Enterprise Risk Management Software: Lipstick on a Pig?
Steven Minsky | May 25, 2006
The article by Evan Busman, "Handling Twin Takes of ERM", is a great overview of evaluating enterprise risk management software, especially in highlighting the pitfalls of compliance software that does not address the more strategic business risk and performance management objectives of the firm. Risk Management has traditionally been associated with risk elimination, insurance and compliance.
Most GRC software vendors have predictably added some risk features onto their existing compliance packages because it is easier for them to sell. You can put lipstick on a pig, but it’s still very much a pig. The true Enterprise Risk Management approach is best described by Dan Borge in The Book of Risk, in which he writes, “Risk Management means taking deliberate action to shift the odds in your favor – increasing the odds of good outcomes and reducing the odds of bad outcomes”. Enterprise Risk Management is about building business value in support of better decision making rather than only providing oversight of major compliance management system issues or satisfying the requirements imposed by external auditors. New software built from the ground-up to meet the very different needs of true Enterprise Risk Management is required.
Enterprise Risk Management software must fully manage the complexity of an ERM program. Based on my research, I have identified the following key characteristics:
- Root Cause: A framework that gets to the cause of issues makes follow-up straightforward and logical.
- Performance Management: Making it easy for line managers to achieve process improvements that reduce costs, bottlenecks, and unnecessary risk translates into their embracing risk management.
- Business Process Driven: Selecting the most relevant 30 to 50 key risk indicators for each core business process from thousands of possibilities.
- ERM Reports (Cross-Functional Risk): Features to deliver a portfolio view with interactive dashboards to drill down or cut across silos to identify dependencies between risks.
- Risk Mitigation: Go beyond financial controls to also quantify the effect of controls on business goal achievement while maintaining accountability throughout the process.
- Risk Tolerance: Embedding risk management processes within the existing corporate culture from enterprise-wide board room strategy to tactical planning and analysis.
- Risk Maturity Model: Enable the risk management department itself to accelerate adoption of best practices, to set program objectives and measures, and to manage ERM program activities.

With these criteria you can evaluate true Enterprise Risk Management software capabilities against those of GRC vendors claiming to do enterprise risk management.