How to achieve risk intelligence
Risk intelligence aggregates risk information from across the business to deliver actionable insight.
- Risk teams are data-rich but intelligence-poor.
- Current risk management frameworks exacerbate the problem (although they work well for middle management and BAU).
- To achieve risk intelligence, we need to go further.
- The PAGER approach uses international intelligence agency principles of corroboration and aggregation.
- We help our clients to achieve this via bespoke risk taxonomies.
Achieving risk intelligence
This is our first article in a series on achieving risk intelligence.
In simple terms, risk teams are often data-rich but intelligence-poor.
If risk is to have a seat at the strategy table, it must be earned. If it is going to be earned, this paradigm must be reversed.
In this blog, we explore the first step on the risk intelligence journey.
Where risk management fails
Risk management is facing a systemic failing. Being rich in data but poor in intelligence is all too common.
This causes a range of flow-on effects:
- Board members and executives are dissatisfied with what they get out of their risk programs
- Reporting generates a list of risks, but doesn’t answer the ‘so what’ or drive meaningful conversations
- Risk programs generate a lot of activity, but don’t inform strategic decisions
- Organisations have blind spots around key risks and lack resilience to ‘black swan events’
- Organisations don’t optimise risk, balancing freedom and flexibility with proportionate control and conservatism (i.e. risk-taking!).
When current frameworks do and don’t add value
This doesn’t mean that all our current risk activity is a waste of time. Far from it.
While there is always room to improve, current risk management frameworks often work well for middle management and BAU.
For example:
- Large complex organisations need a record of their key risks and associated workflows (i.e. risk registers). As anyone who has worked in a large complex organisation would know, if you don’t track these things, they can quickly become impossible to manage.
- The maligned heatmap is a blunt tool, but when used correctly it provides a repeatable framework for escalating the right level of risk to the right level of management (but not more than this).
- The Three Lines of Defense can become theoretical and arbitrary, but when applied pragmatically, it gives a robust guide for establishing proportionate assurance relative to risk appetite and risk exposure.
These tools are some of the foundational building blocks of most risk programs. The challenge is not that they are universally wrong and need to be thrown out. It is that these tools are not the complete solution.
They are not enough to achieve risk intelligence. They are just the first few chapters, not the whole story.
Corroboration – the precursor to risk intelligence
Intelligence is not achieved from a single data point.
PAGER has worked with intelligence agencies and experts from around the world to develop its approach.
To achieve intelligence, information must be corroborated. Rarely does a single data point achieve intelligence. Rather, multiple data points must be connected.
A risk assessment is just that – one data point among many that informs part of the story. A good risk assessment is a point-in-time, accurate assumption of the risk. (A bad risk assessment is something less than that.)
But, when we connect risk assessment information with diverse additional data, that is how we advance from foundational risk management toward risk intelligence.
There is a wealth of additional data that may be useful, including audit and assurance information, incident experience, resource allocation, KPI / KRI metric performance, signpost monitoring in the external environment and more.
But the practical reality is that connecting it all up is difficult to achieve.
Aggregation – the key to risk intelligence
The key to unlocking corroboration is aggregation.
Large complex organisations will be managing many hundreds, if not thousands, of risks at any point in time. This is a plain reality.
It is also a reality that we cannot talk to boards and executives about this many risks. Nor can we meaningfully corroborate information against this many risks.
What doesn’t work
So, what is the answer?
To start with, it is NOT:
- Arbitrarily reducing the number of risk records to be only a top few that the board and executive can keep abreast of
- Nor is it creating a bottom-up ‘parent-child’ relationship between risk records.
We have all seen both of these approaches tried repeatedly without success.
What works
Rather, PAGER’s approach is to establish a bespoke, top-down risk taxonomy aligned to 3 things:
- The value chain of your organisation
- The operating model and authorities of your executive team
- The principles and core values that matter most in how you do business.
This gives your organisation the right structure for aggregation. It allows you to meaningfully connect information in 2 key ways:
- Top to bottom – enabling you to talk to the board and executive in aggregate, yet connected to the detail
- Left to right – enabling you to practically corroborate risk assessment information with other data to tell the full story, also connected to the detail.
Next step: Aggregating into a risk taxonomy
The second article in our risk intelligence series looks at achieving practical aggregation. See the PAGER approach to aggregating into a risk taxonomy.
Get in touch
At PAGER, we provide Advisory support and an AI Technology platform to help organisations transform their enterprise risk value.
Get in touch if you would like to learn more.