Building an internal risk tool

3 min read
Jun 23, 2021

Build vs buy: what’s the right route for new risk tools?

Off-the-shelf or build from scratch. It isn’t always clear-cut what system option works best for an organisation.

It’s up to the risk manager to steer the debate appropriately and ensure the solution they end up with meets all the business’ requirements, is user-friendly, and adds value.

No easy feat, then.


For risk managers deciding whether to build a risk system in-house or purchase from a vendor, it can feel like a minefield of possibilities. Members who attended a recent Risk Leadership Network meeting on this topic shared their experiences and highlighted ways to get the most bang for your buck when building a risk system.

These tips are helpful whether you choose to buy off-the-shelf from a vendor or develop a risk system in-house. We’ve taken four main considerations and outlined them below to help you on your risk system journey.

Members can enjoy the full meeting notes, as well as in-depth case studies outlining how risk managers have built in-house solutions, plus our latest collaborative tool – an extensive, collated list of business requirements members have used when implementing a system – on our Intelligence platform.

1) Budget considerations

While it’s generally true that the best vendor-developed systems also tend to be the most expensive, that doesn’t mean you have to go in-house for a customised tool. Speak to some key vendors for information on how they tailor their products and compare this to what you could do in-house - remember to consider the long-term time and efficiency savings of a robust risk management tool.
Also check the types of licences available from vendors - there are many! Typically, not everyone in your organisation will require a licence for a risk management tool, and not everyone needs to use it at the same time. Concurrent licences could help bring down the cost of an off-the-shelf product to better fit your budget.

2) In-house capabilities

Some organisations have better or more in-house IT capabilities than others. Having the expertise in-house doesn’t necessarily mean the build route is best for you, but it could make things easier in terms of getting quick fixes or grabbing a developer for a quick chat about a question or concern you have.
When examining your in-house capabilities, you should also include your internal risk champions. These individuals can be very useful at the test stage, finding bugs and providing important user-experience feedback.

3) Current tools

Do you already have a tool in place? Perhaps it’s an Excel-based tool, for which you would like to develop some additional capabilities. If so, this can be a great “proof of concept” to gain management buy-in for additional budget. This could help you develop a tool with more bells and whistles, or to create a more automated version that might lead to greater efficiency for the risk team, and for the rest of the organisation.

4) Managing change

This is important regardless of whether you build or buy - but consider what each option will allow you to do in terms of showcasing the new tool in the best possible light. This will only help to gain interest and support ahead of the launch of your new risk system.
Change is best managed if you can underline the benefits of the new system. For example, being able to show stakeholders and senior managers a live data dashboard with some KRIs can be a powerful introduction. Use your company’s intranet and marketing capabilities to prepare the wider organisation for launch – for example, by posting a video showing employees how to use the system and why it benefits them.


Are you an in-house risk manager who could benefit from collaborating with a global network of risk leaders? Find out how Risk Leadership Network membership could benefit you here.

Get new posts by email