The short answer is “it depends”, but to answer this question thoroughly we must first make an honest assessment of the overall ERM program. Point solutions are commonly deployed to automate relatively “simple” ERM programs, where they readily enable process automation and streamline program architecture. Larger organizations are likely to have more complex programs that require more sophisticated solutions and, in some cases, a mix of technology solutions. In such cases, the degree to which one or more Governance, Risk and Compliance (GRC) systems can integrate different risk management activities and provide a seamless user experience defines the success of the program and the level of user adoption. Additionally, program and process maturity is a key factor in the overall success of the solution. The organization, including its people, processes, systems, data, and policies, must be thoroughly prepared for the adoption of technology.
Automation may not always be the right answer to drive maturity of ERM. If the size and complexity of the ERM programs and activities are such that they can be sustained with a low degree of automation, then perhaps the relative value-add of technology enablement does not justify the investment.
When selecting an ERM solution, agencies should evaluate which solution(s) would provide the most value in terms of meeting requirements and sustainability. Determining the extent to which the solution can be used to integrate various risk management functions and processes across the organization, and clearing any roadblocks to onboarding critical risk functions onto the GRC solution, will contribute to greater success of the overall program.