In ever more complex business environments, risk software is being deployed to address a widening array of challenges. The way in which the risks are being assessed and the tools accessed is also changing. David Adams looks at the market

If vendors of risk management software had been hoping for a year that would show just how unpredictable and risky our world is, they really couldn’t have asked for anything more than 2016 delivered. While the unexpected political and economic events of the year played out alongside extreme weather, terrorism, cyber attacks and other risk events, providers of risk management software saw their products deployed across a broadening range of organisations and projects. These wide ranging deployments help users develop their understanding and enhance their management of risks; improve efficiency, productivity and compliance; and reduce operational and other costs, including those relating to insurance.

Ladd Muzzy, principal and subject matter expert at Nasdaq BWise, observes that codifying the value that risk management brings to the business is something that is capturing attention. Risk and risk management is dynamic and having a software that is nimble and flexible enough to respond to rapid risk changes is essential to effective risk management. He iterates that governance, risk and compliance (GRC) software is an enabler, something adaptable by the end-user. This ensures that risk management practices are aligned with the changing risk environment and assures that all stakeholders (the business, audit, executives, regulators) have holistic information to make informed decisions.

It is still the case that larger organisations, particularly in highly regulated sectors such as finance, energy, utilities and government, are more likely than are smaller entities to be using risk management software. Gisle Bråstein, global product manager for enterprise risk management solutions at DNV, says his company’s client base can be split into two groups: organisations that face safety-critical operational hazards, like energy companies or airlines; and financial sector companies, where the key concerns are more likely to be issues such as fraud or cyber security. But across both groups, he says, there is increased acceptance of the need “to embed risk into decision-making”.

Bråstein believes the fundamental challenge for every organisation trying to do this is gathering and analysing the relevant data. The need to meet this challenge is often one of the most important reasons why an organisation moves away from the use of spreadsheet-based risk management to a solution-based approach. The need to do so becomes ever more pressing as an organisation’s operations become more complex, particularly if it is operating in multiple geographical locations.

Angus Rhodes, product marketing and business development at Ventiv, sees similar trends among his client base. He believes the drive to consider using risk management is also often part of a more wide-ranging review of corporate governance processes in general, with one important driver the need to reduce costs.

Yet it is still organisations that face risks that could have the greatest impact on society and the physical environment that are most likely to be using risk management software, says Mark Brown, vice-president of software solutions and services at Active Risk.
His company’s software enables organisations to use a focused project-based form of risk management, within an enterprise risk management (ERM) approach designed to improve overall operational GRC; and counts Lockheed Martin, Rio Tinto, Skanska; and government organisations such as the US Department of Homeland Security and the UK Ministry of Defence among its client base.

Anagold Madencilik, part of Alacer Gold Corporation, has been using the Active Risk Manager (ARM) solution to manage risks at its Çöpler Gold Mine in Eastern Turkey. John Ebbett, project director for Alacer Gold, says the company values the way the solution tracks project risks and compliance requirements, with tools for advanced risk scoring and analysis to help prioritise risk mitigation activities.

He points in particular to the way the solution uses information drawn directly from frontline employees to identify emerging risks and to highlight the relationships between risks; information then presented to managers through dashboards and reports. “This functionality has enabled the team to take an upside view of risk and identify opportunities throughout the project, delivering opportunities with financial benefits of several millions of dollars,” says Ebbett. “The insight provided has delivered immense value to this project and has helped to raise the profile of project risk and the importance of managing it across the organisation.”

One recurring theme in the development of these technologies in recent years has been a focus on making the software more user-friendly, to enable employees across an organisation to use the solution, so assisting the process of gathering risk information.

Brown lists the different job roles within organisations where individuals may now be using the software, from risk managers to engineers and frontline staff who actually own specific risks, to senior management and board members. This means there needs to be a flexible user interface, able to suit these different audiences.

Ross Ellner, managing director, EMEA, at provider Riskonnect, emphasises the value of an end user organisation being able to configure the system easily to meet specific requirements. He says its product has been designed to allow end users to make over 90 per cent of the configuration changes to the software themselves, with assistance from a provider only required for the most intricate one-off changes.

New ways of working

The way the solutions are used has also changed: many providers enable end users to access the device via mobile technologies; many solutions can be delivered on a software-as-a-service (SaaS) basis, or via other cloud-based platforms. This can offer cost benefits and flexibility in terms of user access.

Specialised forms of risk management software are also continuing to evolve. HawkSight, a customisable security risk management tool, is attracting interest among smaller organisations that may have used spreadsheets to manage security risks in the past, but can see the value in using software to do so, according to HawkSight managing director, Paul Mercer. Other end users include larger organisations operating in multiple locations, including corporates, hotels, airlines and energy or construction companies.

Mercer says this sort of software delivers include a more consistent way of evaluating and managing security risks; and more effective communication between security functions and senior management. His solution also provides risk mapping and visualisation tools, allowing security managers to see very quickly the status of incidents and risk management progress across different geographical areas.

End users include the British Council in Nigeria, the largest British Council operation in sub-Saharan Africa, with four main offices and over 200 staff. It runs multiple education and development projects across the country, sometimes in areas that present significant safety risks.

Lucy Pearson, director of business services for the British Council in Nigeria, led a review of the organisation’s security risk management strategy when she began her current role in 2014. The aim was to create a security risk management framework that would inform decisions over bidding for specific projects financed by the UK Government or the EU, as well as enabling detailed planning for security risk mitigation.

“We now do that at a really granular level,” says Pearson. “What’s the activity? Who’s taking part? What’s the risk environment? We look at that against a risk appetite we’ve defined, looking at controls we need to put in place to go ahead safely and securely.”

The organisation spent a year planning and designing the security risk management framework and a further year going through software implementation and training processes. Pearson claims that within the first six months of the project going live it had enabled the organisation to win over £500,000 worth of new business; and that it is helping to drive double-digit growth in the numbers of people working on educational qualifications in high risk areas of the country. “It has enabled us to deliver projects in places that previously would have been no go areas,” she says.

Increasingly, risk management technology is also being integrated into other business systems, to help organisations consolidate control of overall GRC processes and risks. A capability to integrate data from multiple systems is a vital part of providing senior managers with a single version of the truth within their organisations, according to Ellner. “The most common integrations we see are between risk, audit and compliance, with a heightened interest from business continuity management and strategy,” he reports.

And there is evidence that risk management software can help organisations reduce insurance costs. Brown claims that at least five major Active Risk customers have enjoyed significant savings on insurance costs as a result of their investment in ERM.

The need for risk management software and the potential benefits it can provide are clear; and the variety and capabilities of these solutions each continue to increase. While 2017 may be met with some trepidation following the turmoil of 2016, risk software providers, and their ever wider client base will be arguably better placed to prosper throughout the coming year.


This article, part of CIR's Risk Software Report, was published in the January 2017 issue of CIR Magazine.

Download in PDF format

Click here for more interviews and analysis

Contact the editor

Follow us on Twitter

Share Story: