Enterprise Risk Management Software: User Requirements

Dražena Gašpar (University of Mostar, Bosnia and Herzegovina) and Mirela Mabić (University of Mostar, Bosnia and Herzegovina)
Copyright: © 2018 | Pages: 29
DOI: 10.4018/978-1-5225-3704-5.ch007


This chapter presents research results on user requirements related to enterprise risk management software. The authors developed a questionnaire to investigate the standpoints of risk managers, quality managers, and others in charge of risk management regarding the functionality they expect risk management software to support. In today's globalized and volatile world, the recognition, understanding, and management of risks is critical for an organization's survival. Adequate software support enables organizations to take an innovative, risk-based approach to governance and compliance and to gain a holistic, enterprise-wide view of risk exposure and near-real-time risk management and monitoring. Research results show the main attributes that risk management software should have in order to fulfill user expectations. The chapter also provides some important guidelines and suggestions for risk management software development and improvement.
Chapter Preview


This chapter presents research results on user requirements related to enterprise risk management (ERM) software. This research was based on a survey of companies in Bosnia and Herzegovina, and it is a continuation of the preliminary research conducted by the authors in 2015. The preliminary research was based on a limited number of respondents (41), namely participants of a risk management seminar organized by Oskar, a center for development and quality in Zagreb, Croatia. This preliminary research was used to test the questionnaire developed by the authors in order to investigate the standpoints of risk managers, quality managers, and others in charge of risk management regarding the functionality they expect ERM software to support. The results of the preliminary research showed that most respondents did not use ERM software. However, they were aware of the importance of ERM software for efficient risk management, and they declaratively supported the purchase and implementation of that software. According to the preliminary research results, there was no need to substantially change the questionnaire for the new research.

Today, organizations face global challenges regarding competition, resources (human and physical), business safety (especially digital data protection), exposure to terrorist attacks, and so forth. Generally, the world is becoming less benign, with more discontinuity and volatility. Organizations’ viability and success in this increasingly volatile world heavily depend on the extent to which their managers are aware of the environment in which they operate and keep up with the changes, and on how fast and how successfully they can respond to them. This means that managers must think in multiple time frames: they must work on immediate tactics to counteract new threats (competition, market changes, etc.) and, in the long term, work on the selection and development of new long-lived capabilities. Managers and risk managers across all lines of business have become accountable for a sustainable risk framework.

Although heads of successful companies have always given a certain degree of priority to risk management when handling daily business, they usually deal with individual risks one by one as they occur instead of having an integrated and proactive approach with the entire organization in mind. This is called the silo approach. A silo approach is when individuals or departments within an organization deal with a risk facing their own unit without considering that the entire organization (and, in particular, its overall reputation) is exposed to the same risk. A silo approach can be very dangerous in a globalized, complex, and volatile business environment. Such an environment needs a team of various people with different risk knowledge and experience working together in continuous interaction and coordination. Providing an efficient, integrated, and overall risk management approach is extremely demanding, and even impossible, without adequate software support.

Many ERM software solutions are available in today’s market, but they differ in features and maturity. Most organizations are faced with the problem of how to choose the appropriate software solution for their risk management processes. Finding the right software that will suit the organization’s needs is not always easy, but it is even more demanding to adjust the organization to the software’s requirements. Therefore, the software solutions that offer adaptability to user requirements can significantly shorten the implementation time. A major challenge in selecting and implementing risk management software is that there are many variations in the practical implementation of risk management, especially at the detailed level.

In order to ensure a structural approach to risk management, risk management frameworks like COSO Enterprise Risk Management and ISO 31000:2009 were developed. Risk management frameworks define activities that are required to manage risk effectively. Activities for managing issues and opportunities are not explicitly specified in the risk management framework. Although risk management can be integrated with issue and opportunity management, the details for achieving an integrated approach to managing risks, issues, and opportunities are beyond the framework’s scope. The framework is implementation independent: it defines key risk management activities but does not specify how to perform those activities. In particular, the framework helps to provide a foundation for a comprehensive risk management methodology and a basis for evaluating and improving a program’s risk management.
