For starters, there are dozens if not hundreds of specific tools on the market today for helping you manage everything from Risk and Control Self Assessments (RCSA) to documenting processes for SOX 404 compliance. You can benefit from building your structures for processes, business strategy and tests for procedures. This still leaves many choices to evaluate and vendors who will flog you with PowerPoints.
There are several key components of the ORM Framework Management that are essential when considering software tools to assist you:
Create security policies, standards and procedures, distribute them online, educate and train employees, and track compliance, exceptions and violations.
Comprehensive and customizable early warning system providing notification of physical and digital threats, vulnerabilities and malicious code to help prevent attacks before they affect the enterprise.
Manage enterprise assets such as buildings, vehicles, inventory, servers, applications or data centers and their relationships to ensure you are protecting your critical assets according to management expectations.
Perform online risk assessments to determine the proper controls to be implemented on specific assets based on their use and risk to the enterprise.
Report incidents, manage their escalation, track investigations and analyze resolutions.
In evaluating the current information security, regulatory and legal environment, consider these five key flaws with today’s ORM software solution programs:
1. Dependence on inadequate and incomplete technology-based point solutions;
2. Failure to integrate people, process and systems into an effective operational risk program;
3. Lack of decision support and an actionable understanding of the threat to the entire spectrum of corporate assets;
4. Reactive response to perceived problems rather than proactive initiatives based on sound risk management principles; and
5. Cost and shortage of properly skilled IT personnel to support the programs.
The Gartner Group has identified three major questions that executives and boards of directors need to answer when confronting significant issues:
1. Is your policy enforced fairly, consistently and legally across the enterprise?
2. Would our employees, contractors and partners know if a violation was being committed?
3. Would they know what to do about it if they did recognize a violation?
If you don't know the answers to these questions, then there is much more work to do and much more strategic planning necessary before any software system is implemented for Operational Risk Management.