Your Embedded ERM Infrastructure May Have Become A Risk Enabler…What You Can Do About It

Enterprise software has a reputation for strength, resilience, and robust capabilities that enable it to fulfill all the expectations of management and lead to solid justification for the expense of staff resources, time, and treasure needed to establish its presence. Or so the story goes. This is the sales pitch, and candidly, it’s sometimes what does happen. Whether it’s an enterprise resource planning (ERP) system, a Customer Relationship Management (CRM) offering, an enterprise risk management (ERM) system or any one of a number of other categories of enterprise-in-scope integrated software solutions, there is much more to delivering the promise than making a purchase, installing the software and marveling at the delivered wonders. And the problems often begin with the buyers and the “process” they use to make purchase decisions.

It Begins With Problems, Issues, Needs, and Requirements
No one just decides to invest in enterprise software. There must be an identified issue or problem, which is expressed as a need. That need leads to a question: “what must we do to satisfy the need?” The answers create a set of requirements, and they become the criteria for “shopping” for a solution. This must seem pretty straightforward, and it may be. However, sometimes cloudy thinking, brought on by participants who may have another agenda, or lack a deep understanding of your current business, its operations, and the issue or obligation that started the whole process, may alter this effort in unknown ways. Of course, different departments may insert requirements reflecting the “how” of any solution. Finance may be concerned with the costs. IT may have standards for platform technologies that favor some offerings over others. There may be existing relationships with some solutions providers that may incent purchasing and procurement managers to favor their offerings. You can see how this process could build quite the divers set of “requirements to satisfy the original business issue”. But the final, aggregate requirements list eventually becomes the evaluative tool for selecting a solution.

Shopping For Value vs Political Safety
There is no single process or means to this end. But there are some interesting factors that can come into play originating from sources extraneous to operating requirements determined in the process just outlined above. One is “political” risk related—the perceived risk of making an error in selection. Another is over-compensating. The first often leads to screening out all solution providers who don’t have an existing relationship with your firm. It can also lead to limiting consideration of only solutions with a significant brand reputation built by years of catering to Fortune 100 enterprises and providing solutions whose scope and power have been touted by many analysts, pundits, press, and business groups who follow industry leaders as determined by characteristics like revenue, employee population, number of installations, offices, and partners, to name a few metrics. These are valid considerations in some instances, where requirements merit. But in many cases, this can lead to only exploring battleship-scale solutions when a sailboat would suffice admirably. Once upon a time when considering computer hardware, company procurement managers were cautioned that “nobody ever got fired for buying IBM,” even when their product features were not the best match against identified needs. The second risk, of over-compensating, attempts to address all possible needs identified now while foreseeing any others that might occur tomorrow. It’s an aggressive approach that mistakes complexity and feature diversity with capability and fit to the specific situations and requirements of your own organization. This is analogous to the scenario where one person purchases a major home appliance based on all the bells, whistles, lights, and buttons, while the primary user’s need for some key, and simple features is completely overshadowed by the sparkling promise of a device that can “do everything”.

Either course of action leads down a path to encounter several problems for risk managers who need actionable solutions at appropriate scale that can deliver timely results and useful information to guide executive decision making that enables effective risk management:

  • Complex, rigid enterprise solutions set in place as the institutional “standard”
  • A user environment that’s not streamlined for ERM processes
  • Dependence upon IT for ERM requirements and configurations… e.g. reports, workflows, etc.
  • A GRC system focused on managing process related risks instead of enterprise risks, prioritizing the “how” over the “what.”

Let’s look at each of these in a bit more detail.

Complex Enterprise Solutions
The needs of specific divisions, subsidiaries, or other organizational parts of a business, however they are determined, may require more flexibility and adaptability than an enterprise solution may offer if it was installed and customized or configured to always address the enterprise as a whole. Such an implementation leads to standards-based rules and procedures binding its processes into a rigid framework that cannot easily flex for one area alone. Also, the process of making change is often bound to a management decision and approval hierarchy that’s slow to adapt.

A User Environment Not Streamlined For ERM Processes
Some systems are designed around a set of user standards and information management rules that can lead to panel designs, process steps, roadmaps and data groupings optimized to those standards rather than the key practices and requirements for ERM processes. Some enterprise systems began life focused upon one discipline or topical area, and “evolved” into enterprise ERM solutions over time, while retaining the user attributes best suited to their origins. This can make training users who otherwise understand ERM processes harder to achieve, take longer to complete, and may require much more supporting documentation that would otherwise be needed, adding time, resources, and cost to risk management processes.

Dependence Upon IT
This may be the most frustrating concern of all. Seeing the need for change, knowing what it needs to change from to adjust a process, trying to produce a report to communicate effectively with key stakeholders and executive management, or trying to respond to new configurations of workflows, organizational groupings, or compliance rules and needing to reach out to a centralized IT function with its own priorities and resource schedules can be deeply frustrating. Also, there may be inadequate training for this centralized support service so requests may lead to referrals back to the vendor, then to IT and finally, back to requesting units. This all consumes valuable time, and deteriorates the responsiveness and ability of the risk management unit to effectively perform in a responsive manner to the business and to its operating environment, and its regulatory and compliance obligations.

A GRC System Focused On The “How” Over The “What.”
Such a system really pays most attention to managing process related risks instead of enterprise risks, prioritizing the “how” over the “what.” It delivers rigid, difficult-to-change methods for performing ERM processes, to ensure consistency and reliable repetition. Such centrally controlled IT schedule and resource priorities may not match your business’ risk management obligations. Regardless, when you need specific reports, modifications to workflow parameters or escalations, email routing, or any other automated provisions of this ERM system, a request into a centralized IT department is necessary. And not all the changes you request may be granted. You may be focused upon the delivery of a risk assessment, seeking flexible response and input options to facilitate dynamic situations, or a simplified review workflow to speed findings delivery, while such an enterprise ERM may be managed to assure standardized process methods are followed without exception to address data integrity, management approval hierarchies or other internal process standards and practices.

Navigating Change In A Structured World Of Standardization
There is no single path to successfully garnering the use of alternatives to deeply embedded, standardized ERM implementations. There are some options that may provide leverage and lead to success:

  • Find a solution that does fit your needs now, with means to extend in scope and function if or when needed. Show how using that solution would help you better align risk management with current business needs and foster achievement of company goals now. This can include noting that resilience to sustain and recover from incidents of all dimensions greatly improves with responsive, nimble, and informative risk management processes.
  • Compare your local requirements to the enterprise ERM in place, highlighting opportunities to gain efficiencies, accuracy and responsiveness by employing a more responsive ERM solution, to demonstrate how this favorably impacts risk management and program value.
  • Offer your situation as a trial test of a new solution’s ability to deliver more, with less support, while preserving quality, increasing alignment to your current state, and improving timeliness; all effectively increasing and returning value for investment while strengthening operating resilience. These are brand and bottom line contributions you can measure.

Demonstrating that your risk management program returns value to the business requires careful alignment of program objectives and operating business goals. You would have implicitly done some of that through your effort to determine requirements for your ERM solution. It also makes sense to examine the design of your organization to see how to best model it’s nature and culture in the ERM processes of your solution offering. Being able to demonstrate that alone can make a solution very appealing to management. And if a small scale solution can be extended in features and scope by building upon an initial implementation, rather than discarding and re-deploying a solution under a different configuration, that’s a real win for you, for Finance, and will be very attractive to your IT organization, particularly if they participate in those efforts. Lastly, being able to respond directly to management requests for reports, charts and other analytical information, without filing into an IT processing queue, will be a bonus for all.

Identifying Alternatives
There’s already an enterprise solution in place. And for any number of reasons, it’s not enabling your risk management program efforts, but adding to its burdens and obstacles. Evaluating ERM solutions in the marketplace that meet the requirements you’ve documented may seem at once daunting yet unavoidable. There are approaches that may reduce the task in size and duration. You know your requirements—don’t compromise. That will narrow your field quickly and dramatically. Seek providers who will offer a hosted solution, reducing reliance upon any IT resources, and time to deploy. See if there’s a sandbox or field test option to try and take the software for a spin on a trial basis. If not there may be other options offered by your vendor. Remember, you’re really seeking a nimble but fully functional ERM platform that will do what you need now, and give you control and operating autonomy. The best offerings will support your expansion in features to other areas or to manage larger organizations by growing your base install, not retooling everything from scratch. Include reporting and data analysis features that are simple to use in your search. A big part of the value you’ll enable will be timely reporting and risk guidance to leadership. It’s an area where tangible demonstration of why you are deferring use of the 10,000-pound instantiated ERM solution can be made. Also, your ability to operate without dramatic resource drain, relying upon a configuration approach to tailor workflow, naming, automated process features and output management will go far in showing gains in timely responsiveness to change. These are always areas of weakness for oversized, overdeveloped enterprise implementations.

From this vantage point, you should have clear artifacts to support your initiative to bring responsive, comprehensive, value-generating ERM services to your business in a clear, cost effective and efficient manner, demonstrating a model for operation and growth that’s compelling for today and tomorrow.

Enter DoubleCheck ERM One™
ERM One™ is a revolutionary, yet straightforward, application that builds upon the lessons in Enterprise Risk Management (ERM) that DoubleCheck, over time, has been privileged to learn from its clients. In short, ERM One™ incorporates into one intuitive, turnkey application the best-practices tools and content to help optimize the crucial discipline of Enterprise Risk Management (ERM) and thereby put your firm on a path to achieving its strategic business objectives. DoubleCheck fully understands and supports the merits of ERM and the benefits of its adoption by all companies.

ERM One™ follows the Best Practices of Risk Management. It is predicated on the understanding that there are three attributes of an effective ERM Solution (Product, Process and Content). These attributes, in combination, deliver the critical services, tools and capabilities that companies require to tactically execute upon the four elements of day-to-day risk management (Identify, Assess, Mitigate and Monitor) with efficiency and effectiveness.

DoubleCheck has structured the tool in a modular manner, with options available to add incremental GRC functions or advanced business intelligence (BI) capabilities to extend functionality. Further, services and features are highly integrated into one package. Reporting is embedded rather than independently aligned to content and processes, making the risk management practice a seamless effort rather than a disjointed one. It is delivered as an immediately-operational ERM platform, through a unified combination of its:

  • Product – automated workflows; embedded business intelligence; project management; automated notifications; system generated heat maps, comprehensive risk reports, navigation through visualization; assessments; documentation management
  • Process – risk identification, quantification, mitigation documentation, reporting and review
  • Content – pre-populated (“running start”) risk universe, risk categorization, rating scales, individual controls by line of defense

Want to trial ERM One™? Here’s what do you’ll get:

Key Features:

DoubleCheck ERM One™ trial includes all components of our innovative, turnkey ERM solution:

  • risk structure pre-configuration
  • risk content pre-population
  • risk process integration
  • modular construction, capable of significant functional enhancement
  • embedded reporting and robust business intelligence (BI)s
  • navigation through visualization
  • alignment to ERM standards and best practices

Here are ten (10) top reasons to try ERM One™ at your firm:

About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.

Newsletter Signup
Interested in being informed when a new blog post is released?

Leave a Reply

Top

DoubleCheck ERM One™

An out-of-the-box tool that delivers an integrated ERM process together with a comprehensive, high-level categorization of exposures (Financial, Core Business, Operational and Strategic), fully loaded with over 60 associated, pre-populated risks to be used as a starting point.

X