Tom Teixeira discusses the reality of implementing an enterprise risk management software system

Before going down the technology route, it is important to remember the aims of an integrated risk management approach. In any business, risk management is an opportunity for improvement. An integrated approach to risk management will ensure the capture of all types of risk in the business, as well as implementation of cost-effective mitigation strategies and controls to exploit opportunity. Risk management is not just the capture and reporting of data, but encompasses the whole decision support process.

In turn, this ensures the realisation of tangible business benefits against corporate objectives.

The ability to hold risk information as knowledge for future use, and to provide greater levels of access to it, within the right security model, is a key requirement of every enterprise risk management system (ERM).

Technology provides a means for process consistency across all business areas, allowing the capture and presentation of information in a format that will support decision making. Risk processes must be well communicated and audited, data must be clean, and risk approval work flow is strongly recommended for continual improvement.

Over the past few years, risk management software providers have been implementing solutions to support an enterprise wide approach. These implementations have not been easy or straightforward, and the lessons learnt are leading to the formulation of procedures for best practice.

Ingredients for success

Experience has shown that approaches to risk management fall into two camps: 'compliance driven' and 'performance driven'.

Compliance-driven organisations tend to be those that are interested in undertaking the minimum to satisfy regulatory requirements. Their belief in the benefits of the risk management process is minimal.

On the other hand, performance-driven organisations fundamentally believe that effective risk management will reduce their operating costs, increase their margins and ultimately assist in achieving the main requirements of their business plan. All levels of management have achieved buy in to the process.

It is not surprising that audits on recent software implementations have indicated a greater level of success across performance-driven organisations.

This enthusiasm for, and embracing of, an ERM framework are the first, fundamental, ingredients.

The second key attribute is the level of risk management maturity. A software system must support the current level of risk maturity and have the flexibility to adapt and grow with business requirements. It is therefore essential to understand the level of risk maturity in an organisation during the initial phase of a software system implementation.

Project implementation plans must be configured to take into account the level of maturity and the robustness and workability of the risk management plan. The lack of an effective plan should be seen as a direct threat to a successful implementation.

It is important to note that risk management software is not only of benefit to companies with established risk management processes. Some of the most successful ERM implementations have been in organisations that introduced risk management processes and technology simultaneously.

However the implementations were always supported by an excellent plan and documented, measurable objectives.

A finger in the wind

A common, and largely misguided, theory is that risk management is purely subjective. Today's functionality rich software has replaced the 'finger in the wind' assessments of yesterday with business unit specific, scoring templates, based on shared inherent knowledge and company experience.

However, some organisations argue that a knowledge base of known or historic risks, while important, is not as useful as sharing knowledge about what may constitute a medium probability risk with a high reputational impact.

Risk scoring knowledge is as important as historic risk sharing.

Configuring the risk structure within software to represent the way an organisation operates is fundamental to successful integrated risk management.

The aim of the risk structure is to provide a clear understanding of risk exposure across different tiers of the organisation - operations, assets and projects. To achieve successful risk profiling, the structure must be correctly calibrated. This means establishing the right context at different levels of the organisation and implementing rules based on the risk appetite of different levels of management. These lead to the establishment of scoring templates, used to score and prioritise the risks.

Unfortunately, although the creation of risk structures has been reasonably successful, organisations have failed to correctly calibrate them. A recent example was a failure to set the right risk structure at the lower levels of an organisation, meaning that junior management were assessing risks in line with corporate thresholds, not against their own local budgetary and schedule constraints. This led to incorrect and confused risk assessments, resulting in a threefold increase in the risk.

Can software administer an effective process?

No matter how well designed a software system is, it will always be susceptible to the 'garbage in, garbage out' factor. Reported risk profiles that are not realistic or do not make sense quickly lead to the risk management process and its supporting IT system being discredited. Process is fundamental in terms of risk capture and planning.

Organisations still have a tendency to undertake a bottom-up approach, leading to the capture of detailed technical risks, as opposed to higher-level business items. Risk registers presented to senior management often fail to capture fundamental business information, for example that a lack of contracts will result in redundancies. The approach to risk profiling must be top-down as well as bottom-up to cover all potential risks.

One of the biggest obstacles faced by organisations during roll-out is the lack of a consistent business process across business units or programmes.

Some organisations have given up trying to implement an enterprise process because of the amount of effort involved. Instead, they have focused on getting individual business units to undertake effective risk management using their own frameworks. Although this approach has positive short-term effects, in the long-term, major consistency problems will arise when attempting to report an aggregate view of the risk exposure to executive level.

This is a key advantage of web-based ERM systems. Their ability to capture company-wide data and roll up to business unit and board level for effective decision making on the key risks is immensely time saving. The board do not want to be presented with 2,000 low-level risks, so effective use of scoring templates and re-scoring at business levels is paramount in the risk sifting process. The key question is how to get to this position of enterprise-wide inclusion?

Experience has shown that any software roll out must be tightly controlled.

Roll out across the enterprise must be undertaken in stages, due to the effort involved in ensuring that the process is consistent and correct, and that the software system is supporting the process. The most successful model has been to pick a high profile project or business unit and undertake a tightly controlled implementation with regular audits. It is then possible to demonstrate the business benefit being achieved as a result of effective risk management. The fact that the rest of the organisation can now see a successful business model promotes quicker buy in. The lessons learned can be applied, and the rest of the implementation successfully undertaken across the enterprise.

Technology and political problems

Organisations are often stumped when grappling with the problem of how to communicate mitigation and control efficiency across the organisation.

Travel and time spent in endless cross-functional risk meetings have been significantly reduced through the effective use of web based risk software.

The majority of organisations are keen to have this during the initial implementation, but quickly come to realise how politically sensitive it can be, due to the automatic release of risk information to all levels of management. The process becomes transparent, and leads to a degree of nervousness. Experience has shown that barriers to roll out quickly go up.

Specific initial workshops with all the main stakeholders present should carefully decide what events should generate e-mails, the wording of the e-mails (neither too aggressive nor too moderate), and who should receive the information. Again, careful control of the roll out is required.

Man and machine in the future

There will gradually be a greater acceptance that risk management software solutions are in fact business crucial and that companies must focus effort on correct configuration and implementation across the whole enterprise to achieve maximum competitive advantage. Successful ERM software vendors will supply this, championed by risk consultancy companies and endorsed by organisations whose share prices have eroded through blatant disregard for risk management. Man's machine is a necessary component of the successful delivery of an enterprise risk management initiative.

- Tom Teixeira is head of risk management at Strategic Thought, Tel: 020 8410 4000, www.strategicthought.com

TANGIBLE BENEFITS THROUGH MAN AND MACHINE

Real benefits and return on investment (ROI) are being achieved in the performance driven-business community. There has been a steady acceptance that ERM systems are becoming more business-critical and act as a support mechanism for better business decisions. Here are some of the benefits Strategic Thought has noted from closely monitoring organisations over a period of six to 12 months.

ACCEPTANCE OF RISK EXPOSURES - With the comprehensive data sets that are being developed, risk managers have a much better understanding of the size of the exposure faced as well as the cost of various alternative mitigating strategies. Formal decisions are now being made to accept the current level of risk, since the total cost of impact will be less than the estimated cost of mitigation. These types of visibility and reporting mechanism are becoming standard features of ERM systems, with great flexibility in report generation and security-enabled views. Some vendors are taking this a step further with the inclusion of statistical modelling capabilities such as Monte Carlo. Such integrated sub tools have broken free from their project based roots and are now proving their worth in operational risk environments; not least to help justify insurance premium reductions.

- COMMITMENT OF FUNDS TO RISK MITIGATION - Where it can be clearly demonstrated that the planned reduction in the level of risk exposure is considerably greater than the cost of alternative mitigating strategies, funds are being actively committed. In some cases millions of pounds are being diverted towards the implementation of these strategies.

- ENTERPRISE EFFECT - Enterprise systems have been able to create greater visibility of risk exposure and strategies across business units, thus reducing the silo effect. Risk managers have been able to identify where individual units have taken out their own insurance to transfer risks that were, in fact common to a number of areas. By taking out a single policy to hedge all common risks, premiums have been reduced by up to 30%.

- EFFICIENCY - Through standardisation, organisations are finding that they are able to achieve more risk management in less time at a lower cost. At a management level, they require fewer resources to compile data from different formats into one set of comprehensive reports.