What is the best ERM tool for a regulated public company?

We've got a question from a leading USA water utility company to discuss what the best ERM tool choices are in the market.
In terms of requirements, they are looking for a good tool to track risks, action plans, follow-up/updates and a dashboard/reporting tool.
Selection criteria: cost, functionality and good customer reviews.
Should anyone have expertise in the field, please go ahead and reply in the comments.


Replies to This Discussion

Hi Boris,

Can I respectfully suggest our product CalQRisk as we fulfil the requirements (and more) as stated: You can assess risks, take snapshots of current status, record Control Verification, create and manage Tasks (using Action Manager) and see status of Risks, Tasks, Compliance and more in the Dashboard. Check out www.calqrisk.com and contact me if you think this fits the bill.

Gerry Joyce

I agree with Kurt, there are no short-cuts. ERM means Enterprise-wide Risk Management. You have got to do the deep dive and try to know more of the things you don't know :-) I'm happy to say that CalQRisk takes this approach. We include an extensive knowledgebase that dives deep and asks many searching questions. If the board wants to know (and it should) it can drill down from the top (Dashboard). The biggest problem I see is that Boards do not understand their role. Theirs is an oversight role; they need to ensure that the risk is being managed. Many don't know the best way to do this, and they have limited time to devote to this task, so they rely on consolidated reports. But they should be able to access the detail when required.

Essentially, my job is risk analysis and risk assessment for chemical plants (risk analysis and assessment for hazardous substance releases to the environment). This work is just one part of the risk analysis activities involved in an ERM. One scenario, a release of a hazardous substance to the environment, had a major effect with a high financial loss; that was the trigger event that led the company to review and define a possible implementation of an ERM in the future. We have little experience in ERM, so we have decided, as a first approach or initial test process for ERM, to apply the CAS framework. It is basic and helpful for learning the dynamics of how an ERM works. The next step planned, building on the experience with CAS, is to review other ERM frameworks through a comparative table. We expect the company will then have the experience and criteria to define the ERM framework required by its operations.

Basically, it is better to follow a specific ERM approach such as ISO 31000:2009, the COSO ERM framework or others, which will serve as a checklist to consider all important processes.
Second, regarding detailed processes: if we are talking about ERM we need to recognize that it should be tailored and is not a copy-paste application, because what suits one organization could hardly suit others, as my friends mentioned above. There are differences in goals, enablers, weaknesses, strengths, business model, business culture... Thus an experienced risk manager or consultant could facilitate a requested business risk analysis to articulate the best available solution for managing risk. This includes embedding risk management in the organisation's management framework, risk policy, assessment techniques, communication and consultation tools, monitoring and review within their business processes and, finally, building the necessary risk culture which can support the tailored RM in helping organisations achieve their objectives.
Raida Mashal
Jordan Risk Expert
Jrmc CEO

A comment below by Kurt Kendis was deleted by mistake:

------------
Boris..... Sorry to put a gloomy side to your question, but the events of the last decade more or less lead to the conclusion that reliance on high-level consolidated and compressed 'tools' is a risk in and of itself. In a recent advisory session I found myself actually chastising my clients (Board members) for thinking that they could fulfill their obligation using short cuts. We still offer them dashboards, but they have to follow up. To me it appears that deep dives and extensive questioning and study are the toolkit of good ERM -- and then we are still open to black swans.

Hi Boris,

I think a good ERM tool nowadays should support the collaborative approach, meaning involving all stakeholders in the RM process. Traditional risk management methods, based on risk registers, models and calculations, have proven not to be effective. Unfortunately, all risk tools nowadays are based on risk registers. Effective risk management can only be achieved by raising the risk awareness of the whole organization, making it understandable and making it stick from board level to operational level.

To achieve this, a simple and practical RM tool can help a great deal. Please take a look at RISKID, the collaborative risk management tool, which can help your organization drive engagement and buy-in for RM: http://products.riskid.co.uk. A white paper with a business case on how RISKID has worked for a regulated public company can be downloaded from the website as well.

Thanks!

Calvin Lee

As an independent consultant, I could do a first piece of work defining a baseline to review, using a comparative table of features and issues, which ERM model can be adequate for the company, considering aspects such as organizational culture, the characteristics of the operations, type of customers, market and industry of the organization, and then define where the major financial risks are allocated and what combination of risks has a high impact on the reputation of the company. It may also establish a baseline or analysis process to define which ERM can be more helpful in identifying risks that can be converted into business opportunities.

There are many variables to consider when making a choice. Is the company primarily concerned with US regulations or others? What is the framework (if it has been determined) that is the 'model' of choice (ISO 27000, COBIT, ITIL, other)?

There are firms that have HazOp and NERC in their library of standards which would be a good basis from which to start an ERM program.

I have worked on MetricStream and Archer.  I have seen the others more than once.  All solutions require significant effort and ongoing care and feeding.  None of these are 'set it and forget it' no matter what sales people say.

In any case, you do have to start with your core: Policies, Control Standards, Organizational Structure, and CMDB components (devices, applications, etc.). These alone take some time. Once these pieces are performing, then I suggest approaching Vulnerability and Risk. If you have no Controls or Structure, then there is no way to know your current, comprehensive posture.

I like Archer for its ability to integrate across the organization. If the firm can agree to use the applicable out-of-the-box Policy and Standards, this can go quickly. If it is necessary to map existing content and revalidate, it is much slower. However, it is possible to see where you are meeting regulatory and industry best practices thanks to the out-of-the-box content. With experience, it is possible to develop a strategic road map using the tool. Assessments can be quickly assembled using the Question Library, which includes questions against most major concerns (SIG, PCI, etc.).

With any tool, there is a significant learning curve so patience is a virtue.

Good Luck,

Laura

© 2017   Created by Boris Agranovich.