In business, risk is necessary. Risk is inherent in all of a company’s efforts to execute and to meet its goals. The amount of risk a company takes on determines how flexible it can be; how easily it can meet a particular growth target; and which measured, transparent, and calculated approach it should use to get to that target. So, in effect, an organization’s tolerance—or appetite—for risk determines how far it’s able to go based on market conditions and the external environment.
Risk management is not about eliminating risk. The purpose is to understand how much risk the company is facing and how it can reduce that risk to an acceptable threshold. Some businesses are turning to data analytics technologies for new insights into where they face risks and what they can do to mitigate those that exceed their basic tolerance.
Historically, companies have identified assets as risky or as critical, but they have not been able to quantify the value or liability associated with the risks to a particular asset. In other words, they’ve rated risk in terms of severity but haven’t been able to pin it to a specific dollar amount. For many companies, this limitation has led to challenges in fully integrating risk management into high-level decision-making. Traditionally, risk data has been reported in a very technical language that executives don’t understand. Risk analytics changes that by translating risk calculations into executives’ language, where everything is measured in dollars.
What Is Risk Analytics?
Risk analytics technologies define a company’s liability—which is to say, the amount of money it will have to spend in case of a particular event—along with the likelihood that the event will occur. Thus, risk analytics enables businesses to quantify the true risk-based liability that they own in each asset. Eventually, analytics processes will help companies determine how critical an asset is and whether they should assume the risk outright or take steps to reduce it to a level they’re comfortable with.
Consider, for example, cyber-risk insurance. A few insurance companies offer cyber insurance for financial institutions; however, they lack solid data for determining the true liability they’re assuming by insuring a particular institution against cyber threats. Today, cyber criminals take several forms. They’re no longer just individuals working out of their parents’ basements; state-sponsored, organized attacks also pose a risk. Nevertheless, insurance companies that are determining pricing for cyber-insurance coverage generally ask prospective customers only around 10 questions before determining which coverage and premium options to offer. The result is often coverage that doesn’t align closely with the needs of the insured and that may not be priced appropriately. Many large financial institutions have found that their insurance options for cyber crimes are insufficient.
However, some insurance companies have begun using risk analytics to make better decisions around coverage and pricing. They’re using these technologies to:
- Establish the value of each information or IT asset—such as a customer record or a critical application that processes billions of dollars in transactions on a nightly basis—by bringing in data from systems such as asset databases, Excel spreadsheets, data classification and inventory systems, and survey tools.
- Estimate liability or cost in the event of risk exposure or a compromise of the asset (e.g., customer record stolen, critical application unavailable).
- Run analyses of the probability that any of a variety of scenarios will occur, using the insured’s information security, operational, compliance, performance, and threat intelligence data.
- Pull together all of this information to build a risk posture scorecard for the organization.
By using risk analytics, insurance providers can offer products that more precisely match the needs of customers with a range of different profiles, and they can ensure that premiums and policy terms accurately reflect the level of risk they are taking on with each new customer.
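The four steps listed above, carried through on a small risk register, as an added example that is not from the original article or from any vendor's product. It assumes expected annual loss is liability times annual probability, that scenarios are independent, and a hypothetical per-risk tolerance; all names and figures are constructed.

```python
from itertools import product

# Constructed sample register: (scenario, liability in dollars if the event
# occurs, annual probability of the event). Values are illustrative only.
REGISTER = [
    ("customer records stolen", 4_000_000, 0.05),
    ("nightly settlement app unavailable", 1_500_000, 0.20),
    ("vendor data center breach", 800_000, 0.10),
]


def scorecard(register, per_risk_tolerance):
    """Rank scenarios by expected annual loss and flag those above tolerance."""
    rows = []
    for scenario, liability, probability in register:
        expected = liability * probability
        rows.append({
            "scenario": scenario,
            "liability": liability,
            "probability": probability,
            "expected_loss": expected,
            # Assumed policy: mitigate anything whose expected loss exceeds
            # the tolerance, accept the rest.
            "action": "mitigate" if expected > per_risk_tolerance else "accept",
        })
    return sorted(rows, key=lambda r: r["expected_loss"], reverse=True)


def prob_total_loss_exceeds(register, threshold):
    """Exact probability that combined annual loss exceeds the threshold.

    Enumerates every occur/not-occur combination, which is only valid under
    the independence assumption and practical for a short register.
    """
    total = 0.0
    for outcome in product((0, 1), repeat=len(register)):
        p, loss = 1.0, 0
        for hit, (_, liability, probability) in zip(outcome, register):
            p *= probability if hit else 1.0 - probability
            loss += liability * hit
        if loss > threshold:
            total += p
    return total


if __name__ == "__main__":
    for row in scorecard(REGISTER, per_risk_tolerance=150_000):
        print(f'{row["scenario"]:<36} ${row["expected_loss"]:>10,.0f}  {row["action"]}')
    print("P(total loss > $1M):", round(prob_total_loss_exceeds(REGISTER, 1_000_000), 3))
```

The ranking by expected loss and the tail probability answer different questions: the settlement application ranks first on expected loss, while the stolen-records scenario dominates the chance of a very large single-year loss.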
Better Reporting, Better Decision-Making
Analytics software can make the risks a company faces both more transparent and easier to measure. By monitoring more metrics, providing insights into trends, and supporting risk forecasting, a risk analytics platform can help risk and finance managers, as well as business executives, to better understand their company’s risk exposures.
Today, most companies’ performance reporting is sorely lacking in business context. Reports explain “what” but fail to address questions of “how” or “why.” Their content is very technical in nature, and they fail to offer appropriate correlations to business drivers and objectives. Hence, these reports are often overlooked or ignored. For example, many businesses report to the board on data security, but they do so using only technical terminology. They discuss the number of breaches the company has experienced in a certain time frame and the number of threats found and addressed, but they offer no insights into how the business should react or what it can do to remediate the risks.
In contrast, a report based on risk analytics technology might explain the critical security risks to the business in terms of costs and probabilities, and it might prioritize recommendations for protecting the business, drawing on analyses of the likelihood and consequences of myriad very specific threats. The executives who rely on this type of report can better understand their business’s risks and can make more informed business decisions.
Risk Analytics for Growth
Most companies that deploy risk analytics use the technology to support their growth objectives. They evaluate the degree to which they should be willing to assume more risk in exchange for the prospect of higher returns.
Suppose that Acme Corp. is considering buying another company, and its managers want to evaluate the costs associated with the prospective acquisition. In determining whether to merge critical applications and processes, they need to answer these questions: What risks would we incur if we brought the processes in-house? What risks would we face if we outsourced them? What risks would we incur by acquiring the company and laying off many of its employees? What risks would we inherit by purchasing this company’s technology assets? Would changing the acquired company’s technology infrastructure pose a significant risk or have a significant impact on the value proposition? Acme managers can use risk analytics software to answer these (and many related) questions, as well as to determine the optimal way to integrate the acquiree’s IT systems into the larger organizational infrastructure.
A risk analytics solution would enable Acme to evaluate the prospective acquisition’s overall risk posture and to analyze different scenarios using data on HR (e.g., employee tenure by job function), compliance and controls assurance levels, country or geographical risk, the criticality of products and services, IT and data security supports (including data center security provided by third-party vendors), etc. The risk analytics software could draw on all this information to:
- calculate the risk posed to a business process or product line by a particular job function at a certain skill level in a given country or region;
- measure the effectiveness of controls, including those around employee background checks, data privacy, training, and awareness;
- rank different risks across various scenarios for better comparison; and
- make recommendations for mitigation, remediation, and/or acceptance of risk.
Such insights would enable Acme’s business managers to make much better-informed strategic decisions about key aspects of the acquisition.
Risk Analytics for Cost Savings
Over the past five to six years, many businesses have weathered the economic downturn in cost-saving mode. They haven’t had cash to spend on growth, so they’ve focused on streamlining operations to become more efficient. Now some of these same organizations are using risk analytics as a tool to reduce waste and eliminate redundancies in resources or effort. Essentially, they are using insights into risk to streamline their processes and save money. The biggest opportunity for cost savings with risk analytics solutions comes from their support for companies’ efforts to effectively prioritize risks. Businesses can use the technology’s analyses to determine which risks actually matter to the business, which risks they should remediate, and which risks are worth attempting to eliminate completely.
This is currently an area of great potential for financial services firms. As they’ve worked to comply with an onslaught of new regulations, many financial services businesses have implemented an assortment of siloed controls. The result has been a set of inefficient, very high-cost processes. At the same time, their controls are largely ineffective because they’re not interconnected; instead, many overlap and some even conflict with other internal controls. A firm in this situation can take a risk-based approach to determine which compliance processes to adopt based on the business’s needs and risk appetite. Moreover, it can use risk analytics reporting to show regulators and auditors why it has accepted some level of risk in certain areas, rather than trying to eliminate all risks.
Embracing Analytics—and Embracing Risk
Risk in business is essential. By understanding and embracing the risk inherent in each of its many assets, a company can differentiate itself and grow more rapidly than its competitors can. Businesses that embrace risk analytics get better insights into the risks they own, which enables managers to make better-informed decisions. The alternative is to ignore risk as a factor when making business decisions, and doing that may be the biggest risk of all.
Businesses that do not embrace risk handicap themselves in their efforts to grow and achieve specific goals. They run the risk of wasting time, money, and resources on things that don’t matter. The bottom line: You cannot be competitive without taking risks—and you can’t be smart about the risks you take if you don’t understand both the probability that various scenarios will occur and the costs to the corporation if they do.
Amad Fida is CEO of Brinqa, a provider of an integrated risk analytics platform for essential data. Fida has more than 15 years’ experience in security software. Prior to Brinqa, he was co-founder and vice president of engineering at Vaau, a visionary company in compliance and role management.