Identify risk through data-driven inputs
The “risk then data, or data then risk?” conundrum has plagued the risk assessment process for years. Historically, companies have conducted interviews to identify risk, then found data to substantiate the risk. Today, organizations must leverage internal and external data to identify a broader set of rapidly changing and emerging risks in addition to what management has identified.
Dynamic risk assessment incorporates four types of inputs:
1. Qualitative assessment – balancing interviews and data
Qualitative assessment is the risk professional’s subjective determination of likelihood, impact and velocity of a risk occurrence based on data consulted, current factors and general knowledge of the business. This inherent risk quantification is offset by qualitative review of management preparedness or control effectiveness to produce a residual risk rating.
Interviews remain a valuable source of information for qualitative analysis; however, they must be balanced with data-driven inputs to produce a truly dynamic risk assessment. Leading organizations are utilizing modern tools to drive efficiency and deeper insight, reaching greater audiences in facilitated sessions and turning feedback from interviews into structured data inputs.
2. Quantitative metrics – deriving risk from business performance
Quantitative metrics include financial, operational and other key performance indicators (KPIs) that are considered essential to operational success. While the first line uses these KPIs to run the business, second and third line functions turn them into key risk indicators (KRIs) by assigning tolerance thresholds and aligning them to specific risks within the taxonomy.
Ideally, analytics are never built solely for the purpose of executing a risk assessment; they can and should be adapted from existing operational indicators or developed and fed back to the business as continuous monitoring.
3. Risk performance – leveraging the same taxonomy
Risk performance refers to history and findings from internal and external audits, compliance and other assurance activities, including management’s self-reporting of issues. When functions use the same taxonomy, risk performance easily maps into the assessment process. In the next blog, we’ll dive into assurance mapping and coordinated response, the basis for your risk performance inputs.
4. External data – challenging perspective with the “bias buster”
Notable organizations leverage external data as a bias buster to challenge the completeness and prioritization of their internal risk assessments. Many companies struggle to identify and access meaningful information; luckily, there are platforms and solutions available to aggregate multitudes of data and identify threats aligned to your risk universe.
Organizations should consider adopting a leading risk platform that aggregates external data sources, including peer company risk factors from publicly available reports, sentiment analysis from news and social media, credit analysis, cyber health ratings, geopolitical factors (including a corruption index and AI-based country risk ratings), and publicly available information about key and second-tier business relationships (e.g., suppliers, customers, joint ventures).
Leveraging new data will likely expose additional risks, so we highly encourage a loop-back mechanism to evaluate and update your taxonomy.
Prioritize the risks that matter today
A risk assessment is considered “dynamic” when it continuously ingests new data from multiple sources to quickly identify and reprioritize emerging and increasing threats. This aggregation and orchestration is your “secret sauce,” with weighted scoring of inputs producing a composite risk score aligned to your integrated risk taxonomy (remember the snowflake structure we talked about in a previous article). Each function may weigh inputs differently based on the mandate established for it in the orient phase, and the weighting may change as new inputs become available.
Respond to fit your organization’s risk posture
Leading organizations leverage modern technology to enable this process on a continuous basis and expose the risk posture of the enterprise to management in real time rather than waiting for a prescribed risk assessment refresh cadence. A dynamic risk assessment that prompts the right response at the right time is critical to protect and build organizational value.
A special thanks to Megan Duggan and A.J. Spalding for contributing to this article.