As you are aware there are many risk management tools and solutions that have flooded the market. Many tools are claiming themselves as the next GRC solution, even though they are just on the periphery of the GRC world. As always the marketeers are redefining the GRC world based on their own necessities. It seems different for each marketeer just like the 9 blind men figuring out the elephant in the room.
Can I please ask the respected risk management professionals:
1. Which risk management tool are you using, or are you considering using?
2. What are the frailties of these tools, or which are their strengths?
3. What would you really like to have in your risk management tool or solution?
Appreciate your comments to these and other issues regarding the risk management tool.
A look at EIRM web-based ERM courses will be a good start. It is possible to get some institutional discounts. The idea is to spread the knowledge around.
Having led on implementations of various systems, the common pitfall I have come across is the ease of use or user friendliness.
Most of the risk management system implementations fail because users can't use it. We are currently replacing a system of a large pharmaceutical company in India as they have not been able to use the already implemented system.
Yes, you are right, the original fable had 5 blind men, but now 9 seems to be the right number, as you say, and also "nine blind men" rhymes well :)
You are absolutely right, risk management should be strategically aligned with business goals and strategies (both short term and long term). Obviously this poses another challenge to the people managing the tool to keep track of the business strategies and then base the risk management using this knowledge.
This again throws up new challenges as to who are the people that will be involved in the risk management exercise. I believe the risk management exercise should not only involve top level executives (where you get strategic perspective) but also involve middle level managers who will provide the ground situation and the execution capability. This side thread would be covered in another discussion.
In order to be successful, the GRC solution needs to interact with most of the significant business systems. Of course the company can make a deliberate decision to manage significant and large risks, while keeping in mind that the ignored risks do not include "1000 small cuts that will bleed you to death".
We can summarize if we get some more ideas in the pot.
Don't wait to put your thought in the pot.
Seshadri Chari said:
You are always a delight!
I would love your thoughts more on the deficient information part of the risk management tool, as I believe the other failure sources could be corrected with quality enforcements. The information part for the risk management tool comes from the user. Deficient information is one of the facets of the risk environment (unknown cloudiness causing the risk in the first place). So how can one improve upon the deficient information, and how can one start quantifying some of the unknowns to be in a better position to provide information to the decision-making systems on CxOs' dashboards?
Have a safe journey
Subramanian Sankaranarayanan said:
Appropriately the number of blind men seems to be increasing. I thought the original fable had 5. With the types of risks increasing, the number of blind men also seem to be increasing.
Seriously, as a practicing risk manager and consultant, in my view, the GRC tools scratch the surface (since development cannot keep on happening - there is the time to market). In fact, as you have rightly said, it is the marketeer, instead of the user, who is defining and redefining the tools based on his knowledge and understanding of the market. (My little knowledge of Peter Drucker's treatise on marketing tells me one should use the term "selling" instead of "marketing" in this context.)
Personally, I believe, mature risk professionals look at risk alongside business - meaning, necessarily the tools or solutions need to be integrated with business processes for success and sustenance.
A technology vision for this purpose, that spans in my view, a period of 7 to 10 years, depending upon the objective and the rigour of risk management desired in the achievement of business objective is an imperative as a starting point for any organization that is serious about GRC as a strategic advantage. Provided it has the luxury of time.
Governance, Risk and Compliance that makes up the GRC solutions need to be tailored to individual institutions - to that extent it needs to be a project-based approach rather than a product based approach. The latter is feasible if, as I said earlier, a vision is available, that modularizes and prioritizes the requirements, enabling the organisation to buy plug-ins.
The tools should comprise risk assessment & measurement, business intelligence, data warehousing, analytics and reporting. Ideally, a Straight Through Processing (STP) approach using an ERM package that is scalable (up or down, mind you) will be tolerable. One major issue is the stand-alone nature of the related components of the GRC software framework, that need to communicate, either laterally or vertically. Transparency is another issue for the user to understand and appreciate/approve.
Besides the usual requirements in a risk management tool - designed to achieve the stated objectives in a timely and cost effective manner - the tool should provide unambiguous Early Warning Signals and a causal analysis of the situation, facilitating timely risk mitigation.
In the BFSI space, there is the concept of "System Integration" - you can see the elephant and blind men story being played out here, in reality. But there is hope. I believe industry collaboration, which I am sure will be forced on the vendors over a reasonably long period of time will happen. In the meantime, the stakeholders would have spent trillions gaining necessary experience.
One dedicated decade of effort in this area in banking has left me with, as Prof. SS says, a long pregnancy!
Oh, what a stunning but pregnant thread indeed..? You have made me 'spin' and think.. Thank you..
Frames that Risk Management tool itself is beset with 'Risks'..!!
Mind-boggling hypothesis undermining every Risk Manager's basic confidence, thereby..!!
Tool built upon hidden flaws and un-tested variables, etc. would fail,..
Tool would fail on unproved logic and defective data structure and deficient information.
Risk Tool generally succeeds once a while as 'Fluke'..!!
These are quick and immediate unstructured but pure pristine thoughts.. Please bear with me..
I'm running to the airport, sorry, I'll be back soon for more.
With love and regards
Ex Senior Central banker