The New Year of 2009 is at our doorstep, and with the global turmoil it is about time many organizations began thinking about enterprise risk management.
Today we explore the Ultimate Enterprise Risk Management (ERM) Platform. Many of you expressed deep interest in my Ultimate Compliance Platform earlier in December. This week, I am delivering the second of my ultimate platform role-plays looking at what the Enterprise Risk Officer/Manager desires in an ideal Enterprise Risk Management (ERM) platform.
Defining an ERM platform is not easy – just as defining ERM is not easy. For some unfortunate organizations, ERM is Sarbanes-Oxley on steroids: nothing more than a deeper look into internal controls with some heat maps built on top of it. In this case it truly is not an enterprise view of risk. In fact, many organizations have been deceived by the likes of the COSO ERM framework – which tends to take an auditor's view of risk and not a true risk officer/manager view of risk. Granted, the COSO ERM cube is an interesting model to get a conversation started. The document itself is hard to read, hard to apply, and takes an internal view of risk, largely neglecting the external elements of risk that a business faces in its operations outside of its organization. I myself find more promise in the adoption of ISO 31000 (currently in draft, and expanding upon the AS/NZS 4360:2004 standard).
However, many organizations are keenly interested in ERM. Some of this comes from the emphasis that credit rating agencies such as Standard & Poor’s are putting on it. Others are seeking solace in ERM to help them drive through turbulent economic times. Many others seek ERM to help manage uncertainty in a dynamic and distributed business environment that extends across complex global business relationships, where a small mishap may significantly impact business operations and performance.
The challenge organizations face in truly managing ERM is the number of risk management silos scattered across the organization, each focused on specific issues of risk. The goal of ERM is to tie all of these independent risk management programs in the organization together into a broader and transparent view of risk permeating throughout the enterprise.
The issue organizations face is that there is no single vendor that ties all of the elements of risk together into a comprehensive ERM platform. The Ultimate ERM platform, like the Ultimate Compliance Platform, is one that needs further work and integration. The best solutions come from a range of providers and not a single vendor.
WARNING – most platforms that vendors market as ERM end up being a replacement for spreadsheets and do not bring a full picture of enterprise risk. If all the platform is doing is surveying people, it is just assessing operational risk and controls. Challenge vendors – ask any vendor how they are managing ERM by providing integration into financial, treasury, and commodity risks alongside a breadth of operational and regulatory risks. Most will be stumped on this question.
If I were to build the Ultimate ERM Platform I would combine the following:
- Risk framework flexibility. The goal of ERM is to provide harmony across a range of frameworks, standards, and approaches that are currently being used across the enterprise. Different risk areas have their unique needs and standards they follow. A robust ERM platform will be able to harmonize and provide fluidity across these frameworks. To date, the best platforms I have seen that provide a harmonized approach to integrating multiple frameworks are BWise, Cura, and Texert.
- Risk intelligence. These days every vendor has a dashboard to model and report on risk. However, they fall down when it comes to direct integration with business systems and applications. Further, most of them do not integrate with corporate performance management. This goes against what risk management is about. Risk management, done properly, is all about managing risk in light of corporate performance. For every key risk indicator there should be corresponding corporate performance indicators. The best risk dashboard that provides an integrated view into corporate performance is SAP’s.
- Risk management breadth & depth. Risk management is more than just managing the downside of risk; it is about optimizing risk taking in the organization to seize hold of opportunity and return to the organization. Organizations that are stuck managing the negative and neglect the positive side of taking risk miss what ERM is about. A robust risk management platform will have sophisticated modeling capabilities that can demonstrate the positive return on risk taking and not just the downside. This requires depth in risk modeling and analytic capabilities to measure and model risk. Cura, MEGA, Strategic Thought, and Texert are vendors that I find leading in the breadth and depth of their risk management functionality.
- Risk visualization. I for one am tired of heat maps. Nearly every vendor has latched onto heat maps as if they are the only way to visualize risk. Granted, heat maps can be useful – but they are not the be-all and end-all of risk visualization. Good risk management requires multiple visualization models. A risk manager needs to be able to look at risk from different views and angles to identify intricacies, relationships, and exposure. Different pictures tell different stories. A photograph of a room tells you only one story, an x-ray tells another, and a thermal map tells another. The same is true with risk visualization – we need multiple ways to visualize risk to comprehend the full picture. The good news is that there are vendors taking some interesting directions. I particularly like the risk relationship diagramming that Neohapsis (acquired from Risk Governance) and Riskonnect are offering. I am also quite intrigued by what some organizations are beginning to do with fractal maps (such as what Fractal Edge delivers).
- Risk process management. Enterprise risk management requires the flexibility of workflow and process management. Bringing together the many factions of risk management across the enterprise demands a platform that makes it easy to model business processes and workflow, and that provides great flexibility and customization. The leading platforms offering the best risk process management capabilities are Archer Technologies, BWise, and MEGA.
- Risk integration – herding the silos of risk. Enterprise risk management is like herding cats – different parts of the organization have implemented their own risk solutions that are particularly adapted to their specific needs. A good risk management platform will provide integration with specialty platforms that are managing specific areas of risk. These might include Modulo, focused on the depth of IT risk management; the complexity of foreign exchange risk that FireApps manages; the intricacies of commodity risk management that Triple Point Technologies excels at; the complications of operational risk management that Ci3/Wolters Kluwer delivers; and the legal/compliance risk that Axentis is focusing on with their risk-driven compliance theme. Resolver is another vendor of interest, as it provides risk assessment and surveying technologies that simplify risk assessment processes. Of course, there are industry-specific solutions managing the range and depth of risk for particular industries – such as Algorithmics, SAS, and Oracle Financial Services Software.
The Ultimate ERM Platform is not a one-stop shop at a single vendor – today it requires integration of several technologies. Many of these solutions show great insight and are executing on robust visions to deliver the best ERM platform for the future while delivering significant value to their clients today.