What to Look for in an Enterprise Risk Management Information Systems

By Larry Warner, CPCU, President, Warner Risk Group And Kristina Narvaez, President & CEO, ERM Strategies, Warner Risk Group

Larry Warner, CPCU, President, Warner Risk Group

Enterprise Risk Management (ERM) has received a lot of attention in recent years due to the Financial Crisis in 2008 and new legislation that followed the Financial Crisis requiring large financial institutions to have a Chief Risk Officer, board level risk committee and to establish an ERM program. Risk and Insurance Management Society defines ERM as “a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.”

"While collecting risk information is important to an ERM program, understanding how critical risks can impact the business landscape is even more important"

The basic of selecting an ERM information solution for financial institutions varies little from the expectations of manufacturers or service  providers. Purchasing an IT solution,too early in the development of an ERM process, represents one of the biggest mistakes a company can make. This can result in the IT solution driving the development of the methodology of the ERM program, thereby reducing the probability of the successful development of an ERM program.

Even though ERM programs will continue to evolve and improve over time, most companies have a fairly well defined program after three or four years. By allowing adequate time for the program to develop, ERM practitioners gain an opportunity to select an IT solution which will meet their ERM program’s unique characteristic and structure.

IT Support During Initial ERM Program Development

During the development phase of an ERM  program,the ERM team may or may not have insights to how they will use data for
analytics or the type of reports they will need to create in the future. Although a final IT solution may not be selected for
several years, ERM practitioners will need to work closely with their IT department from the program’s initial creation.

While the ERM team develops the templates, processes, workshops, etc. IT departments can provide significant support in streamlining the collection and analysis of early data. They can also provide support in the formatting and structure of templates, which will increase the probability that output from a program’s early development can be used once an IT solution is chosen.

Most organization begins the ERM process by collecting risk information from ERM surveys and/or workshops using an Excel spreadsheet. While an Excel spreadsheet can create a risk register that helps an organization identify their critical risks, assess the likelihood and probability of those risks occurring, name a risk owner, and assign risk treatments to address individual or groups of risks, it doesn’t show the ERM practitioner on how to aggregate those risks and see the risk correlations of the critical risks in the organization.

Risk Aggregation and Risk Correlation

While collecting risk information  is important to an ERM program,understanding how critical risks can impact the business landscape is even more important. Risk

Kristina Narvaez, President & CEO, ERM Strategies, Warner Risk Group

aggregation is the process of gathering various types of risk information across the organization and assimilating the critical risk information into a concise report for decision makers. Risk aggregation is only effective if risk information can be accumulated from various business and operational units and then prioritized based on their impact to the organization’s operational and strategic goals.

Because of that, it becomes necessary to design a robust general process enabling the aggregation of risks while allowing for the fact that the outcome for any one risk might depend on other types of risks in the organization. This is termed risk correlation and describes the interrelationship of risks in the organization. Ideally, organizations should develop and maintain strong risk– data aggregation capabilities that take into account correlations within their risk portfolios to ensure risk reports reflect risks in a reliable way.

Effective Risk Reporting

Accurate, complete and timely risk information is, after all, a foundation for effective risk management. But risk information alone does not guarantee that the board and senior management team will get the timely and accurate information they need to make effective decisions. The IT team should be able to share with the ERM team both the type of data already being collected in the organization and the types of reports being shared with the senior management team.

Unlike typical financial reporting, which is backward looking, ERM reporting should look towards the future. Not only should risk reports provide information in the context of limits and risk appetite/tolerance and propose recommendations for action
where appropriate, they should include the current status of measures agreed by the board or senior management to reduce
risk or deal with a specific risk situation.

How to Conduct Vendor Selection

There are various Governance Risk and Compliance (GRC) and Enterprise Risk Management software vendors and each has their strengths and weaknesses. Keep in mind that before you meet with one of these software vendors, it would be wise to prepare a clear understanding of the expectations by the board and senior management before starting to look at available technology. The CRO and the CIO should align behind the importance of identifying software, which allows the process to drive the technological solution and not vice versa.

When interviewing a software vendor, here is a list of things to ask about their system:

Are they focused on GRC or ERM?

The software you select should align with the type of program the ERM team develops.

Does their system have the capabilities to support your company’s unique program?

These items include some or all of the following: a risk register, risk maps, governance rules (ethics and internal procedures), risk dashboards, compliance activities, Key Performance Indicators, Key Risk Indicators, automated internal
performance incentive management reports, and a portfolio view of risks. The ad hoc reporting capabilities of the software should allow for the unique types of reporting that allows for the proper presentation of your ERM program’s output.

• The ideal ERM technology solution would also contain the following features: web–enabled “single source of truth,” view of risks at multiple levels, automated risk input, auto reporting and calculations across collected data, the ability to set and calculate risk tolerance levels or triggers, project management capabilities, import/ export capabilities in order to  expedite the sharing of risk information and actions, end–to–end tracking of risks as they are identified through their eventual resolution, common and consistent approach, traceability of accountability and ownership of risk actions.

While no system will meet all of these objectives, selecting the one that meets the most allows for some flexibility for change in the future, and ad hoc reporting will increase the likelihood of a successful long term solution.

The decision to acquire an ERM technology tool should incorporate the cost/benefit analysis of the tool. Direct and indirect costs for the tool may range extensively, but without a clear ROI, it may be unwise to proceed with an acquisition of an ERM solution.