Modern organizations must contend with risk from many different sources. Disruptions can come from internal sources, such as process interruptions, accidental damage to physical operations, or a myriad of other potential problems. Even an organization that manages internal risks well will likely encounter difficulties from external sources.
Gartner predicts that by 2025, “70% of CEOs will mandate a culture of operational resiliency to survive coinciding threats from COVID-19, cybercrime, severe weather events, civil unrest, and political instabilities.”(1) We also saw evidence of the shift in risk profiles. Over 75% of respondents to our 2020 RSA Digital Risk Survey expected the risk profile of their organization to expand over the next two years. Only 7% of those surveyed anticipated a shrinking risk profile. Based on these changes, we analyzed Archer’s customer base consisting of a wide variety of organizations about risk challenges they faced over the last year, and outline the insights and lessons learned in our whitepaper, “The State of Integrated Risk Management”.
How Qualitative Methods Fall Flat When Sizing up Risk
One major observation we noted was the need for more precise measurement of risk. Qualitative risk analysis can provide a framework for thinking about individual threats or issues. A qualitative assessment can translate jargon like “supply-chain software update attack” into an appropriately category with an eye catching term like “critical threat”. It is important to make sure the relevant parties are aware of how dire the outcomes could be, even when a risk sounds unlikely or outside of a stakeholder’s domain.
Due to the wide-ranging nature of threats and disruptions in modern organizations, qualitative visual aids may still be useful when utilized with other measurement approaches. A heatmap that compares the likelihood of a given event to the consequences of said event can give a good idea of which issues are mission-critical but doesn’t necessarily offer a means of figuring out how much overhead should be devoted to mitigating those risks.
Replacing words like “mildly adverse” and “catastrophic” with green-yellow and dark red squares doesn’t get around the fact that ultimately a heatmap represents qualitative judgments. This might be a great tool for getting the attention of stakeholders, but real operational impacts will be felt in dollars and cents, not shades of red. The colors of a risk heat map give a false impression of hard data without offering concrete guidance.
Why Quantitative Methods Make for Better Risk Management
With so many different types of risk from so many sources with widely varying likelihoods, organizations need better ways to manage potential risk. Qualitative descriptions of risk using words and colors require human interpretation when implementing risk management processes, which can lead to inconsistent practices. It also clouds the picture when aggregating risks – what do two reds equal, or 5 yellows?
This is why quantitative risk assessment is so important for risk management. Assigning hard numbers to both the likelihood of a given threat and the consequence of said threat provides several advantages over qualitative assessments. Being able to say an event has a 15% chance of taking 90% of an organization’s operational capacity offline in a given year makes it easier to figure out how much time and money should be spent mitigating that risk.
Having hard numbers on eventualities also allows for risk assessment across domains. What may count as a catastrophe for one department may not have a very large operational effect. Conversely, creeping normalcy can lead stakeholders to become so accustomed to operating under what has been termed “unacceptable” risks that the term loses all meaning.
The numbers placed on risk by a quantitative approach can not only be compared directly but combined so that multidimensional risks can be translated into an easily understood number. Quantitative analysis can capture the probability and effects of a dozen low likelihood, low impact events happening simultaneously. The cascade of disruptions from COVID-19 should serve as a stark reminder that risk is increasingly hyperconnected.
Managing the Data of Quantitative Risk Management
We recommend organizations manage risk by coordinating efforts across organizational domains, such as resiliency, audit, compliance, IT, and operational risk. Archer provides a way to coordinate efforts between departments, just like quantitative risk analysis provides a common language between departments to communicate risk. Organizations that have established programs in individual domains should be working to expand their risk focus and improve visibility, analysis, and metrics. Finding common processes or data to share is a great first step to bring together risk management functions.
Quantitative risk analysis produces hard numbers that can guide decision-making in definite ways but can also produce a large amount of information. Real-time monitoring of evolving operational risk produces a flood of information. Risk is changing so dramatically across so many areas that siloed and manual processes make it difficult to get complete information to stakeholders quickly. Even the most successful point solutions will only magnify this challenge, with information stored in different locations and used in different ways by each department. This is exactly why our customers see such value in managing multiple dimensions of risk on one platform. Almost 80% of our customers manage multiple domains of risk on Archer. Of the 250+ customers that have been with Archer for over a decade, almost 60% have branched into three or more domains of risk management.
Measuring Risk in an Evolving Threat Landscape
The past year has shown just how quickly the risk environment can shift. Disruptions due to the effects of COVID-19, the wide variety of regulatory responses even within a single country, and the rapid transition to a fully remote workforce caught many organizations off guard.
2020 was a wake-up call for many organizations, leading to a growing recognition of the need for integrated risk management. When respondents to our 2020 Digital Risk Survey were asked about the need to coordinate risk management, the “extremely coordinated” response jumped more than 90% in the short time between the question being asked in a 2019 survey and the 2020 survey.
(1) Gartner: Predicts 2021: Operational resiliency. January 2021.