Successful enterprise risk managers are a rare breed. They must have (1) confidence to be trailblazers, (2) enough savvy to delicately handle sensitive communications up and down an organization, and (3) incredibly thick skin to endure the finger pointing when any risk management failures occur.
While the requisite independent, self-confident ego has a tendency to resist third-party support, most risk managers recognize, although sometimes grudgingly, there is a role for risk management consultants and risk management software in their organizations. So, what is that role?
Based on the enterprise risk management trends observed in the most mature programs in large financial institutions, as well as the dynamics of early-stage ERM adopters in other industry sectors, risk management program development is an evolutionary process. Each organization must build their own approach considering their unique risk culture, risk appetite, and resources capable of identifying, assessing, and addressing risks.
There are very few third-party solutions that are robust and/or flexible enough to meet these unique enterprise risk management implementation demands from initial to mature phases. In turn, risk managers must create their own enterprise risk management framework and set a long-term program deployment plan leveraging third-party risk management solutions when needed to overcome organizational challenges as the program advances through ERM maturity stages.
It is important to first note what risk management consultants and risk software products cannot provide. They cannot impose a risk framework, specifically identify key risks, or set a risk appetite for individual organizations. While they can support these important components of risk management processes, a company’s risk manager, front-line decision makers, and executives hold the ultimate authority and responsibility to establish these parameters in line with the unique characteristics of their business and corporate culture.
What business value can risk management consultants and enterprise risk management software vendors provide enterprises?
- Based on feedback from successful risk managers and the perspective of risk management consulting firms, risk consultants can suggest and help implement effective enterprise risk management processes, help deploy supporting technologies, provide peer group benchmarks, identify organizational change requirements, quantify specific risks, help establish key risk indicators (KRIs), and assess the corporate value of risk management programs.
- From a product perspective, the core value of risk management software can include supporting risk data management, providing risk analytics tools, assuring controls, and enabling efficient risk reporting. Recent technology advances create a tremendous opportunity to accelerate capabilities for big data management, analytics, reporting, communication, and data visualization capabilities within risk management programs.
For a view of what capabilities and value risk management consultants and risk management software vendors should provide to meet customer needs, a Zurich-sponsored Harvard Business Review study presents a broad cross-industry and business-size view for current gaps in delivering on risk program expectations. Nearly two-thirds of the 1,419 business executives surveyed indicated their company’s risk culture was still basic or reactive. In this context, consider the gaps in delivering on the top-rated risk program capabilities expected by these executives:
- Link risk information to strategic decision making (34% consider this an important capability vs. only 14% who believe they are doing it well)
- Embed a risk-aware culture at all levels (34% vs. 11%)
- Embed risk management practices/responsibilities into strategy and operations (30% vs. 12%)
- Ensure all decisions are within corporate risk tolerances (28% vs. 11%)
- Drive risk mitigation activities (28% vs. 10%)
- Proactively identify current/emerging risks (29% vs. 10%)
- Regularly analyze and report on risk data (25% vs. 11)
- Aggregate risk types for a holistic enterprise risk picture (21% vs. 8%)
- Identify and assess risks both within and outside the organization (18% vs. 8%)
- Leverage enterprise risk management for competitive advantage (17% vs. 8%)
The message for risk management services and ERM software vendors? Set your offering development goals to extend beyond support for risk identification, data management, and risk assessment processes. This means enabling more efficient risk reporting communication and embedding risk-aware guidance for both strategy and front-line decision makers. Simplify reporting forms and processes to encourage more frequent consideration of risk strategy in both daily operations and strategic business decision-making processes.
Enterprise risk management companies providing software, services, or information should not impose new ERM framework requirements on their customer's organizational decision makers. Instead, they should help integrate risk management principles with existing business processes to encourage a risk-aware culture across enterprises.
If you are a risk management service or software vendor interested in assessing where your offering value can expand to meet more of your customers' needs, contact IMT to find out how we can help. IMT industry market research consultants conduct custom research projects to assess vendor perception, value statements, offering portfolio, and capabilities in the context of specific customer interests. Contact us for customer insights, win-loss analysis, customer needs research, and more.