This article was first published in Managing Business Risk – Edition 8 by Kogan Page in 2012
RISK COLLABORATION IN THE CLOUD – A NEW ERA FOR RISK MANAGEMENT SOFTWARE
Andrew Birch, Symbiant
THE NEED FOR A SOLUTION
When we first wrote Symbiant Risk Suite in 2004 most companies were using spreadsheets to catalogue risks and produce the required risk registers. Some companies had moved on to Access databases and those at the cutting edge had expensive third-party risk management software. The problem was that very few solutions were actually fit for purpose.
Risk management is not only about cataloguing the risks you are aware of or producing nice graphs or fancy reports. It is about identifying threats to the business, being prepared for those threats and managing the risks you already know about.
This was the problem then, and it is still the problem now with a lot of software solutions: they come at risk management from the wrong direction, the ‘this is what we know’ direction. Obviously you need to report on what you know, but how are you identifying new threats and managing the threats you are aware of? How do you know the controls you currently have are sufficient and actually work? And which ones are redundant, or cost more than the threat itself?
An effective risk programme needs to allow a business to collaborate on risk management; it needs to facilitate a company-wide embedded process, so all areas of the business can join in and participate. Collaboration should be the central focus of risk management. Without this you are on the path to failure; so we built Risk Suite with collaboration as a main objective.
To clarify, collaboration means all the different parts of the business fully participating in the risk process, helping to identify new threats and to measure the risks the business has identified. This makes risk management an ongoing and continuous activity across the business, involving all key staff.
A solid risk management solution should allow you to do the following:
Identify new threats.
Assess the risks.
Measure impact and likelihood with a voting tool.
Treat issues and give ownership of action plans.
Monitor the effectiveness of treatments and controls.
Communicate results so management understand the risk profile and act accordingly.
Collaborate across the business so all key staff are involved in the process.
Embed risk management as an ongoing everyday business activity across the business.
Once you have the basics in place you can then start to use the information the tool collects to make your business more robust.
When we first released Risk Suite it was unique; it was probably the first truly web-enabled solution and had a lot of features that other companies have since added to their own software. Interestingly, many popular solutions still do not include a voting tool and have no mechanism to measure risks properly or to allow collaboration across the business. Our solution was so on the mark that The Institute of Chartered Accountants in England and Wales (ICAEW) took the unusual step of endorsing it, saying:
“The Symbiant Risk Suite is an advanced and comprehensive risk solution; it’s well thought out, easy to use and understand and very powerful. A very useful tool for any risk department.”
As far as I am aware it still remains the only Risk Management solution they have endorsed.
In the wake of the 2007 banking failure it became very apparent that the way risk management was being conducted was clearly lacking in some quarters. The banks obviously had some measure of the risks they were taking, and as liquidity is a bank’s core function this will have been a managed risk. Whilst it could be argued that the banks were not fully or correctly assessing the risks, or even took an arrogant ‘it will never happen’ stance, the real shortcoming was that the banks did not have the basics in place. They were lacking in communication and collaboration, and did not have risk management embedded across the company.
For risk management to work you must have buy-in from senior and executive management, and they need to be involved in the process; that way they become more risk aware and get a better understanding of the issues. This makes it easier for them to adhere to an acceptable level of risk (having first decided what that is, got the Board to agree to it, put the measurement of appetite into the system and communicated the risk profile against that appetite).
The failure of the banks has taught us many practical lessons, which will be useless to companies that choose to ignore them, and this is why the powers that be will enforce the issue with legislation, as they are currently doing. The problem is that we do not know how far and how deep the compliance requirements will end up going. I think it is fair to say that if you are currently regulated or there is public interest in you (service or shareholding) it will affect you more than others. We can also make a good educated guess as to what companies will need to do, based on the current measures and those in the pipeline.
So the question is: if you as a company are unsure about your future requirements, how can you prepare for them? The chances are your current requirements will change in the months or years to come, especially if you are in the early stages of developing your own internal risk management procedures. It is also impractical, self-defeating and very costly to start with a sledgehammer approach. Some solutions are so over the top that they can take years and years to embed, because they are just too complicated for people to learn and use. I am aware of a company that is still trying to fully utilise the risk management solution it bought 6 years ago.
To embed risk management quickly you need to take baby steps, keep it simple and let people get used to using the solution in bite-sized chunks. We have taken this approach with many of our clients and got the solution embedded in a few months. Even the internal managers who were against moving on from the way they currently did things bought in once they joined in and realised it was easy to understand and use. The reason we give a free, no strings attached, unrestricted three-month trial of our solution is because we know our claims are true. When you’re looking for a solution, ask the vendor for a free three-month unrestricted trial and judge the excuses you get from those who decline.
For the past two years, we as a software company have been planning for our future and writing the next generation of our Risk Suite. We have taken enterprise risk management to what we believe is the next stage. We were right in 2004 and we believe we will be on the mark, or very close to it, over the next few years. We have learned what problems companies face and what information they need, or will need, to run an effective risk management programme. We have even included things that nobody, as far as we know, has even thought of, but that we believe will be useful information when assessing risks, such as a target score. To date, risk voting has used only two scores: inherent (gross) and residual (net), which show you the risk without any controls and where it currently stands. But wouldn’t it be useful to know, on some risks, where you want to get to and what your target should be? These three scores then give you the full picture: without controls (inherent), with current controls (residual) and where we need to be (target).
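As an added illustration of the three-score model described above (this is not Symbiant’s code; the 1–5 scale, the sample votes and the appetite threshold are constructed assumptions), a small register in which several participants vote impact and likelihood for each view and the residual score is compared with an agreed appetite:

```python
from statistics import mean

# The three views from the article: no controls, current controls, where we want to be.
VIEWS = ("inherent", "residual", "target")
SCALE = range(1, 6)  # constructed 1-5 scale for both impact and likelihood


def validate_vote(vote):
    """Reject votes outside the scale, or a vote claiming controls make the risk worse."""
    for view, (impact, likelihood) in vote.items():
        if view not in VIEWS or impact not in SCALE or likelihood not in SCALE:
            raise ValueError(f"bad vote for {view!r}: {(impact, likelihood)}")
    if "inherent" in vote and "residual" in vote:
        inh, res = vote["inherent"], vote["residual"]
        if res[0] * res[1] > inh[0] * inh[1]:
            raise ValueError("residual score exceeds inherent score")


def aggregate(votes):
    """Average impact and likelihood across voters per view, then score = impact x likelihood.
    A view nobody voted on (e.g. no target set for this risk) is simply absent."""
    scores = {}
    for view in VIEWS:
        pairs = [v[view] for v in votes if view in v]
        if pairs:
            scores[view] = round(mean(p[0] for p in pairs) * mean(p[1] for p in pairs), 1)
    return scores


def assess(name, votes, appetite):
    """Return the three scores plus what they tell the risk owner."""
    for v in votes:
        validate_vote(v)
    s = aggregate(votes)
    result = {"risk": name, **s,
              "control_effect": round(s["inherent"] - s["residual"], 1),  # what controls buy us
              "within_appetite": s["residual"] <= appetite}
    if "target" in s:  # only reported where the business has set a target
        result["gap_to_target"] = round(s["residual"] - s["target"], 1)
    return result


# Constructed register: two risks, each voted on by several staff; not real client data.
REGISTER = {
    "Supplier insolvency": [
        {"inherent": (5, 4), "residual": (4, 2), "target": (3, 1)},
        {"inherent": (4, 4), "residual": (3, 2), "target": (2, 1)},
        {"inherent": (5, 3), "residual": (4, 3), "target": (2, 1)},
    ],
    "Key person dependency": [  # no target set yet
        {"inherent": (4, 5), "residual": (4, 4)},
        {"inherent": (4, 5), "residual": (4, 3)},
    ],
}


def run_register(appetite=9.0):
    """Assess every risk in the register against the agreed appetite."""
    return {name: assess(name, votes, appetite) for name, votes in REGISTER.items()}
```

Risks whose residual score sits above the appetite, or well above their target, are the ones to bring to management first.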
We have also included tools to help identify ‘Black Swan’ risks that are rare but have a high impact, and areas that are often overlooked, such as the range of possible business continuity events.
We developed our new solution by working with our clients to find out where they are now, where they need to get to and what information they will need to gather and report on. Our new software is a totally flexible framework that allows us to give each client a unique bespoke solution to fit their current requirements. Then, as their needs change, so can the solution; they won’t need to buy a new piece of software in two or five years’ time. We will be able to add or change what they need, when they need it.
This approach works on so many levels. It works for us as a company, as we can expect much longer-term relationships with our clients; and it saves the client having to worry about where they are now and how that may change, because the software will fit around them as they evolve and grow, just like the skin you were born with. It also greatly reduces your costs, as you won’t need to buy new software or go through the embedding process again.
To help you understand how this type of solution will assist your business, imagine if the risk department, internal audit, compliance and customer services all shared a common solution. Each department would have different screen views and access to what was relevant to them. Selective information could be shared and reported on globally. Each department and/or division could manage their own areas, and the business as a whole could access the parts they need to use. And if a new department needed to join in, the required interface could be added almost instantly and tailored to their exact requirements. Imagine being able to see problems occurring in the business in real time, without having to wait for the quarterly management meetings, or being able to give ownership of tasks and actions to anyone in the business and have them keep you updated with their progress. A solution that is unique to your specific requirements, created just for you, and that will evolve to your future needs: fluid and dynamic.
We cannot speak for other vendors or guess at how they are going to tackle the changes that are required to current methodologies or the evolving needs of clients, but the past two years for us have been challenging. The logistics of creating a one-size-fits-all solution are enormous; we have had several rewrites and the project is 12 months overdue, but we have done it.
Whilst you may have heard the term ‘cloud services’ or even ‘SaaS’, you may not fully understand it, so I will first give a brief overview. The cloud is basically storing information on network servers rather than on your own PC; in this case the network is the Internet. Because storage has become so cheap as computer disk drives have advanced from MB to GB to TB, companies are finding it very cost effective to use this storage rather than their own servers. In very much the same way, software solutions can be hosted and run on these servers. SaaS (Software as a Service) is a very effective way for a company to use software. It requires little or no involvement from your own IT and is available to any valid user who can access the network. In many cases, including our software, all the user requires is a web browser.
We have been offering a fully hosted service since 2005 but it is only in the past few years that it has become popular and more accepted. This may be due to it being talked about more as an accepted business practice or because company IT budgets have been hit and clients are looking for ways to save money. The fact is, letting the people who wrote the software manage it for you makes perfect sense. They can keep it patched with the latest releases and solve any problems quickly without any added costs to the business.
However, using this service is a choice, not a requirement, and I only mention it because it does have many practical benefits, and many of the companies who offer these services will have, or should have, taken the required steps to keep your data safe and secure. We, for instance, not only keep our servers as secure as they practically can be, but we also encrypt the data in the database, so that even in the unlikely event that someone did manage to get past the server’s security, the data would be unreadable and useless to them.
Risk management and business compliance needs are evolving in a good way. Whilst they may seem painful and even over the top at times, they do serve to make your company more resilient and viable, so it really is worth taking the long-term view. Doing the job right doesn’t have to be expensive, but doing it wrong can be catastrophic. If you choose the right software you will find it not only makes you more efficient and your role more effective, but it will also save your company money by utilising your current resources.