk managers that are using Excel, reporting and dashboard visualisation of that data can also be time-consuming to prepare. Having an embedded analytics engine in the application allows great visualisation of the data to be done much more efficiently. Dashboards are live with the data as soon as it is entered, allowing risk managers and stakeholders to make risk-based decisions faster.

Return on investment is therefore gained by maximising efficiencies in these three areas.

"Risk managers do play an important role in supporting strategic decision-making because, in the end, risk management is all about outcome management."


IRM SPECIAL SUPPLEMENT - JAN 2020 - David Bergmark, Keith Davies, Gary Lynam and David Tattam

(L-R) David Bergmark, Chief Executive Officer; Keith Davies, Director Sales and Operations, UK & Europe;
Gary Lynam, Director of Risk Advisory, UK & Europe, and David Tattam, Director Research and Training.

Boards sometimes complain that risk managers do not play enough of a role in supporting strategic decision-making. What couple of ways can they leverage risk management software to make that a reality?

Risk managers do play an important role in supporting strategic decision-making, because, in the end, risk management is all about outcome management. If we are aware of our risks that are related to strategic decisions, we are going to be better positioned to achieve those strategic objectives.

A board should have a risk appetite statement that covers not only risks that have a downside such as safety and business disruption, but also strategic risks that have an upside – new products and geographic expansion as examples. The board should be able to articulate with the risk manager how much appetite they have for obtaining gain from those strategic decisions, and what risks they’re willing to take to achieve those gains.

In terms of using software to facilitate that decision-making, I think the first thing software can do is produce an integrated risk profile for all of the key risks that have been articulated in the risk appetite statement.

In Protecht.ERM, we connect internal audit findings, incidents, metrics and more to the key risks. As a result, the board can receive more real-time information as to how each of those key risks, regardless of whether they are strategic or operational, are being managed and monitored within the organisation. As such, I firmly believe it will help decision-making around further investments related to the risks.

The risk management software should also have a clear connection between the divisional risks and strategy. If this connection is established, then the divisions will have a better understanding that the risks they are managing impact strategy and as a result feel more engaged with the risk framework.

"The risk management software should also have a clear connection between the divisional risks and strategy."

Do you feel technologies such as artificial intelligence and data mining are going to transform risk management software over the next couple of years?

Starting with the AI question, we feel machine learning will be more relevant for the risk management space. We have already seen it put into practice for credit decisions and now facial recognition, relevant for law enforcement (and casinos!). In the enterprise risk management software, I expect it to guide first-line users through the risk assessment and incident capture process. Once the deep-learning algorithm error rates fall below those of humans, which is starting to happen in more areas, take up will accelerate.

Data mining, on the other hand, looks for patterns in large data sets. A large data set is typically at least millions of records. In enterprise risk management areas (incidents, audit findings as examples), I personally don’t feel there is enough data for true data mining to be that relevant. I do, however, see that visualisation of the smaller data sets using analytics engines will help identify patterns more efficiently. As an example, if we can see that the majority of incidents happen with a certain two-hour period, we can start to investigate why and take corrective action. Being able to aggregate that information up into more meaningful dashboards that support decision-making at a higher level is the important thing.



Forum organised by Protecht in London in September 2019 – ERM The Six Essentials

What do you think are the top critical items for a company to think about when it comes to risk management at the moment?

The number-one item is the tone from the top. Executives and boards need to actively support risk management by viewing it as an enabler rather than a regulatory cost to the business. Redefine risk as a practice that allows your organisation to go faster, rather than hinder it. Boards, therefore, need to be proactive in setting the risk appetite statement. Executives need to be proactive in communicating the risk appetite statement throughout the organisation and making sure risk data is aggregated across all lines to help identify emerging or systemic risks. The business – the first line of defence in the three lines model – must have ownership of its risks and their related management.

The second critical item is that the data that’s being captured and reported through risk systems must be used effectively. Many of the findings that came out of The Australian Prudential Regulation Authority (APRA) inquiry to The Commonwealth Bank of Australia (CBA), indicated that there were a lot of resources devoted to risk management activities, but information derived from those activities was not actioned. One example was that internal audit findings were outstanding for more than three years, even though they were of a high priority or critical nature. We need to use the information captured to formulate actions that have owners and a clear time horizon for implementation.

Finally, the views of different stakeholders need to be balanced, such that organisations need to give equal consideration to shareholders and customers. The APRA report had a very simple message here: ask “Should we?” instead of “Can we?”

"Redefine risk as a practice that allows your organisation to go faster, rather than hinder it."

IRM SPECIAL SUPPLEMENT - JAN 2020 - Features-RiskInMotion

RiskInMotion dashboard from the Protecht.ERM system

How does Protecht help its clients with those critical items?

The Protecht Group supports companies across the entire lifecycle of risk management. Firstly, to support risk management education, we produce a substantial amount of risk-related technical content. We do that through free monthly webinars as well as our client community portal that allows risk managers to communicate with each other and continually improve their knowledge. We also provide live public courses and in-house training to support development. Much of that content is freely available on our website

Our implementation teams are also experienced risk practitioners and hence are able to guide risk managers on connecting risk management concepts to Protecht.ERM, our integrated risk management solution. It is a platform to support all areas of the risk framework – risk assessment, metrics, compliance, incidents, internal audit findings, treatment plans, business continuity and EHS.

Once the data is captured, the workflow engine disseminates information efficiently, and the analytics engine allows great visualisation of the data into meaningful dashboards. Risk profiles are alive with connected information. – #RiskInMotion.

Controls eBook Image

Related Articles

feature image
Webinars, Protecht.ERM

Risk Bow Tie Leadership Webinar Wrap Up

Risk Bow Tie Analysis is a powerful tool to document and communicate any type of risk. At Protecht we have always been passionate about Bow Ties and...
Read more
feature image
Risk Management, ERM, Protecht.ERM

ERM and other Risk Management acronyms

The management of an organization's risks on a true enterprise basis should be the aim of contemporary risk management. Enterprise Risk Management...
Read more
feature image
Health & Safety, Risk Professionals, Protecht.ERM

Webinar Q&A: Protecht.ERM Risk Management System Showcase

We want to thank Adel Fakhreddine for answering the questions and also to all the participants around the world for being really proactive and...
Read more