risk assessment supplement - cir magazine · 2019-09-02 · maturity models, of which many are...

30 Raising the bar

The decade ahead should see less talk aboutenterprise risk management and more action,reports Graham Buck

32 A technical detail?

Nick Martindale looks into preparations forSolvency II and investigates how technology is paving the way for compliance

RISK ASSESSMENTSUPPLEMENT

34 CIR Risk AssessmentSoftware Survey: the products

42 CIR Risk AssessmentSoftware Survey: productfeatures matrix

29 supp cov.qxd 10/12/2009 15:00

management in order to have anintegrated approach. A usefulmechanism for this is the use ofmaturity models, of which many areavailable online. These measure thelevel of risk management maturityand the quality of informationbeing generated and reportedwithin the company.

“An assessment is carried outacross all of the business units atleast once a year, and you set thelevel of maturity appropriate to theorganisation,” he says. “Results onthe company’s maturity of riskmanagement are now reported atboard level and pressure from theboard to achieve targets helps toembed the process.” This may meansome organisations deciding thatthey do not need to operate at thetop level of maturity. It’s up to itsexecutives to decide what isappropriate.

While it’s likely that embeddingERM within the organisation willprove an uncomfortable experiencefor them, it’s also part of a much-needed cultural change he adds.

Message from the top

Companies on a learning curvequickly recognise that ERM is acontinuous process. As MikeAngelina, chief actuary and riskofficer for Bermuda-based specialtyinsurer and reinsurer Endurancenotes: “You can’t ever let up, asthere is a need to continuallyimprove as the bar is raised higherand higher.” Angelina agrees thatthe lead on ERM must come fromthe very top. “The best thing for anorganisation is to have a risk-aware,risk-sensitive and risk-mitigatingculture in place. That culture startswith the chief executive and it’s upto the board to push forward withERM initiatives.”

He believes that in NorthAmerica, a changing approach toERM predates the financial crisis.Four years ago hurricanes Katrina,Rita and Wilma exposed theshortcomings in many programmes,and served to push the insuranceindustry further down the ERM path.

If the so-called Noughties weremarked by an acceleration ofinterest in the benefits to business

of enterprise risk management, sothe oddly named Teens are likely towitness more companies actuallyembedding an ERM frameworkacross the organisation.

As Tom Teixiera, vice president of enterprise risk solutions at ERMsoftware and services group,Strategic Thought confirms, it’sclear that the financial crisis haschanged attitudes towardsmanaging risk.

He reports that companies,particularly in the financial sector,are once more adopting a ‘back tobasics’ approach to risk andlooking to get the essentials right.This means having a mechanismthat covers all of their businessunits, detects emerging risks andlinks them to the appropriatecontrol mechanism.

“So ERM management schemesneed to establish the context of risk,identify the coding data and look atbusiness relationships,” he suggests.

“The industry sectors already goodat this are those that are highlyregulated – particularly energy and

utility companies whose businessplans and regulatory requirementsare quite similar to one another’s andwhich have implemented thesedetection systems.”

Add to these the tech companies,which are generally prudent thanksto their bruising experiencesduring the dotcom bubble and havebecome adept at managing whatare often complex supply chains,suggests Grant Foster, an associatedirector of Aon Global Risk. Healso cites supermarkets as a sectorskilled in supply management, duelargely to their vulnerability shoulda major supplier go bust. But othersectors now need to move up thelearning curve and implement ERMacross the business, says Teixiera.They include aerospace anddefence which, he suggests, isgenerally good at bottom-up riskassessment and technical risk butless skilled at integrating a top-down approach at both strategicand management level.

So how can companies identifyareas in which their programmesare lacking? “When firms come toexamine the gaps in the ERMframework they will see commonmistakes, such as the absence of acommon database, a lack ofreporting and executives who donot subject the risk information to aproper review,” suggests EdMoorby, managing consultant at PAConsulting.

“These mistakes are unlikely tohave changed very much since theprevious review.”

He describes reporting as toooften the “Achilles heel” of an ERMframework, whereas it needs to bedynamic and free of any set formatto deliver the flexibility needed.Teixiera stresses that the tone onERM needs to be set by top

RISK ASSESSMENT SOFTWARE SUPPLEMENT > ERM

Raising the barThe decade ahead should see less talk aboutenterprise risk management and more action,reports Graham Buck

CIR December 200930 www.cirmagazine.com

30-31 feature.qxd 08/12/2009 16:40 Page 1

excited about the deal and toooften either overlooks or ignoresthe clash of cultures and/ordifferent risks that results,” he observes.

While risk managers should beable to recognise the warningsigns, too often they have beendismissed as doomsayers. So therole of chief risk officer has to becredible in a business sense;he/she must be able to talk aboutrisk in a real way, as well as riskmitigation and controls andwhether they justify the investmentrequired. The issue of ERM costsversus benefits will be very topicalover the coming years, in whichcorporate budgets are likely to berestricted – particularly as the riskmanagement function doesn’talways demonstrate its valueimmediately. “Administration of riskregisters is often one of the firstthings to get cut,” says Foster.Moorby adds that investors andstakeholders “have had their eyesopened by the crisis”. Both groupswill seek assurance that bankexecutives fully understand riskand are able to talk about itknowledgeably.

“The impetus behind ERM meansthat companies will invest, althoughthey are likely to focus investment onareas that are of greatest concern,”he suggests. “So they will prioritiseand strengthen their ERMframework over time, although it willbe some years before we can expectto arrive at any ‘ERM nirvana’.”

As we enter a new decade, howdoes the UK rank internationally asregards ERM implementation?Campbell’s verdict is that there arecertain areas in which the UK leadsand others in which it lags.

“France’s financial institutionswould appear to be marginallymore advanced and French banksare generally better prepared.However, the UK’s major resourcescompanies generally have goodrisk management processes,” heconcludes. “Having said that, thebar really needs to be raised acrossthe whole of Europe.”

The impetus for ERM has alsocome from US regulation and theintroduction of Sarbanes-Oxley in2004, adds Karl Campbell, vicepresident Europe and the MiddleEast at Cura Software. “However, ithas also been driven by America’sbusiness schools, which havepromoted the message thatcompanies need to recognise theirrisk vulnerabilities and threats,using them to decide whichopportunities they wish to pursue.”

Among these weaknesses was theover-reliance of capital modelswhich, while a useful tool, arebackward-looking. Angelina saysthat as an insurer, Endurance alsofound that models based on ValueAt Risk (VAR) were too focused onone area, with the industry focusedon once in every 100 years andeven once in 250 years events. Hesuggests that companies mightmore usefully look at scenarioplanning – basically a method forlearning about the future byunderstanding the nature andimpact of the most uncertain andimportant driving forces affectingthe world – although “you reallyneed to review which events aredriving the tail of your distribution, tohelp you with your hedging strategy.”

Angelina is encouraged bycompanies’ increasing focus onmanaging emerging risk, whichdovetails neatly with a moreuncertain economic outlook. “Youcan see what might drive your ERMand what the company is – andshould be – doing about extremeevents that are not being capturedor are being missed entirely.”

He also feels that the companybenefits from bringing moreindividuals in to contribute to itsERM programme. Endurance’s ownteam is multi-discipline andrepresents a cross-section of theorganisation. “Bringing in the nextlevel down of executives helps byintroducing new ideas and ifdirectors are brought in from arange of different disciplines thenassumptions can be challenged,and revised if necessary.”

The company is better able to“own” risk through this approach,he adds. This tends to be moreeasily accomplished by smallercompanies, which tend to havefewer layers and greater flexibility.

While consensus may not alwaysbe possible on risk decisions,people have a better understandingof the issues involved and dialoguecan include debate on aspects suchas risk versus reward trade-offs.

A robust framework

What are the hallmarks of a matureand effective ERM framework? Arecently-published internationalsurvey by Aon identifies thefollowing nine major features:• a board level commitment, with

risk handled as part of corporate strategy;

• a dedicated risk executive in place to drive the process;

• engagement and accountability in the ERM process at all levels of the organisation;

• engagement in the process by the company’s stakeholders;

• corporate communications are fully transparent;

• financial information and strategic information are integrated into decision making;

• the process identifies new and emerging risks, while also making time to look at what lies ahead;

• a move away from risk avoidance and mitigation to instead extract value from risk.

What the financial crisis exposedwas that institutions had becometoo wrapped up in models, addsGrant Foster. So companies need torecognise the root of risk and thehuman aspect, rather than beingoverly reliant on ratings or numbers.Risk must be embedded intocritical decisions. Too manycompanies get caught up in “doingthe deal” – particularly in economicbooms, with joint ventures andacquisitions offering a classicexample. “Management gets too

RISK ASSESSMENT SOFTWARE SUPPLEMENT > ERM

CIR December 2009 31www.cirmagazine.com

30-31 feature.qxd 08/12/2009 16:40 Page 2

helping them to create competitiveadvantage,” he says.

The last 12 months have alsoseen simpler and cheaper softwarepackages come on to the market,says Margetts, making them morefeasible for smaller companies.These are often explicitly linked tothe QIS 4 template, he says, givingfirms a simple starting point for theimplementation of an internalmodel. “Most providers have arange of options in terms of thesoftware and support that they offer.This goes from providing an off-the-shelf product along with sometraining to a full hand-in-handmodel implement, where the modelis handed over along with theassociated software at the end ofthe project,” he explains.

The key issues for most insurerswhen it comes to upgrading orinstalling new software aretransparency, power, flexibility andscalability, says Karl Murphy, apartner at EMB, which offersdifferent versions of its Iglooproduct for those with smallmodels, those running largermodels on desktop PCs and verylarge models to be run acrossmultiple processors and computersand over the internet.

“They require transparency in thesense that they need to see whatthe model is doing and interrogatethe results; power in terms of therange of stochastic techniques andbusiness applications within thesoftware and the time it takes to runsophisticated models; andflexibility from the point of view oflinking models and importing andexporting from other packages,such as Excel or an economicscenario generator,” he says. “The scalability issue is alsoimportant as firms might want

With Solvency IIregulations due to comeinto effect in less than

three years, the pressure is oninsurers and reinsurers to improvetheir risk frameworks. A recentsurvey commissioned by theEuropean Commission found that41 per cent are currently in theprocess of doing just that and those that have yet to do so willhave to make it a priority for 2010.

“It is fundamental that insurersdo not underestimate the level ofcost and management time that willbe needed to implement Solvency II and demonstrate compliance by October 2012,” says KirstieGordon, an insurance specialist atfinancial services group BDO. “A

timely, detailed GAP analysis is thekey to a smooth implementationprocess and to managing associatedcost effectively.”

According to Simon Margetts,senior manager in Ernst & Young’sEuropean Actuarial Servicespractice, organisations should by now have started their projects in relation to satisfying the pre-application criteria, be well on the way to completing theirimplementation plan for theirinternal model and have startedpreparing for the pre-applicationwork and documentationsurrounding their data streams and systems.

A vital part of all of this is toselect the appropriate riskassessment software that will allow insurers to consolidate datafrom multiple sources into a single,centralised solution that will enable them to generate concisereports and audit trails through asingle interface. Meeting such arequirement will not only helporganisations comply with theSolvency II demands but will alsoallow senior managers to makemore informed decisions about risk and manage their cash reserves more effectively.

Bart Patrick, head of insurance at business intelligence softwareprovider SAS UK, saysorganisations have been graduallyreplacing more tactical solutionsbased purely on the commercialaspect of risk assessment andimplementing more strategicsystems over the past two years.“Insurers are now looking atadopting group-wide solutions to enable them identify, assess,measure and control risk exposures,creating an accurate understandingof risks in line with appetite and

RISK ASSESSMENT SOFTWARE SUPPLEMENT > SOLVENCY II

Nick Martindale looks into preparations for Solvency II andinvestigates how technology is paving the way for compliance

A technical detail?


32-33.qxd 10/12/2009 15:04 Page 1

population architecture andvarying sources of data, and thecontrols and governance aroundthe data storage architecture. It isnot always acceptable to pointsoftware at the most convenientdata sources because ofimplications on control frameworksand the wider architecture.”

There are other barriers, too,relating to hardware performancethat must be taken into account,says Johnston. “The extensivecomputing power required toperform projections can createbottlenecks in the reportingprocess,” he warns. “Additionally,manual interfaces such as Exceland sequential processes arerequired to intervene and preparethese calculations. The more layerson the reporting process, the morecomputing power is required.”

Internal communication issueswill also need to be addressed iforganisations are to benefit fromthe efforts being put in now toensure compliance with Solvency II and improve their riskmitigation. EMB’s Murphy arguesmodels need to becomeembedded within the organisationand used right across the business.“That means everyone within anorganisation understanding howthey input to the model andbenefit from its outputs,” he says.“Modellers themselves have to beable to communicate theiranalyses in the language that thesenior management team willunderstand.”

The Solvency II requirements are not about to go away and timeis running out for those insurers or reinsurers that have yet toseriously tackle this issue. But those organisations that can createa transparent organisation with easy access to data early on will not only ensure they meet theregulatory requirements but ensure they are working on a viable model going forward. Inlight of the recent failures of thefinancial sector in general, that iscertainly no bad thing.

to start modelling in a small wayand grow their capability.”

But while insurers and reinsurersare being forced to confront theissue of which model and softwarethey wish to deploy, so too aresoftware vendors facing a criticalperiod, claims Thomas Brouwer,head of product management atrisk compliance software providerFRSGlobal. “Vendors have to satisfydemand from the insurance industrynot just for improved modellingtools, but also faster computingspeeds involving ever-more complexcalculations,” he says.

“There’s also a demand for awhole range of other features insystems, including coverage of thebroader regulatory issues relating tomodels and the more qualitativerequirements of pillars II and III ofSolvency II.” Solutions range fromin-house built solutions to bespokeand tailored packages, he adds, butto reduce maintenance costs mostinsurers tend to opt for standardsoftware with a high degree ofintegration that also offer elementsof customisation.

Margarita Von Tautphoeus, headof the Solvency II consultancy teamat reinsurer Munich Re, agrees thatservice providers have work to do.“They tend to offer more solutionsbased on the current QIS4-standardformula spreadsheet but there mustbe a trend towards server-based,auditable software solutions,” she says.

She believes there will be a mixof different software tools in thefuture, run by either an in-houserisk management unit or anexternal provider. These couldinclude a local data warehouse, atailored actuarial calibration toolfrom a service provider and another license for externalscenario generators. But she warnsagainst the so-called “black box”solutions, as regulators will need to audit not just the findings but

also the data, methods and toolsused to reach decisions.

Locally stored files spread overdifferent countries or legal entitieswithout a well documented conceptbehind will not be accepted byEuropean regulators in a few years’time, she adds. “Open sourcesolutions with customised modellingapplications and data integrationare one way of overcoming this,”she says. To this end, Munich Re isthe main sponsor for an open-sourcesoftware platform known as PillarOne, which focuses on ERM needsfor insurers, she says.

The race to prepare for SolvencyII has, however, revealed otherissues that need to be factored intoany decisions around softwareinvestment. Srini Venkat, vice-president for product strategywithin Oracle’s Global InsuranceBusiness Unit unit, points out thatmany insurers still rely on multiplelegacy core applications, whichhas led to unreliable data and areliance on manual processes.

“This aspect of theimplementation needs to becarefully considered to produceaccurate and up-to-date data,” hesays. “Carefully designed datamodels and corresponding analyticapplications will ensure the datatransparency necessary to quicklymeet the Solvency II demands.”Indeed, due to volume andcomplexity, data organisation andplanning typically represent 60 to80 per cent of a risk project’s cost.

“In terms of implementation ofsoftware, insurers need to considerthe underlying sources of data,their provenance, management andquality, and the associatedcontrols,” adds Chris Ling, senioradviser, Ernst & Young IT AdvisoryServices. “Most software tools willreside in and around the reportingarchitecture area andimplementers need to consider the

RISK ASSESSMENT SOFTWARE SUPPLEMENT > SOLVENCY II


“Carefully designed data models andcorresponding analytic applications will ensure the necessary data transparency”

32-33.qxd 10/12/2009 15:04 Page 2

RISK ASSESSMENT SOFTWARE SUPPLEMENT > PRODUCTS


@RISK

Palisade’s @RISK provides quantified results which can be used by the decisionmaker as a basis to develop appropriatemeasures to mitigate or manage risk. @RISKreplaces fixed model input assumptions withuser-defined probability distributions andthen conducts a ‘what if’ Monte Carlosimulation thousands of times. Results arepresented in a clear and user-friendly visualformat. @RISK produces a full statisticalreport on simulations. One-page “QuickReports” can be produced with a singlemouse click. These include graphs, tornadocharts for sensitivity analysis and summarystatistics. The software is accompanied witha free tutorial. Making the best decisionsmeans performing risk analysis. @RISKoffers an easy, affordable, and effective way to start performing risk analysis in the familiar Excel environment. Palisadealso provides hands-on training, tailoredtraining and risk consulting.

www.palisade.com

ACTIVE RISKMANAGER (ARM)

ARM from Strategic Thought is enterpriserisk management (ERM) software deliveringan integrated approach to identifying,documenting, mitigating, monitoring andanalysing both risks and opportunities. This enables companies to act withincorporate governance requirements andindustry standards. Enterprise-wide visibilityof risks, controls and mitigating strategiesallows risk-adjusted planning and facilitatesimproved credit ratings, the identification of the right levels of capital contingencyreserves, reduced borrowing and insurancecosts and minimises the likelihood ofincurring project and contract penalties.ARM has the breadth and depth ofcapability to support organisations’ riskmanagement processes as they mature and evolve over time. Whether the start point is project risk, supply chain resilience,health and safety, business continuity, bidmanagement, reputational risk, insurancepremium reduction or improving credit

Risk AssessmentSoftware Report 2010

Your guide to risk assessment software:product summaries

36-41_products.qxd 09/12/2009 17:00 Page 1



ratings, ARM is the ‘risk engine’ which will deliver value at each step of the journey.

www.strategicthought.com

ACUITY STREAM

Acuity STREAM Risk Registers providesreal-time management dashboards andreports that present a consistentintegrated view of the risks to businessperformance. Gauges and barometersprovide ‘at a glance’ views of currentresidual risk and compliance status with drill-down and aggregation through the enterprise. A set of real-time graphical reports includes top 10risks, risk history, compliance history,event history, action status and return on investment. Acuity STREAM RiskRegisters is used for enterprise-widecorporate and programme/project riskmanagement and reporting. The productis commonly used where clients wish to measure their risks in relation toperformance metrics and compliancewith control standards, such asregulatory compliance, security, health and safety and businesscontinuity. Users can also drill down toinvestigate areas of concern and, viewaggregate risk and compliance status.

www.acuityrm.com

AGENA RISK

AgenaRisk offers a unique risk analysis and knowledge-based decision supportsolution to help organisations gaincompetitive advantage and enhance value for stakeholders. Using the latestdevelopments from the field of artificialintelligence, AgenaRisk providesenterprise level modelling andpredictive analytics to support businesscritical decision making, enablingsenior management to focus on the keyrisks and controls within their business.AgenaRisk is deployed across a numberof industry sectors including banking,defence, aerospace, energy, telecomsand technology, supporting key businessissues including operational risk,

business continuity and ensuring thesafety and reliability of critical systems.

www.agenarisk.com

AON RISK CONSOLE

Aon RiskConsole is a web-based risk management information systemwhich maintains a wide variety of riskand insurance information for allindustries, with extensive multi-lingualand multi-currency capabilities. Inaddition to manual data entry,RiskConsole can consolidate data frommultiple external sources as well asinternal systems such as humanresources, payroll and fleet. This meansthat clients can establish a centralrepository of risk information with allrelated data, giving a complete picture.Organised as a series of modules,RiskConsole is designed to be flexibleand to cover as few or as many areas needed, seamlesslyintegrating workflows from across the entire business, as well as with third parties such as insurers, claimsadjusters, captive managers andsolicitors. By accommodating theadministrative, reporting and analyticalneeds of insurance and riskmanagement operations, clients usetheir data and reports to drive downcosts through loss prevention andimproved insurance premiums.RiskConsole also facilitates a widerange of risk management initiativesincluding support for legislation such asSarbanes-Oxley and Basel II.

The ERM Risk Register – Aon’s latestproduct, provides a robust method forrecording and consolidating riskregisters with full audit and control, andpresents a transparent and auditableprocess that can be included as part ofa formal corporate governance andrating submission. The product has alsobeen designed to facilitate reporting toand consolidation from multiple

divisions/sources and allowsidentification of changes betweenreporting periods.

www.aonriskconsole.com/CIR

CCH SWORD

Much of the power of CCH Sword isderived from its focus on ensuring thatevery implementation is tailored to thespecific structure and needs of each client. Specialised implementationteams work closely with clients tounderstand their systems and structureand use this knowledge to design anddeploy a bespoke CCH Swordimplementation programme. CCHSword is implemented as an operationalrisk management tool by largeinternational finance companies such asAnglo Irish Bank, Schroders, SwissRe,Pearl Group, Barclays Global Investorsand Henderson Global Investors. Thesoftware’s latest enhancement is anenterprise risk and compliance function.

www.cchsword.com

CITICUS ONE

Citicus ONE is a web-based applicationthat offers an efficient, constructive andcontinuous method of measuring andmanaging information risk, supplier riskand other areas of operational riskacross an enterprise. The productprovides top management with anoverview of the risk and compliancestatus of their critical operational assetsand processes. Citicus ONE is availableboth as an in-house intranet applicationand in a software-as-a-service (SaaS)model. This allows rapid implementationthat can be scaled up or down asrequired. Successful implementation ofCiticus ONE does not require lengthyconsultancy engagements, leading to avery cost-effective approach to riskmanagement.

www.citicus.com




CS STARS

CS Stars delivers software and servicesfor managing risk, claims, andinsurance. More than 1,000organisations and 35,000 users acrossthe globe use CS Stars’ solutions for consolidating risk information,analysing and reporting risk exposures,administering claims, trackingcorporate assets, and automatingcompliance audit processes. The web-based solutions include datatransformation services to support the consolidation of risk and claimsinformation from multiple carriers and administrators into a single,comprehensive data repository; claimand incident event management tools –including internet-accessible claimreporting tools to expedite claiminterventions; workflow managementfeatures to automate routine risk andclaims management tasks and notifyusers of events warranting specialattention; standard report templates; ad hoc reporting capabilities includingbusiness objects and the ability toautomatically distribute reports to bothsystem and non-system users; tools totrack complex insurance policy designsand monitor policy erosion; property,fleet and asset management screens to collect asset values and supportinsurance policy renewal discussions;solutions to enhance business auditdata collection and improve auditremediation plan monitoring; andmulti-lingual and multicurrency support for use worldwide.

www.csstars.com

CURA

Cura is deployed as an ERM tool by

large international companies across anumber of industry sectors. Theproduct is 100% configurable andsupports multiple frameworks(including ISO 31000, CobiT,ISO27000 and COSO). It can be deployed on-site or as a SaaS.The Cura Enterprise GRC solutionallows companies to capture, aggregateand assess GRC data across adistributed environment. It is fullycustomisable and compatible withmultiple methodologies. This product is commonly used in the banking,financial services, insurance,consulting and accounting,construction, energy, government,manufacturing, mining and resources,pharmaceuticals and healthcare, realestate, retail and distribution,telecommunications, transportation and supply chain management. Cura provides multiple reportingcapabilities.

www.curasoftware.com

DELTEKWELCOMRISK

Deltek WelcomRisk provides astructured means of identifying,responding to, and reporting projectrisks. Risks are identified, categorised,and quantified using a comprehensiverisk register. All identified risks arecentrally logged and are typicallyassociated with different elements of a project or organisational structure.Deltek WelcomRisk aims to simplifyidentification, management and response to risks, whether threatsor opportunities. The ability to exportreal risk to a Monte Carlo analyticssystem enhances the quantitative riskanalysis. The software is used globallyin the aerospace and defence,healthcare, IT, construction, and oiland gas industries. Deltek WelcomRisksupports PMI PMBoK, US DOD 5000and AS/NZS 4360:2004. Deltek Risk+is a comprehensive risk analysis toolthat integrates seamlessly withMicrosoft Project to quantify the costand schedule uncertainty associatedwith project plans. Predicting how

long a project will take or how much it will cost is almost impossible andsingle point estimates for task durationand cost can be misleading. Risk+brings these capabilities to MicrosoftProject, the world’s most widely usedscheduling tool. The combination ofRisk+ and Microsoft Project provide an extremely powerful projectmanagement tool set that is bothaffordable and easy to use.

www.deltek.co.uk

EASYRISK MANAGER

EasyRisk Manager is an easy-to-useweb-based tool to support riskmanagement activities both internallyand externally. The software provides a clear picture of threats in the valuechain and enables companies to takeaction before an incident escalates into a crisis. Based on more than 17years of methodology, research andinsight from other risk managementtools, the software provides a highlycustomisable interface without theneed for extensive consultancyservices. Users can set up specific risk categorisation schemas for process and ISO standards,according to individual needs. By capturing every change andincident in a central location, users can also perform rapidperformance reviews; follow up on risk groups, check actions andresults, and easily maintain riskprofiles. The product will also produce reports to check the currentrisk status and statistics to show thedevelopment over time. EasyRiskManager also provides automatedalerts about notable incidents requiring immediate action. More than 5,000 users spanning industriessuch as oil and gas, banking, telecoms, transportation, finance and food are using the solution in


Extraordinary Times, Innovative Strategies

A pioneer and long-term leader in enterprise risk management software and services, Marsh continues to innovate — delivering creative, modern strategies to help risk managers meet the extraordinary challenges of our times.

Through CS STARS, Marsh helps organisations around the world gain essential capabilities to simplify risk management.

STARS™ Enterprise is a modular, Web-based risk management software platform that delivers a set of integrated features for incident, claim, resolution, policy, value collection, compliance and reporting operations.

To learn more about how Marsh can help you, please visit marsh.com or call your local Marsh representative.

csstars.qxd 14/12/2009 10:23 Page 1



order to reveal pressing issues,prioritise resources and manage risk.

www.dnv.com/industry/food_bev/easyrisk_manager

ENTERPRISE RISKASSESSOR

Methodware’s Enterprise Risk Assessor(ERA) is a scalable, flexible and costeffective software solution designed tohelp organisations manage risk-relateddata, assessment processes andreporting. Critical success factors suchas ERM, internal audit, regulatorycompliance and corporate governancerequire data and analysis. Use ERA as acentral repository to integrate and shareany or all of these key elements. Savetime and resources for your risk andcontrol assessments, audit planning anddocumentation and loss event tracking.

www.methodware.com

FIGTREE RMIS

Using Figtree’s workflow automation,document management, reporting andweb-based data capture, users canincrease productivity, lower costs andimprove their service to their owncustomers. Figtree’s risk managementproduct offerings include extensivefeatures to capture and review risks, and assign controls and actions thatmitigate or reduce their impact at variousorganisational levels. It providesautomated notifications, as well ascapturing all costs associated with aparticular risk. Graphical risk matricesprovide an instant snapshot of risk profile,along with the ability to drill down to theactual risks. Figtree provides softwaresolutions to local authorities, centralgovernment, police forces, insurers,brokers, TPAs, utilities, transportation andconstruction companies.

www.figtreesystems.com

JCAD RISK

JCAD have been developing specialistclaims and risk managementapplications for 15 years and now havea client base of over 150 organisations.The JCAD RISK solution was developedwith input from key local authorityclients and conforms to the riskmanagement standards as advocated by ALARM, AIRMIC and the IRM. Theapplication enables risks to be linked at any point within an organisation’shierarchy as well as associated withcorporate objectives, plans andprocesses. It also provides the clientwith the ability to easily customise theintuitive user interface; in this way theapplication is shaped around theexisting risk framework, not the otherway around. The system makes use of atraffic light methodology allowing risks to be assessed at gross, net and targetstages while extensive workflowcapabilities allow risk and controlmeasure reviews to be automaticallygenerated and audited. Reporting ispowerful, flexible and customisable.

www.jcad.co.uk

KEANE SCORE

Keane Score measures, manages andmonitors risk and compliance processesand internal audits. Used predominantlyin financial service organisations, itworks via dynamic profiling based uponassociating self assessment, variablecapital impacts, controls results andstatuses to risk registers. With KeaneScore, users can benchmark data forcontrols, risk profiling, capital impacts,self assessment scores and BIA. Training for administrators usually takes abouttwo days. Users can be trained in aboutan hour. Keane Score is a processmanagement platform. Content insystem is customisable, so the limitationsof types of compliance are bound onlyby the adopter’s limitations on contentrequirement. An important feature of

this software is its multiple simultaneousdistribution of interactive processes and hub and spoke command and control infrastructure.

www.keanebrms.com

KNOWRISK

KnowRisk is used as a safetymanagement system in a number ofblue-chip corporates who haveembraced ERM. KnowRisk enablescorporations from a range of industriesincluding mining, construction, financeand insurance and energy to addressdifferent risks strategies includingbusiness risks, business continuityplanning, project risks, reputation,safety, security, compliance andinsurance under one common platform.A suite of products exist to cater forsmaller operations to corporations withglobal operations, serving all levels from board to executives to staff.

www.corprofit.com

MEGA SUITE

MEGA Suite is the foundation for a complete set of integrated GRC solutions for risk managers, compliancemanagers, internal control and audit. It integrates global GRC across silos,based on common GRC processunderstanding. It provides complete riskmodeling via risk event data entry, riskmodeling, statistical CAR calculation,risk evaluation, integration with externaldatabases and predefined risk models.The product delivers all four primaryGRCM functions (audit, compliance,risk and policy management) andsupports standard/basic to advancedmeasurement approaches to ORM and




ERM. It also includes risk frameworkwith Basel II events (as well as Sarbanes-Oxley) mapping, risk/control self-assessment; loss data collection and KRIcapabilities; and a calculation engine for risk capital as well as quantitativeanalytics. MEGA Suite has the ability toperform risk control cost analysis andintegrated ORM with business processanalysis, through integrated businessprocess analysis capabilities, such asmapping of processes against risks and controls – thus enabling businessprocess improvements and better control.

www.mega.com

METRIC STREAM

The MetricStream solution supports risk assessment and computations basedon configurable scoring methodologies,criteria and algorithms. The systemallows for user-defined risk criteria and scoring methodology to be definedat any level of the organisation forcalculation of inherent risk, residual risk and related risk tolerance. Itprovides a robust and scalableinfrastructure that offer powerful coreservices and capabilities such asworkflows, configurable forms,collaboration, real-time exceptiontracking, email alerts and notifications,integration, reports, executivedashboards, business intelligence,analytics, and secure access control. The solution includes a strategicusability framework based on Web 2.0 technologies that has an intuitivestructure. MetricStream provides strongintegration between corporate reporting,strategy, and performance managementwith risk and compliance throughpowerful tools for performancemonitoring and decision support such asbalanced scorecards and risk heat maps.The solution offers powerful capabilities to provide the most up-to-dateinformation on risk management throughmultiple channels built into the platformssuch as external loss data and egulatoryalerts. According to requirements,application forms, fields, and workflows

can be rapidly created and modified to match specific business processes,terminology, and rules without anyprogramming or code change. TheMetricStream product for riskmanagement is used by companies from several industries includingbanking, financial services, insurance,energy and utilities, healthcare,pharmaceuticals, medical devices,automotive, food and high-techmanufacturing.

www.metricstream.com

MIMS RM

MIMS RM is a comprehensive web-based application allowing riskmanagement benefits to be gainedthroughout an organisation and its key partners. It deploys a single riskregister with an aggregated risk matrixthat is overlaid by a range of filterswhich, when set, allow drill down and reporting. The system is primarilyobjectives-driven, compares risk toappetite (adjusted for differentorganisational levels) and, inter-alia,records control measures, attachesdocumentation and provides emailalerts when actions become due. Each risk can be further assessed for itsimpact on key process continuity and an audit feature is included to assurethat control measures are effective.

www.stewart-software.co.uk

MKINSIGHT

MKinsight is a fully web-enabled riskmanagement system designed to enableusers to create and assess risks based on their own chosen methodology. The range of information that can beattributed to an individual risk is diverseand fully user definable. In addition,users can record controls, proposedcontrols and actions associated witheach risk. As a .Net application

MKinsight allows the management of user privileges and access rightsacross the entire system. The productalso comes with a comprehensive set of alerts to keep users and risk ownersaware of outstanding risk assessmentsand actions. MKinsight includescomprehensive processes for all riskcreation and approval processes alongwith detailed reporting capabilities inwhich the user can specify and filter a whole array of different reports whichcan then be exported to Word, Excel,Adobe PDF, html, .csv and text files.

www.mkinsight.com

OPTIALOptial provides flexible, scalable web-based audit, compliance and riskmanagement solutions across a variety of industries. Optial solutions enableorganisations to work within a structuredframework allowing them to managerisk more effectively; while generatingoperational cost reductions andimproved transparency. The softwareincludes a comprehensive suite ofstandard, parameter and user-definedreports, such as dashboards andindicators. Built-in KRIs and lossdatabase allow firms to align theirsystem with a variety of compliancerequirements, including Basel II,Solvency II, Sarbanes-Oxley, MiFID,ISO2701 and FSA for operational riskmanagement. Optial’s new generationbusiness intelligence reporting tooldelivers slice and dice managementinformation. This product’s web servicesinterfaces and software developer kitenable simplified integration with othersystems, eg. HR and CRM systems, fortwo-way automated data exchange andsingle sign on.

www.optial.com

ORACLE GRC

Oracle GRC is a comprehensiveenterprise GRC platform that integrates




business intelligence, processmanagement, and automated controlsenforcement to enable sustainable,consistent, and efficient risk andcompliance management. This producthighlights key risk and performanceindicators with executive-leveldashboards and dynamic drill-downreporting. Oracle GRC is used by a risk,finance, IT and audit executives in avariety of industries, including but notlimited to financial services, IT andmanufacturing. The platform, whichconsists of Oracle GRC Intelligence,Oracles Enterprise GRC Manager and Enterprise GRC Controls, delivers aunique, closed-loop approach to reg-ulatory compliance, risk management,and controls automation. Oracle GRCrequires professional services to supportcustomisation and implementation.Oracle Consulting Services, OracleUniversity and several other partnersoffer both implementation and training.

wwww.oracle.com/grc

PENTANA

Risk management professionals usePentana software for such daily riskactivities as maintaining risk registers,performing risk reviews and managing risk reduction activities. Specific benefits of the software include: built-in risk assessment scheduling; theability to track risk reduction activitiesand report on progress; risk registerand maintenance tools andautomatically generated risk reporting.Pentana’s clients span the public andprivate sectors in industries worldwide. Customer support is available through the UK headquarters, US andAustralian subsidies and registeredresellers in many other countries.

www.pentana.com

PREDICT!

Predict! Risk Analyser & Predict! RiskController from Risk Decisions are web-based ERM solutions that willidentify, manage and help mitigate risks, providing an effective framework to establish the right balance ofstrategic, programme, project,functional or operational risk andreward. An integrated riskmanagement and analysis solution,data can be imported, eliminating theneed for manual, duplicate keying inand enabling different ‘what if’scenarios. A fast and powerful MonteCarlo simulation engine calculates thecumulative effect of cost or scheduleuncertainty on business and projectplan deliverables. Bespoke simulationmodels can also be built within afamiliar spreadsheet environment. RiskDecisions has a track record ofsuccessful deployments of bestpractice risk management solutions indiverse market sectors includingconstruction, infrastructure, defence,utilities, transport, aviation, oil andgas, and government. Predict! Riskcontroller has reports for all levels of the organisation from practitioner to senior executive. Predict! is userconfigurable to meet the compliancerequirements of constantly evolvingglobal risk standards including Sarbanes-Oxley, Turnbull and Basel II. The software also meets therequirements of ISO3100, PMI, PRAM and OGC and provides asingle, holistic view of risk across the entire business.

www.riskdecisions.com

RISKVISION The RiskVision product line enables acost-effective, repeatable andcontinuous process for IT compliance.It provides complete visibility intocurrent risk status and delivers theaccurate intelligence and analyticsrequired to ensure that informedbusiness decisions can be made with

ease and confidence. Agiliance offersa highly automated, off-the-shelfsolution for IT compliance; deliverscomplete visibility into current andaccurate risk status; provides tools forcommunicating risks across anorganisation; enables informed business decisions based on risk posture; and leverages a sustainable risk management model that easilyevolves as business requirements andregulations change. Agiliance is a Silicon Valley-based company, withoffices in the UK and Canada, and isbacked by Walden International, IntelCapital, SVIC, Red Rock Ventures andCastile Ventures.

www.agiliance.com

SAS OPERATIONALRISK MANAGEMENT

The SAS Operational Risk Managementsolution automates and simplifies theprocess of collecting, storing, analysing,tracking and reporting on informationabout operational losses, risk andcontrol assessment, scenarios and keyrisk indicators. The solution’s self-documenting risk data infrastructureautomates the entire data managementprocess, enabling risk managers to make optimal business decisions thatenable organisations to meet and adaptto regulatory compliance mandates andother requirements. The software is abrowser-based application that collects,manages, tracks and reports onassessment data, key risk indicators(KRIs) and operational loss data. TheSAS Operational Risk Managementsolution helps to enable companies toestablish a comprehensive organisation-wide view and optimise their return oncapital, based on a scalable, flexiblemulti-dimensional and fully integratedrisk management framework providingthe breadth and depth required to bringtogether organisational, operational, risk and governance structures to meet a firm’s current risk measurement andmanagement as well as future changemanagement requirements. SAS




Operational Risk VaR is an advanced,yet user-friendly operational risk VaRmodelling engine. It facilitatesintegration of internal ORM data (such as loss data, assessment scores,scenarios and KRIs) with external ORMdata (including public loss databasesand consortium databases,) within theVaR modelling. It is based on actuarialscience techniques for modellingoperational risk VaR, the Extreme ValueTheory estimate of VaR (EVT), and theConditional VaR (CVaR) for calculatingand allocating capital includingforecasting and economic capital. SASOpRisk VaR is designed to perform theanalysis of all the operational risk datausing a hybrid approach complying withregulatory requirements, benchmarking,and process improvement. It provides the ability to slice, dice, drill-down,adjust, trend and plot operational lossdata to enable a sophisticated user to efficiently assess the quality of that data and subsequently to modeloperational VaR, following a fullytransparent, intuitive and sequentialprocess. It incorporates datamanagement capabilities to ensureconsistent data integrity and data quality used for capital modelling.

www.sas.com

THESIS

THESIS uses the Bowtie concept to assist the user in undertakingsimplified, yet integrated risk analysisand management across its wholebusiness portfolio. The THESIS BowTiemethodology is highly visual, allowingthe management process andinterlinking of control elements to be readily understood across all levelsof the business. The structured processallows the user to identify each hazard,consequence, controls (barriers) andescalation factors. It then identifies the critical tasks in order to maintainthese control measures and assignsresponsibility to appropriate individuals.THESIS software is easy to use as anERM tool and for its ability to develop

and represent business managementsystems. It provides a powerful means ofdemonstrating compliance to top levelmanagement, regulatory bodies andlegislators, principle investors and to thepublic, while simultaneously serving as an invaluable channel forcommunicating to the workforce critical procedures and individualresponsibilities. BowTies can be createdto encapsulate many risks and hazardsfacing the modern business includinghealth, safety, environmental, businessand security. The software is usedworldwide in a multitude of industries,including but not exclusively, oil andgas, power generation, petrochemical,pharmaceutical, aviation, shipping andlogistics, IT and public sector. THESIS5.5 is available as a standalone productor as a fully web-based tool for servinglarger multi site clients.

www.absconsulting.com

WEBRISK

Completely web-based, WebRiskrequires no third party software to runand is generally delivered hosted on an unlimited user basis. WebRisk ismodular and encompasses renewal datagathering, insurable and non-insurablerisk identification, evaluation andcontrol, policy management andincident/claims management. Thisproduct also features an ad hoc report writer and a comprehensive suiteof tailorable reports. WebRisk iscommonly used as a risk portal acrossthe enterprise, providing local managerswith information as well as gatheringrisk profile information and incidentnotification.

www.effisoft.com

QUANTATE RISK &COMPLIANCE

Quantate Risk provides tools for

the prioritisation of risk, creating an understanding of the relativeimportance of control and cost benefitanalysis of risk treatment. Reporting isperformed through user configurablereporting. With these products, risk isquantified using organisational criteria.Risk assessment criteria can beconfigured to suit any type oforganisation and each organisation may create different criteria for differentrisk contexts. This software is built to be intuitive ensuring training is minimal.Quantate Compliance is a flexible toolthat allows compliance frameworks to be built for any type of compliance,including legislative, contractual orprocedural. Quantate Risk andCompliance are web applications thatare delivered via the internet – oftencalled cloud computing. They are easy to set up and use and provide risk managers with tools that can bedistributed within the business, allowingrisk managers to facilitate the process of risk management to ensure that theresponsibility for a risk lies where therisk exists. Quantate Risk andCompliance are licensed as anenterprise license meaning that risk and compliance frameworks can bedeveloped that involve as many peoplethat are necessary without worryingabout license costs. Quantate Risk and Compliance are scalable andflexible making them work for any type and size of organisation. Thisproduct is commonly used amongelectrical generation and distributionfirms, in airports and ports, within local and central government, in education, and for transport andlogistics firms, among many others.

www.quantate.com

If you would like your product toappear in our next Risk AssessmentSoftware Survey, please contact:

Deborah Ritchie, [email protected] 7562 2401

Murray Barber, associate [email protected] 7562 2434


www.cirmagazine.com

RISK ASSESSMENT SOFTWARE SUPPLEMENT > PRODUCT FEATURES

CIR December 200942

@@rriisskk

AAccttiivvee

RRiisskk

MMaann

aaggeerr

AAggeennaaRR

iisskk

CCuurraa

CCSS SSttaarrss

DDeelltteekk

WWeellcc

oomm RR

iisskk

EEnntteerrpp

rriissee RR

iisskk AA

sssseessssoo

rr

FFiiggttrreeee RR

MMIISS

JJCCAADD RR

IISSKK

EEaassyyrrii

sskk

KKnnoowwRRiisskk

MMeeggaaMMIIMM

SS RRMM

MMKKIINNSSIIGG

HHTT

OOppttiiaall

PPeennttaann

aa

RRiisskk CC

oonnssoo

llee

RRiisskkvviiss

iioonn

AAccuuiittyy

SSttrreeaamm

CCCCHH SSwwoorrdd

TThheessiiss

CCiittiiccuuss

OONNEE

WWeebb

rriisskk

SSAASS OOppRRiisskk

OOrraaccllee

GGRRCC

General

Full process analysis hierarchy

Full process escalation hierarchy

Objectives hierarchy

Asset hierarchy

Financial accounts hierarchy

Expand and collapse hierarchy

Risk assessment / analyses

Audit findings / trail / log

Scalable and tested to 100 users

Scalable and tested to 1,000 users

Scalable and tested to 10,000 users

Automatic alerts

Risk Identification

Knowledge base

Risks and issues

Custom IDs

Risk description

Risk estimation

Risk categorisation

Risk treatment

Risk register

Risk quantification

Risk comments

Linked documents

Loss and Accident identification

Linking losses to risk

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

42-45 matrix.qxd 10/12/2009 12:17 Page 1

www.cirmagazine.com


CIR December 2009 43

@@rriisskk

AAccttiivvee

RRiisskk

MMaann

aaggeerr

AAggeennaaRR

iisskk

CCuurraa

CCSS SSttaarrss

DDeelltteekk

WWeellcc

oomm RR

iisskk

EEnntteerrpp

rriissee RR

iisskk AA

sssseessssoo

rr

FFiiggttrreeee RR

MMIISS

JJCCAADD RR

IISSKK

EEaassyyrrii

sskk

KKnnoowwRRiisskk

MMeeggaaMMIIMM

SS RRMM

MMKKIINNSSIIGG

HHTT

OOppttiiaall

PPeennttaann

aa

RRiisskk CC

oonnssoo

llee

RRiisskkvviiss

iioonn

AAccuuiittyy

SSttrreeaamm

CCCCHH SSwwoorrdd

TThheessiiss

CCiittiiccuuss

OONNEE

WWeebb

rriisskk

SSAASS OOppRRiisskk

OOrraaccllee

GGRRCC

Multiple risk types

Risk linkage

Risk review process

Risk approval

Risk surveys

Control surveys

Risk Assessment

Risk matrix

Impact categories

Scoring schemes

Qualitative Assessment

Quantitative Assessment

Gross, Residual, Target

Opportunity

Frequency

Financial years modelling

Multiple risk impacts for single risks

ROI

Escalation

Risk mitigation

Control type

Control description

Control status

Control Assessment – qualitative and quantitative

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

42-45 matrix.qxd 10/12/2009 12:17 Page 2

www.cirmagazine.com


CIR December 200944

Control effectiveness

Evaluation

Testing

Actions

Fallback

Plan

Waterfall charts

Provision management

Plans linked to multiple risks

Linked actions to multiple plans

Analysis and Reporting

Multiple application reporting

Standard reporting

Aggregated risk matrix

Monte Carlo simulation – cost

Monte Carlo simulation – schedule

Sensitivity analysis

Provision management

Drill-down interactive reports

Schedules reporting

Data driven reporting

Report delivery

Risk adjusted balanced score cards

Risk adjusted GANT chart

Functionality / administration

Context sensitive help

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

@@rriisskk

AAccttiivvee

RRiisskk

MMaann

aaggeerr

AAggeennaaRR

iisskk

CCuurraa

CCSS SSttaarrss

DDeelltteekk

WWeellcc

oomm RR

iisskk

EEnntteerrpp

rriissee RR

iisskk AA

sssseessssoo

rr

FFiiggttrreeee RR

MMIISS

JJCCAADD RR

IISSKK

EEaassyyrrii

sskk

KKnnoowwRRiisskk

MMeeggaaMMIIMM

SS RRMM

MMKKIINNSSIIGG

HHTT

OOppttiiaall

PPeennttaann

aa

RRiisskk CC

oonnssoo

llee

RRiisskkvviiss

iioonn

AAccuuiittyy

SSttrreeaamm

CCCCHH SSwwoorrdd

TThheessiiss

CCiittiiccuuss

OONNEE

WWeebb

rriisskk

SSAASS OOppRRiisskk

OOrraaccllee

GGRRCC

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

42-45 matrix.qxd 10/12/2009 12:17 Page 3

www.cirmagazine.com


CIR December 2009 45

Screen customisation

Multi-language support

Spell check

Calendar

Interactive charts

Search and filter

Personal filters

Public filters

Group filters

Roll-forward capability

Templates available

Security

User role-based security

User group-based security

Business activity & project access

Folder-specific security

Integrated project access security

User security clearance

Technical Compatibility

Web application

External hosting SaaS

Web service API

Synchronisation with active directory

Import and export of risks to/from MS

OLAP and data warehouse support

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

@@rriisskk

AAccttiivvee

RRiisskk

MMaann

aaggeerr

AAggeennaaRR

iisskk

CCuurraa

CCSS SSttaarrss

DDeelltteekk

WWeellcc

oomm RR

iisskk

EEnntteerrpp

rriissee RR

iisskk AA

sssseessssoo

rr

FFiiggttrreeee RR

MMIISS

JJCCAADD RR

IISSKK

EEaassyyrrii

sskk

KKnnoowwRRiisskk

MMeeggaaMMIIMM

SS RRMM

MMKKIINNSSIIGG

HHTT

OOppttiiaall

PPeennttaann

aa

RRiisskk CC

oonnssoo

llee

RRiisskkvviiss

iioonn

AAccuuiittyy

SSttrreeaamm

CCCCHH SSwwoorrdd

TThheessiiss

CCiittiiccuuss

OONNEE

WWeebb

rriisskk

SSAASS OOppRRiisskk

OOrraaccllee

GGRRCC

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

42-45 matrix.qxd 10/12/2009 12:17 Page 4

RISK ASSESSMENT SUPPLEMENT > SUPPLIER DIRECTORY

Aon eSolutions10 Devonshire SquareLondon, EC2M 4PL

Contact Craig Torgius on +44 (0)20 7086 0149

[email protected] with any queries, or visit

www.aon-esolutions.com/CIR for further information.

Offered by Aon eSolutions, Aon RiskConsole is an award-winning, web-based risk management information system (RMIS) that uses risk,exposure, claim, and policy data to provide CFO's, CRO's and risk managers with an integrated enterprise-wide view of their risk profile.More than 300 global clients in 40 countries now trust RiskConsole to deliver critical risk management intelligence, allowing them to makebetter-informed decisions to manage, control and finance their risk.

RiskConsole provides a risk register tool set to support your ERM program. The solution can be fully tailored to match your specific ERMprogram requirements. With its modular design, the risk register can be used stand-alone or as part of an integrated solution withRiskConsole's other modules.

The ERM Risk Register offers a sophisticated alternative to a spreadsheet approach and provides a robust next step in the development ofan ERM process, with full audit and control facilities, expanded reporting and analysis that can be deployed across your organisation.

CS STARS LLCTower Place, London EC3R 5BUTel: 020 7357 3149Fax: 020 7357 1643Email: [email protected]: www.csstars.comContact: Andrew Duttine

CS STARS delivers industry-leading software and services for managing risk, claims, and insurance. More than1,000 organisations and 35,000 users across the globe rely on CS STARS' solutions for consolidating risk information,analyzing and reporting risk exposures, administering claims, tracking corporate assets, and automating complianceaudit processes.

Our comprehensive, web-based solutions include:

Data Transformation Services - Consolidate risk and claims information into a single, comprehensive data repository.Event Management Tools - Manage risk-related events based on individual business requirements and industry best practices.Workflow Automation - Automate routine tasks and alert users of events warranting special attention.Values Collection - Collect asset values to support insurance policy renewal discussions.Audit Solutions - Measure and monitor compliance with loss prevention guidelines and safety and health regulations.Reporting - Create sophisticated reports which can be easily shared throughout an organisation.

Strategic Thought Group plcStar House 20 Grenfell Road Maidenhead Berks SL6 1EH

Tel: +44 (0) 1628 582500Fax: +44 (0) 1628 582600 Email: [email protected] Website: www.strategicthought.com

From project and program risk through to full Enterprise Risk Management, Active Risk Manager (ARM) softwarefrom Strategic Thought Group uniquely delivers an integrated approach to identifying, documenting, mitigating,monitoring and analyzing both risks and opportunities. Using ARM can enable business performanceimprovements and make risk-adjusted business planning a reality.

ARM has the breadth and depth of capability to support organizations’ risk management processes as they matureand evolve over time. Whether your start point is project risk, supply chain resilience, health and safety, businesscontinuity, bid management, reputational risk, insurance premium reduction or improving your credit rating, ARMis the ‘risk engine’ which will deliver value at each step along your journey. ARM aids compliance with project,operational and enterprise-wide guidelines. The effective management of risks and opportunities allows companiesto act within corporate governance requirements and industry standards while balancing the risk/reward mix tomaximise the return on opportunities.

Strategic Thought was founded in 1987 and has main offices in the UK and US. Active Risk Manager is used bymajor organizations around the globe including BAE Systems, British Nuclear Group, Rio Tinto, Lockheed Martin,Nestle, NASA, London Underground, Raytheon and SABIC.

Cura Software SolutionsSuite 123Berkeley Square House1 Berkeley SquareLondonW1J 6BDwww.curasoftware.comTelephone: +44 (0) 207 887 1595

Cura provides smarter software solutions designed to enable businesses world wide to meet their Governance, EnterpriseRisk Management, and Compliance requirements Cura does this through fast implementation, easier configurability, and trueenterprise architecture. Cura is a fully web-enabled risk management system designed to enable users to create and assessrisks based on their chosen methodology and puts the power of configuration in the hands of our customers through the useof innovative technology.Cura is used by Global 1000 enterprises such as Vodafone, Coca Cola, Allianz, Dubai Holdings,BHP Billiton, MTN and over200 organizations worldwide. Cura also partners consulting firms in focused areas of risk and compliance. Cura is ranked asa Magic Quadrant Vendor and visionary by Gartner Research and as a leader in the GRC domain by Forrester Research. • ERM, ORM, Financial Controls, Project Risk and Risk Maturity• Basel II, Solvency II• Supports Multiple Frameworks (ISO 31000, CobiT, ISO27000, COSO)Cura can be deployed on-site or using Software as a Service (SaaS)Cura Software Solutions has offices in London (UK, Europe and Middle East Headquarters), Boston, Johannesburg, Sydneyand Melbourne, Singapore and Hyderabad.

London office address: DNV Palace House 3 Cathedral Street London SE19DE

Contact: Karen Dodds (London) +44 (0)20 757 6080 Robert O’Keeffe (Aberdeen) +44 (0)1224 335000

DNV helps clients manage risks on all levels in a variety of industries.

• Enterprise risk management implementation: DNV has developed an enterprise risk management framework in which technology, activities, systems and business environments are seen as a whole and the risk pictures of relevance are established at all organisation levels.

• Project risk management: DNV helps clients manage project risks through the delivery of advanced project risk management services

• Operational Risk: DNV has developed frameworks to manage risk based decisions that will help your company build quality in business processes and help prevent operational failures.

• Supplier chain risk assessment: Using EasyRisk Manager, DNV has developed processes and tools for effective SCR management.

For further information on EasyRisk Manager and DNV risk management services visit www.dnv.com, send an email [email protected] or call +47 67579900

46_mg.qxd 11/12/2009 11:01 Page 1

RISK ASSESSMENT SUPPLEMENT > SUPPLIER DIRECTORY

Palisade Corporation is the world's leading developer of software and services for risk and decision analysis. Foundedin 1984, Palisade's leading products include @RISK, the DecisionTools Suite, NeuralTools and more, providing decisionmakers with Monte Carlo simulation, optimisation, and other cutting edge techniques. Palisade's ingenuity in softwaredevelopment is one of the driving forces behind the company's position at the forefront of the industry.

‘Over 90% of today’s global Fortune 100 list use Palisade software solutions’.

Through a partnership with Duxbury Press, publisher of leading business textbooks, the DecisionTools Suite is includedwith five of today's top MBA textbooks. 50,000 students annually now use the DecisionTools suite.

Additionally, Palisade offers extensive, customised on-site training classes to help users maximise their software investments. Tailored consulting, seminars and programming services are also available.

The international DecisionTools Seminar Series teaches professionals in all fields how best to apply the software to theirreal-life situations. The series has grown to include over twenty seminars a year held in major cities worldwide.

Visit www.palisade.com or email [email protected] to learn more.

Palisade31 The GreenWest DraytonMiddlesexUB7 7PNUK

Tel: +44 1895 425050Fax: +44 1895 425051www.palisade.com

Phil WaldenJC Applications Development LtdManor barn, Hawkley Rd, Liss, Hampshire, GU33 6JS

Tel: 01730 712020Fax: 01730 712030Email:[email protected](JCAD are an iso9001 accredited company)

At JC Applications Development Ltd we believe that our commitment to providing simple to use yet feature rich applications forclaims and risk management, is what has enabled us to grow a successful and satisfied client base of over 160 organisations.Although our clients can occupy very different sectors of business, for instance; UK Central & Local Government, US Government,Housing Associations and Construction, sentiments converge when looking for a proven technology solution provider.

In recent years Risk management has been acknowledged as one of the cornerstones upon which a modern organisation relies if itis to ensure that its ambitions are achieved. If you are looking to improve upon the way you manage risk and to embed within yourorganisation then JCAD have the right mix of products and services to guarantee a cost effective and timely implementation. Welook forward to meeting you.

PentanaTel: +44 (0) 1707 373335 (Europe)Fax: +44 (0) 1707 372992 (Europe)Tel: 800-350-8034 (US)email: [email protected]

Pentana Ltd was established in 1992 and since then our team of commercially experienced risk, audit andcompliance experts have driven Pentana software development.

Successful risk management professionals are actively using Pentana software for their daily risk activities such asmaintaining risk registers, performing risk reviews and managing risk reduction activities. Specific benefits of thesoftware include; built in risk assessment scheduling, the ability to track risk reduction activities and report onprogress, risk register maintenance tools and automatic generation of risk reports for the board.

Pentana's clients span both public and private sectors in industries across a truly global arena. Internationalpresence and customer support is provided by our UK headquarters, US and Australian subsidies and resellers inmany other countries.

MEGA UKArgentum, 2 Queen Caroline StreetHammersmith, London W6 9DXTel: +44 (0) 20 8 323 8033Fax: +44 (0) 20 8 323 8312Email : [email protected] : www.mega.com

MEGA helps companies understand and reduce operational complexity, establish successful governance, and manageassociated risks. To do this, MEGA provides software solutions for business process analysis, enterprise architecture,governance, risk and compliance, enterprise risk management, operational risk management, internal audit and compliancemanagement, complemented by specialized consulting services.

Established in 1991, MEGA is a privately owned company with 18 years of process expertise. Used by over 70,000 peopleworldwide, MEGA solutions are recognized by leading analysts as a major GRC player. Based on powerful technology, theMEGA Suite integrates all GRC practices into a common web platform, providing the dedicated control tools to meet allstakeholders' objectives.

These tools allow to map data, identify relationships between risks/controls and the business, manage content and workflows,and produce superior reports. They help coordinate risk, control, compliance, and audit activities, and ensure accuratedocumentation to track and evaluate information.

Contact us for more information.

The definitive guide to products and services for theprofessional risk, insurance and continuity buyer

For further information on promoting your company call Murray Barber 020 7562 2434 or email [email protected]

46_mg.qxd 10/12/2009 17:36 Page 2

risk assessment supplement - cir magazine · 2019-09-02 · maturity models, of which many are...

Documents