Author: Sid Feagin.
When I first started my career in risk management, I was a risk integrator working on a multi-billion-dollar, highly complex aircraft program. The risk management tool I used at the time was a “free” home-grown Access Database that stored information about each risk, including handling plans, action steps, and assigned owner activities. The tool itself was primarily a “dumb” database that we were too proud of for our own good and determined to keep no matter what, that is, until one day the risk tool became so overloaded it flat-lined and could not be resuscitated. It was a sad day when we realized that we had to bury our beloved risk tool and send our self-taught Access DB guru packing; however, he did make a pretty good living by being the only person that could modify the database when we needed changes. Nevertheless, after a period of mourning, I was left with one option: cremate the tool remains and adopt an “off-the-shelf” Risk Management Information System (RMIS). Initially I hated this idea, until I learned just how beneficial the right tool could be to the organization.
5 Reasons to Avoid Homegrown Risk Tools:
- Expensive: Die-hard tool owners often say the risk tool is “free.” By the time you do a true cost benefit analysis, many homegrown tools cost more than some excellent “off-the-shelf” risk tools.
- Distracting: Risk managers and other personnel become consumed trying to maintain and modify homegrown tools; thus, their effectiveness as risk managers is significantly diminished. This is not good for the organization or the risk manager’s career.
- Obsolete: Good RMIS vendors are always current on the latest standards and regulations, especially GRC; thus, they incorporate updates into their tool revisions at no cost or as part of yearly maintenance fees.
- Limiting: Advanced features like network mapping, analytics, metrics dashboards, and ERP integration are non-existent in homegrown tools. These features are necessary to look beyond individual risk events and make better strategic and informed decisions.
- Draining: Homegrown tools in general drain resources and promote what I often call “tool welfare.” Someone becomes so valuable to an organization, not because of their core product skills, but because they are good at science projects involving Access DB or some spreadsheet tool. The reality is that homegrown tools also cut against an organization’s ability to standardize which drives enormous costs into overhead burdens.
Once I sobered up and begrudgingly embraced the idea of a vendor-supported tool, I was able to reap some tremendous benefits that empowered decision making, like data aggregation and network mapping. Another benefit was for me personally. I was able to focus on facilitating and improving risk management capabilities, much to the betterment of my career.
5 Benefits to Purchasing a Vendor Supported Risk Tool:
- Process enforcement. RMIS tools often have a workflow designed into them; thus, they enforce the organization’s risk management process and increase user adoption across the organization. This benefit also ties directly to supporting a Board’s need for assurance around risk governance.
- Strategic analysis. RMIS tools provide various methods of aggregating and linking risks to each other to show relationships and other information. These are very powerful decision-making capabilities that enable leaders to look beyond a single risk instance and think more strategically.
- Improved communication. Typically these tools integrate with email and other systems; thus, they provide a constant flow of timely information to ensure that risks are managed and kept current.
- Internal audit support. Robust features provide auditors and leadership with the ability to extract activity reports that can be used to assess the effectiveness of the organization’s risk management processes as well as adherence to compliance requirements.
- Regulatory compliance. Many RMIS tools “bake in” regulatory requirements such as Sarbanes-Oxley, Earned-Value, and other legislation requiring risk management integration. This can provide a very effective pathway to compliance.
After you understand the benefits of an RMIS and have funds allocated to invest in a tool, there may be a tendency to pick up the latest Gartner report to start calling vendors. Unless you want to throw away your capital allocation and be sacked with frustration, I highly recommend following these simple steps before you call a vendor:
- Know and document your risk tool requirements. Requirements use “shall,” “will,” and “must” language and should support your risk management process. Requirements are non-negotiables when it comes to the tool supporting the organization’s risk management needs. At no time should the tool dictate what your process will be; however, all too often, companies end up with risk processes that are dictated by poor tool choices.
- Understand your non-recurring and recurring budget needs for the tool: many tool vendors embed hidden fees in their contracts. Know and understand your budget limits in order to set proper boundaries with tool vendors, and plan on evaluating 3-, 5-, and 10-year cost models, as vendors will scale maintenance fees up over time.
- Align tool expectations with leadership and the process. Make sure that leadership’s needs for risk management information are well understood and that the tool requirements support those expectations. The last thing you want is a career-limiting move where leadership hates the tool that you just spent many thousands of dollars on.
- Ensure that you are tool agnostic: There is a lot of money and investment at stake when purchasing a risk management tool. Don’t succumb to slick presentations. Make sure you do your homework and select the right tool based on objectivity, not emotion or what your fellow risk managers are using at some other company.
- Try the tool first, try it again, and yet again, and then buy, maybe. I will take the liberty of being redundant but all too often, buyers become enamored with slick presentations and sales talk. Don’t fall for this! Use your requirements list to create a scorecard and be as objective as possible.
- Incorporate the IT organization into the discussions as early as possible to ensure that special back-end software, servers, or other IT resources are not required. These unexpected requirements can drive costs up exponentially and may even compromise IT systems.
- Develop an RFP with all of your risk management and vendor requirements before you reach out to any vendors. They will appreciate the document and either bid or no-bid the tool. This gives you a competitive position and keeps unwanted vendor contact suppressed.
- Continuity clauses should be part of the negotiations. Assume your tool vendor may go out of business or stop supporting your tool: you should always make sure that you gain ownership of your instance of the software and the code until you can find a new tool.
Risk tools can be a significant investment ranging from $50,000 to over $1MM; however, with the right planning, you can maximize the investment and avoid many common and costly mistakes. Simply following the tips outlined will provide you with a better vendor experience and assurances that you are investing in the right tool for the right outcomes. Once the risk tool is operational, you can focus your attention on being an effective risk manager and delivering greater decision-making capabilities to organization executives.
Sid Feagin is a risk management Subject Matter Expert who has organically designed, implemented, and managed numerous risk management processes to support Enterprise Risk Management, Supply-chain Risk Management, and Project Risk Management across many industries. His processes have gained the attention of senior government officials, Board members, and Corporate Officers and have also led to substantial cost avoidance, savings, and efficiencies well into the millions. Known for his sustainable and executable solutions, he provides fractional risk manager services for companies seeking to outsource non-core competencies, as well as risk management coaching and consulting.