How do I select a new enterprise risk management system?

Choosing the right enterprise risk management (ERM) software is an important decision for any organisation committed to maintaining robust governance and compliance standards while capturing opportunities for growth. But what evaluation criteria should you use?

Let’s consider the approach needed to evaluate ERM software, ensuring that the chosen solution not only aligns with your specific needs but also empowers you to manage and anticipate risks proactively. The key dimensions we’ll look at are:

  • Understanding core ERM use cases
  • Effective user management
  • Efficient and effective workflows
  • Underlying technology
  • Analytics and reporting
  • Expert implementation and ongoing support

To assist you in creating a compelling business case for transitioning to sophisticated ERM software, we've developed a comprehensive Business Case Template, available for download.

Understanding core ERM use cases

Core ERM functionalities form the backbone of any ERM software, directly impacting the ability to manage and mitigate risks effectively.

A fully integrated risk management system ensures that all aspects of risk – strategic, operational, financial, or compliance-related – are managed in a unified manner. This integration gives a consolidated view of risk exposures and supports better decision-making.

Your ERM software should have the following core functionalities:

  • Centralised risk register: The software should maintain a centralised risk register that captures all risk data, including identification, assessment, mitigation strategies, and monitoring. This register serves as a single source of truth, ensuring consistency and accessibility of risk information throughout the organisation.
  • Dynamic risk assessment tools: Dynamic tools for risk assessment that adapt to the changing risk landscape are essential. These tools should support consistent risk taxonomies that allow your organisation to draw insights across the complete risk lifecycle.

Specialised use cases such as compliance management, vendor risk management, IT risk management, operational resilience, and audit management require specific functionalities:

  • Compliance workflow management: The system should automate and streamline compliance processes, including handling regulatory changes and enabling easy assessments and control management.
  • Vendor risk assessment: Look for features that provide a clear and actionable view of vendor risks, streamline the assessment process, and integrate with the overall ERM plan.
  • ISMS/IT risk management: Ensure that the software offers tools to identify and manage IT-specific risks, including cybersecurity threats and IT compliance issues.
  • Operational resilience: The system should support resilience planning and audit processes, helping to anticipate potential disruptions and maintain continuous operations.

Effective user management

An ERM system must ensure that the right people have the right access to the right information at the right time, both for security and usability reasons.

Software that’s capable of meeting user needs and driving widespread adoption will tend to have the following traits:

  • Intuitive user interface: Check that the software provides a clean, intuitive interface that users can navigate easily without extensive training.
  • Customisation capabilities: Evaluate whether the ERM system allows you to configure workflows, risk matrices, and reports to match your organisation's specific risk management processes.

Good access controls protect sensitive information from unauthorised access while ensuring that users have the information they need to perform their roles effectively. Here’s what to look for:

  • Role-based access control (RBAC): Ensure that the ERM software supports robust role-based access controls that allow you to define what each user or group of users can view and do.
  • Integration with security systems: The system should seamlessly integrate with existing security frameworks within your organisation, such as Single Sign-On (SSO) protocols.

Efficient and effective workflows

Efficient and effective workflows are vital for ensuring that your processes are integrated, systematic, and capable of adapting to change.

A robust ERM system should provide comprehensive integration capabilities that connect various aspects of risk management into a cohesive framework:

  • Holistic integration: Evaluate whether the software can integrate all aspects of risk management to provide a unified view that enhances understanding and decision-making.
  • Task management capabilities: The system should facilitate the efficient management of tasks related to risk management, including creating, assigning, tracking, and reporting on tasks.

To ensure that the ERM system fits well with your organisation's specific needs, it must offer flexible and customisable templates that can be tailored to various risk management activities:

  • Risk register templates: Check if the software provides best practice risk register templates that can be easily adapted to your organisation’s specific requirements.
  • Customisation options: Assess the software’s ability to allow for the creation of bespoke risk registers and other templates, which can help ensure that all relevant risk information is captured and managed effectively.

The system should promote consistency across the organisation while enhancing the efficiency of risk management processes:

  • Consistency in risk & controls management: Ensure that the software supports consistent terminology and methodologies across all registers and templates, which is crucial for accurate reporting and analysis.
  • Efficiency in processes: Evaluate how the software supports the streamlining of risk management processes, including the ease with which risk assessments can be conducted and updated.

Underlying technology

The underlying technology of an ERM system is key to its efficiency, security, and adaptability. It determines how well the system supports the organisation's current and future needs.

The ability to integrate with other business systems and manage data effectively is important for providing a unified view of risk:

  • Data integration capabilities: Assess whether the ERM software can seamlessly integrate data from various sources, including internal systems and external intelligence. This integration should support a comprehensive risk assessment and management process.
  • Accessibility for remote users: Verify that the system is accessible to remote users, which is especially important in increasingly flexible work environments.

The system should also ensure that all data, particularly sensitive information, is securely managed and that compliance with data protection regulations is maintained:

  • Data security standards: Check that the software adheres to high standards of data security, including encryption of data in transit and at rest. The system should use secure, up-to-date protocols for data transmission.
  • Document and evidence management: Evaluate the system’s capabilities for document attachment, storage, and management. This includes checking how the system handles evidence collection and storage, such as uploading and linking documents related to risk assessments and audits.

Analytics and reporting

Effective dashboards and visualisation tools help communicate risk information clearly and efficiently, making it accessible to all stakeholders involved in risk management:

  • Integrated dashboards: Check if the ERM software offers comprehensive, customisable dashboards that provide real-time insights into key risk indicators and metrics.
  • Ease of report generation: Assess how easily users can generate reports and whether the system allows for both standard and ad-hoc reports.

Advanced reporting capabilities ensure that the organisation can look deeper into analytics, providing a more detailed understanding of risks and their impacts:

  • Depth of analytical tools: Look for features that allow for detailed data analysis, such as trend analysis, predictive analytics, and scenario planning.
  • Export capabilities: Ensure that the system supports the export of data and reports in various formats (e.g., Excel, PDF, PowerPoint).

Expert implementation and ongoing support

Effective implementation and reliable ongoing support are crucial to maximising the value of the ERM software and ensuring it meets the organisation’s needs over time.

The vendor’s ability to provide knowledgeable and effective implementation support can significantly impact how well the ERM system is integrated into your organisation’s existing processes:

  • Vendor expertise: Evaluate the vendor's experience and knowledge in both risk management and software implementation. Ensure they understand the specific needs of your industry and can suggest best practices.
  • Support during implementation: Look for evidence of a structured implementation process that includes comprehensive training, configuration assistance, and initial setup support.

After implementation, the quality of ongoing support and system maintenance becomes pivotal in ensuring the software continues to perform optimally and evolve with your organisation’s needs:

  • Regular updates and enhancements: Ensure the vendor commits to regularly updating the software with new features and security enhancements. Check how these updates are managed and communicated to minimise disruption.
  • Customer support accessibility: Assess the availability and quality of customer support. This includes the availability of support personnel during your business hours, the responsiveness to inquiries and issues, and the presence of a comprehensive knowledge base or help desk.

Conclusions and next steps

The right ERM software both simplifies the complexities associated with managing various types of risk and enhances decision-making capabilities. Evaluating core ERM functionalities, user management, workflows, underlying technology, analytics and reporting, and expert implementation support is a crucial step in selecting an ERM system that aligns with your organisation's specific needs.

To assist you in creating a compelling business case for transitioning to sophisticated ERM software, we've developed a comprehensive Business Case Template. Whether you're upgrading from a manual process or an existing ERM system, our template will provide you with the expert guidance needed to make a compelling case for a state-of-the-art ERM solution.

About the author

Damien Stevens leads our Product & Marketing team and is responsible for Protecht’s global product vision, design and go to market strategy. He graduated from the University of Technology, Sydney with a degree in Marketing & Finance. With extensive experience in B2B software, financial services and data and analytics, Damien has built and launched many widely used and loved products that solve real problems for large and small businesses.