Over the past year, I’ve had several conversations on the value of ERM-focused software. Some of these organizations are actively pursuing software while others are just checking in. Most of these organizations are currently using Excel and PowerPoint.
In looking at the various products on the market, there were two general classes. One group was solely focused on ERM. Others are part of an integrated suite of products. All seemed similar and were generally strong in:
- Capturing risks, risk assessment, tracking mitigations, etc.
- Tracking changes over time, often much better than Excel
- Assigning and tracking tasks, e.g., periodic updates
Despite this, most were also weak at:
- Linking to objectives – some were able to link risks to objectives but any analysis by objectives was limited
- Considering interrelationships – most looked at risk in isolation only
- Reporting – they typically offer various historical reports such as heat maps and risk lists; further reporting is sometimes accommodated through 3rd-party software only
- Considering risk appetite/tolerance – again, most had a very risk-centric lens and did not look at appetite through a broader lens
- Rolling-up multiple risks to an enterprise level – as such, entity-level risk reporting is often weak
I am sure that at least a few software vendors will take exception to my comments. These are just my views based on conversations and demos from several vendors. There seem to be more vendors entering the market and perhaps one will one day crack this nut. Yet it seems that none have yet been able to move very far from what I saw in the market 15 – 20 years ago.
My overarching sense is that those using these tools get good results in terms of process management – documenting and tracking information. Any true ERM analysis though will still need to be created and reported outside the tool. I just don’t see Excel and PowerPoint losing prominence.
Of course, none of these software tools can address the overarching fact that ERM needs to be integrated with strategy-setting and decision-making. Strong risk-driven decision-making can, and often will, occur regardless of software.