February 18, 2008
Steven Minsky
New Era of Risk Management
Steven Minsky, a risk expert, highlights the differences between traditional Risk Management and true Enterprise Risk Management, which most importantly is about helping something happen - not preventing something from happening. Steven's blog helps you think about risk in a new way and how to benefit practically from this rapidly evolving new field.


May 25, 2006
Risk Software - Lipstick on a Pig?

The article by Evan Busman, "Handling Twin Takes of ERM," is a great overview of evaluating technology for Enterprise Risk Management, especially in highlighting the pitfalls of compliance software that does not address the more strategic business risk and performance management objectives of the firm. Risk Management has traditionally been associated with risk elimination, insurance and compliance. Most software vendors have predictably added some risk features onto their existing compliance packages because it is easier for them to sell. You can put lipstick on a pig, but it's still very much a pig.

The true Enterprise Risk Management approach is best described by Dan Borge in The Book of Risk: "Risk Management means taking deliberate action to shift the odds in your favor - increasing the odds of good outcomes and reducing the odds of bad outcomes." Enterprise Risk Management is about building business value in support of better decision making rather than only providing oversight of major compliance issues or satisfying the requirements imposed by external auditors. New software built from the ground up to meet the very different needs of true Enterprise Risk Management is required.

Enterprise Risk Management software must manage the complexity of an ERM program. Based on my research, I have identified the following key characteristics:

1) Root Cause: A framework that gets to the cause of issues makes follow-up straightforward and logical.

2) Motivation: Performance Management functionality that makes it easy to help line managers achieve process improvements to reduce costs, bottlenecks, and unnecessary risk translates into their embracing risk management.

3) Process Driven: Selecting the most relevant 30 to 50 key risk indicators for each core business process from thousands of possibilities.

4) Cross Functional Risk: Features to deliver a portfolio view with interactive dashboards to drill down or cut across silos to identify dependencies between risks.

5) Operational Controls: Go beyond financial controls to also quantify the effect of controls on business goal achievement while maintaining accountability throughout the process.

6) Risk Tolerance: Embedding risk management processes within the existing corporate culture from enterprise-wide board room strategy to tactical planning and analysis.

7) Maturity Model: Enable the risk management department itself to accelerate adoption of best practices, to set program objectives and measures and to manage ERM program activities.

With these criteria you can evaluate new software coming to the market from true ERM vendors and use risk tolerance to achieve the strategy and performance targets for your organization. There is more on the evaluation criteria for selection of Enterprise Risk Management technology in my ebizQ column, "The Dos and Don'ts of Enterprise Risk Management."

Posted by stevenminsky in Compliance, Enterprise Risk Management, Software

May 22, 2006
Identity Theft Risk - Are you tracking the root cause?

CNN recently published a new report, "Identity theft: The new way to rob a bank." The CNN article is about how a bank employee recently committed identity theft by selling customer information, which resulted in $12 million in losses to their employer. The folks inside are just as likely to be the perpetrator as the folks outside.

This article highlights the need for organizations to identify the root cause of risks so that appropriate action can be taken. The field of Enterprise Risk Management is doing just that. Do your Enterprise Risk Management program and tools help you to identify, assess and track issues from a root cause perspective? That is, do they track not only the losses attributed to Identity Theft, for example, but also the specific root cause that is allowing this Identity Theft to occur? For example, is it outside hackers or your employees? IT systems? Relationships with vendors?

When we hear Identity Theft, we jump to the conclusion, often incorrectly, that bank information is stolen by outside hackers, and when we hear Bank Robbery, we think of the infamous "cell phone bandit" that robbed a series of Wachovia bank branches recently.

The FBI reports that there are about 7,600 bank robberies a year, amounting to roughly $77 million in losses to the institutions. By comparison, a 2003 Federal Trade Commission report estimated identity theft losses to financial institutions at $47 billion.

There is more on root cause and Enterprise Risk Management in my ebizQ column, "The Price of Fraud," where I wrote about how Enterprise Risk Management tools are helping in the battle against fraud.

Posted by stevenminsky in Identity Theft, Risk Identification
