
7 Things Your ERM Software Should Do

Enterprise Risk Management (ERM) software helps organizations identify risks in information systems and critical technologies, so the organization can make plans to deal with those risks, document the response when something does happen, and improve the response process.

To do this, ERM software needs to be able to perform several critical tasks. Here are 7 things your ERM software should do.

1. Audit Function Management

Your ERM needs to handle all of your audit functions in a single location. This includes several parts:

  • Audit Planning: When was your last audit? When is the next one due? What is the priority and focus of the audit?
  • Audit Execution: You should be able to manage and carry out fieldwork for audits in one location. You should also be able to track both individual and the overall audit program, and link related risks and their controls to each audit.
  • Audit Findings: Your ERM should contain and be able to display all report data from audits along with the actions recommended following each audit. You should also be able to assign and track the actions taken.

In short, your ERM should enable you to contain and manage all of your audit functions under one umbrella.

2. Complete Risk Assessment and Management

Essentially, your ERM is your home for all things risk assessment and management, from defining which risks are acceptable and operating within those limits through to risk governance.

The first step is to identify and control risk, while at the same time keeping all of the data in an auditable format (see the point above). Once risks have been identified, you can manage and monitor them through your ERM software. When an event occurs, you can document the sequence of events and the response to it.

All of this works together to help you create reports that enable data-driven risk management decisions, once again allowing those risks to be assessed and audited.

3. Compliance Readiness

Compliance contains two different elements: internal and external compliance. Internal compliance includes your own policies, procedures, and standards you hold your employees to and expect them to abide by. This minimizes both your internal risk and risk from external auditors or events that could result in litigation.

Of course, often one of the reasons for internal standards and policies is to comply with external regulations. Your ERM contains both: the internal policies you have in place, and the reports you need to show external regulators the steps you have taken toward compliance.

The two work together to mitigate both risk and liability. They also reduce the financial risk involved with failure to follow legal requirements set by external agencies or organizations.

Your ERM handles audits, risk assessments, compliance, and much more.

4. Governance

When it comes to governing risk, your risk boards and committees need a couple of things: data and analysis of that data. Your ERM gathers data constantly and should keep it board and report ready at all times. This saves time and money, and creates governance efficiency.

5. Information Security

When it comes to information security, there are standards that must be met, including ISO standards such as ISO/IEC 27001, as well as compliance with privacy regulations like the GDPR, the California Consumer Privacy Act (CCPA), and recent legislation enacted in North Carolina. Many IT security practitioners expect federal privacy regulation to follow.

Your ERM helps with reputation management, protecting you from the embarrassment and poor publicity of a data breach and from the financial penalties that can accompany it. Keeping consumer and client data safe is one of your highest risk management priorities.

6. SOX

Since the Sarbanes-Oxley Act of 2002, SOX compliance has been an integral part of financial risk management. It is important that you maintain a certain level of transparency in your accounting, and your ERM should track progress on SOX evidence collection and control testing.

It should also include customizable workflows and approval checkpoints for controls and programs. Any movement in risk-relevant management information (MI) should trigger an alert, enabling your team to take action to keep your risk profile within the boundaries you have set.

7. Business Continuity and Operational Resilience

To meet the requirements of ISO 22301 and the FCA's PS21/3 to keep your business functioning properly and with reduced risk, your ERM should have a business continuity plan (BCP) and operational resilience component. The key is to identify the products and services you need to protect. You will need to determine which of these qualify as an Important Business Service (IBS) from a regulatory perspective, and the assessment criteria for that decision should be built into your ERM.

Key metrics like the Maximum Tolerable Period of Disruption (MTPD) and the Minimum Business Continuity Objective (MBCO) are also held in your ERM, and the data they provide enables you to identify and assess the risks that threaten the availability of the resources your business needs.

Your ERM should also allow for self-assessment of all components of your operational resilience framework for consideration by your organization’s governing body.

Your ERM does a lot for you and your business, and the more automated it is, the greater its power to protect your business and keep it running smoothly and on the right side of regulations, requirements, and risk. It is an essential tool in your risk management suite.


Jun 27, 2023