Given the many shakeups (and downs) companies have experienced through the last few years of economic, security and technological turmoil, risk management has had to evolve and move to the front of mind for most corporate executives.
“With a recent jump in regulatory mandates, losses and increasingly active shareholders, many organizations have become increasingly sensitized to identifying areas of risk in their business, whether it is financial, operational, IT, brand, or reputation related risk,” explained Vishwas Urs, manager of Marketing Programs at MetricStream, a provider of governance, risk, compliance and quality management solutions.
“Companies are looking to systemically identify, measure, prioritize and respond to all types of risk in the business, and then manage any exposure based on the organization's strategy and priorities.”
Enter the age of loaded dice, for the odds can no longer be left to a game of chance.
Not new, evolved
Risk management used to be the bean counters’ province and thus the focus was solely on financial risk. The primary focus of risk management software, until very recent times, has been to get a better view of credit and market risks. But that didn’t work so well, as evidenced by the 2008 U.S. financial sector meltdown.
“It is now generally accepted and understood that the models used pre-2008 often incorporated oversimplified and/or inaccurate ways to represent risk and uncertainty,” said Randy Heffernan, VP of Palisade, a risk analysis and management company. “Ranges of values may have been used to represent risk and return, but the models often ignored ‘the tails,’ or the more extreme possible outcomes. Historical market data existed which, if properly analyzed, contradicted many of the assumptions that were being used during ‘the bubble.’ It turns out the rare, extreme events weren't quite so rare after all.”
Once everyone in the financial world figured all that out, they set about tweaking and growing the risk management model.
“The evolving scenario on risk management in light of the sub-prime crisis and ensuing challenges faced by financial institutions has also brought focus onto liquidity risk management, which is now getting to be an additional focus area from a regulatory perspective,” explained L. N. Balaji, president of ITC Infotech (USA), and head of the company's operations in North America. ITC Infotech is a global IT services company and a fully-owned subsidiary of ITC Limited, a $7 billion diversified conglomerate.
“The ability to measure and insulate business from impact of such events, i.e., to ensure business continuity under impaired economic conditions, can also create the difference between organizations that can survive and grow in such times and those that fail,” he added.
Established vendors in this space targeting Tier 1 and 2 institutions are Algorithmics, Moody's KMV, SAP, SAS, and SunGard, according to Balaji. Those targeting Tiers 3 and 4 in banks include Misys Almonde, Financial Architects and Reuters. Prominent vendors also include Palisade and Crystal Ball, which was acquired by Oracle in 2007.
Risk management, however, is evolving beyond the lone boundaries of financial risk. This is because companies began to realize that bubbles tend to grow in siloed environments.
“Risk cannot always be divided into separate categories,” explained Heffernan. “All risks are interrelated, and so too must an organization's risk modeling. It's unrealistic to assume that what goes on in the credit risk department is not going to affect what happens in operations risk, for example. IT organizations are building new models to unify these different areas of risk.”
In other words, there are now even more elements of risk converging for IT to handle.
Risk management has evolved to include financial, insurance, hard assets, and technology portfolios plus operational, supply chain, distribution, warehouse and storage, and data risk factors, among others. Then there is everything in the cloud to manage, as well -- certainly there’s plenty of risk there.
“Risk management has classically revolved around spreadsheet activity, but now it’s cutting across every silo in the enterprise and into every corner of its realm,” said Robert Cruickshank, CTO of Rev2, a risk management software maker.
Risk management also considers external factors in order to account for economic or industry changes that can add or negate risks to the organization.
The evolved creation even has a name: enterprise risk management (ERM).
Players in the space include many vendors who previously focused solely on financial risk. SAS, Oracle, IBM and MetricStream tend to top the various ranking lists. Startups, such as Rev2, are increasingly entering the field, too. Given the uncertainties of the times, more players are expected to follow shortly.
A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).