It’s Thursday September 13th and our latest edition of the Feagin Company Weekly Risk Report: What you need to know to stay current in risk management. Visit our website at feaginllc.com.
Risk Tools – Technology in Risk Management
Peter Firstbrook, Research Vice President at Gartner stated “security and risk management leaders have operated in the shadows for a long time. Now it’s their opportunity to shine.” He’s right! Security breaches, C-level jobs being threatened for inadequate risk management, complexity in external and geopolitical risks, and complexity in the supply chain are among those things driving risk management leaders out of the back office. Also a driver, companies can no longer focus on compliance and insurance as an adequate hedge to protect the organization. Visibility into risks is critical and technical solutions can help.
In my career, I’ve worked with Fortune 50 companies all the way to mid-cap firms who, incredibly, manage their risks on spreadsheets. Yes, enterprise risks are predominately managed on spreadsheets, even at large firms! There was a time when I thought that was adequate but not anymore…not after I personally benefited from the power and insights of Active Risk Manager. Spreadsheets are convenient, easy to manipulate, and in the grand scheme of things, low cost; or, are they? In reality, they are useless in understanding the complexities of complex risk environments and establishing interrelationships across the organization. OK, I hear some of you arguing already that your spreadsheet is working just fine and you can do all these neat tricks with it. Good for you but don’t go there. I’ll make the argument that I’ve seen risk managers, time and again and myself included, become beholden to their spreadsheet tool and end up on what I call “homegrown tool welfare.” Not good for you and not good for your company! Are you a risk manager or an Excel spreadsheet jockey? You decide. I chose the former.
Top 10 Mindset
Companies that use spreadsheets predominately focus on managing their “Top 10” risks but I ask, what company has only 10 risks or even 20? Again, experience speaking, each functional group within a company can have its own “Top 10” risk list, any of which are capable of causing catastrophic damage to the organization if they occur. Companies that use a risk tool see risks differently and more strategically. They handle the risks more effectively, more proactively and their process capabilities are far more mature. In other words, their risk management capabilities become a competitive advantage over their industry peers. You read that correctly…the right risk tool, with process, can create significant competitive advantages. It also drives stronger compliance and strengthens the risk culture. Been there, owned it, did it.
A hot topic in risk management but there’s a serious fault in the approach of many organizations…so much data, so little time…can lead to diminishing returns, counter productivity, and science projects you don’t need. Analytics are good BUT, they are not a “silver bullet’ by any means. Most organizations using risk analytics platforms do so myopically within a particular function and rarely does this information or the insights translate to the enterprise risk level. In fact, most C-levels I’ve worked with are often confused by the data and lack clarity and confidence to make decisions with it…going with gut instead. Analytics practitioners, don’t fret, I’m for you but your work is in vain if company risk communication and management capabilities are not set up to take your good work and make usable sense of it. I’ll dive deeper into analytics over the next few weeks…it’s a big topic.
I’ve gained tremendous insights into risks by using these methods to identify and understand them: You can find them here and it doesn’t cost much to use them… just the desire to learn and practice. Best compliment I received on the analytics and information these simple tools provided: the President of a multi-billion dollar company told me he doesn’t make any decision without using the SIPOC tool I taught him and his leadership team. It’s a 5-10 minute exercise in many cases and can help identify and mitigate risks before they occur.
Considerations – Risk Management Tools
Some things to consider…
- What are your organizational requirements?
- Are you managing the right risks? You can check this by comparing risk lists year over year with loss-runs, root causes of issues, and profit-loss statements against the risks you were or are managing.
- What are your goals with risk management? Strategic management or compliance? Compliance only? Just use the spreadsheet…even PowerPoint can take care of this “head in the sand” mindset. Watch out for class action lawsuits if your goals are strictly compliance driven; anyone can check a box.
- Investment and return…don’t forget to subtract the cost of those employees on “tool welfare” when you calculate returns on a risk tool investment.
- Economies of scale: in some cases, risk tools can manage issue tracking and continuous improvement efforts. In one scenario, we were able to sunset over 40 disparate IT tools by using a risk tool solution. Translated…over $10MM in annual savings.
For additional insights into risk tools, read this post I released in January 2016.
Solutions – Risk Management Tools
There are a lot of solutions out there…while I agree with Firstbrook’s quote above, I’m often skeptical that the reports put out by Gartner and the like are free of bias. I’m not alone and there is plenty of opinion out there on the topic for you to read about. Here are three tools to consider:
SWORD Group’s Active Risk Manager
I have extensive experience with this tool and found it to be easily configured to manage risks vertically and horizontally across the organization up to the enterprise level where I could see strategic information and handle it as such. Strong on compliance, process and project risk management as well. Very well suited for heavily regulated industries like Aerospace and Defense, Healthcare, and Pharmaceutical, especially those industries requiring classified or near classified management of data. Well rounded tool but upfront configuration is critical. Get it right and you have a Ferrari.
This solution integrates with existing SAP ERP platforms and covers the full spectrum of risks, including GRC. It can be costly and the KPI functionality is yet to be seen as functionally operational by me although I have sought it out. Companies with existing SAP ERP/HANA may find this to be a good solution and even obtain discounts based on current vendor relationships. Don’t go on price alone however. If you use SAP ERP solutions, shop around as you may find that your risk tool doesn’t need to be integrated with the company ERP system.
One of the first, if not the first risk tool companies to mount their solution on the cloud. Highly secure, configurable, scalable, and excellent visual representations. They have a strong presence in the retail and technology industry and may find favor with risk managers whose focus is primarily on insurance mitigation. The tool is considered a “visionary” according to Gartner’s 2018 Magic Quadrant.
Full disclosure: we are an ARM Partner and help companies integrate and optimize their ARM solutions. Bias accusation? That’s fair but in a recent client engagement where we helped an organization select their risk tool, independence was key and SAP GRC was selected. Our interest aside, what matters is what is best for your organizational needs and we put that first. I know all too well that once you invest in a risk tool, it’s a longterm commitment. Make the right choice and remember, risk tools are not and never will be “one-size fits all.”
- Alibaba’s CEO, Daniel Zhang, succeeded Jack Ma as Chairman of the Board on September 10th. Chairman and CEO dual roles are becoming more of a concern among institutional investors and regulators due to the potential for “unchecked” power.
- President Trump has given the Palestinian Mission a month to pack their bags and leave DC. Palestinian Leaders are weighing retaliatory measures against the US as a result.
- Risk management in the shipping industry may have some weak spots. Here’s a good read for anyone who relies on international vendors…supply chain.
- Cholera outbreak hits Zimbabwe…state of emergency declared.
- Russia’s largest war game simulation since the collapse of the Soviet Union, Vostok 2018, is underway. Chinese participation includes over 3,200 troops, 800 combat vehicles, and 30 aircraft. NATO concerned that Russia is preparing for a large scale conflict.
- Czar Putin wants a peace deal to end the 70 year dispute of the Kuril Islands with Japan. Former Russian Deputy Foreign Minister Georgy Kunadze doubts Putin’s sincerity while Putin says “Russia is a peaceful country.”
- Typhoon Mangkhut takes aim at 10MM people in the Philippines…a hub for semi conductors, copper products, and coconut oil among other things. Hong Kong could be next. Supply chain ripple effect…beware.
- Japan, a critical supplier for many companies, has been battered by a number of earthquakes and typhoons that have recently hit the island country.
- Hurricane Florence traveling at 5 mph with 120 mph winds…approaching the Carolina coast. These factors are predicted to lead to massive amounts of rain being dumped across the coastal areas of the Carolinas.
- Risk analytics
- The Takedown