Danny Wong, founder of Goat Risk Solutions, explains how data can help risk managers engage the C-suite and make better business decisions.
For many risk managers, introducing data into a risk discussion is new ground. Ultimately, it’s a game-changer because the narrative is now grounded in facts rather than subjective risk scores and anecdotal reporting, which I believe is the root cause of why the profession struggles to engage effectively with the C-suite. No doubt, there are hurdles that must be overcome.
One initial difficulty is that most risk register templates are not designed for a data-led risk programme, but this is a fairly easy fix: just add a few columns in your spreadsheet for key risk indicators. More problematic is the difficulty you may face getting hold of the data in the first place.
Some of the information may not exist, creating awkward discussions, but it’s important to remember that those data points are not needed for risk reporting; rather, they are essential for the risk owners to manage their part of the business and to provide fact-based assurance to oversight committees. Our thinking is that you will be asking those who do the reporting or have access to the systems and data to provide this information, so that the discussions with the senior stakeholders who own the risks can focus on interpreting the data and making decisions as needed.
My desire is to shift your business from the proverbial “risk maturity journey” to a “data-maturity journey” because the business will now be discussing why some important risks may not have sufficient data.
For example, here is a real-life discussion I’ve experienced at Board level. A few years ago, the Head of IT reported a summary of the WannaCry data breach, consisting mainly of external news narratives about what had happened.
Fortunately, the company was not affected, but the risk owner said the risk should be shown as increasing due to these events. One Board member mumbled, “You’ve given me a long summary stating the obvious. I read the news, so what?”
I interjected and said the virus seems to have attacked known vulnerabilities on outdated or unpatched equipment; anecdotally, I have heard we have a lot of outdated IT equipment in our network.
The Board member then said: “Let’s take an action and report next time the number or percentage of outdated/unpatched equipment in our network and track this metric as part of the IT Security risk.”
So, putting real data behind a risk takes the emphasis away from the subjective risk assessment scores or anecdotes, and senior managers can track actual performance. Further, if actions are taken, we no longer want to focus on the completion status, but rather on the impact the actions have on the metrics.
How you use data is dependent on the risk, the systems in place and organisational capability. Some risks are inherently data-light, so adoption of data is only needed if it helps inform the management of that area. Sometimes the absence of data itself results in a more meaningful dialogue which could result in standardising processes and adopting new systems.
For instance, I’ve had another client who believed they had high staff turnover related to talent, which was a key risk to the performance of their business. When asked, “What is the turnover rate?” the Head of HR responded, “We have over 20 HR systems across the company and cannot easily report this statistic.” The discussion shifted to whether we should centralise the HR system.
We believe a good risk strategy needs to incorporate key risk indicators which can give you:
- More facts and information enabling better decisions
- Less emphasis on the subjective risk scores, though these are still used for prioritisation
- More credibility for risk management teams because it should drive measurable business value and improvement
At its best, data enables a more fact-based and precise dialogue around risk, trends and risk appetite, and gives you clear boundaries/escalation points.
In the training course, risk managers will learn how to introduce data into the risk dialogue, including practical tips and will also be given a template that can be incorporated directly into your business.