15 must-have capabilities of ERM software

John Verver


How do you make the right choice when purchasing ERM software? These 15 capabilities can make all the difference.

An enterprise risk management (ERM) program is crucial in helping an organization achieve its strategic objectives. But considering so many risks and their aggregate impacts on the organization isn’t an easy undertaking—and that’s where the right software can make all the difference.

So what should you look for when you’re ready to purchase an ERM platform? Ideally, you’ll want software with the following capabilities:

1. A comprehensive risk library

It’s critical to have a centrally maintained risk library that any stakeholder can access, with real-time information. That way, everyone can make decisions based on the same source of information. As things change (and we all know they will), this becomes the one source of truth your organization can depend on.

2. Linking risks to strategic objectives

ERM shouldn’t exist on its own. You’ll want software that makes it possible to look at risk through the lens of your organization’s goals. Being able to see exactly how your risks relate to what you’re trying to achieve helps you identify any weak spots. You can then better allocate your resources towards the right initiatives.

3. Mapping risks to policies, processes, and control objectives

Mapping risks to policies, processes, and control objectives helps you prioritize resources. It’s extremely important to quantify risk treatment and response—making sure you prioritize resources by focusing on areas with the highest risk, or the least amount of coverage.

4. Risk management frameworks and regulations

While COSO and ISO are both valuable risk management frameworks, they are sometimes too theoretical and can be hard to apply. Some technology can apply those frameworks for you. You can then map frameworks, standards, and regulations to your internal controls to track regulatory compliance.

5. Connections to a wide range of data sources

Having access to data to measure, monitor, and predict risk is extremely important. Without data, risk assessments can be highly subjective and biased. Getting access to more meaningful data means risk assessments are better informed and your organization maximizes performance and monitors changing risks in real time.

6. Smart exception monitoring

Automating the routing of issues and exceptions means you can be certain that the proper escalation happens if problems are not promptly resolved. The proper people are notified, and bad things can’t go unnoticed.

Set triggers in HighBond to notify owners when the value of a KPI/KRI crosses a given threshold, automating a remediation workflow.

7. Massive data blending and analysis capabilities

By analyzing 100% of transactional data, organizations can detect, prevent, and predict risk events, gaining even more assurance. Without the use of technology, analyzing that much data would be near impossible. Many organizations have data in disparate systems and it can be a big challenge not just to access the data, but also to blend it together in meaningful ways.

8. Libraries of specialized analytics

We know that 60% of business processes (e.g., accounts payable, payroll, and vendor management) are common across different organizations, 30% are industry-specific, and the final 10% are often organization-specific. Analytics designed to automate the monitoring of common key controls and processes, and industry-specific needs, can save you a lot of time and have you up and running with continuous monitoring in a few days.

9. Data visualizations and trend analysis

By purchasing a tool with strong visualizations and trend analysis, fuelled by your organizational data, you’ll remove the manual, and often error-prone, process of updating Excel spreadsheets or heatmaps within PowerPoint. You’ll be able to see when your risk assessments change, and how they change over time.

10. Smart response management

When problems are identified, being able to centrally track, manage, and remediate them is critical so you know that the proper measures are in place. You’ll want an ERM system that makes everyone aware of issue status, creates collaboration in a central place, and captures additional evidence or information. Some also provide workflows to confirm proper steps are taken and appropriate people are involved in resolving issues.

11. Questionnaires, surveys, and attestations

Surveys help gather, aggregate, and analyze information from the people who manage day-to-day operations. Surveys are a convenient way to gather information from a lot of people in a consistent way, to identify trends and find common themes. This is especially helpful during risk identification and assessment, and even for monitoring purposes.

12. Hotline management and monitoring

Risk and incident hotlines provide an escalation process within risk management teams. Risk event forms or hotlines are an effective way to provide a central place for employees to report incidents, risk events, or even fraud and theft. Using technology to gather these events and send them to appropriate teams for follow-up is crucial to building a good risk management program.

13. Risk scoring

Being able to assess risk on impact and likelihood (and potentially other factors like velocity) is important for organizations in making critical decisions and prioritizing risk response efforts. Software creates a consistent approach to risk assessments and automates scoring models and heat maps.

Conduct risk assessment voting workshops within HighBond to determine risk scores.

14. Dashboard views of risk monitoring and assessments

Real-time dashboards are essential for key stakeholders to monitor and report on key risk indicators. Customizable dashboards give executives and stakeholders access to the information they deem most important in making key decisions that affect performance.

15. Integration with specialized risk management systems

Embracing a culture of open data makes it possible for organizations to aggregate and blend data in meaningful ways. No organization has one system to manage its business—instead, they use the best tool for the job, and that often means a variety of technologies for a variety of activities. So you’ll want a system that makes it easy to integrate data across other systems, both from workflow and data analysis perspectives.

We hope this list helps you out when it comes to choosing ERM software. All of these essential ERM functions and capabilities (and a lot more) are included in the HighBond platform.

