Risk Management Information Systems
26 May 2022
Introduction – using Risk Management as a decision-making tool
“Organisations must develop the competence to use risk management as a decision-making tool and not merely as a compliance tool. Unfortunately, many organisations continue to lament that their risk-management processes do not provide a competitive advantage and are not a helpful tool for decision-making. An organisation’s governance policy should ensure that the organisation is making the best decisions possible and, to this end, directors and executives must demand more than a risk register, a report, or a heat map. They need to ensure that a structured process exists for improving the quality of decisions and the avoidance of costly errors at all levels throughout the organisation.”
The above is an extract from chapter 4 of the IRMSA 2021 risk report Section 4 on “Competencies we need to own our future”
What are some of the barriers to implementing an effective risk management system?
- Data that supports risk management is often captured in various disparate systems across the organisation. For example, key indicators, loss events, transactional data analytics etc. are managed by specific point solutions. These are often not integrated effectively into a risk management system.
- Risk management operates in silos with the result that the cause and effect across multiple areas of the business is not realised. Risk management is meant to act as an early warning system but it can only do so if risks and causal factors are linked intelligently across business and operational units. Risks do not normally just occur (unless a black swan event); they are normally the result of a build-up of events with many warning signs across various areas in the organisation. A common library of risks, contributing factors, controls with intelligent linking across business units and levels ensures that your risk management system acts as early warning system.
- Data is captured in Excel for the sake of risk management compliance. Unfortunately 100s of risk registers in Excel add very little or no value to an organisation. Whilst Excel is easy to use and familiar to the end user, it is a lost cause for those trying to derive any meaningful insights from the data. For example, it is impossible to pull accurate, up to date, consolidated reports with trends, up to date mitigation plans, not to mention drill-down dashboards with predictive analysis.
- Risk information is not kept up to date. Risk registers are updated intermittently. Regular risk and control self-assessments go a long way to more up to date information but often this information is based on gut feel and needs to be verified by 3rd line defence such as audit. Continuous risk monitoring using key risk indicators linked to real-time data analytics provide up to date information.
- Risk information is often too subjective (qualitative risk rating) rather than driven by facts and figures. Whilst risk management is part art and part science, the quantification of risk is often lacking. Key risk indicators linked to real-time data analytics assist with a more objective and robust risk rating methodology.
- Resistance from users and management. A risk management system provides an effective way to monitor and track action plans including audit trails. People don’t generally like to be monitored so revert back to Excel where there is very little monitoring and accountability.
- The famous adage: ‘garbage in, garbage out’ is a major problem especially where risk information has been maintained manually in Excel with no data integrity, no common risk taxonomy, no common risk & control library, no look-ups, no centralised database etc.
Why Excel doesn’t cut it?
- Data is not very well structured (inconsistent columns and naming conventions, free text, too many versions floating around),
- Limited data validation (free text versus drop down boxes),
- Duplication of data, quality of data, completeness of data, validity of data is compromised,
- Multiple ‘versions of the truth’ with little or no version control,
- Information is not automatically stored and consolidated in a single repository,
- Security access to data is non-existent in many cases,
- Excel is silo based and ignores interdependencies across business units and users etc.,
- Excel spreadsheets can’t easily be shared / worked on at the same time,
- It’s not possible to perform aggregated reporting without a lot of manual intervention,
- It’s not possible to generate trend reporting without a lot of manual intervention,
- Excel is a static system as opposed to a ‘living’ system and does not have the ability to send out automated email notifications, reminders, escalations etc. based on system triggers,
- Complex spreadsheets are ‘lost’ when the owner leaves / moves on and re-invented again by the new incumbent.
- No centralised database supporting data integrity and the sharing of information.
- 1000s of hours of wasted time is spent by expensive resources trying to cobble together management reports that could be generated by a database driven solution at the click of a button…. Provided users are capturing and updating their information in the system.
What should we be doing better?
- Get buy-in from the top for risk management and demonstrate value.
- Drive an effective risk management process with a common risk taxonomy across all lines of defence.
- Ensure the identification of relevant risk information, limiting the ‘garbage in, garbage out’ factor.
- Embed a living system at all levels of the organisation facilitating up to date risk registers, continuous monitoring, remedial action plans and continuous control improvement.
- Deliver insightful, up-to date, business decision reporting.
An organisation cannot manage its risks effectively without a risk management system, however, as with any system it is a case of garbage-in, garbage-out, so commitment to the risk management process and a system is fundamental to effective risk management.
Mature Risk management is forward looking, predictive, supporting business resilience and sustainability. Risk management when performed effectively, enables an organisation to continually scan and evaluate an ever changing landscape to make sure that new or existing opportunities are exploited and that risks are identified, prioritised and managed on an ongoing basis.
Written by Jonathan Crisp
Director – BarnOwl Risk management and Audit Software Solutions