Companies whose strategy is not driven from the top may resort to using a data sampling approach in their risk assessment. Some make no attempt at using data at all. And some spend months or even years planning how to encompass all their data in its entirety, thereby lengthening the time it takes to prioritise and validate business risk – and never quite getting there.
Of course, using business data to manage risk requires investment in the right people, processes and technology, as well as alignment of goals and accountability. Companies that do incorporate a data-driven approach to risk management are continually able to define and redefine what their business risks are, rather than using a traditional annual or periodic risk assessment cycle.
Take the case of a multinational pharmaceutical company that wanted to be able to prioritise multiple strategic risks across the business. Inappropriate user permissions, part of overall IT security, had been an area of some concern for years. With tens of thousands of employees in many countries, it was taking up to three months of “stare and compare” to find anomalies in user access data from their corporate network, their disparate accounting systems and their e-mail accounts.
Every three months an audit found that current and terminated staff, as well as former contractors and other entities, still had access to systems they shouldn’t, long after they had left the company or ended a third-party contract. In one quarter, there were more than 400 unidentified “users” across 30 facilities.
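The cross-check the article describes, as an added example that is not from the article or from ACL: each system's account export is reconciled against the HR roster, and any account belonging to terminated staff, to a contractor whose contract has ended, or to nobody on record is flagged. The roster, the three exports and the review date are constructed sample data in an assumed format.

```python
from collections import Counter
from datetime import date

# Constructed HR roster (assumed format): user id -> status and end date.
HR_ROSTER = {
    "asmith": {"status": "active", "end": None},
    "bjones": {"status": "terminated", "end": date(2023, 11, 30)},
    "cwu": {"status": "active", "end": None},
    "dlee": {"status": "contractor", "end": date(2024, 1, 15)},
}

# Constructed account exports from three disparate systems: system -> user ids.
ACCESS_EXPORTS = {
    "network": {"asmith", "bjones", "cwu", "svc_backup"},
    "accounting": {"asmith", "dlee", "bjones"},
    "email": {"asmith", "cwu", "dlee", "temp99"},
}
AS_OF = date(2024, 3, 1)  # constructed review date

def classify(user, roster, as_of):
    """Return None if the access is justified, else the reason it is not."""
    record = roster.get(user)
    if record is None:
        return "unidentified"            # no HR record at all
    if record["status"] == "terminated":
        return "terminated"              # left the company
    end = record["end"]
    if end is not None and end < as_of:
        return "contract_ended"          # third-party contract has expired
    return None

def find_stale_access(exports, roster, as_of):
    """Check every account in every export; return sorted (system, user, reason)."""
    findings = []
    for system, users in exports.items():
        for user in users:
            reason = classify(user, roster, as_of)
            if reason:
                findings.append((system, user, reason))
    return sorted(findings)

def summarize(findings):
    """Count findings per reason so the same check can run on every new export."""
    return dict(Counter(reason for _, _, reason in findings))

if __name__ == "__main__":
    hits = find_stale_access(ACCESS_EXPORTS, HR_ROSTER, AS_OF)
    for system, user, reason in hits:
        print(f"{system:<11}{user:<12}{reason}")
    print(summarize(hits))
```

Run against fresh exports on each cycle, the same reconciliation replaces the manual "stare and compare" with a repeatable check whose per-reason counts can be tracked over time.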
Because of such findings and the length of time for audits to come to conclusions, IT security was routinely viewed by senior management as a source of significant strategic and financial risk.
Of course, IT security must always be a factor in any company’s risk profile, but implementing real-time data analytics in this single area, instead of a once-a-quarter audit, meant the risk of potential fraud, non-compliance and damage to the company’s reputation was vastly reduced. Precious time and resources could be directed elsewhere.
So what data should the business analyse? And where to start? Without a top-down approach to risk, many risk professionals might be tempted to start with the clichéd “low-hanging fruit” because it’s relatively easy to show results in those areas to leadership. They may want to show that risk management is more than just a cost centre exercise, so they may tend to focus on financials like purchasing or travel and expenses.
But is this quantifiably where most business risk is? Based on the impact and likelihood of such risks materialising, will efforts here keep the company out of the news or the executives out of jail?
Although it can appear to be a chicken-and-egg problem, large volumes of business data should always be analysed in accordance with strategic risks and in partnership with key stakeholders, such as leadership and IT.
The results of compliance and controls-based analysis of all relevant data enable the continuous validation of the risks that the business believes are important, while prioritising the human and financial resources needed to address those risks, and ultimately achieving the alignment of goals.
Find out more at acl.com/risk