Choosing a risk management platform is an important process. First and foremost, companies often assume the software must mirror the priorities, practices, and processes of their current risk management program: “model what we do and how we do it”, so to speak. This can be a fundamental strategic error. If you are still creating a risk management program, that approach leaves you with no guidance at all. If you already operate one, it drives you to preserve the status quo with some automation added, and in the search for familiarity it may overlook different and useful program features. Selecting a platform is instead an opportunity to explore new processes and practices that advance your risk management program while preserving what already works well.
Exploring the market for an initial or replacement platform to help manage and coordinate all the activities of a comprehensive, integrated risk management program requires diligence from the start on goals, processes, and functions. Requirements need to be documented, vetted with stakeholders, prioritized, and justified. The investment in the software platform, and in the cost to implement it, will likely be significant, so planning to realize value from it is vital to success. Let’s examine what to do and how to proceed so that you start off headed toward a productive end. The path is described below by answering a series of key questions.
Question 1: Framework? Frameworks? or Nothing?
It seems like an awkward question, but it is absolutely critical to consider up front. Handling and support for frameworks is as important to your risk software platform as it is to your overall risk management program. If your cyber risk management program is founded on NIST, and that is all you have in scope, that defines one requirement: incorporate and support risk control content from NIST. If you will be supporting an integrated risk management program in conjunction with IT, Audit, Operations, and other functional disciplines, you might also need support for other frameworks, such as COSO, COBIT, HITECH, ISO2700x, or others. A key feature set to look for is one where the software can
- load and store multiple frameworks
- manage independent updates to each standard
- compare standards and offer a combined set of net “common controls”
- support construction of custom frameworks by “cherry picking” content across multiple standards
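To make the four features above concrete, here is an added example (not code from the original post or from any product) of how a platform might model them: frameworks are loaded independently, a crosswalk ties equivalent controls together, the “common controls” are the crosswalk topics every in-scope framework covers, and a custom framework is assembled by cherry-picking controls with their provenance. The framework names (A, B, C), control IDs, and control text are constructed for the example and are not taken from any real standard.

```python
"""Toy model of the four framework features listed above: load several control
frameworks, apply a new version of one framework on its own, derive the
"common controls" shared by the frameworks in scope, and assemble a custom
framework by cherry-picking. Framework names (A, B, C), control IDs and
control text are all constructed for this example; they are not taken from
any real standard."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Framework:
    name: str
    version: str
    controls: dict[str, str]  # control id -> requirement text


@dataclass
class ControlLibrary:
    frameworks: dict[str, Framework] = field(default_factory=dict)
    # crosswalk: common-control topic -> {framework name: control id in that framework}
    crosswalk: dict[str, dict[str, str]] = field(default_factory=dict)

    def load(self, fw: Framework) -> None:
        self.frameworks[fw.name] = fw

    def map_control(self, topic: str, **ids: str) -> None:
        """Declare that these controls (one per framework) address the same topic."""
        for fw, cid in ids.items():
            if cid not in self.frameworks[fw].controls:
                raise KeyError(f"{fw} has no control {cid}")
        self.crosswalk.setdefault(topic, {}).update(ids)

    def update(self, name: str, version: str, controls: dict[str, str]) -> dict:
        """Swap in a new version of one framework without touching the others,
        and report which crosswalk topics now point at changed or removed controls."""
        old = self.frameworks[name].controls
        added = sorted(set(controls) - set(old))
        removed = sorted(set(old) - set(controls))
        changed = sorted(c for c in set(old) & set(controls) if old[c] != controls[c])
        self.frameworks[name] = Framework(name, version, dict(controls))
        needs_review = set(removed) | set(changed)
        stale = sorted(t for t, m in self.crosswalk.items() if m.get(name) in needs_review)
        return {"added": added, "removed": removed, "changed": changed, "stale_mappings": stale}

    def common_controls(self, in_scope: list[str]) -> list[str]:
        """Topics that every in-scope framework addresses: one piece of evidence
        for such a topic satisfies the mapped control in each framework."""
        scope = set(in_scope)
        return sorted(t for t, m in self.crosswalk.items() if scope <= set(m))

    def coverage_gaps(self, in_scope: list[str]) -> list[str]:
        """Topics that some in-scope frameworks require and others do not."""
        scope = set(in_scope)
        return sorted(t for t, m in self.crosswalk.items() if scope & set(m) and not scope <= set(m))

    def custom_framework(self, name: str, picks: list[tuple[str, str]]) -> Framework:
        """Cherry-pick controls across frameworks; each id keeps its source and version."""
        controls = {}
        for fw, cid in picks:
            src = self.frameworks[fw]
            controls[f"{fw}:{cid}@{src.version}"] = src.controls[cid]
        return Framework(name, "custom", controls)


def build_sample_library() -> ControlLibrary:
    """Constructed sample data: three small frameworks and a crosswalk between them."""
    lib = ControlLibrary()
    lib.load(Framework("A", "1.0", {"A-1": "Review user access quarterly.",
                                   "A-2": "Encrypt data at rest.",
                                   "A-3": "Maintain an asset inventory."}))
    lib.load(Framework("B", "2023", {"B-7": "Periodically review access rights.",
                                    "B-9": "Protect stored data cryptographically.",
                                    "B-12": "Maintain an incident response plan."}))
    lib.load(Framework("C", "2.0", {"C-4": "Review access rights at least annually.",
                                   "C-5": "Document incident response procedures."}))
    lib.map_control("access_review", A="A-1", B="B-7", C="C-4")
    lib.map_control("data_at_rest", A="A-2", B="B-9")
    lib.map_control("incident_response", B="B-12", C="C-5")
    lib.map_control("asset_inventory", A="A-3")
    return lib


if __name__ == "__main__":
    lib = build_sample_library()
    print("common to A+B:", lib.common_controls(["A", "B"]))
    print("gaps for A+B:", lib.coverage_gaps(["A", "B"]))
    print(lib.update("B", "2024", {"B-7": "Review access rights every six months.",
                                  "B-9": "Protect stored data cryptographically.",
                                  "B-13": "Classify information assets."}))
```

The point of the `update` report is the fourth column, `stale_mappings`: when a standard changes on its own schedule, the platform should tell you which common-control mappings now need a human to re-confirm them rather than silently carrying the old equivalence forward.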
If a software platform offers only one hard-coded option, or worse, no framework support at all, consider this a fatal flaw in 2019. It restricts your flexibility to adapt to changes in the risk, compliance, and operating environments of your company. It also implies a fairly rigid approach that may signal problems in other areas of the software and in its support methodology going forward.
Question 2: Is the user interface intuitive?
This is a clear indicator of well-designed, thought-through software. An interface that makes functions easy to find with a minimum of navigation, and that organizes content logically, increases the value delivered to all its users. First, it makes it easier to become aware of the features available. Logical groupings also hint at the utility of features, making it more likely they will be explored, understood, and adopted where applicable by your user community. Second, an intuitive interface speeds learning and adoption by all users. It makes developing training more efficient and cost-effective, and it helps in situations where learning curves would otherwise be steep. It is particularly important for occasional users, who might otherwise need repeated retraining; even if retraining is offered as “canned” content through a remote learning service, that cost could be avoided. Last, an intuitive interface puts more control into the hands of users sooner, fostering successful operation, exploration, and satisfaction with the program this important risk management tool supports.
Question 3: Customization or Configuration?
The answer to this question was often a deal maker or breaker for me when evaluating risk management software! Platforms that require extensive customization to tailor their operation to the processes, workflows, labeling, and nomenclature of a client business lead their customers down a path that can be expensive and inflexible. Depending on the software architecture, customizations can be troublesome to implement, time-consuming, and costly, and they can lead to complicated upgrade problems when the vendor publishes new releases. There is no guarantee a customization will be absorbed into the core offering so that it is supported in future releases without still more customized work. Whether that rework is done by the vendor or by dedicated in-house staff, it adds a layer of complexity and operating expense that is avoidable.
Platforms that offer diverse means of tailoring through configuration avoid all these challenges. The configuration schemes are part of the core software and remain supported across releases. The configured content is often just data, and it can offer broad flexibility to tailor processes, nomenclature, appearance, workflow attributes, and more, without the pitfalls of software customization. The world of risk management, and cyber risk in particular, is fluid and subject to rapid change. Configuration supports your ability to respond as rapidly as you need to; customization does not. A practical check during evaluation: ask the vendor to make a change you actually need through the product’s own administrative settings, in front of you, and then ask what happens to that change on the next release.
Question 4: What can you know and what can you share?
I’ve written in the past about the value of strong information analysis and reporting to a risk management program (see Reporting Risk Assessment Findings… enriching content with context). The value of any risk management software lies in its ability to inform decision-makers and stakeholders of where they are and what they need to do to align their risk management performance with the needs and expectations of the firm’s customers, clients, shareholders, and other stakeholders. To do that, the software needs to do a few critical things easily and well:
- Create meaningful, easy-to-understand reports
- Organize and store past reports for retrieval as needed
- Support historical trend analysis
- Support a means to publish and distribute reports to key stakeholders
If the software you’re considering offers a business intelligence or reporting strategy that accomplishes these four critical goals, you are on the right track. Do not be misled by the line that “…we support anything you already use for decision support…”. If that is the claim, understand exactly, at a technical level, how it is done. This matters because the requirement, and hence the answer, will vary for different business intelligence tools and their ability to import data in different formats with or without retaining relationships and other metadata; a flat file export that drops the links between risks, controls, and findings is not the same as an export that preserves them. If the software comes with a robust built-in means for reporting and data analysis, so much the better!
Question 5: Is it secure?
There is little more disappointing than a cyber risk management platform that is fundamentally weak in its own security. Password management, rollover support, and user and super user entitlement management should all be flexible and robust enough to administer without compromising normal security operations. So should the creation, deletion, and management of user accounts. If users will operate the software remotely, support for doing so through a VPN is recommended. Think about the data stored in your risk management platform: the details of weaknesses, vulnerabilities, and remediation efforts in progress. Would you want a hostile outside actor to gain access to this information? If the software will reside in a cloud service, be sure it is protected at least as well as you would protect client and financial information. Monitor its usage daily, and be rigorous in your attention to usage data, particularly entitlement changes, account creation and deletion, and access that did not arrive the way you expect it to. Collaborate with your internal cyber resources to assure the best possible security for your risk management system.
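As an added example (not part of the original post and not tied to any particular product), here is the kind of daily usage review the paragraph above calls for, run over a constructed audit log: it flags successful logins that did not come through the VPN, super user entitlement grants, account creation and deletion, unusually large exports of findings, and repeated failed logins. The one-JSON-object-per-line log format, the field names, the VPN address range, the role names, and the thresholds are all assumptions; substitute whatever your platform actually records.

```python
"""Daily review of a risk platform's audit trail, checking the things the
paragraph above says to watch: access that did not come through the VPN,
super user entitlement grants, account creation and deletion, bulk export of
findings, and repeated failed logins. The one-JSON-object-per-line format,
field names, VPN range, role names and thresholds are assumptions for this
example, and the sample log lines are constructed."""
import ipaddress
import json
from collections import Counter

VPN_RANGES = [ipaddress.ip_network("10.8.0.0/16")]  # assumption: your VPN address pool
PRIVILEGED_ROLES = {"super_user", "admin"}           # assumption: role names in your platform
EXPORT_THRESHOLD = 500                               # records in one export before it is flagged
FAIL_THRESHOLD = 3                                   # failed logins per user per day before flagged

# Constructed sample: one day of events as the platform might record them.
SAMPLE_LOG = """\
{"ts": "2019-05-06T08:02:11Z", "user": "alice", "event": "login", "src": "10.8.12.4"}
{"ts": "2019-05-06T08:05:40Z", "user": "alice", "event": "export", "records": 42}
{"ts": "2019-05-06T09:17:03Z", "user": "bob", "event": "login", "src": "203.0.113.77"}
{"ts": "2019-05-06T09:18:10Z", "user": "bob", "event": "role_grant", "target": "bob", "role": "super_user"}
{"ts": "2019-05-06T09:20:55Z", "user": "bob", "event": "export", "records": 1800}
{"ts": "2019-05-06T10:00:00Z", "user": "carol", "event": "account_create", "target": "svc_reporting"}
{"ts": "2019-05-06T10:01:00Z", "user": "carol", "event": "login", "src": "10.8.3.9"}
{"ts": "2019-05-06T11:30:00Z", "user": "dave", "event": "login", "src": "198.51.100.5", "result": "failure"}
{"ts": "2019-05-06T11:30:09Z", "user": "dave", "event": "login", "src": "198.51.100.5", "result": "failure"}
{"ts": "2019-05-06T11:30:21Z", "user": "dave", "event": "login", "src": "198.51.100.5", "result": "failure"}
"""


def parse(log_text):
    """Yield one event dict per non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def outside_vpn(src, vpn_ranges=VPN_RANGES):
    """True when the source address is not inside any of the VPN ranges."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in vpn_ranges)


def finding(ev, rule, detail):
    return {"ts": ev["ts"], "user": ev["user"], "rule": rule, "detail": detail}


def review(log_text, vpn_ranges=VPN_RANGES):
    """Return the list of findings a reviewer should look at for this day's log."""
    findings = []
    failures = Counter()
    last_failure = {}
    for ev in parse(log_text):
        kind = ev["event"]
        if kind == "login":
            if ev.get("result", "success") != "success":
                failures[ev["user"]] += 1
                last_failure[ev["user"]] = ev
            elif outside_vpn(ev["src"], vpn_ranges):
                findings.append(finding(ev, "login_outside_vpn", f"from {ev['src']}"))
        elif kind == "role_grant" and ev["role"] in PRIVILEGED_ROLES:
            who = "self-grant" if ev["target"] == ev["user"] else f"to {ev['target']}"
            findings.append(finding(ev, "privileged_grant", f"{ev['role']} {who}"))
        elif kind in ("account_create", "account_delete"):
            findings.append(finding(ev, "account_change", f"{kind} {ev['target']}"))
        elif kind == "export" and ev.get("records", 0) > EXPORT_THRESHOLD:
            findings.append(finding(ev, "bulk_export", f"{ev['records']} records"))
    # Repeated failures are judged per user over the whole day, so they are reported last.
    for user, n in failures.items():
        if n >= FAIL_THRESHOLD:
            findings.append(finding(last_failure[user], "repeated_failures", f"{n} failed logins"))
    return findings


def summarize(findings):
    """Count findings by rule; comparing today's counts with yesterday's is the quickest daily check."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['ts']} {f['rule']:<20} {f['user']:<6} {f['detail']}")
    print(dict(summarize(review(SAMPLE_LOG))))
```

Each finding is something to reconcile against a record you should already have: a privileged grant against an approved entitlement request, an account creation against a joiner ticket, a large export against a known reporting run. Anything that cannot be reconciled is the day’s follow-up list.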
Question 6: How strong is the software company?
The software vendor you choose to deliver your risk management platform is going to become a partner to your program. This is not a “one-and-done” relationship. They will be there with new releases. Hopefully, when you have complaints or suggestions to improve performance, operation, features, or functions, they will be active listeners and thoughtfully consider your input. You also want them to be around to remain your partner. Are they financially stable? Are they growing? What do other users say about their experience with this vendor? How do they handle customer service and support? Do they have an escalation process for operating emergencies? What opinions do analysts offer? Has their management been stable, or subject to frequent, extensive turnover? Have they been responsive and cooperative throughout the sales process? Remember, if they are not great partners while trying to attract your business, they are unlikely to grow more engaged once you have exchanged funds and become a customer.
About the Author:
Simon Goldstein is an accomplished senior executive blending technology and business expertise to formulate, influence, and achieve corporate strategies. A retired senior manager in Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in the financial, technology, and retail industries, he has led efforts to achieve ISO2700x certification and HIPAA compliance, and has held the CRISC, CISM, and CISA credentials.