Your credibility is very important. For this reason, it is important that you deliver what you say you will deliver. If you fail to successfully implement a project, a risk management initiative, an audit programme or a compliance programme, not only will you have wasted time, money and resources, but trying to engage people in another initiative in the future will be challenging! Tony Harb, risk specialist and auditor, looks at some risk management and internal audit software options and provides organisations with strategies to improve the chance of successful implementation.
Types of Software
When people think of risk management and internal audit technology, most think of complex programs, code and relational databases. This need not be the case.
In a 2009 survey about Enterprise Risk Management (ERM) Technology Solutions conducted by the Risk and Insurance Management Society (RIMS), there were broadly three types of information technology used in ERM:
- Desktop software such as databases, spreadsheets and word-processor documents;
- Purchased ERM software or “off-the-shelf” software you can license and configure; and
- Custom built ERM software that is purpose built by either internal or external developers.
The RIMS survey revealed that desktop software such as spreadsheets was the most popular type of ERM technology, used by 52% of respondents.
Research into risk management practices in NSW Local Government, conducted by InConsult in 2006, revealed that the most popular type of technology used by Councils was also desktop software. At the time, a number of Councils were attempting to introduce purchased ERM software that subsequently delivered little more than functional gaps and disappointment.
The RIMS survey revealed that purchased ERM software was the next most popular with 38% of respondents using this type of software.
The rise and rise of purchased software
Desktop software may be the most popular, but purchased software is the fastest growing type of ERM software. This growth has been fuelled by improvements in technology, easy access to the web, improved web browsers and technology-savvy Generations X and Y.
But that’s not all: a spate of major corporate failures around the world led to a significant increase in the laws and regulations demanding proactive and structured risk management and compliance initiatives, and this has increased demand.
After the collapse of HIH, the Australian Prudential Regulation Authority (APRA) introduced a series of prudential standards to ‘mandate’ minimum standards of risk management, governance, internal audit and capital management practices. Similarly, after the collapse of Enron and WorldCom in the US, legislators introduced the Sarbanes-Oxley Act (SOX), which mandated improved risk management over the accuracy of financial statements. Whilst SOX was not enough to stop the failures relating to the sub-prime loan market, it did reduce some of the ‘creative accounting’ risk!
To purchase or not to purchase
For many organisations, desktop software works well enough for risk management, well enough for compliance and well enough for internal audit programmes. It works well because each area can easily customise its own spreadsheets, quickly edit documents and quickly produce basic reports. Basic desktop software often requires little or no user training; documents can be emailed, stored, backed up and accessed easily.
The problems start to arise when an organisation’s risk management framework matures and it wants the various governance functions to work together to leverage the information, align processes, produce better reports and involve more people. In this scenario, desktop software starts to become limiting: adding security and access restrictions is difficult; version history and audit logs get cumbersome, if they exist at all; scalability is difficult, as to change one document you will need to change all 20; and reporting gets cumbersome as you draw information from many source documents, hoping that all the data is up to date, accurate and the latest version.
If spreadsheets alone are not good enough to be used as an organisation’s financial information system, if flowcharting software is not good enough to be used for engineering diagrams and if mail merge alone is not good enough for managing customer records, why should desktop software alone be sufficient for managing an organisation’s many risks, analysing controls, managing various compliance obligations, tracking incidents, conducting internal audits and reporting to the audit committee?
Are the risk management, governance, insurance, compliance and internal audit functions any less important?
Tips for implementing risk and audit software
- Purchasing ERM and audit software and expecting it to solve all your problems is the first big mistake an organisation can make. Organisations should ensure they have a well-defined risk management framework and an adequately resourced (‘well resourced’ may sound too extravagant) and managed internal audit function. Good software will complement sound business processes but will not create the processes for you.
- Don’t “dump” the purchased software on the users. We recommend you start evaluating the options whilst you formalise your ERM framework, select the most suitable system when conducting risk management training and then use the software during the risk workshops. This is bound to impress the risk owners, and take-up will improve.
- Selecting the right vendor is critical. Many “software houses” will sell you ERM software. But ask them a technical question about risk management (say “risk appetite”) and they will refer you to their external consultants to support you; often at extra cost.
- Don’t be fooled by a sleek-looking system. In fact, be extra careful. Many systems look “attractive” but lack good basic functionality. The salesperson tries to impress you with the graphic design, a few “exciting” features and the overall look and feel. My tip: have a list of requirements and ensure the demonstration focuses on your needs. The extra bits will be nice to have.
- Talking about extras, ensure you establish the full cost up front. Many software vendors suck you in with the basic package and then on-sell user training, implementation support and system customisation for extra fees. Any additional functions that need to be “turned on” will cost extra.
- Let us be realistic: no system will ever provide you with 100% of your requirements. Even finance, human resources and payroll departments are not satisfied that their software does 100% of what they want, but these systems do the job well.
- Finally, a survey by IT research group Gartner revealed that organisations that purchase separate software for each compliance requirement will spend up to 10 times more on software. It is important to consider integrated governance systems, as there are many synergies between the risk management, WHS, internal audit and compliance functions that can be brought together.
Choosing an appropriate ERM, internal audit and compliance software solution is not easy but at some point in the future, your organisation will almost certainly implement one. Choose wisely!
Tony Harb is a risk management specialist and local government internal auditor. He can be contacted on 02 9241 1344 or firstname.lastname@example.org.