In business, risk is necessary. Risk is inherent in all of acompany's efforts to execute and to meet its goals. The amount ofrisk a company takes on determines how flexible it can be; howeasily it can meet a particular growth target; and which measured,transparent, and calculated approach it should use to get to thattarget. So, in effect, an organization's tolerance—or appetite—forrisk determines how far it's able to go based on market conditionsand the external environment.

Risk management is not about eliminating risk. The purpose is tounderstand how much risk the company is facing and how it canreduce that risk to an acceptable threshold. Some businesses areturning to data analytics technologies for new insights into wherethey face risks and what they can do to mitigate those that exceedtheir basic tolerance.

Historically, companies have identified assets as risky or ascritical, but they have not been able to quantify the value orliability associated with the risks to a particular asset. In otherwords, they've rated risk in terms of severity but haven't beenable to pin it to a specific dollar amount. For many companies,this limitation has led to challenges in fully integrating riskmanagement into high-level decision-making. Traditionally, riskdata has been reported in a very technical language that executivesdon't understand. Risk analytics changes that by translating riskcalculations into executives' language, where everything ismeasured in dollars.

What Is Risk Analytics?

Risk analytics technologies define a company's liability—whichis to say, the amount of money it will have to spend in case of aparticular event—along with the likelihood that the event willoccur. Thus, risk analytics enables businesses to quantify the truerisk-based liability that they own in each asset. Eventually,analytics processes will help companies determine how critical anasset is and whether they should assume the risk outright or takesteps to reduce it to a level they're comfortable with.

Consider, for example, cyber-risk insurance. A few insurancecompanies offer cyber insurance for financial institutions; however, they lacksolid data for determining the true liability they're assuming byinsuring a particular institution against cyber threats. Today,cyber criminals take several forms. They're no longer justindividuals working out of their parents' basements;state-sponsored, organized attacks also pose a risk. Nevertheless,insurance companies that are determining pricing forcyber-insurance coverage generally ask prospective customers onlyaround 10 questions before determining which coverage and premiumoptions to offer. The result is often coverage that doesn't alignclosely with the needs of the insured and that may not be pricedappropriately. Many large financial institutions have found thattheir insurance options for cyber crimes are insufficient.

However, some insurance companies have begun using riskanalytics to make better decisions around coverage and pricing.They're using these technologies to:

• Establish the value of each information or ITasset—such as a customer record or a criticalapplication that processes billions of dollars in transactions on anightly basis—by bringing in data from systemssuch as asset databases, Excel spreadsheets, data classificationand inventory systems, and survey tools.
• Estimate liability or cost in the event of risk exposure or acompromise of the asset (e.g., customer record stolen, criticalapplication unavailable).
• Run analyses of the probability that any of a variety ofscenarios will occur, using the insured's information security,operational, compliance, performance, and threat intelligencedata.
• Pull together all of this information to build a risk posturescorecard for the organization.

By using risk analytics, insurance providers can offer productsthat more precisely match the needs of customers with a range ofdifferent profiles, and they can ensure that premiums and policyterms accurately reflect the level of risk they are taking on witheach new customer.

Better Reporting, Better Decision-Making

Analytics software can make the risks a company faces both moretransparent and easier to measure. By monitoring more metrics,providing insights into trends, and supporting risk forecasting, arisk analytics platform can help risk and finance managers, as wellas business executives, to better understand their company's riskexposures.

Today, most companies' performance reporting is sorely lackingin business context. Reports explain “what” but fail to addressquestions of “how” or “why.” Their content is very technical innature, and they fail to offer appropriate correlations to businessdrivers and objectives. Hence, these reports are often overlookedor ignored. For example, many businesses report to the board ondata security, but they do so using only technical terminology.They discuss the number of breaches the company has experienced ina certain time frame and the number of threats found and addressed,but they offer no insights into how the business should react orwhat it can do to remediate the risks.

In contrast, a report based on risk analytics technology mightexplain the critical security risks to the business in terms ofcosts and probabilities, and it might prioritize recommendationsfor protecting the business, drawing on analyses of the likelihoodand consequences of myriad very specific threats. The executiveswho rely on this type of report can better understand theirbusiness's risks and can make more informed business decisions.

Risk Analytics for Growth

Most companies that deploy risk analytics use the technology tosupport their growth objectives. They evaluate the degree to whichthey should be willing to assume more risk in exchange for theprospect of higher returns.

Suppose that Acme Corp. is considering buying another company,and its managers want to evaluate the costs associated with theprospective acquisition. In determining whether to merge criticalapplications and processes, they need to answer these questions:What risks would we incur if we brought the processes in-house?What risks would we face if we outsourced them? What risks would weincur by acquiring the company and laying off many of itsemployees? What risks would we inherit by purchasing this company'stechnology assets? Would changing the acquired company's technologyinfrastructure pose a significant risk or have a significant impacton the value proposition? Acme managers can use risk analyticssoftware to answer these (and many related) questions, as well asto determine the optimal way to integrate the acquiree's IT systemsinto the larger organizational infrastructure.

A risk analytics solution would enable Acme to evaluate theprospective acquisition's overall risk posture and to analyzedifferent scenarios using data on HR (e.g., employee tenure by jobfunction), compliance and controls assurance levels, country orgeographical risk, the criticality of products and services, ITand data security supports (including data center security providedby third-party vendors), etc. The risk analytics software coulddraw on all this information to:

• calculate the risk posed to a business process or product lineby a particular job function at a certain skill level in a givencountry or region;
• measure the effectiveness of controls, including those aroundemployee background checks, data privacy, training, andawareness;
• rank different risks across various scenarios for bettercomparison; and
• make recommendations for mitigation, remediation, and/oracceptance of risk.

Such insights would enable Acme's business managers to make muchbetter-informed strategic decisions about key aspects of theacquisition.

Risk Analytics for Cost Savings

Over the past five to six years, many businesses have weatheredthe economic downturn in cost-saving mode. They haven't had cash tospend on growth, so they've focused on streamlining operations to become more efficient. Now some ofthese same organizations are using risk analytics as a tool toreduce waste and eliminate redundancies in resources or effort.Essentially they are using insights into risk to streamline theirprocesses and save money. The biggest opportunity for cost savingswith risk analytics solutions comes from its support for companies'efforts to effectively prioritize risks. Businesses can use thetechnology's analyses to determine which risks actually matter tothe business, which risks they should remediate, and which risksare worth attempting to eliminate completely.

This is currently an area of great potential for financialservices firms. As they've worked to comply with an onslaught of new regulations, many financial servicesbusinesses have implemented an assortment of siloed controls. Theresult has been a set of inefficient, very high-cost processes. Atthe same time, their controls are largely ineffective becausethey're not interconnected; instead, many overlap and some evenconflict with other internal controls. A firm in this situation cantake a risk-based approach to determine which compliance processesto adopt based on the business's needs and risk appetite. Moreover,they can use risk analytics reporting to show regulators andauditors why they've accepted some level of risk in certain areas,rather than trying to eliminate all risks.

Embracing Analytics—and Embracing Risk

Risk in business is essential. By understanding and embracingthe risk inherent in each of its many assets, a company candifferentiate itself and grow more rapidly than its competitorscan. Businesses that embrace risk analytics get better insightsinto the risks they own, which enables managers to makebetter-informed decisions. The alternative is to ignore risk as afactor when making business decisions, and doing that may be thebiggest risk of all.

Businesses that do not embrace risk handicap themselves in theirefforts to grow and achieve specific goals. They run the risk ofwasting time, money, and resources on things that don't matter. Thebottom line: You cannot be competitive without taking risks—and youcan't be smart about the risks you take if you don't understandboth the probability that various scenarios will occur and thecosts to the corporation if they do.

————–

Amad Fida is CEO ofBrinqa, a provider of anintegrated risk analytics platform for essential data. Fida hasmore than 15 years' experience in security software. Prior toBrinqa, he was co-founder and vice president of engineering atVaau, a visionary company in compliance and rolemanagement.