How many times have risk executives lived through this scenario: You're in a product demonstration of the latest and greatest specialty risk management software product. The software has a slick interface and appears chock-full of useful functions. As the demonstration progresses, you ask a routine question about whether the product has a particular function to address a specific need. The vendor offers an emphatic positive response to your question, but then proceeds to demonstrate what seems to be a convoluted method for addressing what you thought was a straightforward request.
Adding to the confusion, the vendor further states that a new feature, which is currently in development, will exactly target the needed function. That function is scheduled to be released in the next version of the software. That version is, of course, "just around the corner."
Now place yourself in a series of product demonstrations from several leading vendors of enterprise risk management software. Your simple question about software functionality is now more complex, given that it references a broad range of corporate risk management needs.
With all the positive responses from the vendor technology community, you just might think the selection decision to be a no-brainer with little likelihood of making a poor choice. But without a great deal of thought, you would be setting yourself up for a nightmare.
Part of the difficulty is that regulatory compliance and corporate governance needs have been driving new interest in enterprisewide approaches to managing risk.
Sarbanes-Oxley specifically refers to a framework for managing risk and names the methodology of COSO, the Committee of Sponsoring Organizations, as an example. In turn, COSO refers to enterprise risk management, or ERM.
From this perspective, regulatory compliance, corporate governance, business risk management, and business performance management are all part of ERM. Regulatory compliance and corporate governance processes represent the base components of ERM. Business risk and performance management represent higher-level needs.
Typifying a corporate hierarchy of needs pyramid, the base-level needs must be met before higher-level needs can be adequately addressed. Efforts to address base-level regulatory compliance and corporate governance needs are tactical in nature. Business risk and performance management needs represent strategic considerations.
It is up to each organization to address where it currently resides along the ERM spectrum and where it should be going. Some organizations might focus exclusively on compliance and governance, while others might choose to pursue more comprehensive business risk and performance management objectives.
The right software can facilitate the implementation of almost any ERM approach. Finding the right software, however, can prove especially challenging.
ERM may be a relatively new paradigm but risk management is one of our oldest and most basic practices. Businesses have diverse risk management needs, which historically have been addressed on a functional basis. Responding to this need, vendors have developed a number of risk management products, each with its own unique use and capabilities.
As the need evolves from specialty risk management to a more integrated approach, each technology vendor begins to see integration through their individual expertise. The end result: a multitude of enterprise risk management software products with different technology underpinnings, functions, and reporting capabilities that all purport to address similar needs.
SEGMENTING THE MARKET
While there are an unlimited number of potential methods to segment ERM technology providers and products, market segments are more aptly represented by buyers, not sellers.
For many businesses, using software to automate and/or improve compliance processes is the beginning, middle and end of its ERM initiative. These firms are not interested in the more strategic aspects of ERM. Software represents an opportunity to more efficiently address the burden of regulatory compliance.
At the other end of the ERM spectrum, firms see ERM as a means of obtaining strategic advantage through improved quality and access to information for critical business decisions. For this segment of the corporate population, utilizing software to address regulatory compliance is more or less a given. The larger question is whether it also addresses the business risk and performance management objectives of the firm.
Most of today's ERM software vendors offer functional and reporting capabilities that put them somewhere between pure regulatory compliance and broad ERM one-stop shopping. At this time, there is no single product capable of addressing the spectrum of corporate risk management needs.
Automation of compliance processes is by far the most significant reason for implementation of ERM software. Here's why: Compliance isn't a choice. Corporations have no alternative when it comes to meeting the requirements imposed by laws like Sarbanes-Oxley or the Health Insurance Portability and Accountability Act. In addition, the inherent business value is simple to understand and communicate. Effective business automation saves costs.
Before implementing new software corporate best practices must be pre-defined. The software cannot drive what the best practices should be. This is a primary reason why enterprise software applications have a high risk of failure. Software developers are not experts in understanding critical business needs and processes. Further, they have a requirement to standardize around a specific methodology. The methodology employed by the vendor may or may not represent best practice for your firm.
Ultimately, software selection is tied to corporate need within the ERM spectrum. The broader the ERM initiative is, the greater the cost to implement appropriate software--and the greater the required return on investment.
Depending on the complexity of the ERM initiative, the costs of implementation can be significant. The cost of the software, however, reflects a relatively small percentage of the total implementation amount.
Though each vendor has a unique pricing formula, the average price for new ERM software is $1,500 per seat, with a 50-seat minimum license. The cost per seat drops based upon license configurations for more than 50 seats up to an enterprise license. A large corporate implementation could involve 200 to 500 total users.
In addition to the upfront cost of the ERM software, the license typically has an annual renewal fee, beginning in the second year, of 15 percent to 20 percent of the original upfront amount. The renewal fee covers continued technical support and software updates, including new releases. Average implementation time is 12 weeks from the time that the initial data is ready for input into the system. Significant customization needs may take longer.
The primary source of implementation costs is internal to the organization. Such costs can represent two to three times (or more) the cost of the software license and corresponding support. In addition, effective ERM practices must be in place along with a culture that supports such practices. Only then can software be successfully implemented.
ERM is an evolving practice both for software vendors and for corporations. Many corporations look to focus on compliance and corporate governance needs today, yet maintain the opportunity to grow the current ERM approach into a more valued, strategic initiative.
In this regard, selection of an ERM vendor and product isn't just about today's software for today's need. Rather, it's about that and tomorrow's software for tomorrow's need.
Adding this strategic element into the ERM vendor and software selection process greatly increases the complexity of the selection decision. Let the buyer be aware . . .
EVAN R. BUSMAN
is a senior consultant with Towers Perrin.
May 1, 2006
Copyright 2006© LRP Publications