Michael Rasmussen, The GRC Pundit | October 20, 2021
As Sir Arthur Conan Doyle stated . . .
"It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts."
Data is critical to risk management, and the more objective and quantitative the data is, the more value risk provides to the risk owners in the business.
Organizations take risks all the time but fail to quantify these risks effectively in an environment that demands an understanding of the risk exposure to objectives in order to make decisions.Too often, risk management is seen as a compliance exercise and not truly quantitative analysis that is of value to the organization’s strategy, decision-making, and objectives. A cavalier approach to risk management stuck in subjective and qualitative risk assessments leads to the inevitable failure of risk management.
Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity, and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business. Organizations need structured quantitative risk models, simulations, and analyses to provide objective risk intelligence to the risk owners and risk-takers throughout the business.
Quantifying risk effectively requires multiple inputs and methods of modeling and analyzing risk. This requires information gathering—risk intelligence—so the organization has objective information on probability and loss/impact to make better business decisions. Mature risk management is built on a quantitative risk management process with accurate information supported by a technology architecture that delivers on risk analytics. The demand is for quantitative analytics to extract from this mass amount of data what exactly will help to prevent future significant losses, events, as well as incidents, and further help strategic business objectives succeed.
Some key questions organizations should ask in context of quantitative risk analysis:
How does the organization know it is quantifying risk effectively to achieve optimal operational performance and meet its strategic objectives?
Which objectives could fail as a result of current risks and what is the financial impact on the organization?
How does the organization make the right business decisions?
What financial impact does risk have on products and services?
What is the impact or potential financial impact on customers?
Do businesses understand the interrelationships and correlations between risks?
Does the organization understand the relationships generally between cause and effect, processes, end-to-end process flows, and products and services?
Does the organization understand the quantifiable risk exposure to each individual objective or process, and how it interrelates with other risks to aggregate into an enterprise perspective of risk?
Can the organization accurately gauge the financial impact risk has on strategy, performance, project, process, department, division, and enterprise levels?
Does the organization have the information it needs to quickly respond to and avoid risk exposure and seize risk-based opportunities?
Is the organization optimally measuring and modeling risk in a quantifiable manner?
Organizations are best served to take a quantifiable approach to risk management that measures risk on objectives. This can then roll into overall enterprise and operational risk exposure and reporting that supports strategic objectives and planning while being integrated with decision-making processes. Quantifiable risk management is delivered through a risk information and technology architecture that supports overall risk management activities from the process level up through an enterprise view. Some key things to look for in enterprise risk management technology are:
Performance management. Any good risk management solution does not start with risk but begins with performance. What are the objectives the organization is trying to achieve, and what are the risks to those objectives?
Risk mapping. Can the solution enable multi-dimensional mapping or risk and objective relationships in a many-to-many fashion?
Risk visualization. Does the solution deliver rich risk visualizations, maps, charts, graphs, and modeling to engage both the left and right-brain risk thinkers?
Risk quantification. Does the solution deliver structured quantifiable risk analysis through things like Monte Carlo simulations that can give you solid objective information on risk probability and impact?
Risk scenarios. Does the solution allow you to create multiple quantifiable risk scenarios and document and measure multiple impacts and exposure to a risk event to look at various outcomes on different scales?
Risk normalization and aggregation. This often gets missed. Does the solution allow for risk normalization and aggregation? What happens when a department/project's high risk is measurable to another departments/project's low risk? From an enterprise risk management perspective, it is necessary to be able to compare apples to apples and not apples to oranges.
This blog was written by Michael Rasmussen of GRC 20/20. GRC 20/20 providesinsight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis.