But in a world where risks are changing all the time, what McKinsey refers to as turbulent times, those are features of a slow-moving or even static risk landscape.

Reporting through nice dashboards and charts is fine. But by the time you share those reports with management, they reflect the state of the risk landscape that used to exist – when the data was gathered. They are an historical record rather than something that necessarily enables prompt and agile management.

The most critical feature for me is the ability to monitor and be alerted to changes in known risks, or the emergence of new risks. That kind of prompt risk intelligence means that the executive team and decision-makers across the enterprise are able to make business decisions with a picture of today’s rather than yesterday’s risks.

how does this affect the choice of a risk management solution?

While some place a priority on the integration of risk management with compliance and even internal audit functionality, my priority is on the integration of the risk management solution’s core system and the organization’s business intelligence (or equivalent) software – the software used to perform continuous risk monitoring. (If you are not performing continuous risk monitoring, that’s a different and serious problem – IMHO). Examples include SAP’s BusinessObjects, Oracle’s Hyperion, and IBM’s Cognos. I like to use them to monitor my risks and bring the results into solutions (usually from those same vendors, such as SAP’s Risk Management solution) for workflow, analysis, and reporting.

Do you agree? I welcome your comments.

Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
normanmarks.wordpress.com/