Risk management applications – Buyer advice for effective investment

Well-targeted investment in risk management software applications can yield significant benefits for decision-making and efficiency

Frameworks such as the UK’s G-Cloud 13 emphasise cloud-based solutions, which are typically much easier to deploy and cheaper to implement and maintain. They also accelerate supplier selection and contract processes. However, other considerations are necessary to maximise your investment’s effectiveness.

Articles like this are more interesting when they include personal experiences of ‘sub-optimal’ situations. So, from former careers in the public sector, here goes…picture this scenario…

Management of safety risk is supported by a drawing tool. This helps a small number of people to understand the chance – but with only a handful of licenses in a department of 6000+ people, most rely on cut-and-paste images in MS Office documents and the occasional large print on a wall. Risks are tracked in spreadsheets and manually correlated to the risk drawings. Safety audits are conducted in more spreadsheets; findings are tracked in more spreadsheets, and actions are managed through meetings, calls and emails. Equipment risks are managed in separate standalone documents, as are deviations from standards and clearances. Incidents and near misses are tracked in a system that doesn’t connect to the risk drawing tool. Program risks are managed in a separate system away from safety risks – problematic because they are related: actions to decrease one type of risk often have the opposite effect on the other. Several times per year, there are board-level safety reviews – risk teams with limited capacity due to operational demands spend significant effort attempting to collate all this disparate data into PowerPoint slides that are out of date before they are briefed and sometimes contain gaps despite best efforts.

This may resonate with what you are experiencing now. Targeted acquisition of a risk management application can unblock this scenario, and consideration in the following areas may help.

Risk management: be clear about what you want from what you buy

What do you need – a risk visualisation tool, a risk management application, or an analytic data platform? The drawing tool in the scenario helped people to analyse risk. But I recall frustration in risk teams at being required to produce endless risk visualisations that ultimately didn’t ‘do’ anything. Monitoring, communication, and action management are critical. For this, an application supporting more comprehensive access and processes is required, connecting multiple stakeholders in a single version of the truth backed by notifications that take on the heavy administrative lifting – although such applications may be less sophisticated in visualisation. Data analytic platforms such as PowerBI and Tableau offer significant self-help capability for data exploitation, which risk management applications cannot be expected to emulate – but API connectors bridge the gap and should be a ‘must have’ requirement. In summary, clarity in what you need will help release benefits and manage stakeholder expectations.

Coding versus Configuration

Look for applications that are tailored by configuration settings rather than coding changes, allowing your admin users to access these settings. This reduces vendor dependency, gives you control in keeping the system aligned with evolving business processes, and should reduce overall cost. When tasked to compare two software products for a government department, I asked the assessment panel to score in two ways: whether each product could deliver against the requirements and whether delivery required coding or configuration. The products scored equally on the first point, but the second point showed a significant (and helpful) disparity. During live demonstrations, demand that suppliers show how a data field is changed – it will give you a feel for how complex the ‘back end’ of the system is. If they can’t, it should tell you something.

It’s ‘just’ a database…

In many cases, buyers will need to select risk management applications from an industry-approved list. But in most cases, alignment to a specific sector is a commercial vendor choice – and relational databases ultimately boil down to the same thing. They connect data (e.g. specific field types such as date or dropdowns), processes (e.g. transitions between lifecycle states such as draft and active) and people (e.g. permissions to add/amend data and change states). And they allow records to be related on a one-to-one, one-to-many, or many-to-many basis. If an application is genuinely configurable, it should be able to absorb any process. I have seen an organisation reject a product because the exact industry-specific dropdown field values they needed weren’t demonstrated. But they missed the point – those values could have been applied in minutes, and they threw away many other substantive advantages to select a product that was far less capable (but with the required dropdown field!).

Ease of use

If users don’t embrace a new application, you won’t get the data input necessary to build a rich picture, and you won’t get efficiency dividends. I was once tasked to kick-start the implementation of a product that was 18 months into a contract with no active use. Two separate teams had been charged with implementation – neither had received vendor training, and both had failed. The only ‘success’ had been getting the vendor to break its system logic to allow basic free-text entry into a few fields, making it a very expensive spreadsheet. My first step was to get vendor training, which set off alarm bells on several counts. The course was a full two days – which didn’t say much for ease of use. The cost was ~£2000 per person, a significant organisational barrier to knowledge transfer. Most concerning, even after the training, it took me hours to enter a single risk. The system was wildly over-complicated, and the procuring authority had been seduced by marketing, highlighting a good score from a well-known software benchmarking company. So – focus heavily on this area. Bring a user representative to any demonstration and ask for a trial period if possible. If users are comfortable, you will likely see a successful rollout. If they are not, it’s almost sure that you won’t.

Giving you a flying start

Frameworks such as G-Cloud 13 give you a flying start in procuring applications that can unlock scenarios like the one outlined at the beginning. But ‘Buyer Beware’ still applies. Although the shopping exercise is much easier, diligence and judgment remain critical in setting requirements and matching a preferred solution to make the most of your investment.

Please Note: This is a Commercial Profile

More About Stakeholder

  • Corporate Governance Risk

    Adaptable software from Corporate Governance Risk, gives you confidence in decisions and actions through risk management.

Contributor Profile

UK Director
Phone: +44 (0)7780 986 929