18 Apr 2023
by Phil Walden

Senior management should be asking the risk team for quality information and be monitoring it. That being said, it is worth remembering that enterprise risk management (ERM) software, however good, is not a panacea for a badly implemented strategy.  

The ability to run reports from within the software provides valuable information quickly and easily, which is essential when making business critical decisions.  

A central system also demonstrates, for auditing purposes, that risk management is being undertaken. When challenged, personnel can very quickly identify that risk has been considered and oversight implemented. 

What to consider before implementing an enterprise risk management software project:  

Do you have senior management buy in and support?  

Without a senior sponsor it is unlikely the implementation will be successful. The key is to get them to articulate what data they need to do their jobs better, or how ERM will improve business strategy, efficiency, service delivery, resilience and reputation. 

Do you have authority over the project?  

A not uncommon problem is that an ERM implementation, with the potential to impact on other facets of management, becomes ‘owned’ by another department. Although IT, finance, audit, performance, business planning are important areas in this project, it has to be owned by the risk team. Lack of clarity on this important point can dilute the requirement set out by the risk team, affecting implementation adversely. 

Is your risk framework accepted?   

Don’t start implementing technology until all stakeholders are happy with the methodology. Get a framework agreed and stakeholders engaged before beginning the IT project. 

Is your IT team on board?  

Many ERM solutions are hosted externally to make support easier and to offer a greater level of resilience. Is your internal IT team supportive of your externally hosted solutions? Are there questions around security that need to be addressed before the implementation? 

Good to go? What’s next?  

If your organisation has an existing digital risk register, most software suppliers can migrate historic data as part of the implementation process. This register will mirror the risk management framework you have unless you specify a redesign. 

Recording risk 

The reporting and recording of a risk should be an easy process. It is apparent that push back often stems from users either not understanding the importance of risk and how its management works within the organisation, or how the digital system operates.  

Often user interaction is limited to just a few, regular tasks, so an ERM tool needs to offer simple access.  

Consider: 

  • A data entry wizard to simplify the process of recording a risk.  
  • Auto email reminders of activities. 
  • A simple review process limited to a few mouse clicks and some narrative. 
  • Departmental reports that can be pre-defined and run at the push of a button. 
Training 

We would also recommend you spend some time reconfiguring the system’s online help to reflect your own framework. During implementation configuration of system terminology, classifications, organisational structure and matrix will all be undertaken. This facilitates quicker embedding and acceptance within the business as users already recognise much of what they see. 

Another useful practice is the creation of a network of risk champions, or designated team or department risk co-ordinators, which help filter the risk message throughout the organisation and support users of the software. These co-ordinators not only act as a conduit between the business and the risk team, they guide people through the process of identifying, monitoring, and mitigating risks and using the information gained to subsequently make informed business decisions. 

Another important facet of this network is the ability for the organisation to retain invaluable knowledge should someone leave. Too often, great work in rising ERM up the agenda is lost when a vital member of staff is lost. Good knowledge transfer and handover is key. Avoid this common risk! 

Engagement - how risk management helps achieve organisational goals 

Often for change to be implemented you need to lead by example. If you can establish one area, department or project that can make positive use of risk management, they can help promote their successes to the rest of the organisation.  

Engaging with such departments during the early phases of the software implementation is extremely important. This will allow for real life examples to be demonstrated. For example, if a local council’s objective is to reduce the number of pothole claims it receives by 20% per annum, it needs to understand what circumstances would stop this objective being met. Perhaps staff shortages, bad weather, lack of equipment and lack of budget for repairs, for example. It then stands a greater chance of meeting the objective as it can look to mitigate these problems. 

If the reports you provide to management are valuable it will foster reliance on the information you provide. This will in turn improve the perception and value of risk management within your organisation. 

A dedicated software solution for risk management will also often allow you to mature naturally. You can start simple to encourage engagement but then add in more risk management sophistication, such as opportunity management or risk appetite, when the business is ready. 

Risk culture 

Creating a risk culture will take some time but ensuring an environment where people can talk openly about any issues or problems they are experiencing will help to embed a risk culture across an organisation. If everyone is aware of any problems, then there is a greater opportunity to rectify them.  

An important part of risk management is to learn from previous failings so that an organisation can be pro-active rather than reactive. Having the appropriate mechanism to discuss lessons learnt in a positive and educational manner is essential to avoid repeating the same mistakes.