Questions from the Audience: Conference Board's Enterprise Risk Management Conference

Published: October 23 2009, 05:25 AM
by Chris Boswell

I'm out in Chicago this week speaking at the Conference Board's annual Enterprise Risk Management Conference. ERM is a bit of a change in pace from my usual spiel on GRC, but the crowd was great and let's face it, there's a lot of room to both share and learn from your peers when it comes to risk management. I was speaking specifically about the overall technology landscape for Enterprise Risk Management and where we stand today as an industry. I received some great questions after the session. Some were predictable and to be expected, such as how much does all of this stuff cost. I did want to share a couple of the questions, however, and open up the discussion to a broader audience:

Q: Do you see a lot of in-house developed applications for Risk Management?
A: Actually, in-house applications can be some of our fiercest competitors. In fact, if I were to wager a guess, I would expect that 80% of the organizations out there are using in-house developed solutions today. 90% of those are based on, you got it, Microsoft Excel.
Q: So what would be the tipping point for an organization that would cause them to migrate off of Excel?
A: Office 2007 has saved my hide on several occasions from a reporting perspective. Actually, I'm a pretty big fan of the ad hoc analytics and scripting functionality that later versions of Excel include as well. But let's be realistic, reporting is only one aspect of a technology solution when it comes to ERM. GRC platforms today offer much more robust functionality that can assist users in their risk identification and evaluation efforts. Features such as surveys, risk libraries, and loss databases help management collect and organize data related to various risk factors across the enterprise. GRC solutions also provide mechanisms for various parties to collaborate with each other and share that data in a way that eventually transforms raw data into actionable information. On the monitoring side as well, GRC solutions can help operationalize risk by establishing Key Performance and Key Risk Indicators. Sure you can do a lot with a spreadsheet, and spreadsheets can help companies just starting out with risk management model their approach and governance strategies. However, if you are trying to build repeatable processes within your organization and establish accountability for what is hopefully an enterprise-wide program, spreadsheets will have their natural limitations. The good news is that if you have a process that is good enough to use when reporting to executives in Excel, most GRC vendors can take those spreadsheets, along with any scoring mechanisms or algorithms, and embed them into their GRC platform as well.
Q: So how much would all of that cost again?
A: Drop me a line and I'd be happy to discuss. :)
[Ok, so that last bit was a dramatization, but my glass is half-full. Tune in next time when we'll explore risk appetite, what it is and why you should care.]

 

By: Chris Boswell
Chris Boswell specializes in the design and delivery of governance, security, risk management, and compliance solutions at CA. He has experience building GRC solutions across a wide variety of industries, and has worked with numerous regulations, standards and best practices over the past decade. Chris...