Computer programs can make risk management more efficient. But not all programs are the same. Carole Edrich compares two systems to explain just how different they can be
Since 11 September, all organisations have been reconsidering their continuity, contingency and disaster management strategies, and many are using risk management and business continuity software to support the re-evaluation. Whatever the size of the organisation, it is difficult to assess what may be at risk. More importantly, how can those risks be managed, and how can plans and strategies be prioritised consistently enough, and at a sufficiently detailed level, to help the organisation recover while also giving its insurers a degree of confidence?
Risk management software is used to ensure that a viable plan for recovery and business continuity is developed and kept up to date. It assesses the risks in a business that would hinder recovery and establishes levels of action and accountability. Two software systems reviewed here highlight trends in best and current business practice for small and large organisations.
Life Goes On (LGO) is software designed to manage business continuity for the small and medium enterprise. It is considered a leading example of its type in the market. Cyclick Software is intended for larger organisations and supports enterprise-wide risk management and, more explicitly, Turnbull compliance (which it calls business risk management). This system is more flexible and has a larger scope. It requires trained administrators and users who, ideally, would understand end-to-end risk management.
Many enterprise-wide or local continuity and emergency provisions are revised versions of those derived before Y2K. It is self evident that any analysis or plan made before the year 2000 or World Trade Centre events requires considerable review, or even a complete re-write.
Both LGO and Cyclick hold an extensive library of generic business risks. Cyclick's risk library can be customised to the user's organisational requirements, expanding the scope and potential detail considerably, while LGO's questionnaires are less flexible. Arguments exist for both approaches.
An experienced user will get more out of the software by customising it; a less well informed user would gain little from the same facility, and may introduce gaps or inconsistencies into the risk library.
Company law requires directors to exercise due diligence, reasonable care and skill, which includes having adequate controls and processes in place. The Financial Services Authority (FSA) N2 requirements extend this to anyone with influence and a significant functional responsibility. In effect, they push responsibility further up the management ladder, in some cases to the boardroom. There is, therefore, a need for formal processes and documentation at every level of the organisation, both to support the process itself and to allow later review.
As expected of corporate governance software, the Cyclick system correlates independent control check processes and associated risks. Business continuity software such as LGO should not attempt to do this, although both sets of software facilitate a reasonable level of self assessment through extensive questionnaires.
Although the aspect of control is not strong in LGO, the questionnaires could allow users to develop a wide ranging picture of the risks facing their businesses. This would help them to derive and implement controls.
Both applications provide audit trails. LGO provides a file transfer protocol (FTP) facility for uploading data via the internet to a remote storage location. Plain FTP carries credentials and data in clear text, so any such upload of continuity plans or asset lists should be protected by an encrypted channel. Cyclick assumes that its client base has sufficient resources to undertake off-site storage independently of the software.
Company law, Turnbull recommendations and N2 also require that responsible individuals' roles are clearly defined. LGO provides for identification of individuals and teams for normal business functions, as well as for software administration. But it does not make a clear distinction between staff's general and risk management responsibilities. Cyclick has the facility for such definition, but it is not mandatory.
The guidelines are new and, although it may currently be considered sufficient for a board or its directors to rely on risk management software to identify and manage their risks, this is unlikely to remain the case for high risk organisations.
Current thinking indicates that a business impact analysis (BIA) should be undertaken on a regular basis, and that continuity, contingency and emergency plan provisions are revised regularly as a result of the BIA.
Since the risk industry as a whole cannot agree on what a BIA is, it is unsurprising that this is reflected in the way the two applications deal with it. While Cyclick has a facility for constant reviews of any rolling programmes and projects, this is not quite the same as a BIA. Over time any user may become dependent on extensions to the risk library. With LGO a more significant revision of the software would be required for the same result.
Neither approach is likely to be completely successful as it is human nature to respond to the same sets of questions in the same way, thus endangering the value of the information on which the entire programme relies.
It is important to prioritise the organisation's assets, hardware, software and applications so that any continuity, contingency or disaster plan first invokes the recovery of only those elements vital to the organisation's core processes.
Less important facilities, assets and applications can be recovered later. LGO does analyse impact on the asset base, but some may consider the resulting prioritisation to be limited.
Current trends indicate that as much work as possible is likely to be undertaken at the enterprise risk management level. This substantially affects the way that impact analysis, business continuity planning, contingency and disaster planning are undertaken.
It is likely to mean that a gap analysis between the different levels of risk management strategy is vital. Cyclick supports this trend indirectly and it is out of LGO's scope, which is not unreasonable provided the users are aware of the fact.
Cyclick and LGO are available in both stand-alone and multi-user versions. Cyclick provides a self assessment tool for the on-screen capture of business data that can be emailed anywhere, while LGO relies on user access to the central tool.
While the former may give a multi-site organisation slightly more assurance as to the level of security, this may not be relevant to others.
Most organisations were so focused on Y2K risks that, before 2000, enterprise wide risk was rarely considered at all.
And while the principles of sound control were often intuitively adopted, Turnbull and the FSA had not issued guidance for larger organisations.
The software itself has become more flexible as the vastly increased memory and processing power now available enables the inclusion of large rules and risks databases at a relatively small cost to the user.
Despite, or perhaps because of, the fact that enterprise wide or total risk management is still an immature science, there is a wealth of apparent choice in software. While it is possible to find applications that support 60-80% of an organisation's requirements, all risk management software in existence is dangerous if used with blind faith.
Reliance on software or external logic without recourse to gap analysis, or even common sense, is always a mistake. In the worst case it could lead to business failure and even prosecution for failure to comply with the regulations.
Carole Edrich is managing director of Kai Corporation (Risk)
Risk management software comparison at a glance
Life Goes On (LGO)