PART 3: TYPES OF ERM SOFTWARE
If you go and search for ERM software online, you will get a dizzying amount of results with no rhyme or reason. I can attest to this personally both in researching for this guide and in my role as an ERM Director for a large property insurance company in my home state of Florida.
The fact is ERM software can mean different things based on who you ask…many systems are designed for specific industries or even job function(s).
There are a couple of different ways we can separate out these types of software.
The first way is what the software focuses on…
1. One-stop shop (compliance-focused) – these are typically referred to as GRC* systems and have been around the longest by far, especially considering how demands for better corporate governance and risk management drove many companies, especially financial and publicly-traded firms, to adopt ERM.
The ‘risk management’ components of a GRC system come as part of a bundled package that also supports policy management, compliance, audit and other departments that have risk elements as part of their day-to-day activities, such as legal and HR.
Example systems include SAP, LogicManager, and more.
*GRC is short-hand for Governance, Risk, and Compliance.
2. Linking to strategy (performance-focused) – these ERM software systems are designed more exclusively for risk management applications, focusing more on the organization’s strategic plan and not so much on the compliance side of the coin.
They typically include tools that allow the user to conduct quantitative assessments such as Monte Carlo simulation. Any ‘visuals’ can be linked back to applicable strategic goal(s) or foundational issues your company is trying to address.
Example systems include ModelRisk, rPM3, GOAT, Essential ERM
Another way to categorize ERM software systems is how they integrate into the company. They can either be…
1. Web-based or physical installation – systems like this allow you to capture and analyze risk, store information, assign owners, monitor mitigation strategies, setup reminders and more. The advantages of stand-alone systems is they truly involve the entire organization in risk management by breaking down silos, improving communication, and eliminating or at least limiting manual processes.
They also provide managers and executives with risk information and its relation to strategy through easy-to-reference dashboards.
However, while these systems offer robust features, their life expectancy can be rather short largely due to users having to learn entirely different software. Also, as Alexei Sidorenko explains in this video, the challenge with these systems is that they “..reinforce the mentality that risk management is a stand-alone, separate process” and that risks “…should be captured on a regular basis instead of every single day as part of different business activities.”
Example systems include ones listed above.
2. Expand functionality of existing software – ERM software can also come as an add-on to systems the company is already using, such as enterprise resource planning (ERP) systems, Microsoft Excel, Microsoft Projects, and others. These add-ons integrate or enhance risk analysis into existing business processes. Through modeling and Monte Carlo simulation, companies can better assess the impact of uncertainty on strategic plans, budgets, and projects.
One huge disadvantage of this type of ERM software is that it doesn’t link risks to strategic objectives or to other risks…unless your organization has a tool/software for strategic planning. Although “systems” like this can better utilize analytics and big data, it can be challenging to visualize how a particular risk fits into the bigger picture of the organization.
Understanding the why and what of ERM software is undoubtedly important, but there is more that risk managers and their leaders must grasp before researching options and requesting demos. In the next section, learn more about how you should go about finding the right system for your organization’s needs.
