At Risk of Distraction: The Seductive Appeal of RMIS Software
An emerging hot topic in business continuity and risk management is the software known as a risk management information system (RMIS). An RMIS can help an organization identify, assess, monitor, and mitigate risks, but often they merely seduce and distract companies that are not in a position to make proper use of them.
Related on MHA Consulting: BCM Software Buyer’s Guide: Five Things to Know Before You Buy
Introducing RMIS
Recently, we’ve been getting many questions from our consulting clients about whether their organizations should consider investing in an RMIS.
For those for whom this is a new acronym, RMIS stands for risk management information system. Typically available as a SaaS solution, RMIS software is designed to help companies manage and mitigate risk. It is a product type that has been evolving rapidly in recent years.
The connection to business continuity is: according to best practice, BC should reside under the risk area. BC shares the risk department’s goal of reducing the organization’s risks, which is also the purpose of an RMIS.
Potential Benefits of an RMIS
An RMIS has the potential to be of great benefit—under the right circumstances (more on what those are in a moment).
If a company is truly in a position to take advantage of an RMIS, the tool can help with every stage of the risk management process. Key features of an RMIS typically include:
- Risk Identification. The system allows organizations to identify and document various types of risks they are exposed to, including operational, financial, strategic, compliance, and reputational risks.
- Risk Assessment. RMIS enables organizations to assess the likelihood and impact of identified risks, typically using qualitative or quantitative methods. This assessment helps prioritize risks based on their potential impact on the organization’s objectives.
- Risk Monitoring. It facilitates ongoing monitoring of risks by tracking key risk indicators or other relevant metrics. This allows organizations to detect changes in risk levels and take timely actions to address emerging threats.
- Risk Mitigation. RMIS supports the development and implementation of risk mitigation strategies to reduce the likelihood or impact of identified risks. This may involve implementing controls, transferring risks through insurance, or accepting risks within predefined tolerances.
- Incident Management. The system often includes capabilities for recording and managing incidents or events related to identified risks. This helps organizations track the effectiveness of their risk management efforts and learn from past experiences.
- Reporting and Analytics. RMIS provides robust reporting and analytics functionalities to generate various risk-related reports for stakeholders, such as executive management, board members, regulators, and auditors. These reports help in making informed decisions and demonstrating compliance with regulations or internal policies.
These are some of the benefits an RMIS can provide, assuming the company is in the right position to take advantage of them.
However, in our experience, many companies are not ready. For those organizations, RMIS has a high potential to be a boondoggle.
When RMIS Is the Wrong Way to Go
The biggest problem we see with organizations’ use of RMIS is that it can be a solution in search of a problem. (This is also true of many BC SaaS products.)
People tend to get excited about the tool and develop a bias in favor of acquiring it long before they figure out the best next steps for their organization in terms of risk management.
We also see a lot of magical thinking, where people come to believe that acquiring an RMIS will instantly give them a great risk management program. They think, if we just buy this tool, we’ll be in great shape.
It doesn’t work that way.
The tool can help you manage a program, but it can’t implement one that doesn’t exist. Shopping for software might be fun, but program implementation is more fundamental, and that’s what has to come first.
If your answer to the question “Why do you need an RMIS?” is “Because everybody else uses one,” then you’re not ready.
Nor should an RMIS been seen as an educational tool, as sometimes happens (usually with wasteful and unsatisfactory results).
The typical result of an ill-advised RMIS purchase is similar to what tends to happen when unmotivated people buy expensive exercise equipment: a lot of money is spent, the underlying obstacles go unaddressed, the equipment is underutilized, and the problem that prompted the purchase in the first place is still there.
Another issue with RMIS products is people tend to overbuy. In addition to spending too much, they end up with a product that is so complicated, it’s hard to learn and use. These hurdles can prevent the people who are supposed to use it from doing so. Far from helping them, the platform incurs the staff’s resentment, having the opposite effect of what was intended.
How to Make the Most of an RMIS
As stated above, an RMIS can be a great tool provided the organization is in a position to make good use of it.
The key requirements for doing this are:
- Making sure the risk management processes that the software is designed to support are already in place.
- Ensuring that the system is brought in to solve known problems (such as the need for better risk management metrics or improved tracking), rather than in the hope it will magically make everything better.
The organizations that do well with RMIS solutions (and every other sort of resilience-related technology system) are those that implement them based on need rather than want or hope.
Reaping the Benefits of an RMIS
The subject of growing interest by many in the BC and risk management community, RMIS holds promise for increasing organizations’ ability to identify, assess, and mitigate risk. However, it also has the potential to distract them from the essential work of building a sound risk management program.
Too often, companies buy risk management software in the hope it will magically give them a sound risk management program. The way to reap the benefits of an RMIS is to obtain it to solve known problems and support risk management processes that are already in place.
Further Reading
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
