First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

By Norman D. Marks, CPA, CRMA | 3 Minutes Read August 18, 2021

Selecting software for risk management

A number of people have asked me about the future of risk management.

I can tell you that I am seeing progress!

You won’t necessarily see this in surveys, for example those of the ERM Institute – which show no improvement, even possible degradation in the maturity of risk management programs.

But I am seeing it in a couple of areas:

  1. Practitioners who, based on their comments to my blogs, have not only embraced the need for change, but are on that journey. They are moving (or have moved) from the periodic review of a list of risks to a form of risk management that is more continuous, enables effective decision-making, and is focused on helping the organization succeed. This is what I talk about in Risk Management for Success.
  2. Software vendors are starting to see the light as well. Some have been in touch with me to tell me how they are moving their products in the direction indicated in my book. They are emphasizing the need to be objective-focused and help organizations understand the likelihood of achieving those objectives.

This latter is reinforced by my good friend Michael Rasmussen in his post from early November: Rethinking Risk Management RFP Requirements.

Here are some excerpts with my comments.

  • Organizations need to get beyond the marketing hype of buzzwords and misleading analyst rankings to really understand if the technology can deliver on the requirements of their risk management maturity journey.

I agree, but let’s also agree that a ‘risk management maturity journey’ is not about identifying and reviewing a list of risks every so often.

  • This involves a clear understanding of where you are now with risk management and where you want to be. 

Yes, find a solution that meets your needs for now and also for your future. It’s less about ‘risk management’ needs and more about the need for insight and information to fuel effective decisions.

  • There are basic risk management solutions that do ease the pain of human capital efficiency (e.g., time) in not having to manage documents, spreadsheets, and emails. But these are basic and typically aimed at tick-box exercise for risk management that is more of a qualitative compliance exercise and not true risk management. Mature and valuable risk management is more than forms, surveys, workflow, and tasks and requires risk quantification, modeling, analytics, and reporting that is aligned with business objectives and in the context of business objectives. It requires seeing the complex interrelationships and interdependencies of risk. 

The key here is that it is all about ensuring people have the information they need about what might happen to make the informed and intelligent decisions necessary for success.

  • ISO 31000 states that ‘risk is the effect of uncertainty on OBJECTIVES.’ So good risk management STARTS with performance and objective management. These can be entity-level, division, department, process, project, or even asset level objectives. Risk needs to be understood in the context of objective. 

Yes, although it would be interesting and beneficial to turn that on its head.

Objectives need to be understood in the context of risk (which includes opportunities).

  •  Risks cannot be understood and managed in isolation. 

Yet, everybody does that over and over again.

  • RISK VISUALIZATION IS MUCH MORE THAN HEATMAPS!!! 

1000% correct.

My question is this:

Are you evaluating software based on how it will help people get the information they need for informed and intelligent decisions, or are you limiting your sights to what is needed for compliance purposes?

I welcome your thoughts.

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Article by Norman D. Marks, CPA, CRMA / Business, Information Technology / Analytics, business objectives, modeling, risk, risk heat maps, risk management, software, workflow
