As corporates continue to confront and implement enterprise risk management frameworks, Stuart Fagg investigates the role of technology in ERM and finds it’s no silver bullet.
While Enterprise Risk Management (ERM) or Enterprise Wide Risk Management (EWRM) remains a relatively new area, many firms across Australia are well under way with implementing new frameworks. As the practice becomes more popular and widely understood, the vendor market, both domestically and internationally, is burgeoning.
In compliance terms, technology has become a valuable tool assisting compliance professionals in embedding the practice in operational areas of the business, but the application of technology in ERM is a more opaque matter.
To understand the role of technology, it is first important to understand the concept of ERM and EWRM. The most widely accepted explanation of the practice is that it is the management of corporate-wide risks, which is supported by a cross-business framework that provides consistency in risk reporting. Ultimately, it is designed to get the board information that allows it to make decisions for the business and take that responsibility as board members.
Accepting this explanation is the first step to implementing the kind of technology that will help facilitate successful ERM. At present, some observers believe there is a disconnect in expectations that may hinder successful use of technology to enhance ERM roll out.
“Who is the technology helping? This is a key issue,” said Nick Chipman, who leads PricewaterhouseCoopers’ global risk advisory team. “If it is helping the risk management function to capture and contain information, then good. But there is a potential argument that says, ‘well that’s very useful for you down there in risk management, but what is the bigger picture – who else needs to know?’
“Software solutions can help the risk management function, but is it in a format that the business can absorb or use? Probably not, because it’s captured in a technician’s way, not in a business person’s way.
“The risk management function has probably got a way to go in converting technically sound information and data that looks to be reliable into something that the business person that has to do something about it can use,” Chipman said.
According to Lisa Segrave, responsible for the project management and global administration of the EWRM Software used at BHP Billiton, this is a key consideration given that many professionals outside the risk management space will use the technology and have a role in making the project happen.
“Involve relevant stakeholders in the process – this includes IT, the people who will be using it, relevant business managers and representatives from your audit function and even external consultants if they are used to facilitate risk management,” she said.
This also presents an opportunity to risk management advocates keen to have risk seen as a business enabler, not as a naysayer and unnecessary business expense.
Experts also warned it was imperative to develop the ERM or EWRM framework before considering what technology to implement. While anecdotal evidence suggests that many firms are some way along the route to developing their frameworks, among those looked to for best practice in terms of ERM, some are yet to implement technology to support it.
For example, Alcoa of Australia, whose risk manager, Peter Janus, took out the 2004 Vero Global and Risk Managed/RMIA Risk Manager of the Year Award at last year’s Australian Risk Management Awards for his ERM framework, is yet to implement specific ERM technology, yet has a well functioning ERM framework.
Likewise, prior to its technology roll out, BHP Billiton used more traditional tools to aid EWRM.
“Prior to the implementation of our technology solution, risk information was stored in Excel spreadsheets and various custom-built databases,” said Segrave. “The risk management process, as opposed to the risk identification process, was driven centrally by a corporate risk department. Risk management activity was reactive and involved a push process rather than a pull process.”
So while ERM and EWRM could function without technology support, there were many benefits to implementation. “I would not say it [use of technology] has changed our EWRM framework,” said Segrave. “BHP Billiton has an extensive framework of standards and guidelines that provide governance over how we identify, evaluate and manage risks across the organisation – they are the core of the EWRM process. What it has improved is our ability to focus attention in the right areas and effectively look across the organisation as a whole to understand what risks we face on an enterprise-wide level. It provides us with the assurance that risks are being managed at all levels.”
Indeed, the list of potential benefits of ERM and EWRM technology cited by those with working frameworks is long, spanning common language, centralised data, improved information management, better assurance on controls to stakeholders and the markets, better governance and the promotion of best practice.
But PwC’s Chipman added it was important not to view technology as a “silver bullet” shortcut to ERM, but as a facilitator.
“Technology is an enabler, not an architect,” he said. “Risk frameworks can be very variable. If you look at the way most companies run their business, that is really the true risk management architecture – the underlying business model, the capital structure, the value chain and all that. Clearly, the best way to have the system is to enable the business to run properly and in this case, better to have the framework first. Because of a specific risk management approach, oftentimes people will try and bolt on something. They may say we need a risk capture methodology or an internal audit plan or a risk control thing or an insurance plan to fit around the risks we’ve got.
“Those bolt-on things can support the underlying business by acting as a reminder system or a calendar system so people can access them. But that doesn’t drive better behaviour. Does that really drive better business decision-making? I don’t think so.”
However, while that may be the case in large and complex corporates, technology can be implemented at the same time as the ERM framework is being developed.
“ERM technology generally comes into play after an organisation has developed its ERM framework, defined its processes, responsibilities and strategy,” said Tony Harb, director at In-Consult, who advises on ERM implementations. “For larger organisations, this makes sense because ERM technology would then support a more complex risk management strategy and detailed processes. But small to medium organisations may decide on technology earlier on, as their risk management frameworks tend to be simpler, involve fewer people and are typically more straightforward.”
In a smaller environment, the fact that technology can do the work of many might also be a plus. “There may be some one-man bands that need some extra software support,” said Chipman. “But in the bigger corporate markets there is an argument to say that some of the lower-tech versions of software are not going to hit the spot.”
But in general terms, the cultural aspects of ERM and EWRM – the shifting of the consideration of risks from a silo mentality to a company-wide one – also make it key not to put the cart before the horse.
“ERM is about culture, ERM is not about using this tool or that tool,” said Alcoa’s Janus. “Rather, each area of application has its own agreed set of tools.”
Once the framework has been developed and the cultural levers needed to make the framework work are in place, there are still a number of pitfalls to navigate before implementing technology to support it.
First, the would-be implementer must navigate the increasingly crowded vendor market for ERM and EWRM technology. While some firms have developed ERM systems in-house, this can be a risky option given the fast-moving nature of technology. Those keen to develop in-house will need a very robust ERM framework, a large and willing IT department and deep pockets.
So for many, buying a vendor solution is the best way forward.
“There is a growing list of vendors to choose from,” said Harb. “Today, there is more software available than ever before. Whilst this is good, it can get very confusing for end-users because of the different levels of functionality, features, platforms and delivery methods.”
There is no ‘one size fits all’ solution either, so it is important to consider how your organisation is managing risk and what the desired outcomes of the ERM framework are.
“There are multiple software products available, each with generic and unique capabilities,” said BHP Billiton’s Segrave. “I have not seen one product that does it all; it may come eventually. The difficulty software vendors have with providing a ‘one fits all’ solution is that different organisations have different needs and there is not a clear idea of what the ‘all’ should be. Risk management has changed and continues to change and the drivers for the embedding of risk management are changing all the time.”
Added Chipman: “One size does not fit all requirements. The reason is that there’s an element of judgment about what should be included in disclosures. There isn’t a prescribed set of outcomes, so the element of judgment about how much you should put in or how little you should put in therefore dictates what system is best. There is no one system that can do it all, despite the claims.”
Research is also key. With the framework in place ahead of technology implementations, the vendor should be able to tailor its offering to your framework, rather than trying to make the framework fit the technology.
“When considering software, contact at least five to 10 vendors to get detailed information,” said Harb. “After the review, get down to a short-list of three potential systems. Provide these vendors with your detailed business requirements and get them working hard to show you how their system meets your requirements. During the evaluation ensure you learn more and more about the capabilities of the competing software products, asking questions and talking to their customers.”
It is also important to consider what technology the business is already utilising.
“ERM software is more focused on risk assessment,” said Chipman. “You need to decide whether capturing it separately is going to serve your business. Or is it serving the risk management function? They both have a role, but if you’re attempting to get the rest of the business to fit in with what you want, you might want to rethink. If we assume we are talking about systems that are more end to end than others, and not just risk analysis, do they help? One could argue that existing email or software enterprise resource program should be able to handle the right communications on risk.”
Finally, think about the future. “Increasingly, organisations are looking for ‘adaptive software’,” said In-Consult’s Harb. “This is basically the ability of the ERM software to adapt to the changing needs of the organisation.”