How to Sell Software as a “Risk Management” Expense

One of the real strengths of software as a product category is the ability to position your offerings in different ways to appeal to different customers. Right now, companies that buy software are increasingly obsessing on the notion of “risk management.” And that means an opportunity to sell more software.

Risk management is suddenly a hot topic. An increasing number of businesses are struggling to meet more government regulations and new accounting standards. However, many enterprises continue to take a narrow “silo” approach to risk assessment and management, often developing risk practices that are not effective or appropriate to their specific needs, according to Paul Proctor, a vice president and analyst at the market research firm Gartner.

“The term ‘risk’ has been appended to many traditional IT functions, such as security, business continuity, management, and privacy, without the accompanying changes in the processes and methodologies used for understanding and managing the risk associated with these areas,” Proctor explains, “This, in turn, has led to poor implementation of risk management as a discipline, limiting its effectiveness for many organizations.”

The situation is truly chaotic. In many enterprises, specialists with functional areas of responsibility for risk management operate independently from one another, use different definitions of risk, record information inconsistently, and fail to share information beyond the boundaries of their specific business or support areas. As a result, there is little transparency across processes and no holistic view of risk, which is necessary for enterprise-level analysis of exposure and mitigation decisions.

To make matters worse, there really isn’t any software that helps with “risk management.” Take, for example, software that’s intended to help companies cope with Sarbanes-Oxley audits. While numerous startup software vendors have emerged with solutions that patch Sarbox-compliant controls into existing software, such programs typically can’t do much more than create a framework that helps you understand what controls need to be added. What’s worse is that most firms lack the kind of integrated systems that would make a computerized compliance tool possible.

All of this chaos and confusion produce a rare opportunity to create a competitive advantage with key customers and (of course) sell more software. Gartner has identified seven key steps to enable IT managers to understand and manage the risks facing them and allow them to quickly contribute to an enterprise-level risk management effort as their enterprises evolve in that direction:

1. Implement a framework for risk assessment and mapping.
2. Establish the responsibilities of risk managers with their areas of responsibility.
3. Identify and define the risks to which the business is exposed and what constitutes a risk event or “near miss” so that incidents can be mapped to specific risks.
4. Determine the threat level, and focus on those risks with the highest impact on performance.
5. Establish levels of controls for processes commensurate with the perceived threat.
6. Record and retain risk incident and near-miss information.
7. Conduct periodic risk assessments to determine changes in the operation’s risk profile and assess control performance.

Needless to say, each of these seven steps offers an opportunity for you to help your IT customers, at a strategic level, to create a workable risk-management environment. Example: If your customer also runs software from your competitor, you can intervene at steps 3 and 4 by suggesting that the company standardize on your offering, thereby eliminating the need for duplicate controls.

Similarly, as the customer assesses risks, you can provide information about how and where your software has controls that make risk management easier, or features that help the customer monitor risk management in other software products.