As organizations turn to Enterprise Risk Management (ERM) software to automate and enhance aspects of their ERM Programs, it’s time to take a critical look at the ERM and GRC marketplace to determine where gaps exist between the current offerings and the needs of risk managers.
Many GRC software tools on the market today offer a separate ERM module at an additional cost. If the goal of enterprise risk management is to take traditionally silo’d information and communicate it with a single framework, does it make sense to offer ERM as a part, or module, of a platform?
Risk Managers must be wary when evaluating ERM software, and there are a few questions they should ask of all vendors.
Does your solution support the best practices outlined by an accepted ERM framework?
The answer from an enterprise risk perspective should be an unqualified yes. There are considerable resources available to risk managers (i.e. the RIMS Risk Maturity Model) that can provide a framework for an ERM program, and if the ERM solution in question does not explicitly adhere to one or more of these standards, it’s likely that you’ll find yourself at a roadblock only a year or two down the road. ERM programs forced to operate with tools not designed for true Enterprise Risk Management become quickly frustrated with their results; and worse, their executives and leadership become disenfranchised with the entire concept of ERM, putting their jobs in jeopardy.
Is your solution flexible enough to fit the unique and evolving responsibilities of your ERM program?
Enterprise Risk Managers have been tasked with the enormous responsibility of providing transparency and insight into their organization's risk universe. In order to accomplish that goal, an ERM software must be cross-functional and capable of aggregating silo’d information dynamically. Ask to see information aggregated by strategic goal, geographic location, or by a risk category currently in use by your company.
As your program grows, chances are your responsibilities will grow to regulatory compliance management, policy management, business continuity, or other key function. Any solution should flexible enough to tackle these functions within the confines of your ERM framework. Many GRC Software solutions consider these roles to be separate. Look for an integrated tool that doesn’t charge extra for the modules you need, and keep in mind that your responsibilities today might not be the same as they are a year down the road. Your ERM solution should grow with your program, not define or limit it.
Does your ERM solution provide the support necessary to ensure success?
Many ERM programs are just beginning to evaluate software. Having worked hard to build your business case, set aside a budget, and evaluate solutions, the worst case scenario would be selecting an ERM Software that could take months, even years, to implement effectively. Risk Managers cannot afford a lengthy implementation time frame while they work towards the milestones that will justify their solution. In addition, your solution should provide support tailored to your needs. Has your account representative supported the ERM programs of other organizations? Can they pass along best practices and build an implementation schedule around your milestones? And finally, can they do it in less than 90 days.
Evaluating ERM software can be a stressful experience, so we created a Business Requirements Template for download as an example that you can adjust to fit the needs of your evaluation.