Thanks to Sarbanes-Oxley's new Auditing Standard 5 (AS5), which fosters a top-down, risk-based approach to compliance, enterprise risk management (ERM) solutions are likely to see a surge in interest in coming months. By providing insights into the multiple risks a company faces, ERM technology enables top management to dig through the morass of organizational layers to gain a holistic view of risk. The technology is all about "gaining more of an enterprise perspective on risk versus a siloed approach," says Lee Dittmar, a principal at Deloitte Consulting. As a result, "By saying that top down is better than bottom up, AS5 has provided a shot in the arm for ERM," says Steve Minsky, CEO at LogicManager, a provider of ERM software.
While ERM implementations vary widely across companies and industries, there's consensus that an ERM system must incorporate real-time visibility and analytics about all categories of risk, enabling the management of operational and compliance risks and controls across lines of business, legal entities and processes. It should follow a COSO-based ERM framework that supports Sarbanes-Oxley and other compliance initiatives. It should also provide a means for tracking losses, plus automated alerts that notify management when risks exceed company-specific thresholds. The latest versions offer personalized dashboards with drill-down capabilities.
ERM systems are distinguished by the sophistication of their risk assessment, loss management and risk modeling. "Some have simple graphs doing heat maps in a simplistic way. Some do more qualitative modeling. At the extreme end, [solutions offer] quantitative modeling, such as Monte Carlo simulations," says Michael Rasmussen, president of Corporate Integrity, a newly created governance, risk and compliance (GRC) consulting firm. Loss management, he adds, is especially important. "A significant piece of any ERM is not only predicting the future, but where you've been in the past."
To achieve ERM, companies must transcend the conventional wisdom that equates risk management with compliance. "Many companies are using SOX-specific software to build their ERM, but SOX sees risks as being controlled rather than being optimized for opportunity," says John Phelps, director of business risk solutions at Blue Cross Blue Shield of Florida. "I don't know of many companies that have fully integrated an ERM technology tool with an ERM program."
BCBS Florida is in the midst of implementing an ERM system developed using software from LogicManager, which provides risk assessment, what-if analysis, dashboards and reports, and categorizes risks into manageable groups (taxonomy management).
Taxonomy management enables BCBS Florida to "see how a risk manifests itself across the entire enterprise," says Phelps. "In the past, we looked at risks in silos. Privacy risk, for example, might manifest itself in four or five different areas within the company. We needed to have an aggregate view in order to determine how to optimize resources to control that risk."
Another goal of the ERM is to make risk management synonymous with seizing opportunities. The LogicManager system provides a tool for reducing uncertainty associated with business opportunities such as new product launches or incorporating the company's business continuity strengths into its advertising, Phelps says.
There has been "a paradigm shift where ERM will become an integral part of a common platform," LogicManager's Minsky says. "ERM technology success will be measured by how many senior and frontline managers are directly engaging with dashboards."
Finding all ERM capabilities within a single product is daunting; Rasmussen counts more than 100 vendors offering ERM technology either as a separate, add-on component or embedded functionality within existing products. "There's no one-size-fits-all, out-of-the-box ERM solution," says Rasmussen. "There are some generic ERM solutions, but it takes a lot of lifting to get a true enterprise view."
The provider ranks are heavily populated by vendors that once lumped themselves in the GRC space. A partial list of best-of-breed vendors offering specific ERM technology includes Axentis, BWise, Cura, OpenPages, Paisley, Qumas and Strategic Thought.
The capabilities and emphasis of each are varied. For instance, OpenPages' ERM technology includes a loss-event database that supports consistent capture of loss events and near misses, allocation of events to multiple business entities and automation of root cause analysis through workflow and decision support. The data and analysis reach executives through a dashboard with heat maps that aggregate loss data by event category or business line.
The Qumas EnterpriseRisk platform provides a framework for defining, measuring and managing risks, internal controls, and compliance mandates. It captures losses that exceed the company's risk appetite and provides a remediation structure for reassessing risks and controls, compliance policy reviews or business process changes. Core components include risk and control self-assessment; a framework for establishing and accelerating the rollout of best practices; oversight of key processes and controls; loss and event management; and management reporting.
Some rationalization is likely to take place soon, however. The next 18 months will see commercial ERM software evolve from its SOX-based roots to a more ecumenical view of risk. These products, Rasmussen says, will increasingly employ "risk and control assessment workflow combined with dashboards to identify real-time business performance indicators and analytics." Not surprisingly, the trend, as it has been with all finance technology, will be to make ERM tools Web-based.
© 2025 ALM Global, LLC, All Rights Reserved.