We've got a question from a leading USA water utility company to discuss what are the best ERM tool choices out there in the market.
In terms of requirements they are looking for a good tool to track risks, action plans, follow-up/updates & a dashboard/reporting tool.
Selection criteria -  cost, functionality & good customer reviews...
Should anyone have an expertise in the field, please go ahead and reply in the comments

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community

Votes: 0
Email me when people reply –

Replies

  • There are many variables to consider when making a choice.  Is the company primarily concerned with US regulations or others?  What is the framework (if it has been determined) that is the 'model' of choice (ISO27000, CoBIT, ITIL, other)?

    There are firms that have HazOp and NERC in their library of standards which would be a good basis from which to start an ERM program.

    I have worked on MetricStream and Archer.  I have seen the others more than once.  All solutions require significant effort and ongoing care and feeding.  None of these are 'set it and forget it' no matter what sales people say.

    In any case, you do have to start with your core - Policies, Control Standards, Organizational Structure, and CMDB components (devices, applications, etc).  These alone take some time.  Once these pieces are performing, then I suggest approaching Vulnerability and Risk.  If you have no Controls or Structure, then there is no way to know your current, comprehensive posture.

    I like Archer for its ability to integrate across the organization.  If the firm can agree to use the out of the box applicable Policy and Standards, this can go quickly.  If it is necessary to map existing content and revalidate, it is much slower.  However, it is possible to see where you are meeting regulatory and industry best practices due to the out of the box content.  It is possible to develop a strategic road map using the tool with experience.  Assessments can be quickly assembled using the Question Library which includes questions against most major concerns. (SIG, PCI, etc.)

    With any tool, there is a significant learning curve so patience is a virtue.

    Good Luck,

    Laura

  • As an independent consultant, I could do a first work of definining a baseline to review - using a comparative table of features and issues, which ERM model can be adequate for the company considering aspects such as cultural organization, the characteristics of the operations, type of customers, market, industry of the organization and then define where are allocated the mayor financial risks and what combination of risks have high impact in the reputation of the company. It may also establish a baseline or analysis process to define which ERM can be more helpful to identify risks that can be converted in business opportunities.     

  • As an independent consultant, I could do a first work of definining a baseline to review - using a comparative table of features and issues, which ERM model can be adequate for the company considering aspects such as cultural organization, the characteristics of the operations, type of customers, market, industry of the organization and then define where are allocated the mayor financial risks and what combination of risks have high impact in the reputation of the company. It may also establish a baseline or analysis process to define which ERM can be more helpful to identify risks that can be converted in business opportunities.     

  • Hi Boris,

    I think a good ERM tool nowadays should support the collaborative approach, meaning involving all stakeholders into the RM process. Traditional risk management methods, based on risk registers, - models and - calculations, have proven not to be effective. Unfortunately, all risk tools nowadays are based on risk registers. Effective risk management can only be achieved by raising the risk awareness of the whole organization, making it understandable and stick from board level to operational level.

    To achieve this a simple and practical RM tool can help a big deal. Please take a look at RISKID, the collaborative risk management tool, that can help your organization drive engagement and buy-in for RM: http://products.riskid.co.uk. A white paper with a business case on how RISKID have worked for a regulated public company can be downloaded from the website as well.

    Thanks!

    Calvin Lee

     

  • A comment below by Kurt Kendis was deleted by mistake:

    ------------
    Boris.....Sorry to put a gloomy side to your question, but the events of the last decade more or less lead to the conclusion that the reliance on high level consolidated and compressed 'tools' is a risk in an of itself.  In a recent advisory session I found myself actually chastising my clients (Board members) for thinking that they could fulfill their obligation using short cuts.  We still offer them dashboards, but they have to follow up.To me it appears that deep dives and extensive questioning and study are the toolkit of good ERM -- and then we are still open to black swans.

    Free URL Redirection Services and more at The WebAlias Network
    The only free URL redirection and web forwarding service that offers free domain names, free advertising, free up-to-the-second usage statistics, and…
  • Basically its better to follow a specific ERM apprach as ISO31000:2009 or COSO ERM framework or others that will be as check list to consider all important processes
    Second for details processes if we are talking about ERM we need to recognize that it should be tailored and it's not not a copy past application because what suit one organization hardly could suit others as my friends mentioned above . differences in goals, enablers , weaknesses, strengths , business model, business cultur ... thus basically an experienced risk manager or consultat could facilitate a requested business risk analysis to articulate the best available solution in managing risk that includes embeding risk management in the organisation management framework, risk policy, assesments techniqes, communications andconsultaions tools, monitoring and review within their business processes and finally bulding the necessary risk culture which can support the tailored RM to be able in helping organisations acheived their objectives
    Raida Mashal
    Jordan Risk Expert
    Jrmc CEO
  • Essentially, my job is risk analysis & risk assessment for chemical plants (risk analysis & assessment for hazardous substances releases to the environment). This work is just a part of the activities / task of risk analysis involving in an ERM. One scenario of release of a hazardous substance to the environment had an major effect  with high financial loss that was the trigger event the company had to review and define a possible implementation of an ERM in the future. We have little experience in ERM, so we have decided, as a first approach or a initial test process to ERM, applying CAS Framework.  It is basic and result helpful to know the dynamic of how an ERM works.  The next step planned with the experience of CAS, it reviews other ERM framework  through a comparative tabl. . We expect the company have the experience and criteria to  define the ERM framework required by its operations.

  • I agree with Kurt, there are no short-cuts. ERM means Enterprise-wide Risk Management. You got to do the deep dive and try to know more of the things you don't know:-) I'm happy to say that CalQRisk take this approach. We include an extensive knowledgebase that dives deep and asks many searching questions. If the board want to know (and they should) they can drill-down from the top (Dashboard). The biggest problem I see is that Boards do not understand their role. Theirs is an oversight role, they need to ensure that the risk is being managed.  Many don't know the best way to do this, they have limited time to devote to this task, so they rely on consolidated reports. But they should be able to access the detail when required.

  • Hi Boris,

    Can I respectfully suggest our product CalQRisk as we fulfil the requirements (and more) as stated: You can assess risks, take snapshots of current status, record Control Verification, create and manage Tasks (using Action Manager) and see status of Risks, Tasks, Compliance and more in the Dashboard. Check out www.calqrisk.com and contact me if you think this fits the bill.

    Gerry Joyce

This reply was deleted.

Introducing the Global Risk Series - Book 1 Risk Management How Tos

Dear GlobalRisk Community member, Our community’s mission is to foster business, networking and educational explorations among members. Learn from some of the top experts in the industry as they clearly explain how to approach the most important Risk management concepts. Check out their expert tips and use the link at the end of each article to navigate back to the website to leave your comment or ask a question.   Some of the topics include: How do you Explain Risk Appetite?  How to Prepare a…

Read more…
16 Replies · Reply by GlobalRiskCommunity Mar 21
Views: 1132

[Free COVID-19 Framework] What's the path to recovery look like?

We created a free presentation (attached), which discusses both global and organizational impacts of the COVID-19 pandemic, along with critical actions organizations should take immediately. This presentation introduces a framework that helps regions and organizations navigate a path to recovery via 9 potential scenarios. These scenarios capture outcomes related to GDP impact, public health response, and economic policies. The presentation also breaks down 6 immediate and critical actions…

Read more…
4 Replies · Reply by Steve Diaz Jul 8, 2023
Views: 244

If risk management is about decision making, are current risk management solutions irrelevant?

Now that the updated COSO and ISO risk management standards emphasize a connection to enterprise objectives and decision making, does this mean ERM and GRC solutions focused on risk registers and regulatory compliance are missing the true value of risk management?Will current risk management solutions evolve to integrate more decision support functionality or will standalone prescriptive analytics and other technology solutions take a more prominent role in enabling risk-informed…

Read more…
3 Replies
Views: 175

A question related to classification of instruments between trading and banking book.

We have an interesting question from one of our members.       "We usually perform OTC FX transactions with clients backed-to-back on the market (with Banks). Now we are going to perform a FX swap (i.e. Spot + forward) JPY/EUR for the Bank account for 1 week at the longest. The purpose is to get EUR place @ CB for LCR compliance purpose (no trading purposes). Bank's Management think that this should be considered as a trading position and therefore be classified within the Bank's trading book.…

Read more…
5 Replies · Reply by Prisha Singh Dec 26, 2023
Views: 381

Plunging oil prices: curse or blessing in disguise?

The recent sudden crash of oil prices has had a major impact on the world economy, leading to many troubled faces in the international arena. The Russians fear the effects of yet another powerful hit on their economy, Venezuela seems to be considering default and the Americans are weary of the consequences for its young and emerging shale oil industry. And then you have the Middle East, where the smallest match is enough to ignite the largest fire. But are these worries really justified or…

Read more…
1 Reply
Views: 113

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!

lead