One of the things that I do is build software. These days, I'm more of an end user, and for the past few years, I've been a bit selfish by focusing on building software I want to use myself. That isn't my first preference, and in truth, I'd rather buy commercial off-the-shelf (COTS) software or rent SaaS.
I've written about some of my favorite software in an article on how to write a non-fiction book. But today, I wanted to discuss picking a risk management software platform.
SEO IS NOT OUR FRIEND
Finding the right software solution for risk assessment can be challenging for several reasons.
The first reason is simple enough. When you search, the first 30 results will be a combination of paid links (ads) or websites with the best SEO-stuffed articles and landing pages. Typically Search Engine Optimized (SEO) pages don't have much in the way of helpful content. Useful perhaps for Google rankings but often not for the person searching.
In simple terms, search engines favor the products that spend the most money on marketing, not the ones that are necessarily the best solution for your needs.
Another reason is that many different types of software are available on the market, each with its features and capabilities. Additionally, some software vendors may market their products in a way that makes them appear more suitable for risk management than they truly are.
It is time-consuming to research and compare different software options and carefully evaluate their features and capabilities to ensure that they meet your specific requirements. It can help to seek advice from users and risk management experts. Word of mouth is helpful, so LinkedIn Groups and Capterra reviews are good places to include in your search, but that will only get you a subset of all available options.
MY CRITERIA FOR RISK MANAGEMENT SOFTWARE
The first place to start, however, is by defining your criteria. What are your criteria for a good risk management software solution?
Spoiler alert: I'm building version 2.0 of a risk management platform right now, but if you are looking for risk management software, you might find my criteria checklist is good to start the process.
Alignment with ISO31000:2018 risk management standard and professional standards: The software solution should be designed to comply with the international standard for risk management. It turns out that very few so-called risk management software applications are aligned with ISO31000. Including many that are produced in one of the 160 nations that have endorsed ISO31000 as their national risk management standard.
Live database with multi-user capability: The software should support multiple users with different levels of access and permissions. Critically, the risk assessments should be live editable living documents that can be adjusted by the assessors or risk owners as risks evolve or treatments are completed.
Secure data management: The software should have robust security features to protect sensitive data, such as encryption and user authentication.
Risk assessment templates: The software should provide pre-defined templates for conducting various types of risk assessments, and they should be user-customizable.
Collaboration and communication tools: The software should provide tools for team members to collaborate and communicate effectively during the risk assessment process.
Reporting and analysis capabilities: The software should be able to generate detailed reports and allow for data analysis to support risk management decision-making. The reports should include an online dashboard and be easily exportable into an editable format such as MS Word or MS Excel. Reports that export only to PDF and then have to be converted to Word for editing should be avoided.
Scalability: The software should handle increasing data and users as the organization grows. You should also be able to upgrade to provide additional assessments over the years.
Integration with other systems: The software should be able to integrate with other systems, such as enterprise resource planning (ERP) or governance, risk, and compliance (GRC) platforms.
Support and maintenance: The software vendor should provide ongoing training, user manuals, support, and maintenance to ensure the software remains up-to-date and fully functional.
User-friendly interface: The software should have an intuitive and user-friendly interface that is easy for team members to navigate and use. As users change over time, it should be easy for new users to pick up and use the system with minimal training.
I have many more detailed criteria than this, so feel free to contact me if you'd like more detail, but the above is the basic starting point for evaluation. One of the things you should insist on from any vendor is a free trial so that you can conduct an assessment against your criteria.
Your needs might differ, but it's important to define requirements, particularly regarding the problem being solved. I've developed an eight-step process that might be helpful. It's a straightforward process you can do on a page or run as a facilitated workshop. The process is deceptively simple, but when you run it and produce a short report with those eight headings, you'll be surprised at how effective it is.
The main problem such a risk management platform is likely to solve for you is providing a systematic approach to identify, assess and prioritize risks, and evaluate the effectiveness of risk management actions.
It also allows the organization to document and communicate the risks, actions, and results of the risk management process. The benefits of such a software platform include the following:
Compliance: Ensures the organization's risk management processes comply with ISO31000:2018 standards.
Efficiency: Streamlines the risk assessment process and facilitates collaboration among team members.
Data security: Protects sensitive data with robust security features like encryption and user authentication.
Reporting and analysis: Generates detailed reports and allows for data analysis to support risk management decision-making.
Scalability: Can handle increasing amounts of data and users as the organization grows.
Integration: Can integrate with other systems, such as ERP or GRC platforms.
User-friendly interface: Provides an intuitive and user-friendly interface that is easy for team members to navigate and use.
Consistency: Helps to ensure consistent risk management practices across the organization.
Continuous improvement: Supports continuous improvement by monitoring and measuring the effectiveness of risk management actions.
Better decision-making: Provides better decision-making by providing a clear view of the risks and the actions taken to mitigate them.
One last hurdle often emerges when you do find a platform that you like and that is the business case.
THE BUSINESS CASE
Getting funding for risk management software and training can be challenging for several reasons. One reason is that risk management is often seen as a necessary but non-revenue-generating expense. Furthermore, it's not always easy to demonstrate the specific ROI or tangible benefits of investing in risk management software and training.
Another reason is that many organizations may not fully understand the importance of risk management and the potential consequences of not investing in it. Without a clear understanding of the potential risks and costs of inadequate risk management, making a strong case for investing in software and training can be difficult.
Risk management is often viewed as a compliance requirement rather than a strategic initiative. It is a reality that can make it harder to get funding compared to other projects that have a more direct impact on revenue.
Yes, it requires a business case. Preparing a business case that clearly articulates the potential risks and costs of not investing in risk management software and training can help to secure funding. It should also demonstrate the potential benefits of investing in the software, such as improved risk management processes, improved compliance, and reduced costs.
It is also important to show how the software and associated training will support the organization's overall objectives and how it will help mitigate the organization's risks. The funding should be easy enough if you have found the right product. But if note, I've written a book on Business Cases for Risk Management that might be helpful.