A Simple Guide to Choosing the Right Risk Management Software

Operating a business comes with risks, and dealing with them effectively can make the difference between success and failure. In recent years, and even more so because of the current impacts of COVID-19, interest in risk management strategies has greatly increased. Businesses that had already incorporated risk management procedures into their operations have seen huge benefits, such as the ability to make smarter and faster decisions and complete oversight through tracking and monitoring of risk treatments.

There are many steps involved in effectively managing risk, including risk identification and assessment, risk analysis, response planning, business continuity planning, recovery planning, and so on.

A good risk management software solution can help you streamline the risk management process, better analyse performance, and take action faster. This blog will discuss must-have features in risk management software and help you choose the right one for your organisation.

Benefits of Risk Management Software

Today’s risk management software products are designed to dynamically deliver information and analysis to all those with a role or responsibility in risk management. They incorporate features that ensure risk data is being communicated effectively in the organisation and include a number of reporting options. Some of the benefits of risk management software include:

  1. Anticipating Risks

An important function of risk management software is to identify and assess both current and emerging risks. It enables organisations to identify and track new or likely risks and to respond to them in a timely and appropriate way, which can minimise a range of financial and non-financial impacts on the organisation.

  2. Realistic Expectations

Effective risk management, supported by software, provides senior managers with the data and analysis tools to set realistic expectations of success and failure. This allows them to create achievable goals, realistic timelines, and appropriate resourcing.

Compaq was the world’s largest supplier of personal computers in the 1990s, at its peak having a market value of US$18bn and a share price of US$51. By 2002, it had $2bn in debt and its share price had dropped to US$12. Reasons for its demise included overexpansion into software and services in an attempt to dominate every aspect of the computer industry.

  3. Aid Strategic Decision Making

With the right risk management software, organisations are able to support informed strategic and operational decision making to minimise threats and maximise opportunities. This facilitates growth and controls costs and losses.

Slow and wrong decisions have led many businesses to collapse throughout time, including the world’s biggest film company Kodak, which filed for bankruptcy in 2012. Despite spending billions on digital photography, Kodak did not go on to produce digital cameras for the mass market. This was largely due to the fear of damaging its film business. This was despite having market assessments of the risks and opportunities of this disruptive technology. Kodak failed to make the right strategic decisions to grow the company.

  4. Transparency and Accountability

Risk management software enables all those with risk management roles and responsibilities to easily see at any time what the risks are at any level of the organisation, what their status is, and what treatment options are being pursued and by whom. System-generated reminders for risk and control reviews and treatment action progress reports assist in making sure that those with direct responsibilities are accountable.

Access to risk software at any time from any location, together with both electronic dashboard and hardcopy reporting, ensures timeliness and transparency.

The Australian Financial Services Royal Commission in 2018 found that in the case of the Commonwealth Bank of Australia (CBA) risks were neither clearly understood nor owned and the frameworks for managing them were cumbersome and incomplete. Further, there were unclear accountabilities, starting with a lack of ownership of key risks at the Executive Committee level and weaknesses in how issues, incidents, and risks were identified and escalated through the institution, as well as a lack of urgency in their subsequent management and resolution.

How Does Risk Management Software Work?

It is essential that risk management software aligns with ISO Risk Management Standards yet is configurable to cater for the differences between organisations’ risk frameworks. No two organisations have exactly the same settings for their risk management approach, so flexibility without compromising integrity is key. Below is an illustration of how risk management software works:

Effective risk management software covers all aspects of risk management including:

  • Risk Identification: Allows risks and their causes and consequences to be entered as risk records and linked to the appropriate area/level of the organisation.
  • Risk Assessment: Risks can be assessed in their inherent and residual states.
  • Control Identification and Assessment: Current risk controls can be entered, responsibilities assigned and effectiveness rated.
  • Key Risk Indicator Management: Risk metrics can be entered, linked, monitored and reported on.
  • Treatment Action Management: Actions to further treat a risk can be set up with a responsible officer, start and end dates, organisational links and links to existing controls where appropriate.
  • Risk Reviews: Risks can be scheduled for periodic review by risk owners and line management and where required the frequency can be determined by the residual rating.
  • Communication and Reporting: Provides a range of risk communication and reporting options from system generated notifications to digital dashboards, interactive heat maps and hardcopy report formats.

What are the Advantages?

The use of risk management software fundamentally speeds up the risk management process while improving its consistency and outputs. It helps ensure that the organisation’s risk framework and the work of risk managers are well supported in terms of data access and reliability.

The use of risk management software is beneficial due to the following:

  • Easy web browser access to visual dashboards showing risk profile by risk categories as well as by organisation and planning structures
  • Opportunity to visually show residual risk ratings against the organisation’s risk appetite which assists in choosing the most appropriate risk treatment option
  • Ability to show relationships between risks and to link key risk indicators (KRIs or KPIs) to respective risks
  • Automating risk and control review notifications as well as reminders on updating risk treatment action progress to those responsible
  • Flexible reporting options either on-screen or in software generated reports
  • 24/7 access for review, updating and reporting for those with risk management roles and responsibilities

Challenges When Implementing Risk Management Software

Every new software solution when introduced to an organisation brings challenges. Listed below are some of the well-known challenges when introducing risk management software.

  1. Dispersed and disparate approaches: Some organisations have different versions of risk management in various areas of the organisation. Bringing them into a common software solution and standardising the approach, where appropriate, can be time consuming and challenging. On the plus side, organisations in this situation see the introduction of the software as an opportunity to address this problem.
  2. Lack of clarity on roles and responsibilities: Good risk management software links up key risk management roles and responsibilities: whether you are on the Board, a member of a risk and audit committee, responsible for a Directorate’s risks or an individual owner of a risk, a control or a risk treatment action, risks are allocated accordingly. It also provides the opportunity to introduce signoffs and review comments. This sometimes exposes a lack of clarity on the specifics of risk management roles and responsibilities, even though they may be referenced in broad terms in the organisation’s risk management strategy.
  3. Issues in risk registers: It is quite common to find a number of issues with risk registers in an organisation, such as lack of consistency in defining risks, variations in risk and control ratings, missing data, risks that are no longer relevant, risks that are inherently insignificant and so on. The introduction of new risk management software can be seen as an opportunity to clean up the risk registers in advance of migrating them into the software or running a series of workshops within the organisation to equip responsible managers and key staff with the knowledge to update their risks after they have been entered in the new system. Either way, it is about ensuring that the new tool contains a high standard of risk identification and assessment on which to report and support better decision making.
  4. Transitioning from spreadsheets and other systems: Staff who have had a long history with spreadsheet risk management or earlier generations of risk management software can find it challenging to leave them behind and embrace a new software solution. Successfully transitioning them requires good communication from the outset on why the new system is being introduced and what its benefits are, not only to the organisation but also to them in their area of activity. Providing adequate training and support in understanding and working with the software is vital.
  5. Upskilling staff and stakeholders: A stakeholder communication and training needs analysis at an early stage of the implementation is highly recommended. Who needs to know what and when, and what level of support is required across what timeframe, are key questions. Risk system administrators and risk champions will require a higher level of product functional/technical knowledge, while risk owners will need good coverage of the risk process workflow in the software. Control and risk treatment action owners will need more targeted training around reviewing and updating. Board and Executive members typically benefit most from an overview understanding of the system with a particular focus on reporting, dashboards and analysis.
  6. Higher level of transparency and accountability: Because current generation risk management software enables timely tracking of risk and control reviews, implementation progress of risk treatment actions (on track/off track) and more effective linking and reporting of risks against the organisational and planning structures, it necessarily results in higher levels of transparency and accountability. This can be challenging for some staff who may have previously been used to occasional or no reporting on risk management in their areas. System-generated notifications for risk and control reviews and risk treatment progress reports to responsible officers can take a little adjusting to. It can also be challenging at a Board and Executive level to be viewing, sometimes for the first time, individual risk residual ratings against the organisation’s prescribed risk appetite, in particular when there are a number of risks that may exceed it. The key to addressing the fears and concerns ties back to clarity around roles and responsibilities, providing the required training and support, as well as making it clear from the top that this is about opening up risk management to all levels of the organisation with better and more timely information. And yes, there is an accountability that comes with any truly successful risk management strategy, irrespective of the software.

Steps When Selecting a Risk Management Software Solution

There are a number of factors to consider when making an informed decision when purchasing a risk management software solution. Whilst cost is always an important consideration, it should not always be the single deciding factor. Many organisations can often recall previous purchases of cheaper software solutions that ended in failure or with on-going performance issues and in some cases costly fixes.

The following 7-step process provides a checklist guide to assist in making an informed software purchase decision.

STEP 1 – Outlining WHY Your Company Needs Risk Management Software

Like any other software, your risk management software must meet your business objectives and provide value for money. For instance, you may need risk management software because spreadsheets become too difficult to manage across the organisation and reporting is a costly manual process.

Some key questions that can assist are:

  • What are the weaknesses and opportunities for improvement in your current risk management process? Where higher levels of quantification and accuracy are required, tools such as advanced process mapping and lean six sigma are beneficial.
  • Which of these improvements could risk management software deliver on?
  • What are your overall business objectives for adopting risk management software?
  • What is the cost-benefit of adopting risk management software?

Where the time and cost of undertaking a full cost benefit analysis is prohibitive or unwarranted, an estimate of potential cost savings for a resource intensive part(s) of the risk management process e.g. multi-level reporting, could be made and non-financial as well as non-financially quantified benefits listed. This information can be added to a business case for software acquisition where the organisation requires it.

STEP 2 – Determining WHO Will Be Involved in the Selection Process

Successful risk management requires effective collaboration between users from different departments and different levels of the organisation structure.

A useful starting point in determining which groups to consult with on their current experience and needs that risk management software might meet would be the roles and responsibilities section of the organisation’s risk management strategy. It is worth remembering, however, that if the risk management strategy was developed without software in place, it is likely to have omitted the role of IT.

The involvement of these stakeholders may be in two phases:

  • Consultation on their current experience with the risk management process, identification of needs that risk management software could meet and challenges in implementation. This will help to shape the specification of the software and services required.
  • Involvement of a limited number of key stakeholders in the selection process, e.g. Executive sponsor, risk manager, IT representative/business analyst, business unit/end user representative.

STEP 3 – Determining WHAT is Needed in Risk Management Software and Services

Based on the findings from Steps 1 and 2, a list of all the required features, functionality and priority implementation deliverables can be compiled. The consolidated list can then be reviewed and prioritised to determine the “must haves” from “nice to haves”. Below is an example of the type of checklist you might compile (this is far from exhaustive but should give you an idea):

Check List Template

STEP 4 – Determining WHAT is Needed in a Risk Management Software Vendor

This step is often overlooked; however, a risk management software vendor is the go-to person for whatever incidents may happen while you use the system. Therefore, having a list of criteria for the software vendor is as important as having a list of required features for the software itself. Below is a list of traits that you should look for in a software vendor (yes, we try to be critical of ourselves):

STEP 5 – Compiling and Shortlisting a List of Potential Vendors and Solutions

Once you know what software features and potential vendors you are looking for, it is time for you to search and compare potential solutions against the checklists.

Here are some potential sources to start the comparison process:

  • Industry analysts such as Forrester and Gartner
  • Credible software comparison sites such as Capterra, G2 Crowd, and Software Advice
  • Partner organisations and professional peers
  • Google Search

We recommend that you maintain a healthy scepticism of web-based search review results from sites other than industry-recognised ones.

STEP 6 – Previewing Shortlisted Software

Before progressing to Step 7, it is worthwhile previewing the shortlisted risk management software to ensure that it does align with the must-have checklist items from Step 3 and the expectations you have from research in Step 5.

STEP 7 – Contracting / Agreement

Once your choice is made, it is crucial that you address everything you need in the contract, including the licence, support, and implementation costs. If possible, it is essential to involve your legal and financial departments in this phase to avoid any future regrets.

If you would like to learn more about the Camms risk management software solution and understand how it can strengthen your risk management programme, request a demo.

Jonathan Lindhe

Head of Solutions
