As you may have seen, I’m joining the product advisory board of RiskSmart, a Risk Management software organisation. In my book, I wrote about some of the attributes a CRO needs to consider when acquiring risk management software. I’ve listed an expanded set of requirements below. Question to my network – does this fit with your view of what risk management software should do? Is there anything missing? Where are current solutions falling down?
Functional requirements
– Linkage to organisational goals and strategies;
– Standardised risk definitions and templates (end users should really try not to customise these – one of the benefits of these systems is the ability to compare yourself to others);
– Allows for qualitative and quantitative descriptions of risk appetite (not just financial; should include PR / reputation damage, business disruption etc.);
– Easy-to-complete templates for capturing risk event details, including root cause analysis;
– Ability to map to the organisation design, so that risks can be viewed at varying levels of detail and disaggregated per department, area, region, etc.;
– Library of standardised controls, including mappings to control frameworks published by bodies such as ISO and NIST;
– Ability to capture and integrate business metrics and map them to risk metrics (e.g. capturing the number of complaints and mapping it to the conduct risk measure);
– Assurance plans and templates;
– External-facing analysis: horizon scanning, losses incurred in other organisations, cross-sectoral risks, etc.;
– Providing predictive analytics to anticipate where risks may occur;
– Providing access to peer group information and benchmarking;
– Intuitive reporting features that express risk in terms business users will recognise and understand.
Non-functional requirements
– Intuitive user interface (easy for business teams to complete without lots of training);
– Cloud-based, so it can be easily updated and is accessible everywhere;
– Device-agnostic: usable on desktops, mobiles, etc.;
– Meets current security and privacy requirements, bearing in mind that the system will hold sensitive risk event and loss data;
– Regularly updated to take account of changing regulation.
What else do you look for, and how well is your current software shaping up?