Determine whether the Pelican ERM system is right for your company
in 6 easy questions
Question 1: What is the main role of risk management in the eyes of your senior management?
- To compile and present periodic reports to executives on the top risks faced by the company
- To ensure compliance with regulatory standards
- To negotiate and purchase insurance sufficient to cover all major risks
- To organise employees to identify, evaluate and manage risks consistently across the business
- To comply with risk management standards like ISO 31000 and COSo
- I don’t know
Let's see what your answer reveals ...
- If risk management is only about presenting your senior management with a list of risks, then it’s doubtful that they will see the value of Pelican. Use PowerPoint.
- Governance and compliance were bundled up with risk management with the 2002 Sarbanes Oxley Act. This was a bad idea – it turned the perception of risk management in the eyes of many from a creative decision-making support into a box-checking standardised process. Pelican is not a GRC system. Try using one of the GRC tools like MetricStream or RSA Archer.
- If risk management in your company mostly revolves around ensuring you have sufficient insurance, it means that you haven’t progressed yet to think about how to stop the risks from occurring in the first place, and Pelican will be too much of a leap in thinking to get traction with your executive. List your losses in Excel.
- It looks like you are exactly the type of company that Pelican was designed for. Let’s keep going onto the next question.
- Risk management guidelines are very vague. Most GRC software vendors will tell you their product comply with them – and in general they do, though they have no focus on quantitative risk management. In our experience, if the main focus is to comply with some standards, the management will choose the simplest and probably the cheapest software option which will be a qualitative system, not Pelican.
- Find out first, otherwise you will be wasting a lot of time. We can help you do this.
Question 2: Which of the following types of risk impact are of concern to your business?
- Health and safety
So what did you pick?
Everyone picks financial, but if you have picked one or more of the others then Pelican will definitely be interesting to you. Pelican is the only ERM system that allows evaluation of different types of impact on a shared, quantitative scale. If you’ve only picked financial, you have a wider choice of ERM products to select from, although Pelican has the greatest capability for assessing financial risk.
A 2017 survey by KPMG reported that, for 39% of businesses, a better understanding of the company’s risks is the factor that would most improve the audit committee’s oversight effectiveness. Pelican is designed to deliver that understanding in unambiguous terms because it evaluates everything quantitatively. In order for the audit committee to provide genuine oversight of quantitative risk management, they must know a thing or two about probabilistic ideas. If they don’t know anything, they may resist implementing Pelican but we can provide assistance to improve their understanding of the concepts, so the question that needs to be answered is:Next question
Question 3: Does the audit committee support using a more quantitative ERM software tool to help improve how risks are evaluated?
If the answer is yes, then it looks encouraging - let’s move on to the next question.
Risk aggregation at any defined level (e.g. a business, country, process) is an essential aspect of risk management because it allows one to see where the risks are concentrated, compare different performance, select between different possible investments, etc.
In qualitative risk analysis, one cannot ‘add’ risks together to form an overall risk measure, so instead a count is made of the risks that fall into each Probability & impact combination and presented in heat maps like the ones below.
Which project would you say was the riskiest - Project 1 or 2?
In Pelican’s quantitative system, risks are added together using Monte Carlo simulation. This is done automatically within Pelican. One of the many benefits that one gets is to make comparisons. For example, the following cumulative probability graph compares the aggregate risk distribution for the same two projects displayed in heat maps above:Next question
At every cumulative probability, Project 2 has a lower risk impact score than Project 1, which means that Project 2 is indisputably the least risky option.
Project 1 has at least as many risks plotting in the same colour zones (red, amber, green) as Project 2, yet it turns out to be far less risky. Heat maps are widely recognised as being highly flawed and misleading, but they remain very popular. So, the question is:
Question 4: Which is more important to your company – sticking with heat maps because they are popular and easy-to-use – or moving to more quantitative methods because they are correct, even if they require a (very little) extra knowledge and effort?
If you prefer to stick to qualitative methods, Pelican is not for you.
Question 5: When selecting your ERM system, which of the following are critically important to you?
- The software vendor must be a large company
- The ERM software must have been in the market for several years
- The software vendor must have an office in my country/region
- The software must already be used by several companies in our industry
- The vendor’s product must be on Gartner’s IRM Magic Quadrant or Forrester’s GRC Wave
If any of these are critical, then we should talk in a couple of years. Pelican is a new product – and sales cycles are long so, although we have a growing number of users, and an even larger number of prospects in the pipeline, we probably don’t have a Pelican user in your industry. But is that really necessary? - risk management principles are very similar between industries, and Pelican is easily customised to your particular needs.
We will certainly have many users of our other software in your industry, however.
On the plus side, we are looking for new users in certain industries because companies often don’t want to be the ‘first’. If your company is a bit more adventurous than your competitors, we offer very good deals for early adopters that you can take advantage of. You'll also be managing risk a lot better than them.
Pelican is offered as SaaS (software as a services). We typically manage the installation and run the system for you remotely, using Microsoft Azure servers. We are based in Belgium, you probably aren't, but we have a growing network of consultancy support partners who can assist you with implementing Pelican.
Why isn’t Pelican featured by Forrester and Gartner? Because we aren’t big enough yet. They only feature large companies, sadly. However, we have demonstrated Pelican to Gartner, so you can always ask them of their opinion.
Question 6: Is your expectation of the cost of an ERM system in line with Pelican’s pricing?
A realistic comparison will show Pelican to be around 30-40% of the cost of competing risk management systems yet it offers many times more capability. Nonetheless, you should have an idea of whether the investment in Pelican is something your company can afford.
To get a realistic view of the cost of an ERM/GRC system, one must consider the following cost elements:
- The annual software license fee - we have priced Pelican very competitively. Our fee is dependent on the number of registered users but works out to be around €70-200k/year for medium to large companies.
- The cost of configuring the system for your company – this can be fairly trivial for very simple systems, but it can be enormously expensive for others. Pelican is on the trivial end (around €5k) and, if you wish, you can do it all yourself.
- The fees charged for any customisation or integration with other systems – again, this can be enormous, especially if a vendor knows you are locked into their system. We charge a fair hourly rate instead (around €50/hr).
- The cost of training personnel in how to use the system – Pelican has a very impressive range of tools for describing, evaluating, managing and reporting risks. Most are very easy to use and require little expertise, others are specialised for those who have very demanding requirements. Pelican gives access to every tool and interface according to each person’s needs. The training we provide is then matched to the role of the users. For the greatest majority of users, their needs are simple, and the training can be delivered at no cost via videos embedded in the context-sensitive online help file. Super-users can get targeted individual hands-on training at an affordable price. The overall training bill will be in the order of €10k, not €100k.
- The cost of running and overseeing servers – Pelican can be implemented either using in-house servers, or with Microsoft Azure. Azure works out to be cheaper when one takes into account the cost of IT staff to manage the system and the logistical difficulties of updating the Pelican system on a clients’ servers. We pass through the Microsoft Azure costs with no mark-up. It generally works out to about €20k/year.
- Salary costs for time spent by employees in using the system – complex systems can really tie up employees’ time as they struggle to navigate the system, enter and retrieve data. Pelican has a very simple interface that is customised to the individual user, so they only see what they need to, making navigation and familiarisation easy. Pelican also saves a great deal of time because many operations are automated. For example, email alerts and calendar entries. Reports are also easy to generate with the latest data using templates, which can be customised by your IT staff, and dashboards can be designed by them too, so you get the most pertinent information without searching for it.
If you’ve reached the end of this and none of the questions raised a red flag for you then, as the next step, we would be delighted to do an online presentation for the people who will decide on whether to adopt Pelican.
We invite you to send an email to firstname.lastname@example.org requesting a demo and offering some suitable dates.