This blog is cross-posted from the Commercial Risk Europe FERMA Forum daily newspaper (registration required).
Making the best possible use of new and emerging technology, including enterprise software, is vitally important for almost any organization. In our hypercompetitive, ever-evolving global economy, few companies can afford to become complacent when it comes to how they choose their software and what they expect from it. This applies to the discipline of risk management just as it applies to, say, operations, finance, logistics, or any other corporate function. As risk managers look to technology to help them adapt to turbulent times, what should they be looking for in their risk software?
Analytics, or, the risk manager as data scientist
Most organizations are placing big bets on analytics. Chances are, yours is one of them. Yet, how many risk managers are aware of what is perhaps the most powerful force driving the adoption of analytics today? That force is the democratization of access to data within organizations.
What is the democratization of access to data, and what does it mean for the risk manager? It means that the risk manager is now—or will soon be—expected to be a data scientist in her own right. The software now exists that empowers the risk manager and his peers within other departments to perform their own data analytics. Companies are adopting it, and risk managers must embrace it.
The centralized business intelligence or analytics team is on its way out. This shift is probably already happening within other departments at the risk manager’s company. How long can he wait to embrace this trend for his own department?
Risk managers have long been using tools that provide descriptive analytics, which answer the question of “What happened?” Moving up the chain of sophistication is diagnostic analytics, which answers the question of “Why did it happen?” More sophisticated still is predictive analytics, which answers the question of “What will happen?” And just breaking onto the scene is prescriptive analytics, which answers the question of “How can we make it happen?”
If we think about the importance of steering risk in turbulent times, which is of course a big topic we have gathered in Monte Carlo to consider, it’s easy to see how the risk manager of the near future simply must be able to answer the kinds of questions that predictive and prescriptive analytics will allow her to address.
GDPR and the role of your risk technology
Organizations subject to GDPR are grappling with these kinds of questions as May 25, 2018, approaches: What data do we have? Where does it reside? Do we have the right protections in place to protect that data? How will we manage it and document our management practices in light of GDPR’s requirements?
To become GDPR-compliant, organizations are establishing policies and procedures that ensure accountability and transparency in terms of how they manage and process the personal data in their possession. In practice, that includes:
- Data mapping
- Establishing formal data retention policies and procedures
- Putting more robust information security and privacy programs in place
- Updating their privacy notices and policies
- Implementing the necessary technical, physical, and organizational controls
What kind of role should your risk management information system (RMIS) and its vendor play in your department’s response to GDPR? The RMIS itself won’t be GDPR-compliant, of course, but you should expect your RMIS to assist you in successfully executing the policies and procedures outlined above (and the many, many others not listed due to limited space).
If you’re still using spreadsheets or a homegrown system of some kind, it’s likely going to be a highly manual process (and thus time-consuming and challenging) to delete, redact, or move data offline—and then keep the necessary records to prove you did so. You should expect your RMIS to help fulfill these and other needs, and it’s critical that you understand what your vendor can do now and plans to do in future to help you be GDPR-compliant.
The vendor’s security and privacy certifications and attestations are also an important consideration. Under the GDPR, the risk manager’s organization, as a data controller, has new and expansive responsibilities for what the data processors (like RMIS vendors) do or don’t do. Some of the key certifications to look for are the EU-Data Privacy Shield; Swiss Privacy Shield; SOC 1 Type 2; and ISO 27001:2013.
What enterprise software is learning from consumer software
And last but certainly not least, let’s not forget the actual software itself and how you use it. Another very welcome trend in the enterprise software market is the move toward making technology more user-friendly and functional and giving it more self-service capabilities.
When you do your banking online or with an app, your bank doesn’t give you a user manual or send someone around for three days of training; you, as a user, simply expect to be able to log in and know what to do because you’ve done similar things in other apps. Thankfully, that same expectation is now driving the way enterprise software is developed.
Even as enterprise software is drawing upon the kinds of user-friendly functionalities we’ve come to expect in the consumer software we use, risk managers should expect their RMIS software to reflect the way they work and interrogate data. The future of the RMIS lies in easy-to-use yet powerful native dashboards, global search, and natural-language queries.
John Irving is Ventiv's regional director, EMEA. John can be reached at +44 (0) 20 3817 7407 and firstname.lastname@example.org.