Getting Started with Enterprise Risk Management Software

Kim Johnson | January 21, 2019

Enterprise risk management software helps businesses monitor, manage, and mitigate many types of risk. However, procuring and implementing ERM software requires a significant investment, and choosing the solutions that are right for your business is a perennial challenge for risk management professionals.

We put together this primer on ERM software to help you get a grip on what’s available and what you might actually need to reduce risk at your organization.

Categories of Risk Management Software

Enterprise risk management software comes in a variety of categories, distinguished by the types of risks the tools help manage. Gartner provides a great breakdown of the major categories, which we’ve summarized below:

  • Digital risk management (DRM) software is for managing risks associated with digital technologies like the cloud, big data, social media, AI, machine learning, and the internet of things.

  • Vendor risk management (VRM) software is for managing risks associated with third parties. Cyber risk is the largest component of VRM, but some organizations also monitor their third parties’ regulatory exposure and business continuity plans.

  • Business continuity management (BCM) software is designed to help businesses identify and monitor risks that could lead to operational disruption, as well as plan out and practice disaster recovery strategies.

  • Audit management (AM) software helps speed up and automate internal audit proceedings.

  • Corporate compliance and oversight (CCO) software helps businesses stay compliant by automating policy development, monitoring compliance risk, and facilitating the completion of assessments and attestation.

  • Enterprise legal management (ELM) software helps businesses manage their legal needs through paperless document management and e-billing, among other capabilities.

These categories cover the majority of ERM software, but some solutions fall outside this scope. For example, solutions that help manage logistical, reputational, and culture-related risks do not fall neatly into any of the above categories.

How to Buy Enterprise Risk Management Software

When exploring enterprise risk management software solutions, you’re going to come across the acronym IRM, which stands for integrated risk management. IRM solutions combine some, if not all, of the categories listed above into a single software platform. Many IRM providers also claim that their platforms let users coordinate data between their many tools, enabling deeper insights and faster reporting.

In addition to IRM solutions, there are many smaller platforms that attempt to provide best-of-breed risk management support in just one or two categories. The BitSight Security Ratings Platform is one example of specialized ERM software. Our solutions are designed to go deeper than the IRM providers when it comes to vendor risk management and some parts of digital risk management, like cybersecurity benchmarking and digital supply chain discovery.

In addition, businesses in certain heavily regulated industries will likely find that IRM software solutions fall short of meeting their considerable risk management needs. Some firms offer enterprise risk management software designed specifically for healthcare, financial services, and other unique industries.

How much software do you need?

While it’s tempting to pull out all the stops and spring for a full-featured IRM solution, ERM leaders must consider how much software they absolutely need, especially if they’re operating with a limited budget.

While most organizations are exposed to risk from many different areas, the relative amount coming from each area varies widely depending on an organization’s specific circumstances. A software startup, for example, will be disproportionately concerned with digital risk management, while a bank will be more focused on corporate compliance and oversight, audit management, and business continuity management.

It takes time to develop a mature ERM program, and implementing software to monitor and manage every risk vector is not feasible for many organizations. Therefore, one might decide to forgo a fully integrated solution in favor of more affordable, easier-to-use specialized tools, at least in the short term. A handful of specialized solutions might get the job done nicely and allow an organization to postpone the resource-intensive implementation of an IRM platform.

On the other hand, an organization that already has an IRM solution in place might find that it’s lacking capabilities in certain risk areas. In this situation, it could be necessary to add a specialized solution to the ERM software ecosystem. For example, when it comes to vendor risk management, no IRM solution can match the continuous monitoring capabilities of BitSight. Using the two in tandem enables further risk reduction.

In Summary

Enterprise risk management software solutions are distinguished from each other by the categories of risk management they’re designed to support. These solutions can either be grouped together, as in an integrated risk management platform, or sold separately, as with specialized risk management solutions.

For most organizations, a mature enterprise risk management software ecosystem will probably consist of solutions from several different vendors, the mix of which will depend on the organization’s industry, risk exposure, and budget.