An update of ERM systems

ERM is not only important for decisions that are taken within a company; there are other factors to consider as well. Peter Robertshaw, vice president of global marketing at Strategic Thought Group explains that this need for risk information is further bolstered by the requirements of regulators, credit ratings agencies and by insurance companies who want to know more about the risks they may, or may not, be covering. ‘Enterprise risk management technology,’ he continues, ‘is no longer just a “nice to have” for complex internetworked businesses.’

Paul Hopkin, technical director at AIRMIC agrees, saying that ERM technologies are important, especially to more complex risks. ‘ERM applications are well developed for analysis tools, such as predictive models and dependency analysis,’ he says.

So what does an ERM package do? Stuart Selden, manager, business risk consulting group EMEA and Asia-Pacific at FM Global explains that the ‘enterprise’ in ERM means tying together all the disparate risk management approaches across a business. He adds: ‘Because of the breadth of such an approach, software applications can be a useful tool in pulling together information and structuring outcomes but there are more important basics to have in place – a software application alone is not likely to result in a high quality risk management process.’

Selden advises not to look for a technology to drive the ERM process, but to support it. He suggests that companies make sure the basics are in place beforehand and they ensure that the ERM system is sufficiently flexible to meet changing business needs. He adds that companies should ensure that it can interface with existing risk management systems. And he concludes by saying: ‘Remember that once technology is used, it then becomes a process that needs to be considered in the risk management framework going forward.’

What’s needed?

A company needs to decide what it is looking for in an ERM package. Trent Derr, president and CEO for Syntex Management Systems, Inc, explains that one of the major critical success factors is to select a solution that will adapt to its needs and business structure over time. ‘Inherently, as your organisation’s risk management practices mature, you’ll need your ERM solution to facilitate those changing business processes and structures,’ he says.

He continues by pointing out that at the most basic level of ERM, a company will have integrated, repeatable processes across the organisation with a common risk data repository. By the time a company reaches the highest level of ERM maturity, he says: ‘The organisation will have a continual process improvement process in place that includes the repeated identification of the leading indicators of specific risk exposures in the business.’

As an ERM system is a large investment for any company, getting these basics right is vital to the future successful use of the ERM package. It is also worth asking the people who are going to use the ERM, what they think it needs to do. A company is not only choosing an ERM package for today, it should also be looking at how the company and its demands on its ERM could change in the future.

A real-life example comes from John Summers, chief advisor – risk at Rio Tinto. He explains how they went about choosing an ERM package. ‘We were looking for a system that could identify, manage and report risk data in a flexible and convenient form; capability to escalate and delegate risks through the organisation; one that was fully enterprise enabled with necessary internal and external security features to prevent data loss (either inadvertent or deliberate).’

He says that they also wanted a system with a flexible, workshop enabled front-end risk identification capability and a system suited to the established Rio Tinto risk process. ‘So that we were not forced to adapt our process to match system constraints,’ he concludes.

Rio Tinto chose Strategic Thought Group’s Active Risk Manager package as the company’s ERM solution.

Another company who are using Strategic Thought’s Active Risk Manager is Leighton Contractors PTY Ltd based in Australia. Karl Davey, manager, risk management group operational services explains what they were looking for in an ERM. The company wanted a system which would support true organisational wide enterprise risk management. Davey continues: ‘In that respect we wanted a system which could be used by all levels of the business (engineers to senior management and board) and would cover all the facets of enterprise risk management (project, operational, business and strategic, safety, catastrophic and crisis management, financial, and environmental aspects).’

“It seems very likely that a risk scoring system will be developed by the analysts who evaluate companies from an investment and debt perspective

Integrating the ERM into existing systems and business structures is another important issue when choosing a package. Summers says: ‘We are in the early stages of a full deployment but our experiences with users have, so far, been positive.’

Other factors

There are other factors to look at. Keeping ahead of the technologies that are being used in your organisation is one consideration. Personal digital assistants, Smartphones and mobile phones are all now common place and data may need to be captured from them in some instances.

Training is another area that a company should look into when choosing an ERM solution. Davey says: ‘Training in the product has been supported through our Leighton way online management system or via workshops. What has been important to us is training people in the foundations of effective risk management and we have embedded Active Risk Manager training into this course so people can practise the theory using the system they will use in normal practice.’

Summers agrees about the importance of training: ‘Training is a real issue; our supplier gave us generic material that we have tuned and extended to match our configuration of the system, and have built our own risk-literacy training courses. We are deploying across our business world-wide and using e-learning as our only training method.’ He adds that: ‘Throughout this project we have learned hard lessons that communication and training are as important as the system's technical capability.’

What’s out there?

There are several different ERM packages on the market. Some are designed for specific industries such as finance, whereas others are designed for other industries including property and energy. A small selection of these are the following.

• FM Global’s RiskMark is the only global, fact-based property risk quality benchmarking model available, says Selden. ‘RiskMark provides a reliable measure of risk quality on a scale of 1 to 100. Our analysis shows that losses at locations with the lowest scores are eight times larger and occur four times more often than losses at the locations with the highest scores.‘

• Strategic Thought Group’s Active Risk Manager is a web-based product. Robertshaw says that: ‘The Collaborative Workshop Solution (CWS), allows all employees to be involved with the risk and reward process whatever their location, even in areas where connectivity is limited. Risk data is later synchronised when a connection to the enterprise ARM system is possible.’

• Derr says that the Syntex IMPACT ERM enables a company to capture and manage all their proactive and reactive sources of risk and perform analytics on that common data repository to identify those factors that are impacting operational performance. Industries that are using this product include energy, utility, transportation and manufacturing companies.

• SAS offers ERM software for the financial, communications, energy and insurance industries. The company claims that their software has the most powerful predictive analytics available and they also offer courses.

• Methodware’s Enterprise Risk Assessor integrates risk, audit, compliance and governance and is designed around the Australia/New Zealand 4360 standard. The product can be used in a single location or in an enterprise situation.

“A company needs to decide what it is looking for in an ERM package

What’s coming?

As risk management continues to develop and grow, ERM packages will also have to grow and adapt to deal with these changes and still provide effective help for companies. What will future ERM packages include?

Derr says that it seems very likely that a risk scoring system will be developed by the analysts who evaluate companies from an investment and debt perspective. ‘This risk score will very likely be similar to the FICO score used in Canada and the US as a measure of an individual’s credit worthiness,’ he adds.

He goes on to say: ‘However the risk score for a corporation will include the key factors that are correlated with operational excellence such as process integrity, leadership commitment, risk culture, and etc. By having this standardised risk scoring metric, it will be easier to assess the impact of risk practices across organisations both within an industry and across industries.’

Selden thinks that it will be people who become more important in the future, not just the software. ‘I see innovations in process rather than technology specifically. Risk managers need a higher profile and more operational integration, to be able to influence culture. The position of CRO (chief risk officer) raises some questions because it may well draw risk management away from operations, which will further decrease their ability to integrate.’

And in that may lay the key to running a successful risk management policy – having the right software, people who know how to use it well and making sure that the right people are involved in the process.

Another important aspect is keeping ahead of new technologies such as personal digital assistants. as Tony Dearsley, computer forensics manager at Kroll Ontrack explains: ‘I think that the enterprise risk management sector has become much more aware of the power and the danger of a relatively small and innocuous-looking piece of media, and at the same time more aware of the power of a single individual to disseminate a vast amount of sensitive information in a small amount of time.’

He concludes by saying that in the future, he thinks that we will see more efforts to acknowledge these facts in policies and in practices: ‘But in ways that also acknowledge the need not to impede workflow unduly.’

Though implementing an ERM system can take time, the rewards for those companies that fully embrace the idea could be great. As Robertshaw says: ‘Companies are good at the traditional qualitative assessments of risk and mitigation information: where they fall short is by not doing a quantitative assessment on at least their top risks and the associated return on investment on the mitigation strategies.’

He goes on to say that this type of approach can be incredibly beneficial in decision support and can improve business performance, either top line or bottom line, by decreasing insurance premiums, reducing losses, improving business continuity and crisis responses and delivering projects and products on time, to budget and to technical specification.

And these are as good reasons as any to seriously look into implementing an enterprise risk management package.