Compliance

Data - The Key to Risk Management

Gidi Farkash
August 31, 2022

As they say, nothing ventured, nothing gained.

Every time you do, well, anything, you're taking a risk. Whether it's deciding to leave your house in the morning, to electing to go banzai-skydiving (you know, when someone dives from the plane–sans parachute–and **fingers crossed** catches the also-falling parachute in time. It’s a thing, look it up), to figuring out which new company to invest in, life is full of risks, some calculated, and some, not so calculated. The truth is that we don’t even think about the vast majority of risks we take because we have already—consciously or not—decided that the risk, i.e., the potential exposure to negative consequences as a result of performing the desired action, is worth it.

Which Risks Are Worth it? The Risk Management Perspective


“We don't manage risks so we can have no risk. We manage risks so we know which risks are worth taking, which ones will get us to our goal, which ones have enough of a payout to even take them” - Alla Valente, Forrester analyst

But if all of life breeds risk, how can someone assess which risks should be taken (aka, risk appetite), which ones are worth abandoning (risk avoidance), which ones are worth moving to someone/something else risk transferring), and which ones could be worth it, if the potential negative results could be reduced to an acceptable level (risk mitigation and acceptance)? Because, let’s face it, while banzai-skydiving sounds cool, you probably want to do something about the bulk of risk that comes along with it.

In this blog, we’ll explore the topic of risk management: the discipline that can help you decide which risks are worth taking, which are not, and which are worth taking on in a more mitigated way. We will look at why risk is an embedded aspect of business, how companies tend to deal with risks, why these approaches aren’t the full answer, and how data is transforming the risk management discipline.


(Corporate) Risky Business

In the corporate world, risk and risk management are, unsurprisingly, super hot topics. The reliance on digital everything means that every day, companies open themselves up to countless risks and potential vulnerabilities. This is simply the price to pay for doing business. Thanks to the reliance on third parties, the cloud, and SaaS platforms, risk is now, more than ever before, an embedded part of how companies work.

In this potentially vulnerable environment, topics such as how well a company can minimize their dependence on concentrated platforms, how to avoid outages, and how to prevent data exposure have escalated the issue of risk management from the exclusive purview of IT teams and developers to the C-suite. If you need a reminder on the inherent risks that come with the cloud, look at December 2021’s multiple AWS outages, which should serve as a reminder that dependence on the cloud and SaaS tools can be a double-edged sword.

But trying to understand what actually constitutes risks and then managing those risks can be daunting. Professionals dealing with risk continually attempt to build generic models that adequately address these issues, while taking into account the need to make sense of this risk analysis to business stakeholders—showing them how risks can impact the business in terms of dollars and cents—all without the use of technical jargon to confuse or distract them.

In order to determine, explain, and then continaully manage risk, companies use the following interconnected processes:

  • Identifying potential failure points,
  • Assessing the probability and impact of such failure,
  • Controlling the situation by setting up and executing mitigation plans, combined with continuously monitoring how risk levels are affected,
  • Decide on the risk strategy, which is either to avoid, transfer, accept, or of course mitigate (and then decide what controls to implement for that purpose).

With these risk management processes in place, teams can begin to build their risk management plan. Traditionally risk management plans are crafted using risk management tools that serve to optimize the project management capabilities of the risk team, and may also provide a central risk dashboard. But problematically, they still require the risk team to chase information throughout the organization to define and update the risk status.

There are also tools for Integrated Risk Management, which define a methodology by which companies can see and address risk to make better, more informed decisions. Risks are identified using a combination of assessments and meetings with pertinent parties and then they live inside a spreadsheet or other legacy solution. They are then analyzed with IRM tools, which use predefined formulas based on manual input from the risk manager in an attempt to try to prioritize those that are most pressing.


Okay, great. So we have now determined that skydiving is only a bit risky….while banzai-skydiving is, shall we say, riskier.  

Data is the Key to Understanding Risk

But how much riskier?

That question can only be answered with true data. By incorporating objective data, i.e., intelligence pulled directly from sources, instead of basing risk management on interviews, assessments, and feelings, and then putting that information to a static spreadsheet, levels of risk can be defined according to the underlying live data.

That data could then be used to make impactful data-based decisions in real-time (yes, you could theoretically make that jump right now. True, you might be lucky and catch the falling parachute. But, by looking at all the underlying data points, you’ll see it’s only been done successfully 10 times in over 1,000 attempts. And those were skydivers who had at least 5,000 successful skydives under their belts. Now that might make you change your mind).

With normalized structured data pulled from sources as your guide, instead of relying on inherently unreliable elements like spreadsheets, workflow GRC tools, and conversations, you can get a full, comprehensive picture regarding the risks you're taking. Data is the key to understanding the true story behind the scenes. It gives companies a far more accurate observability tool with which to (1) understand the corporate risks they must address and then (2) take appropriate, timely action.

With data as a starting point, companies are much more equipped to understand what constitutes risk and subsequently create a comprehensive risk management plan. They can then begin to determine whether they should mitigate the risk, accept the risk, transfer the risk (which can be accomplished, for example, through taking on an insurance policy–although, g’luck finding an insurer to cover your free fall to Earth), or avoid the risk altogether.

Introducing data into the risk management equation changes the score. With data to lead the way, risk professionals can rest assured that their risk decisions are based on information which is trusted, timely, and relevant. Yes, being alive is one big game-o-risk. Data pulled directly from sources makes your chances of survival a whole lot better.  

Gidi Farkash
Cyber security and GRC professional with over two decades of experience, loves compliance like MJ loves basketball, Director of Compliance at anecdotes.

Our latest news

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Non eget pharetra nibh mi, neque, purus.