bob's guide to... risk management systems: Five questions to determine if you need a new risk management system

By David Beach | 4 October 2017

A well-articulated and reliable risk management system can free up much-needed manpower to put towards exclusively human risk management. The trouble is, it’s not always clear where the best risk management solutions are, or what would work best for individual organisations. This article is the first part of bob’s guide to acquiring risk management systems: how to choose them and how to implement them successfully. It starts by answering the first question you should address.

How do you know when you need to invest in a new risk management system?

More specifically, how do you determine when you’re due an upgrade on an ailing system? It seems that, as with most technologies, far too many erroneously adhere to the motto ‘if it ain’t broke’. Minutely improving and tweaking a current risk management system seems to be preferable to a complete overhaul, but who’s to know when it’s time to say enough is enough, go out on a limb and acquire any number of cutting-edge risk systems?

If it were easy, firms would switch risk management systems at the same pace they switch smartphones. But the reality is far more complicated. On top of the previous conundrum of ditching old, but minutely improvable systems, how do you transition to a new risk management system? How do you implement that risk management system and make it compatible with your own? But, before all, what questions do you need to consider before acquiring a new system?

Do you have a clear idea of your risk appetite?

‘Know your risk appetite’ is an obvious but healthy principle for all risk professionals. It may be better to include in that principle ‘know inside out’. Whilst the major risks to look out for are well known to risk professionals, the complexity of risk management comes from the variables and interplay between those risks, and the degree of penetration.

Whilst only a computerised risk management system can quantify risk, it is nevertheless important that the human risk professionals have a clear understanding of, and guidelines as to, their risk appetite. More so than ever, with the greater need to comply with extensive and untested regulations and the ever-changing technological landscape, risk managers need not only to know their risks, but to keep on top of them with a scrutinous eye.

How satisfied are you with your current risk management system?

According to the 200 risk professionals who undertook the bobsguide risk management survey, 52% indicated they used a dedicated system for risk, whilst 16.9% were exploring the market and 9.1% were actively prioritising the acquisition of a risk management system. Only 4% indicated that they did not have a risk management system and had no appetite to buy one.

We then asked respondents to indicate the reason for their level of satisfaction. Easy-to-use, multi-function and wide-coverage risk management systems were the factors most likely to have contributed to an extremely satisfactory experience (25%). Very satisfactory (42%) risk management systems provided a quality and bespoke system that was able to integrate and adapt to many business platforms, whilst real-time feedback was a highly desirable trait.

A somewhat satisfactory (20%) risk management system did not exceed expectations and “addressed most requirements”.

Those who were not very satisfied (13%) with their current risk management technology indicated it was “unwieldy, unreliable and unsupported”.

A significant proportion, then, are both dissatisfied and looking to acquire risk management systems.

What sort of system would you consider?

The survey results suggest there is a sizable market keen to acquire new risk management technology, either as an addition or a complete overhaul.

A combined 62% of the bobsguide survey indicated they were exploring the market for risk management systems, whilst the remainder were either happy with their current technology (26%) or did not require any current risk management on the market (12%; N.B. the survey also included RMS providers). Of the total number who indicated they were interested in acquiring new RMS, 40% were looking to acquire new RMS in order to augment existing systems, whilst 12% were looking to acquire their first piece of risk management technology and 10% were looking to replace their risk management system entirely.

Who would have the final say on which RMS?

Decisions about acquiring RMS have traditionally lain in the boardroom and been dictated at the executive level. Of course, much has changed since, with the chief risk officer rising in seniority and becoming more vocal on key business decisions. Indeed, it may very well be the evolution of the CRO role to a more prominent position in the business that led to 36% of respondents indicating that the CRO was the principal decision maker on the acquisition of new risk management systems. 27% said responsibility lay with the CEO, COO or EVP and 18% that it lay with the CFO or Finance Director. Only 8% said it lay with the chief technology officer, further suggesting a displacement of responsibility for a previously technical issue residing within the departments of IT and/or technology.


Indeed, it is a strange and pressured environment in which risk professionals operate, standing in the shadows and from there, protecting business ventures. They are the steady hand to rein in executives and keep the boardroom afloat in the rising seas of increased regulatory rigor - even if their concerns and inputs make them thoroughly unpopular.

It is exactly that constantly changing regulatory landscape that has made it increasingly difficult for organisations to keep up to speed with compliance. The regulators themselves are reacting to the great dictator of innovation - technology. To use a cliche, the technology that has developed around financial services is a blessing and a curse.

Along with the increased ease and capability of payments, AML also needs to be tightened with the implementation of a more sophisticated system of records to comply with the 4th EU AML Directive and, to a broader extent, MiFID II. Whilst the turbulent toing and froing between tech and regulations will hopefully reach a state of equilibrium, the risk manager is left to make educated provisions for risk management systems. We hope that this article will have provided some initial clarity. 
