Howard Javies, chief information officer of Act Now Inc., was pumped. This was one meeting he was looking forward to: selecting and implementing an enterprise risk management software application that would best serve the risk management and compliance needs of his multinational employer. This was his area of expertise, and getting other department heads to agree was going to be a slam dunk, or so he thought. So, there he was, looking sharp in a new suit, projecting confidence and expecting to take charge. Department heads Jack Ambers (CRO), Susan Eller (CFO), Zach Daniels (SVP Operations), and Lee Westin (VP Audit) were all there. There was no time to waste. Javies cleared his throat to speak, but . . .
Jack Ambers [CRO]: We've made progress over the past two years implementing an enterprisewide process for managing risk. We're still using paper-based tools for documentation, analysis and activity-tracking. Sometimes I feel like I'm still living in the 20th century--no, make that the 19th century. Can't we just finally get away from whiteboards and flipcharts and use software to collaborate?
Lee Westin [Audit]: I can't think of anything more important than using software to help us sustain Sarbanes-Oxley compliance. We need a risk-based audit system to move away from a project approach to Section 404 compliance. Last year, we worked unbelievably long hours just to comply with Section 404. And it wasn't just us. All of our operational and financial managers were involved. The whole exercise cost us $5 million.
Ambers [CRO]: While an important part of our ERM initiative, compliance with Section 404 isn't enough and should not be our primary goal. Obtaining value from our ERM initiative requires a common database and analytical platform to help us capture and tie risks to strategic objectives. By scoring the likelihood and impact of risks, we could create risk maps.
Susan Eller [CFO]: I agree that we've made strides in getting our silos on the same page, but we're still coming up short in our reporting and communications abilities. Just last week, the board requested a simple report summarizing our major risks and recent mitigation actions. We could barely produce it. We had all the information--just no simple way to produce the needed report.
Zach Daniels [Operations]: Forgive me for being blunt, but I'm not sold on the need for another new software system, especially one where success or failure depends so heavily on adoption by our operational managers. We've already got enterprise resource planning software to coordinate financial and operational functions, and business performance management software to get reports from our data warehouse. If we're aiming for integration, why do we keep implementing "one-off" software applications?
Westin [Audit]: Because process owners have to be responsible for documenting and updating processes, risks and controls. Only then can our internal audit staff get out of the compliance checklist business and focus on governance activities. Our auditors need to be reporting on issues and reportable conditions, weaknesses and corrective actions, and corresponding follow-up, not processes. Give me a break!
Daniels [Operations]: Look, I'm all for technology that helps us do our jobs better. For those of us in line management, not staff management, we could use assistance in determining root causes of loss and identifying potential problems before they become a crisis. I just don't understand why we need new technology. Shouldn't our ERP system do this? We paid more than $3 million for the system just two years ago, not to mention what a nightmare it was to get it implemented. Are you telling me it's not good enough?
Howard Javies [CIO]: Let's all try to get on the same page. Every department seems to want something different. Operations would like to improve analytical capabilities but is concerned about having to use new software. Audit and Financial Management seek better corporate governance. Enterprise Risk is looking for comprehensive support for its value proposition.
Yet, the market for third-party risk management and compliance software is fragmented and confusing. There's literally a bewildering array of technologies to assist with everything from regulatory compliance to business-process re-engineering. It's unlikely right now a single technology platform could offer the level of integration required to satisfy us all. Even if it were possible, I question whether benefits would outweigh costs.
Eller [CFO]: Our internal resistance seems to be the real issue. We don't seem to be ready to implement an integrated enterprise application that would be supported by both staff and line management. We must choose between needs that are most important today versus longer-term needs.
Javies [CIO]: Before we can prioritize, though, I need to know what else is on everyone's wish list.
Ambers [CRO]: Other than database tracking and analytical scoring, we need some type of knowledge-management system, risk-control self-assessment guides, a threat-scenario function, voting tools and the ability to benchmark. But, as usual, these capabilities won't mean much if our operations people don't use the system.
Westin [Audit]: The system has to produce an audit trail for evidential testing and validation purposes.
Eller [CFO]: I'd like the software to offer some sort of dashboard function, where we could monitor critical risks and activities related to those risks.
Javies [CIO]: Excellent. Now, back to priorities. What are our most important needs today versus those that would be best addressed in subsequent years?
Westin [Audit]: Automating Sarbanes-Oxley processes will save money for years to come. I believe that this is our highest priority.
Daniels [Operations]: We need to give our operations managers considerable time to adjust to and use something new.
Ambers [CRO]: It seems to me that ultimately delivering on the value of an enterprise risk management approach, as well as critical governance and movement to a risk-based audit system, depends upon our operations people adapting to and using the new system.
Even if we choose not to immediately implement these changes, these needs are still a high priority for us. I suggest that any technology that might be selected should have these functions currently in the software.
Eller [CFO]: Howard, could you provide detail on the state of the software market for enterprise risk management technology?
Javies [CIO]: The market is rapidly evolving with no simple way to segment. Enterprise risk management systems vendors are taking a Sarbanes-Oxley detour.
Operational risk systems vendors are in the process of moving beyond sophisticated analytics, such as Basel II compliance, and adding both Sarbanes-Oxley compliance as well as qualitative risk measurement capabilities. Documentation-oriented Sarbanes-Oxley systems vendors are beginning to add enterprise risk management enhancements suggested by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO.
Eller [CFO]: What about costs and implementation time frames? Do we even know who's out there and what they can provide for us?
Javies [CIO]: Quite honestly, while we could certainly move to a more detailed discussion of the vendors, I haven't really evaluated their capabilities. How can I evaluate software functions and reporting capabilities when the clarity and priority of our internal needs are just now starting to come together?
While ERM may be about process, vendor and software functions, including implementation scheduling and cost-benefit analysis, are driven by the data that we collect. If nothing else, this meeting illustrates our lack of consensus in moving forward with a process that requires consistency.
Eller [CFO]: Clearly, we have more work to do, so let's hold off on additional discussion until our next meeting--doesn't that sound familiar? We'll refine the ranking on the needs analysis and then compare the results to Howard's report on third-party software and vendor capabilities. This should allow us to narrow the list of potential vendors to a small population where we can begin RFP and demonstration activities.
EVAN R. BUSMAN is a senior consultant with Towers Perrin.
Editor's note: All references to companies and people in this article are entirely fictional.
May 1, 2006
Copyright © 2006 LRP Publications