Users pushing for a consolidation of multiple risk management tools

A tool consolidation trend may be coming to the enterprise risk management (ERM) space, but some observers caution while this is a good idea the market may not be ready yet.

Currently, risk management tools for functions like physical security, IT security, fraud detection, business continuity, disaster preparedness and crisis management mainly exist in their silos, often monitored by different staff, making it difficult to determine interrelated events.

In Canada recently for a series of presentations, Rebecca Whitener, director of privacy services for, Plano, Tex.-based IT outsourcer EDS Corp., said in an interview she has observed the beginning of a trend, driven in part by compliance issues, of users wanting those siloed tools together in one enterprise-wide risk management platform.

She added that the banking sector is leading the push.

“I think we’re being driven toward a model that will encompass a more enterprise-wide view than we’ve had in the past,” said Whitener. “The inability to communicate risk across the organization and up to the right people in a timely manner is why (we’ve had) failures.”

Whitener envisions a dashboard with scenarios and accepted risk levels built in, which could be monitored for deviations from accepted levels. This would be a cost savings for companies, but she added it would also provide more timely and comprehensive information to those in management. “We’re being glutted with information (today), some that’s useful and some that’s not,” said Whitener. “Trying to weed through and determine what’s important… is critical.”

The trend is in its early stages in the U.S., and Whitener said she couldn’t point to any vendors leading the way. Consultants can help to integrate disparate siloed applications, and she said some companies and incubators linked to universities are at the research stage. Joe Greene, vice-president of IT security research with IDC Canada in Ottawa, said such a trend hasn’t come to Canada yet, but he does agree it’s an issue.

He said firms in Canada have been slow to take a holistic approach to security, but they should. Pointing to a recent IDC Canada study, Greene said just 65 per cent of companies have lumped issues like security, compliance and privacy together.

“In Canada, I don’t think people are actually screaming for this just yet, because in Canada the majority of companies aren’t at the point where they need to be,” said Greene. “There aren’t sufficient numbers of companies out there taking a holistic approach to this that would merit that kind of investment (by vendors) in Canada.”

With larger companies and more pressure around compliance, Greene said he could see such a trend coming out of the U.S. into Canada. But he said Canadian companies would be wise to get on board.

“There’s no question they should be taking a more holistic approach,” said Greene. “You can’t manage risk properly if you’re only looking at it within the silos.”

Business intelligence vendor SAS Institute plays in the ERM space, and works with the banking industry in the U.S., Canada and internationally.

Jim LaRue, business solutions director in SAS’s Toronto office, said the firm’s tools can give the wider view companies are looking for but the market demand has been for siloed applications.

“There was a great deal of interest (about two years ago) in an enterprise-wide view of risk, but in general, when they made the buy decisions they tended to go with some of the more point and boutique solutions that address a specific risk.”

Compliance issues drove many of these projects. However, LaRue said some of these projects didn’t go too well and are being revisited.

Overall, though, LaRue said that while there has been talk in the Canadian financial sector around consolidation, in most cases their applications remain in their silos. “There’s interest, but I haven’t seen a lot of buy,” he said.

QuickLink 051544