RMIA 2015
2. Get your leaders to endorse the project
Your new system must be endorsed by your organisation's
leadership team. C-suite leaders will play an integral
role in a risk management system project -- not least in
providing project management discipline. Consider how
key performance indicators and performance management
plans can be used to support the project's outcomes.
Leaders aren't only people with a 'C' at the front of their
title. Every organisation has its internal influencers: wise
heads who've been around for a long time, often in a
technical capacity. They bring tremendous experience, and
can influence more powerfully than any email from the chief
executive officer to the board supporting the project.
Look to create opportunities for your leaders to give input,
and consider giving them roles in the project.
3. Know the purpose for, and functional
specification of, your system
Before surveying the market or engaging vendors, you must
have a strong understanding of what you want to achieve
with your new risk management system. There are obvious
efficiency and controlled workflow benefits. But also think
about who the primary users of your organisation's system
will be, and what their needs are. Since each department
may dabble in the system at different levels, and use it in
different ways, the system needs to be intuitive.
Among the primary users will be the risk team, which will
be excited about a new toy and its suite of sophisticated
capabilities. But the risk team's excitement will contrast with
the approach of other users, who will adopt the system in
the course of their normal day-to-day work. These users
will be less excited about functionality and more interested
in intuitive features, user-friendliness and minimal training.
If the system requires them to be as technically informed
about risk management as the risk team is, they'll be
unlikely to embrace it.
Then there's the board. Try to understand what information
the board wants, and in what format. If a system can't
provide good reports in the right format, ensure that it
allows for customised reports.
A good functional specification will outline these requirements.
The more detail, the better. No system is perfect, so knowing
what can and can't be compromised will help.
4. Attain risk identification guidance
The most important function of a new risk management
system will be how easily it can identify and evaluate
risks relating to your business objectives. Put yourself in
the shoes of your other staff members, who may not be
familiar with the risk management process. If a system
cannot identify and evaluate risks easily, figuring this out
will be time-consuming. A system should provide guidance
on how to identify risks and establish a risk management
context. Ideally, this will reflect the unique qualities of your
organisation, and will be customisable. If your chosen
system doesn't do this, think about the best way to do it
outside the system, by way of instructions or training.
5. Find a partner you can trust
There are some great risk systems out there, all with similar
levels of functionality. Perhaps the most important consideration
is how well you can work with the vendor. Implementation won't
be easy. Hurdles will come your way. Ensure that the vendor
has clear documentation about what their ongoing service
includes. Will they offer local support, or will it be a long-distance
relationship? Also question their reputation for success. Above
all, consider whether you can picture yourself working closely
and constructively with the vendor's project team.
About the author:
Liam O'Brien recently joined the team at GRC Solutions
as a Senior Consultant. O'Brien has worked for large
and diverse organisations in senior management roles
since 2003, including Suncorp, SAI Global and QR
Limited. His governance, risk and compliance expertise
comes from successfully executing:
• risk management frameworks
• compliance programs
• governance reviews
• bribery and corruption assessments
• audit programming.
O'Brien has provided expert content to professional
development courses for industry bodies, including
the Governance Institute of Australia, and universities.
He delivers courses and speaks at conferences and
networking events for professional associations such
as RMIA, the GRC Institute, the Governance Institute of
Australia, the Institute of Internal Auditors, and the
International Association of Privacy Professionals
GRC Institute), Chair of the Compliance Committee for
Social Investments Australia and Foresters Community
Finance, and a founding Director of Help Me With It.