But while many boards are investing more resources into risk, some remain reluctant to integrate risk management with technology
The financial crisis of 2008 marked a significant turning point for risk management. Banks, which bore the brunt of the blame, were forced to review their risk management functions and governance structures, and organisations affected by the crisis carried out audits and rethought their risk culture. Regulators and think tanks also conducted extensive surveys of risk management practices, issuing reports of findings and recommendations.
One such report was EY’s series of reviews into the level of risk improvements made within financial services as a result of the crisis. Among several findings, risk management technology was found to be a vital component to effective risk mitigation. In fact, following the crisis, many businesses started investing more into risk management technology.
According to EY’s 2011 report, Making strides in financial services risk management report, commissioned by the Institute of International Finance, 73% of 62 global banks, upped their IT spend to support their risk architecture, with more than 40% estimating this increase to be more than 30%. Further, 76% expected these costs to escalate in the following five years.
The demand for risk management technology, however, extends beyond financial services – retail, transport and logistics, service industries and others have invested in risk analysis software – and technology providers have tried to capitalise on this demand. They have created new offerings to meet modern business needs and there is now a plethora of solutions: technologies for initial risk identification, assessment and evaluation, risk monitoring and tracking, and packages that do all of the above. Some have taken it a step further, creating new software to support those businesses implementing a new and modern risk function, that is an ERM framework.
For many multinationals and small- to medium-sized businesses ERM is a necessary investment, with many believing it will help them become more resilient. It has certainly become a bigger focus for many risk managers. But ERM has also recently undergone a facelift.
“ERM in today’s world means providing risk intelligence for driving business performance – a view of risk information aligned to business objectives for enabling decision-making,” explains Vinay Bapna, vice-president at risk management software company, MetricStream.
“As we live and do business in today’s increasingly interconnected, digital, global, mobile and social world, organisations have found that traditional, manual, and paper-based approaches to ERM are no longer effective, efficient, or sustainable.
“Organisations and risk managers are transitioning to a technology-driven ERM programme that can help them: (i) automate as many processes as possible; (ii) manage risk operations across multiple and disparate business units and geographies in a streamlined and consistent manner; and (iii) transform enterprise risk data into meaningful insights that support strategic planning and decision-making.”
The right balance
Moving towards a technology-based ERM programme is only one issue with which risk managers are contending. “The biggest challenge is to make enterprise risk actionable”, says Luc Brandts, chief technology officer and founder of BWise, a NASDAQ OMX company.
“Too often, risks are defined at such a high level that they become difficult to compare and match, making consolidation extremely hard and action items are little more than ‘let’s try better next time’. A good ERM programme will show concrete actionability for all risk owners across the company. The biggest mistake in implementing an ERM programme is not finding the middle ground between too simple and too complex. Too simplistic programmes will fail in a lack of concrete actions. Too complex programmes with intricate roll-ups, workflows, dependencies, risk dimensions, will fail in a lack of understanding by business users.”
This is where ERM software could help according to BWise and MetricStream. ERM software generally works by providing a platform on which risk data from across the business – risk libraries and controls for instance and external sources such as social media, news feed, could be aggregated. Processes for assessing risk could then be streamlined, helping to provide real-time reporting and monitoring through risk heat maps and statistical analytics.
“A well-designed ERM software helps risk managers by providing centralised control and visibility while enabling decentralised processes and ownership,” says Bapna. “It also helps in managing complex, multi-dimensional risk-control-organisation relationships with reporting and analytics that can be rolled up or drilled down.
“Some institutions leverage tools that can help them automate various aspects of their ERM programme, such as risk assessments and risk reporting. Others have different systems for each business unit to independently manage and monitor their risks. Others have a central database to aggregate and store all enterprise risk data. Ultimately, the technology chosen by the organisation should suit its needs based on its size and structure, as well as its broader vision for risk management.”
On the ground, some risk managers have found these systems to be helpful in their ERM journey. Ly Xuan Thu, head of risk and compliance at Vietnamese investment management and real estate development firm VinaCapital says: “These systems can help promote ERM within the company as they bring an integrated platform for risk assessment for all areas of the company from top-down and bottom-up.”
Take up of such software appears to be growing according to Kiran Nobeen, director account management EMEA at Aon eSolutions. She says: “ERM is much higher up in board meetings now. As a result, we are seeing more risk managers wanting to implement systems that have not traditionally employed the approach before.”
However, the benefits have not been fully realised by the risk management community, with many members preferring traditional methods. Pan Asian Risk and Insurance Management Association (PARIMA) board member Roland Teo says introducing innovative technology into the risk industry is not very popular among many risk managers.
“Many organisations and risk managers are contenting with managing risk from a spreadsheet,” Teo says.
“They are afraid of the technology because they are unsure of their objectives.
“This is understandable because, in this day and age, many are still averse to embracing technology.”
Technology providers acknowledge this reluctance and have to overcome it. “The culture of technology means people don’t want to be given a new password to remember and new system to familiarise themselves with,” says Nobeen.
Embedding a new system into the workflow of an organisation is a key problem for risk managers. VinaCapital’s Thu says the process undertaken by her team is laborious. Risk owners use Excel spreadsheets to conduct risk assessments before the risk team converts the data onto the system.
This approach has led her to question the software’s ease of use; she wants to see more user-friendly solutions because otherwise the efficiency and time-saving aspect of such systems are lost.
“People will feel comfortable conducting risk assessments when it is made easier but, currently, risk management software can be complicated,” Thu says. “We need a system that is easier to use.”
Brandts argues that spreadsheets do not work in a business environment. “A spreadsheet is a single-user ill-defined database and is the single largest IT risk in any company. If a risk manager uses a spreadsheet to manage risks, they ignore a large liability.
“Properly implemented risk management technology is not laborious and not hard to use. When it is, it’s either bad software or a badly implemented process. It is necessary to have people who understand risk management implementing, finding the right balance between simplicity and thoroughness. Quoting Albert Einstein: ‘Keep it simple, but not simpler than that’.”
Teo adds that if a company has incorporated a holistic risk reporting culture, embedding an ERM system can be simple. “The best approach is having most of the risk management policies and procedures in place for a while before embarking into software development. Software has to develop what is already embedded.”
This view is shared by Aon eSolution’s managing director EMEA Steve Cloutman, who says, first and foremost, the focus should be on the risk team and culture. “When you are evaluating a tool to buy, many people will be looking at the features and functions, which is important, but many systems will do what you want they to do.
“Therefore, one of the most important things is to evaluate the company you are buying the software from, its experience with its clients. It should be able to advise the best practices to bring into the system and to help implement this, because, for many, it will be a first purchase.”
Although many first-time buyers may be unaware of the necessary steps a firm should take to ensure the system is successful, as risk managers seek more control over their company’s data, Cloutman and Nobeen are seeing an increased interest in such solutions.
“[Interest in risk management technology] is mainly driven by volumes of data. A small enterprise without many claims can usually manage that through reports from a third party or in a spreadsheet, but a large retailer or a construction and logistics firm, for example, have lots of data concerning shipments and damages, claims from third parties, customers of the store; they therefore need of a professional system to help analyse and manage the information.”
A risk management system can cut out the middleman and bestow greater control, says Nobeen.
“Risk managers are becoming more cost-savvy. I am seeing more clients wanting to take more control of the reporting so that they are not having to pay their brokers, captives or insurers for those reports.
“There is definitely a trend where more risk managers are taking control of their data now than they did seven or eight years ago when they would always have a plan ‘b’ of an insurer giving them the report, but now they are realising they can do it in a system and do it better.”
Risk management technology is arguably a natural part of the industry’s evolution, enabling risk managers to become more self-sufficient and increasing the scope of available data information at their disposal.
“For bigger organisations that are serious about risk management, after a while, risk management software is a necessary evil. This happens when the organisation realises the importance of real-time information and risk intelligence to manage risk where manual tracking and reporting have their limitations,” says Teo.
The increasing support for risk management software among global corporates is a sign of the times and a window into the future as MetricStream’s Bapna and BWise’s Brandts identify a clear ERM benefit for larger organisations. However, challenges remain for system providers as current solutions can be too laborious and lack a user-friendly interface for risk owners throughout the company, says Thu. Despite these issues, Thu advocates the use of risk software in aligning risk assessments in a holistic way from the top to the bottom.
“If we don’t use the system or we don’t play the role of facilitator and we leave [employees] to do the risk assessments alone, they are likely to do this in a siloed way and assess the risks on their own without the benefit of an integrated platform,” she says. However, having used the current system for five years, Thu says the firm must consider alternative systems.
A matter of time
On the other hand, Teo argues a system’s capabilities and ease of use is secondary to the embedding of a risk reporting culture within the firm.
“Before buying a system, organisations should first and foremost establish the fundamentals of risk management and implement them,” he says.
“Having done that, firms must use available resources and IT tools such as Excel spreadsheet, Workflow and Sharepoint or even some business intelligence software for the users and key stakeholders to get a feel of what the risk software is like in the system.
“Once they are ready and clear about what they want, it’s a matter of time before they become your greatest supporter for a system.”
The advantages and benefits offered by risk software solutions are clear for multinationals, most significantly in enhancing a firm’s ERM capabilities, but risk managers must negotiate around outdated methods preferred by more traditional risk owners.
Firms must be forward-thinking in their approach to risk and adopting a risk management system is, as Teo described, “a necessary evil” for larger businesses. Although the accessibility and user-friendly interface of current systems is arguably a major weakness, ensuring that a thorough reporting culture runs through the business is paramount for the successful embedding and productivity of any new system.