For more details go to Symbiant News...
The Total Risk Management Software Solution
6 Benefits of Internet/Intranet-based Risk Management Software Solution
Current state risk management
95% of organisations use Excel for risk management purposes (per the annual US-based IIA technology survey). Many also use voting technology with keypads in risk management workshops.
These technologies help record the results of the risk management process and, in the case of the voting technology, they facilitate measurement of the risks to the organisation. But that is all they do.
The Australia-New Zealand standard for risk management details a number of steps in the process: context (identify business objectives) – identify risk – assess risk – measure risk – treat risk – monitor treatment – communicate. A risk management tool needs to enable each step of the process and Symbiant Risk Suite does.
Workshops may give you a list of risks and a measurement of them; but workshops tend to take place infrequently and often, only at certain levels of the business. Risks, on the other hand, tend to make themselves known at awkward times and unexpected locations.
So what else is available to organisations wishing to embed a risk management framework?
6 things that a technology solution can do for you
Here are 6 things you get from implementing an intranet-based risk management tool like Symbiant Risk Suite
Participants log on to the system and log risks they see to the achievement of the business objectives of their function, project, process or organisation as a whole. The administrator then moves the process on to a voting stage producing risk maps and registers, then on to a treatment stage where actions are proposed and voted on, and finally a tracking process to confirm that the actions have been implemented. In short, it facilitates every step of the risk management process.
This is performed over a period of time that may comprise say, two weeks for participants to log the risks they perceive, another two weeks for them to vote on the significance of the risks identified by all participants, and a similar amount of time (possibly with different participants) for determining what actions should be put in place.
And the benefits this approach brings to an organisation are as follows:
1. Quality
By having an individual log a risk, you can ask them to fill in a large amount of relevant information. Thus, a risk may not be simply “competition”, but instead be specified to include the downside, the processes and departments affected, and what control, if any, exists to manage or mitigate it.
In addition, the relationship of this risk to other potential risks can be identified – risks that really hurt your organisation usually crystallise together. This detail is a long way from the simple identification of “competition” in a workshop.
2. Speed
When the administrator moves the workshop from the identification phase to the voting stage, the participant logs on and sees a voting form with guidance on the values they can input. Whereas workshops take 3-4 minutes for each risk, the intranet vote can be done in seconds; the overall task is thus much shorter and any reticence occasioned by a fear of a lengthy process can be banished.
3. Upside
If the potential upside of a risk is identified early on, then the risk may be turned round, turned into opportunity.
The risk identification page shown above asks for upside risk to be identified, and thus it has been considered before the step in the process when the treatment is determined.
When, say, competition risk is considered in detail, the upside may be the opportunity to get into a product or service where the competition is weak or has nothing to offer; doing that will then reduce the impact of existing competition on your organisation.
The risk management process will have led the participants into creating value, not just protecting against threats to value.
4. Embeddedness
The Turnbull report that brought enterprise risk management into good corporate governance recommended that the process be “dynamic, continuous, and embedded”. (at this point it should be noted that the ICAEW who were behind Turnbull have chosen Symbiant Risk Suite and Symbiant Tracker as their internal software solutions).
Embeddedness is an awful word but you know you have attained it when people just do it as a matter of course, as an everyday action.
Symbiant Risk Suite facilitate multiple virtual risk workshops with a wide range of people; workshops which can be set up and run with whatever frequency you desire, and with little administration overhead. Reporting is flexible, graphic, and immediate.
And as an ongoing process, you can monitor hits and near misses, reports of potential new risks identified by a network of “risk champions”, and traffic-light reporting of key risk indicators from around the business.
5. Risk Appetite
The IPSB (Integrated Prudential Source Book) requires financial services organisations to define their risk appetite. So do Stock Exchange Listing guidelines. So does the Treasury’s Orange Book. None of them say how to do it. Symbiant Risk Suite allows you to set a score for risk appetite by risk category and report on it in the risk register or as part of a risk map. If you prefer, risk appetite can be voted on by individual risk. You then compare the risk appetite score to the net risk score for individual risks to see if the current exposure is outside your appetite – in which case, doing something about it becomes a matter of urgency. Appetite refines the risk map and risk register – it may be that you have a high impact/high likelihood net risk but you are happy with it, you are deliberately and consciously taking that risk, accepting it (involvement in China is frequently in this bracket). However there may be a much lower risk which is nevertheless unacceptable to you, it is outside your appetite or tolerance. If you did not factor in appetite, you would probably not notice the latter risk, and spend too much time trying to lower the former risk which you have actually already accepted.
6. Treatment and Tracking
Deciding what you want to do, how much time, money and effort you want to spend on putting something in place to manage a risk is a separate step in the Risk Suite process. Participants propose actions they deem appropriate and other participants log their agreement or propose alternatives.
At the end of the treatment phase, the most popular actions are accepted and passed through to the tracking phase that provides management with a ready status of where the organisation is at in terms of preparedness for handling risk, and pro-activity in exploiting it. This is surely something that all stakeholders in the organisation want to see.
Enterprise Wide Risk Management System
Operational Risk Management Software
Enterprise Risk Management System
ERM Solutions
Copyright 2006 Symbiant
To Order a free 3 month Trial of Risk Suite
Click here
Click here