In addition to their stewardship of the company’s financial health, CFOs play an integral role in its risk management process. While the company may have a comprehensive enterprise risk management framework in place, the effectiveness of the risk assessment process—the foundation of an ERM program—must be continuously evaluated and improved. Data analytics is necessary for today’s risk assessment process with the ever-increasing complexities of businesses, technology and external factors.
Here, we present critical practices CFOs should implement to integrate data analytics throughout the risk assessment process.
The first step in the risk assessment process is identifying any event that may occur and adversely affect achieving a company’s financial, operating and compliance objectives. Traditional methods of identifying risks—top-down, bottom-up or a hybrid of the two—may not sufficiently consider all the internal and external factors, especially emerging risks.
Data analytics can both accelerate and improve the quality of bottom-up risk assessments. In many cases, risk assessments are annual, semi-annual or event-driven (e.g., proposed M&A activity) exercises requiring significant time and personnel investment. By centralizing key risk-assessment inputs and past results in an information management platform, business-intelligence tools can quickly identify periodic changes in likelihood and impact ratings and visualize the geography and product/business lines driving such changes. This shifts the focus from information gathering to more meaningful and timely discussions around whether bottom-up assessments coincide with top-down.
By integrating internal operational and external data into the risk-assessment process, organizations can anticipate and better manage emerging risks. For example, a global organization might take a geographical look at its sales and business development pipeline to identify potential high-growth areas for aggressive investment. At the same time, some of these areas could present significant geopolitical, regulatory or climate risks that should be examined and accounted for. Some of these topics are a recurring theme at board meetings and can be measured with a combination of free and subscription indices or reports. Yet, something as simple as determining whether an organization’s short and long-term strategy to manage these risks has changed over time can be a good health indicator on their emerging risk management.
Advanced text-mining techniques can enrich the risk-identification process and uncover nuanced risks by benchmarking against peer organizations. For example, a simple document-scraping algorithm can capture financial, operational and strategic risks disclosed in public filings (e.g., 10-K/Q), which can easily be tabulated against an organization’s risk register to identify potential gaps. Moreover, the same techniques can be applied to key customer disclosures to build a robust risk-intelligence portfolio that allows organizations to stay abreast of critical risks relevant to their industry and factors impacting their customers’ solvency and appetite for their products and services.
After the company has identified risks at both the entity and transaction levels, those risks are assessed to determine their likelihood of occurring and their impact on the organization. Here again, data analytics can significantly enhance the precision of impact and likelihood measurements.
By combining and analyzing data from internal sources such as audit findings, operational loss events, turnover statistics and financial performance records, organizations can corroborate qualitative likelihood and impact assessments with quantitative measures and make more granular, strategic risk decisions that otherwise might be applied in broad strokes. For example, consider a scenario where a risk committee assesses turnover risk to be minimal given that output and profitability have increased over time while turnover rates have been flat over the same period. Yet, after analyzing regional or business-unit specific data, the organization observes that just a minor (e.g., 2%) increase in a particular division’s turnover results in a double-digit increase in operational losses. At a minimum, the organization might rethink its turnover impact rating. Alternatively, this could be highly influential in changing compensation strategy or investments in automation technology.
Monitoring external data sources and analysis can also provide valuable insights into financial risk. A powerful and relatively cost-effective technique to enhance quantitative risk measures is sentiment analysis—examples include monitoring social media commentary about an organization’s (or competitors’) products and services, negative news alerts or consistently monitoring unstructured artifacts and publications from regulators.
Monitoring response to risks
After responding to the risks determined to have the most significant impact and likelihood, an organization needs to ensure that its response is effective and is appropriately mitigating the risk to the desired level. Therefore, using data analytics technology to monitor quantitative metrics continuously is paramount to achieving a level of risk management maturity that becomes an organization’s strategic asset.
Common analytics frameworks make good use of both direct risk measures and indirect risk indicators. A direct risk measure might be trending the quantity and financial impact of operational loss-events over time versus new business intake to understand whether current risk-management practices are scaling commensurately with revenue growth. An indirect risk indicator could be the number of logins/emails sent after hours, security badge swipes on weekends or increases in contractor procurement activity which could be a signal of employee burnout or degrading workplace culture.
The advantage of a risk-intelligence framework using data analytics is that many enterprise monitoring platforms can passively monitor risk metrics and generate alerts once quantitative measures exceed a defined threshold. This saves time and does not necessitate dedicated personnel reviewing a deluge of reports. Instead, risk professionals can spend more time on critical activities such as investigating root causes, remediating issues and mitigating emerging risks.
While it is impossible for an organization to completely avoid risks, incorporating data analytics into the critical elements of an ERM program—risk identification, risk assessment and monitoring implemented risk responses—allows companies to anticipate, manage and respond to adverse events more effectively. In addition, incorporating the analysis of “big data” allows a company to move from the traditional reliance on past events to the ability to make more informed decisions based on forward-looking “what-if” scenarios.