RISK SOFTWARE: The big picture
Written by David Adams
The ability to gather risk data from across the whole organisation and to keep it in one central repository makes the job of managing enterprise risk more cost-effective and reliable. David Adams reports on developments in risk software
The language of risk management is everywhere: in organisations of every kind you will find sections of annual reports or executives’ presentations dedicated to it. While adoption of sophisticated risk management technologies is still spreading slowly, it is increasing across all industry sectors, as more organisations recognise the value of these technologies as a means of improving understanding of risks, thereby protecting the organisation and delivering efficiency and cost savings.
Adoption is also driven by the need to ensure compliance with various regulatory requirements: at present, many organisations are focusing on the EU General Data Protection Regulation (GDPR), which comes into force in May 2018. Technology vendors are responding to the growing variety of end user needs by developing more innovative risk management technology.
As one might expect, use of these technologies is particularly widespread in the insurance sector. Since 2016 the Belgian insurance broker ADD has been using technology provided by risk software specialist Origami to collect and analyse risk and insurance data relating to its clients. It also uses the technology when collaborating with other insurers and brokers through the Worldwide Broker Network. Matthew Serck, commercial manager in the international department at ADD, cites the ability for both broker and client to access the same data, improved data quality and enhanced reporting and scheduling capabilities as the most important attributes of the system. “[The] technology has proved to enable all parties to work more efficiently,” he says. “This has been a resounding success.”
The market for these technologies is still divided into organisations using Risk Management Information Systems (RMIS) primarily as a means of gathering data for insurance purposes and to manage the total cost of insurable risk; and those seeking to take a broader approach to risk management. Origami’s Neil Scotcher believes the latter approach is becoming more widespread, as organisations of all kinds use risk information to inform business decisions.
The decision to invest in these technologies is determined in part by the industry or sector in which an organisation operates. In sectors like energy or mineral extraction, technology purchasing decisions are driven by the operational risks these businesses face; in the financial services sector the key risks may relate to compliance, vendor risks, or data management and security.
But cyber and digital risks demand more attention in almost every organisation, in part because of the increased use of online and cloud technologies, and software as a service (SaaS) solutions. The ever-evolving nature of digital and cyber risks also means there is a need for solutions flexible enough to be adapted as circumstances demand.
Gisle Bråstein, global product manager, enterprise risk management solutions, at Norway-based risk technology provider DNV GL, says the growth of the Internet of Things means data collection and analysis processes are becoming more complex. Many DNV GL clients work in the maritime, oil and gas and energy/utility sectors, so there is a need to collect risk-related data from a wide range of systems, facilities and both physical and digital assets, from power stations, oil rigs and pipeline infrastructures to operational systems on ships and in ports.
The need to gather data on risks from every part of any organisation makes it essential that risk management technologies are user-friendly, so they can be used by risk owners across an organisation, often via mobile devices, so that non-specialists become an organisation’s “eyes and ears when it comes to identifying and monitoring risks”, as Fusion’s Andy Mercker puts it.
Risk information then needs to be analysed effectively. Ventiv’s technology aims to put predictive data analytics that might previously have required a team of data scientists in the hands of risk managers, according to global product manager Angus Rhodes. His colleague, David Thomas, director at Webrisk (a RMIS acquired by Ventiv from Effisoft in 2017), believes analytics capability will become the most important differentiator for risk management technologies.
Another differentiator is ease of integration. That can mean integration of tools delivering different forms of risk management, to create an ERM solution; or integration between risk management software and other business systems.
Some organisations want to integrate risk management capabilities with other solutions to create comprehensive governance, risk and compliance (GRC) capabilities. The aim is to ensure organisations have access to a single version of the truth when assessing risk and compliance status.
Bram den Boer, principal business analyst, market technology, at Nasdaq BWise, says the ability to access this kind of integrated overview forms an important part of the business case for these technologies. “That’s where they see the benefit, because they don’t have that overview at the moment,” he says. “For them it’s a case of ‘I would like to see all my risk issues, and who is taking action to mitigate those risks’.”
Nasdaq BWise provides organisations with complete GRC capabilities; and offers support to help align audit, compliance and risk management capabilities within the organisation. Its GRC platform includes solutions for internal audit, information security and sustainable performance management, alongside compliance management and its comprehensive risk management solution. Businesses using the platform include Orange, Roche and Swiss Life.
Any GRC platform stands or falls on the quality of the data it holds. Coca-Cola European Partners (CCEP) is the largest independent Coca-Cola bottler in the world. Created through a merger of three bottling businesses in 2016, it is a €12 billion business that operates in 13 territories and employs over 24,000 people. A RMIS solution supplied by Riskonnect and originally implemented in 2013 is now complemented with a Riskonnect GRC platform rolled out in 2017.
Joseph Tunstall, risk analyst at the company, is using the solution to aggregate risk data relating to the operations of the company and its predecessors going back 15 years, alongside new risk data captured from across the business: everything from liability claim schedules to employee and product data.
“The most important thing we’re trying to do with this system is to report on the total cost of risk,” Tunstall tells me. “Utopia for us would be to have all of our risk data in a central repository. I don’t view this process as something that will ever be completed: it’s about the continual aggregation of data. Off the back of that will come all the things we should be doing with that data: analysis, reporting, understanding where we should have more of a focus.”
There is also a growing trend for integration of risk management capabilities with business continuity and crisis management tools such as mass notification, according to Fusion’s Andy Mercker. His company describes itself as a “provider of business continuity risk management”.
“We find that this term really captures this confluence of not only the risk agendas but also, if any of these risks were to occur, of how organisations go about responding to and recovering from them,” Mercker explains.
All these capabilities may sound very attractive in theory, but there is always a need to gain buy-in at the top of an organisation for investment in them. For Ventiv’s David Thomas, enhanced analytics capabilities, providing real-time insights to the board, are of paramount importance. “It becomes easier to make a business case when you’re able to deliver real time analytics to help decision-making,” he says.
Mercker believes that while there may be many reasons why organisations choose to invest in these technologies, for a growing number it has simply become essential to be able to understand the risks that could disrupt their operations and the potential consequences of that disruption. Executives need to know that in the event of a major incident they can stand up in front of employees, customers, shareholders and the media and explain that all necessary precautions had been identified and taken, says Mercker. As he says: “Not having a clear understanding of risk and resilience is no longer acceptable.”
This article was published in the January 2018 issue of CIR Magazine.