ARIS Risk and Compliance Manager Reviews

I recommend it to my customers. Sometimes, we follow the normal cycle: risk identification, then evaluation, then mitigation, and lastly, monitoring. 

In other processes, we use the software to analyze risk patterns. So, it depends on the needs. It's possible to have an approach focused on risk or an approach focused on control of the risk within ARIS. You can do both. Normally, these risks are aligned with the business processes.  

I recommend it to banks, insurance companies, telecoms, other kinds of industries.

The automated control feature enhances our compliance processes. For automation, we have the workflow. We can set it so that for a specific risk, or for all risks if we want, people will receive automatic notifications to do the evaluation and implement or test the control at a set interval, like every six months or every year. 

For example, a month or two before the due date, the system automatically sends notifications to the responsible users. This is important because it's impossible to ask people to check manually. It's much better to have automatic notifications based on the customized parameters and the customer's specific needs. 

Usually, there isn't just one person responsible; there's a risk manager. Even with notifications, sometimes people don't have time to do the evaluation or implement controls. The risk manager takes care of this by using statistics and dashboards to monitor who's doing what and when. If someone is delayed, the system creates another reminder notification.

The most effective features are the basic ones to evaluate and control risk. We have many specific small models inside of ARIS Risk and Compliance Manager, like issue management. These are smaller add-ons depending on the needs. You are including specific models as well. 

The basic ones do exactly what is required for risk management: identification, evaluation, control, mitigation, and modification. 

And, we have dashboards with the possibility to configure compliance policies and risk limits based on which we can create alarms. If there are maximum limits, we create alarms attached to the responsible people. 

Normally, there is someone that identifies the risk, and then you have the risk owner. These people [normal users] can send notifications to the risk owner, who will evaluate the risk and decide whether it's important to control it or not.

I remember a project where the customer wanted to control all risks and assigned many people to identify them. They started identifying risks everywhere. After a few years, the customer realized that it didn't make sense to control all of them. So, they created limits—levels of risk the company was willing to accept because it was more expensive to implement controls than to manage the risk.

So, regarding ARIS Risk and Compliance Manager, you can implement all the risks and policies you can imagine because it's very customizable. You can customize a lot of things.

In future releases, I would like to see more features around AI (artificial intelligence).

I have been familiar with this product for around 20 years now. 

It's really stable. Sometimes you have small bugs, but this is nothing. I've been working with this tool for over 13 years. Normally, when they release a new version, it's thoroughly tested before being released to the market. So, sometimes we have small issues here and there, but not often.  

It's good. We have core functionalities, and then we can expand depending on the needs.

For example, if we use ARIS in the cloud, the customer doesn't need to buy licenses. They can subscribe annually. We can adapt according to the customer's needs, increasing or decreasing the licenses. In this case, it's a good thing, very adaptable. It depends on the situation. 

If you buy the licenses, it's another thing. Last year, Software AG launched this new cloud subscription option, and it's a good thing because it's much more flexible and perhaps less expensive than buying licenses. 

I recommend to customers to use the subscription instead of buying the license because nothing is forever. Things change all the time, and this option is much more flexible.

Many times we resolve the issues ourselves. We only refer to Software AG's support in a few cases, maybe 5% or even less. But my company has IT specialists, so it might not be the same as in other companies. 

In our company, we have people who might know much more than many people at Software AG. I started with this product early on. We have a global vision of the product. I know that many people in IT only know about risk management or process management, but we have a comprehensive understanding.

Dashboarding is something that customers are asking for a lot right now because it's important to have an overview of the statistics. If there are any deviations from the plan, you can go into the details to check what's happening. So, we have this whole view and understanding of the product. 

We use a suite of products. We have many different models depending on the process. For enterprise architecture, we use ARIS Enterprise Architecture. For the Risk Manager, we use ERCM Risk Management and GRC. BPA or BPM is an aspect of ARIS, our resources. We started it from time to time.

We usually help our customers implement the product. Newcomers normally need training and coaching. But, this is true for any tool because each has a specific methodology and specific features. 

The most important thing is not to dive into the product and showcase all its possibilities, as that can be overwhelming. Instead, it's crucial to first capture the specific needs of the customer and then create a solution within the product, using parameters and customizations to address those needs. 

It doesn't make sense to go to a customer without a clear understanding of their requirements.

We have some nominated licenses, which are per user, and concurrent licenses. The concurrent licenses are more expensive than the other ones but are better, at least for a big company. 

We can have many people using the product simultaneously, independent of the user. If we use nominated licenses, this is not possible because the license is assigned to a specific user and is much more limited.

At this moment, I would recommend this tool. This is the tool I know more than the others. I know a little bit about BWise and other tools like Spark. But ARIS is the one I know best because I've been working with it for a long time, maybe the last 13 years. I cannot recommend the other tools with the same confidence as I can recommend ARIS, simply because I know ARIS better.

Overall, I would rate it an eight out of ten.