A colleague of mine, also in the risk management field, and I were having lunch last week and we got on the topic of risk management systems.
I was aware that her organization (an international FS company) had installed an audit and risk management system about five years back so I asked her how that was going. She remarked that about three years ago, and shortly after she joined, all the nations in the international FS company stopped using the technology. It sounded like some kind of ERM mutiny.
Today they are using Excel and Word.
When used properly a tool can help consolidate your organization’s inventory of risks. But if you have no process for collecting the inputs that will go into the database then all you have done is wasted time and money (not to mention lost the hearts and minds of your people). If you have a process, but it is flawed or incomplete, then all you have is garbage in and garbage out.
My advice to you is create awareness and get the buy in for the importance of risk management first. Next you build the framework, implement processes, talk about risk management all the time, assign roles and responsibilities and document your risk clearly, etc. Then do this for a minimum of one year. (This time frame is arbitrary but if you only consider that you only update your risk reports quarterly, a year will provide 3-4 iterations to the process.)
Once you have a clearly defined risk management processes, and a robust database of risks, only then should you consider bringing in automation. Risk management technology is not a substitute for people, processes and or thinking. Nor is it the solution. It is only an enabler to the solution.