ERM Technology Tools: A Contemporary Look




RIMS Executive Report
The Risk Perspective

ERM Technology Tools: A Contemporary Look

A Report of the RIMS Technology Advisory Council and RIMS ERM Committee

CONTRIBUTORS

- Grace Crickette, Chief Risk Officer, University of California
- Carol Fox, Director of Strategic and Enterprise Risk Practice, RIMS
- Leslie Lamb, Global Risk Manager, Cisco Systems, Inc.
- Russell McGuire, Senior Consultant, Milliman Risk Advisory Services

SPECIAL THANKS

- Emily Cummins, Director, Tax & Risk Management, National Rifle Association of America
- William Montanez, Director, Risk Management, Ace Hardware Corporation, RIMS Board of Directors
- Michael Peters, Director of Information Technology, RIMS
- Mary Roth, Executive Director, RIMS
- Nowell Seaman, Manager, Risk Management & Insurance Services, University of Saskatchewan, RIMS Board of Directors

ABOUT RIMS TECHNOLOGY ADVISORY COUNCIL

The mission of RIMS Technology Advisory Council is to review new risk management-related technologies and increase member access to them; facilitate the development and use of risk-related technologies that enable and enhance RIMS member services; identify initiatives where RIMS can provide industry leadership in driving technology-related change benefiting risk managers; and identify and establish information and technology standards to facilitate the ease of use and communication among different technologies and providers.

RIMS ENTERPRISE RISK MANAGEMENT COMMITTEE

The mission of RIMS Enterprise Risk Management (ERM) Committee is to develop, deploy and update tools, training and other support for RIMS to accomplish its vision of establishing itself as the premier resource and support organization for ERM practices.

EXECUTIVE SUMMARY

This RIMS executive report is intended to provide commentary on the use of technology in enterprise risk management (ERM) programs based on survey results from the 2011 RIMS Benchmark Survey and a separate survey of ERM technology vendors conducted by the RIMS Technology Advisory Council (TAC). It is designed to share technology-related information that may be relevant and useful to RIMS members as they embark or continue on their ERM journey. While this report may offer useful insights to product developers as well as ERM technology adopters, no endorsement for a particular technology is intended to be expressed or implied.

The key points to consider are:

- An ERM technology process is something that supports or enables ERM.
- ERM technology can reasonably be linked to the ERM maturity of the organization. As maturity levels rise, the need for and complexity of ERM technology increases.
- Few organizations have fully integrated ERM, but with nearly 80% of survey participants citing some form of an ERM program in place or in progress, the market for effective ERM technology tools appears very strong.
- Risk managers should assess the current ERM maturity level of their organization using the RIMS Risk Maturity Model and other benchmarks to consider the maturity levels they want to reach and how available technology may provide an acceleration tool for achieving the longer-term outcomes they desire.

Introduction and Background

In early 2011, two surveys were approved and distributed by RIMS. The technology tools provider survey was distributed to approximately 40 ERM technology vendors and the technology tools user survey was incorporated into the annual RIMS Benchmark survey and directed to risk practitioners. Participation in the surveys was voluntary. As the results may not be considered to be representative of the entire technology-solutions industry, additional information has been introduced to provide a broader understanding of the issues.

Before proceeding with the survey results, it may be useful to define ERM technology. For the purpose of this report, ERM technology is computer-based (regardless of platform) and supports significant components of an ERM process, including:

- It facilitates communications with key stakeholders, such as risk owners, board and management, control owners, etc.
- It is contextual and includes capabilities to support management of policy, procedures, plans, risk rating criteria, training, reporting, etc.
- It has risk assessment capabilities
- It records and reports on risk modifiers
- It has monitoring and reviewing functionality

An Overview of the Technology Tools Provider Survey

As a general guide, an ERM technology process is something that supports or enables ERM. (For this paper, governance, risk and compliance (GRC) tools are considered to be enablers of ERM, not replacements.) Vendors were asked to describe the key features of their ERM module (Figure 1). The functionality was grouped into three segments: Analytics, Visualization and Activities. It was apparent that no single solution will contain all possible features. Therefore, potential buyers and builders of these tools need to understand the components and consider their own requirements and specifications in order to determine the optimal combination of functionality at a realistic cost.
This list of requirements could become a useful design and negotiating tool, particularly if estimated values to the organization are applied against the costs to incorporate (i.e., a simple return on investment (ROI) calculation). Readers are strongly recommended to assess the current ERM maturity level of their organization using the RIMS Risk Maturity Model and other benchmarks, such as ISO 31000, COSO and others found in RIMS 2011 Widely Used Standards and Guidelines Executive Report, to consider the maturity levels they want to reach, and to form a value proposition for achieving the long-term outcome they desire.

ERM technology is not a risk management information system (RMIS) that only addresses insurable risk or primarily provides claims management functionality. It is also not a purely policy management tool, such as a governance document, or an incident management tool.

Figure 1: ERM Modules / Features

- Activities: Workflow, Alerts, Escalation, Audit Assessments
- Analytics: Predictive Analytics, Trends, Fault Tree / Root Cause, Performance Measurements
- Visualization: Heat Maps, Dashboards, Reports, Bubble Graphs, Risk Appetite Views
- Center label: Areas for Functionality Compromise

When preparing to seek bids for ERM technology, it helps the process if the buyer has a clear understanding of not just the functionality required but also of the more general issues that surround the acquisition of the technology. Vendors were asked for the most common objections raised during discussions with potential buyers of ERM technology (Figure 2). Buyers should consider these responses to help them determine whether foundational issues need to be addressed before seeking a tool.

Figure 2: Common Objections Heard by Vendors

- Lack of ERM Knowledge
- Information Technology Limitations
- Organizational change
- No ERM process
- Total cost of risk (TCOR) analysis
- Budget constraints
- Time required to maintain data

As part of the process of selecting a tool, it may be useful to know the top benefits that vendors have heard from their clients who have implemented ERM technology. These included:

- Enterprise Risk View
  - Risk prioritization
  - One risk data repository
  - Improved risk focus
  - Better risk understanding
- Improved Communications
  - User interaction
  - Unified business units
  - Enhanced reporting
  - Board involvement
- Better Organizational Resilience
  - Optimized risk controls
  - Stakeholder confidence

Risk practitioners may want to consider these benefits as part of their analysis of functionality to see if they are getting the best combination of features and benefits.

There are over 600 ERM/GRC tools available to risk practitioners. Details of products can be obtained directly from vendors, ERM consultants or commentators such as Open Compliance & Ethics Group (OCEG), Gartner and Forrester Research. Additionally, home-grown tools may have been developed in-house. Buyers of ERM technology need to ensure they have established a clear vision of what they want to accomplish with ERM technology and understand their own unique framework and maturity model. Trying to fit their organization into a nonspecific ERM tool solution provided by the vendor could result in considerable delays, potential turf battles within the organization and the increased possibility for failure.

An Overview of the Technology Tools User Survey

Every year, members of RIMS and other risk practitioners are invited to participate in the annual RIMS Benchmark Survey. In 2011, the RIMS TAC included specific questions relating to ERM technology. The use of the RIMS Benchmark Survey resulted in over 300 responses to the TAC questions.

Participants were first asked about the extent to which their organization had adopted ERM (see Figure 3). Only 17% of participants have a fully integrated ERM program; another 63% are in various stages of implementation and planning. With 80% of survey participants citing some form of ERM program in place or in progress, the market for effective technology tools appears very strong. The key to making technology tools effective is to match capabilities with risk practitioners' needs.

Those who have "Partially Integrated" or "Have Begun to Investigate" may be using existing technology systems. However, these may not be sufficient to reach the desired maturity level. Considering short-term and long-term technology needs by planning the integration of their ERM technology in support of an organization's desired maturity progression would seem a more strategic and valuable approach than designing an ERM program based on available ERM technology solutions.

Figure 3: Extent to Which ERM Program is Adopted

- Categories: Fully Integrated ERM Program (17%); Partially Integrated ERM Program; Begun to Investigate ERM Program; No Program - Plan for Next Year; No Program or Plan for Program
- Other percentages shown: 37%, 23%, 20%, 3%
- Source: RIMS 2011 Benchmark Survey

What Forms of Technology are Risk Practitioners Currently Using?

Participants appear to be using all forms of technology with no strong rejection of any of the options noted in Figure 4. Less than 5% reported no benefit from using any of the technology types. PC/laptops are by far (and not surprisingly) the most extensively used at more than 80%. Considering the relatively brief period in which smart phones have been available, they appear to have obtained a strong foothold with 41% of the respondents using these devices extensively or in a limited way, and 5% indicating they would use them if available. With regard to equipment usage, PCs and internally created software tools were strongly favored over other types of equipment.

Figure 4: What Forms of Technology are Risk Practitioners Currently Using?

- Categories: PC / Laptop; Internally created system / platform; Client / Server on your organization's site; Mobile devices - smartphones; Mobile devices - tablets; Client / Server on third party host site; Cloud (Third party host site with access via internet)
- Response scale: Extensive Use; Limited Use; Would Use (or Use More) If Available; Find No Benefit From Using; Do Not Use
- Source: RIMS 2011 Benchmark Survey

What Types of Technology Tools are Risk Practitioners Using to Uncover and Assess Risk?

Participants were asked about the tools they use to uncover and assess risks (Figure 5). Clearly, spreadsheets are the most commonly used tools (over 80%), with document management tools also being used extensively by a third of the participants. Survey tools seem to have found favor with over 60% of the respondents. Predictive models, simulation and voting tools, which typically are used in live facilitated meetings, are used by just over 30% of the respondents. Risk prioritization tools, analytic software, predictive models and simulation would be used (or used more) by more than 20% of the respondents. It is worth noting that very few survey participants (5% or less) find no benefit from using ERM tools, which supports the position that ERM tools generally are considered useful.

Figure 5: What Types of Technology Tools are Risk Practitioners Using to Uncover and Assess Risks?

- Categories: Spreadsheets; Document Management; Survey Tool; Risk Prioritization Tool; Analytic Software; Predictive Models; Simulation; Voting Tool
- Response scale: Extensive Use; Limited Use; Would Use (or Use More) If Available; Find No Benefit From Using; Do Not Use
- Source: RIMS 2011 Benchmark Survey

What Do Risk Practitioners Want ERM Technology to Do?

Participants were asked to list the specific capabilities or features in ERM technology that they use to monitor and report on risk today (see Figure 6). Risk registers, risk maps and governance rules (e.g., ethics, internal procedures) are used most extensively (by approximately 20%). The key areas for use (regardless of depth) are governance rules, key performance indicators, key risk indicators and portfolio view of risks (approximately 80%). Usage of risk maps and compliance activities is reported to be over 70%. The least usage is for performance incentive management (over 50% not at all), followed by automated internal reporting, dashboards and risk registers (approximately 30% not at all).

Figure 6: What Do Risk Practitioners Want ERM Technology to Do?

- Categories: Risk Register; Risk Maps; Governance Rules; Dashboards; Compliance Activity (e.g., attestation); Key Performance Indicators; Portfolio View of Risks; Key Risk Indicators; Automated Internal Reporting; Performance Incentive Management
- Response scale: Extensive Use; Moderate Use; Partial Use; Minor Use; Not At All
- Source: RIMS 2011 Benchmark Survey

What Does the Future Hold for ERM Technology?

Participants were asked to list the specific capabilities or features in ERM technology that would help improve the maturity of the ERM programs. Responses were varied, but the most frequently mentioned capabilities were dashboards, analytical tools and automated monitoring of risks. Other noteworthy responses included risk maps, risk registers and survey/voting tools. These responses reinforce risk practitioners' needs for immediate and accurate information.

"In order to grow effectively we need timely, dynamic risk and dependency information that is well understood and embedded in the business," says Leslie Lamb, global risk manager at Cisco Systems, Inc.

These findings also underscore the participant responses to the technology solutions that most "would use (or use more) if available": risk prioritization tools, analytic software, predictive models and simulation.

So, based on the survey data and the professional experience of the RIMS TAC, the ideal ERM technology solution would contain the following features:

- Web-enabled single source of truth
- View of risks at multiple levels
- Automated risk input
- Auto reporting and calculations across the collected data
- Ability to set and calculate risk tolerance levels or triggers
- Project management capabilities
- Import/export capabilities in order to expedite the sharing of risk information and actions
- End-to-end tracking of risks as they are identified through their eventual resolution
- Common and consistent approach, traceability of accountability, ownership and actions

Conclusion

Prospective buyers and users of ERM technology would be wise to prepare a clear understanding of what they want to achieve before they start looking at available technology. They should understand their current and target ERM maturity levels before looking for tools to support their organizational goals.
There appears to be significant scope for the use of multiple technology tools in the ERM process, and it is unlikely a single set of tools will meet all needs. The decision to acquire a technology tool should incorporate the cost/benefit analysis of the tool. Direct and indirect costs for the tool may range extensively, but without a clear return on investment (ROI), it may be unwise to proceed with any acquisition of tools.

One of the most meaningful insights that emerged from the 2011 technology-related surveys resulted from a comparison of vendor responses and risk manager responses. It seems that vendors offer many of the tools requested, but have not yet been able to match their services with potential client needs. In light of the substantial portion of the market that intends to increase its maturity level of ERM, there may be a deep educational opportunity for vendors: they may need to gain a better understanding of the needs of their prospects as well as what the prospects' hurdles are. Therefore, this report is offered to foster a healthy marketplace by bringing buyers together with technology developers in shared educational progress.

APPENDIX

ERM TECHNOLOGY AT THE UNIVERSITY OF CALIFORNIA

The University of California (UC) has integrated its ERM program throughout its 10 campuses, three national laboratories, five medical centers and world-wide research initiatives, with the assistance of its enterprise risk management information system (ERMIS). As it developed its technology needs over time, UC's enterprise risk services team began with an overarching strategy: create efficiency, reduce the cost of risk, improve the cost of borrowing and reduce IT and operational redundancy.

UC started its risk assessments in 1997, developing its risk technology capabilities over a period of time. Even so, UC still finds value in spreadsheets, albeit greatly enhanced since the early days. In 2008, the Office of the President released an enhanced Excel-based risk assessment workbook. Workbooks have since been developed for general and focused risk assessments. Use in actual risk assessments has led to enhancements such as user-definable impact and likelihood scales, the ability to evaluate and adjust the current level of control and the creation of a risk and control library.

The ERM program at UC is supported by a wide variety of business resources, processes and applications:

- No Tech: Informational content distributed via web/email (e.g., ERM bulletins and reference materials)
- Low Tech: Partial automation of data collection and analysis, such as Excel-based risk assessment tools
- High Tech: Information systems such as Cognos-based business analytics and optimization and custom-built information systems (e.g., UC Tracker and UC Action)

UC utilizes a customized platform, drawing on multiple data sources and facilitating multi-channel intuitive user interfaces (see Figure A). The ERMIS is the High Tech component of ERM. UC's ERMIS architecture will be discussed from three perspectives: end users, information systems and information technology.
End-Users Perspective

Business participants are the end-users of the system. These are individuals who will access the ERMIS functionality. End-users access the ERMIS functionality through a variety of channels, including online and through email. A variety of business services are available to the business participants provided through the ERMIS, including dashboards, surveys, data collection, financial controls tracking and other functionality.

Figure A: UC ERMIS Business Architecture

- Layers shown: Business Participants; Channels; Business Services; Information Systems; Data Sources; Integration (EAI); Technical Services; Infrastructure & Technology
- Grouped under: End Users Perspective; Information Systems Perspective; Information Technology Perspective

Information Systems Perspective

Information systems are custom-built (e.g., UC Tracker and UC Action) or a commercial off-the-shelf solution (e.g., Cognos Business Intelligence and Lotus Forms). Data from various authoritative data sources is extracted, transformed and loaded into the operational and analytics data stores. Information systems encapsulate business rules and analytics logic to manage the data stores and provide ERMIS functionality to end-users.

Information Technology Perspective

The technology layers enable the information systems. The integration layer facilitates information sharing (e.g., user identity data), and reduces functional redundancy (e.g., dashboard reporting of financial controls tracking). The technical services layer consists of services that support specific functions such as single sign-on, secure file transfer, etc. The infrastructure and technology layer represents the hardware and software components, and their management. The technology layers are implemented at the UC ERMIS hosted infrastructure facility.

UC ERMIS Dashboards

While the UC ERMIS-produced dashboards are primarily used by its risk managers enterprise-wide, they also are used by campus and enterprise leadership, general counsel's office, external finance staff, UCSF Police Department personnel, and medical center HR and quality departments. The dashboards are designed to provide:

- Better quantitative analysis capabilities
- Improved analytical and reporting capabilities
- Support for leading risk governance and compliance processes
- System-wide visibility, with local flexibility
- Scalability without creating additional burdens on UC staff

UC ERMIS dashboards are built using a Cognos web-based business intelligence solution, customized by the university to help quantify and track new and pre-defined key performance indicators (KPIs). They are not intended to replicate or replace any existing system. They are user-friendly, comparable and easy to understand.
Because they are produced using real-time information, they contain credible and reliable information.

"Our solutions allow the university to take greater risk by improving outcomes," says Grace Crickette, UC's chief risk officer, as she describes how the technology tools that she and her team have deployed use risk to create new opportunities. "We have learned that by focusing on developing tools that address a broad array of risks, both frequent and catastrophic, small and large, we create a more efficient and effective program."

UC has not only been able to reduce its cost of risk over time with the support of its technology tools, but its information system has been described by Standard and Poor's as a credit strength.

Copyright 2011 Risk and Insurance Management Society, Inc. All rights reserved. www.rims.org