Archive for the ‘Cyber’ Category

Risk Officers on the Front Lines of the Big Data Analytics Revolution

March 8, 2014

I was intrigued to read that when McKinsey gathered together “eight executives from companies that are leaders in data analytics …. to share perspectives on their biggest challenges”, they included not only chief information officers and marketing executives, but the chief risk officer from American Express.

The McKinsey Quarterly report that reviews the discussion doesn’t have any ground-breaking revelations. They say what has been said before, although it is still important for all of us to understand the enormous potential of Big Data Analytics.

One key point is that the existence of Big Data by itself has very limited value. It’s the ability to use emerging technology (from companies like SAP, Oracle, and IBM) to not only mine the data but deliver insights at blinding speed (using in-memory technology) that will bring amazing results.

But I was looking for more, which I explain after these quotes.

Big-data analytics are delivering an economic impact in the organization… The reality of where and how data analytics can improve performance varies dramatically by company and industry.

Companies need to operate along two horizons: capturing quick wins to build momentum while keeping sight of longer-term, ground-breaking applications. Although, as one executive noted, “We carefully measure our near-term impact and generate internal ‘buzz’ around these results,” there was also a strong belief in the room that the journey crosses several horizons. “We are just seeing the tip of the iceberg,” said one participant. Many believed that the real prize lies in reimagining existing businesses or launching entirely new ones based on the data companies possess.

New opportunities will continue to open up. For example, there was a growing awareness, among participants, of the potential of tapping swelling reservoirs of external data—sometimes known as open data—and combining them with existing proprietary data to improve models and business outcomes.

Privacy has become the third rail in the public discussion of big data, as media accounts have rightly pointed out excesses in some data-gathering methods. Little wonder that consumer wariness has risen.

Our panelists presume that in the data-collection arena, the motives of companies are good and organizations will act responsibly. But they must earn this trust continually; recovering from a single privacy breach or misjudgment could take years. Installing internal practices that reinforce good data stewardship, while also communicating the benefits of data analytics to customers, is of paramount importance. In the words of one participant: “Consumers will trust companies that are true to their value proposition. If we focus on delivering that, consumers will be delighted. If we stray, we’re in problem territory.”

To catalyze analytics efforts, nearly every company was using a center of excellence, which works with businesses to develop and deploy analytics rapidly. Most often, it includes data scientists, business specialists, and tool developers. Companies are establishing these centers in part because business leaders need the help. Centers of excellence also boost the organization-wide impact of the scarce translator talent described above. They can even help attract and retain talent: at their best, centers are hotbeds of learning and innovation as teams share ideas on how to construct robust data sets, build powerful models, and translate them into valuable business tools.

What I was disappointed in was a lack of reference to how Big Data Analytics could and should be a fantastic opportunity for risk officers and internal audit executives.

All practitioners should be familiar with the concept of Key Risk Indicators (KRI). A useful paper by COSO defines KRI:

“Key risk indicators are metrics used by organizations to provide an early signal of increasing [ndm: they should have said ‘changing’] risk exposures in various areas of the enterprise. In some instances, they may represent key ratios that management throughout the organization track as indicators of evolving risks, and potential opportunities, which signal the need for actions that need to be taken. Others may be more elaborate and involve the aggregation of several individual risk indicators into a multi-dimensional score about emerging events that may lead to new risks or opportunities.”

Some vendors (including MetricStream, IBM, and SAP) are showing us the way in which Big Data Analytics can be used to produce KRIs that are more powerful and insightful than ever before.

However, I am not convinced that practitioners are seizing the opportunity.

I fear that they are concerned about the risks as their organizations embrace Big Data Analytics to drive performance while remaining blind to the opportunity to develop KRIs so that business executives can take the right risks.

I would appreciate your views. Is it a matter of cost? Or are they simply unaware of the potential?

New book on risk management for government decision makers

March 4, 2014

The authors of “Managing Risk and Performance: A Guide for Government Decision Makers” were kind enough to send me a copy for my review and comment here. (The above link is to the Kindle edition, but it is also available in hardcover).

Intended for those charged with oversight or performance of the risk management function in government, Stanton and Webster have provided us with a great deal of material to ponder. In addition to their own work, the book has chapters from a number of others – including my good friend, John Fraser.

I confess to being let down by the book. I don’t think it spends enough time talking about the need for decision-makers at all levels to consider the potential effects of uncertainty (both upside and downside), or the need for risk-adjusted performance management. It focuses almost exclusively on the narrow definition of risk as being something bad, rather than including opportunities for success.

But it does have some good information, including how enterprise risk management was implemented in one government agency, and always useful information about Hydro One’s program.

If you are in government and charged with either oversight or execution of the risk management program, this book has value that justifies buying it. Just be aware that there is more to mature risk management than is covered in these 284 pages.

ISACA releases white paper on Big Data

January 31, 2014

ISACA has just released a new paper on Big Data that I like and recommend. (Full disclosure: I reviewed and provided feedback on a draft and I am quoted in the press release).

What I like the most is the title: “It May Be Riskier to Ignore Big Data Than Implement It”. It captures my belief that the value that can be obtained by the intelligent and creative use of analytics against the massive data sets that are available to every organization far outweighs both the cost of the effort and any associated risk.

Most organizations recognize that there is value, although in practice that value is usually limited by their ability to define the critical business questions that can be answered by the use of the wonderful new tools available today against Big Data.

They are also limited by their belief that they are constrained by inadequacies in their corporate systems.

My view is that almost any organization, no matter what size or type it is, not only can but should be taking advantage of the immense possibilities. Not to do so indicates that they lack both imagination and resolve.

Internal auditors, information security practitioners, risk professionals, and executives should not be blinded to the great values and possibilities by the risks of moving forward.

Here are a few excerpts from the paper:

“New analytics tools and methods are expanding the possibilities for how enterprises can derive value from existing data within their organizations and from freely available external information sources, such as software as a service (SaaS), social media and commercial data sources. While traditional business intelligence has generally targeted “structured data” that can be easily parsed and analyzed, advances in analytics methods now allow examination of more varied data types.”

“Information security, audit and governance professionals should take a holistic approach and understand the business case of big data analytics and the potential technical risk when evaluating the use and deployment of big data analytics in their organizations.”

“For information security, audit and governance professionals, lack of clarity about the business case may stifle organizational success and lead to role and responsibility confusion.”

“By looking at how these analytics techniques are transforming enterprises in real-world scenarios, the value becomes apparent as enterprises start to realize dramatic gains in the efficiency, efficacy and performance of mission-critical business processes.”

“Understanding this business case can help security, audit and governance practitioners in two ways: It helps them to understand the motivation and rationale driving their business partners who want to apply big data analytics techniques within their enterprises, and it helps balance the risk equation so that technical risk and business risk are addressed. Specifically, while some new areas of technical risk may arise as a result of more voluminous and concentrated data, the business consequences of not adopting big data analytics may outweigh the technology risk.”

My friends and former colleagues at SAP have chimed in with an emphasis on the increased value when more sophisticated tools, especially “predictive analytics”, are used to mine and produce information from Big Data.

The SAP paper on this topic, “Predicting the future of Predictive Analytics”, makes the point well. Here are some wise thoughts from James Fisher, an SAP executive, that focus on the risk of using analytics and Big Data without making sure that the information you are using to run the business is reliable:

“The opportunity of big data is huge, and the biggest analytical opportunity I see within that is the use of predictive analytics. The data shows companies favor taking advantage of the opportunities in front of them rather than minimizing risk. Technology is playing a role here and making predictive capabilities even easier to use, embedding them in business processes, automating model creation. SAP is of course in a position to deliver all this. The added question however to ask (and this is really my view) is that this does introduce an inherent risk that people don’t know what they are looking at and blindly follow what the data says…. When you read a weather forecast you immediately sanity check what it says by looking out the window, is everyone doing the same with data?”

You can read more from James on his blog.

My question to you is this:

Are you so risk averse when it comes to the use of analytics and Big Data that you are a barrier to the success of the organization?

What they don’t know will probably hurt them

January 18, 2014

It is always interesting to read the various studies that report that directors don’t have an in-depth understanding of their organization’s business, its strategies, and the related risks. In fact, the studies generally report that the level of understanding is insufficient for them to provide effective oversight of management and governance of the organization.

I want to turn this on its head.

If you are the head of risk management, internal audit, information security, or a senior executive, answer this question:

Do you believe that your directors have a sufficient understanding of the reality that is the organization: its culture and politics; the effectiveness of its people, systems and processes; its strategies; and whether risks to the achievement of its objectives and delivery of value to its stakeholders are being managed within acceptable tolerances?

If not, do you have an obligation to help educate the directors? What are you doing about it and is that sufficient?

Now let’s ask another question:

Do you believe that your top executives (including the CEO and CFO) have a sufficient understanding of the reality that is the organization: its culture and politics; the effectiveness of its people, systems and processes; and whether risks to the achievement of its objectives and delivery of value to its stakeholders are being managed within acceptable tolerances?

If not, do you have an obligation to help educate them? What are you doing about it and is that sufficient?

If the directors and/or top executives don’t understand reality the way you do, if their head is in the sand or in a more pungent place, shouldn’t your priority be to help them get their head on straight, pointed in the right direction? If they don’t understand the current state of the organization, shouldn’t the process of informing and educating them be fixed before trying to communicate new areas of concern?

I welcome your views and commentary.

Digital Transformation

December 14, 2013

I thoroughly enjoyed listening to an MIT Sloan video, “What Digital Transformation Means for Business”. It features executives from Intel, Avis (the president of Zipcar), a researcher into the topic from MIT, and a Capgemini consultant.

It’s about 45 minutes long, so allow yourself some quiet time and have a pad and pencil (or tablet) handy so you can take notes.

I found it inspiring to hear these influential leaders talk about the need for organizations to embrace disruptive technology (they mentioned cloud computing, ultramobile, advanced big data analytics, and social media).

They also emphasized that the risk of NOT embracing the technology of tomorrow, even when they are in the process of implementing the technology of today, is too great. It is critical to continue to watch and consider how the technology that appears on the horizon may affect the ability of the organization to excel.

I loved the story told by the Intel CIO of how she assigns her staff to work within the business to learn it, and then takes them back into IT so they can work on enhancing that business.

You should also listen to how Intel uses gamification to have a better handle on earnings forecasts. It was a great example of how gamification can be used as a technique for understanding and assessing risk. I have written separately about how an organization assessed risks to the success of a major software implementation by creating a stock market game around it. Individuals on the project team from IT and user departments, the consultants they engaged, and others with a stake in its success bought and sold fictional stock in the project. The stock price varied based on demand: when there was optimism, people bought stock and the price rose; when there was pessimism, people sold and the price dropped. The risk assessment considered the stock price and tried to understand why it moved.

Intel and Avis, together with Capgemini, talked about how much time executives were spending on digital transformation. Clearly, these companies (and I join them) expect leaders from the CEO on down to be spending a good amount of time looking at and considering the technology of today and tomorrow and how it can transform their business.

What do you think?

You might also consider this discussion on the battle between IT and the business for control over technology resources.

I close with my greetings to all for a healthy, prosperous, and joyous holiday season and new year.

Two new reports show improvement in and value from risk management

December 10, 2013

Accenture (Risk management for an era of greater uncertainty) and Aon (Risk maturity insight report) have published new and interesting reports on the practice of risk management.

The Aon report is based on a maturity model (see table below) that I think is interesting. It differs a little from the one I developed. It includes these key requirements for the top level: “process is dynamic and able to adapt to changing risk and varying business cycles; explicit consideration of risk and risk management in management decisions”. I prefer the language of the top level requirements in my model: “Risk discussion is embedded in strategic planning, capital allocation, and other processes and in daily decision-making. Early warning system to notify board and management to risks above established thresholds”.

Aon assesses maturity based on ten characteristics, broken down into 40 specific components. I think it would be useful for any organization to participate in the Aon study and assess where their risk management stands, especially compared to where they want it to be.

This is useful information for risk officers, senior executives, and the board. I think using a maturity model to assess and report on risk management is an excellent approach for internal auditors. It provides useful information without punishing risk officers who are still working to implement and upgrade the maturity of their program.

| Maturity Level | Description |
| --- | --- |
| Initial/Lacking | Component and associated activities are very limited in scope and may be implemented on an ad-hoc basis to address specific risks |
| Basic | Limited capabilities to identify, assess, manage and monitor risks |
| Defined | Sufficient capabilities to identify, measure, manage, report and monitor major risks; policies and techniques are defined and utilized (perhaps inconsistently) across the organization |
| Operational | Consistent ability to identify, measure, manage, report and monitor risks; consistent application of policies and techniques across the organization |
| Advanced | Well-developed ability to identify, measure, manage and monitor risks across the organization; process is dynamic and able to adapt to changing risk and varying business cycles; explicit consideration of risk and risk management in management decisions |

In their study of 361 publicly traded companies, Aon found that 3.3% were in Initial/Lacking, just 0.7% were in Advanced, and the majority (56%) were at or around Defined. 30.6% were above Defined and 50.6% were below.

Aon found a correlation between the maturity of risk management and the performance of their stock, based on an analysis of market data between March 2012 and March 2013. Comparing organizations with the highest (Advanced) maturity rating to those with the lowest (Initial/Lacking):

  • Share price grew 18% vs. a drop of 10%
  • Share price volatility was 38% lower
  • Return on equity was 37% compared to negative 11%

They also reported that “Our initial findings indicate a direct relationship between higher levels of Risk Maturity and the relative resilience of an organization’s stock price in response to significant risk events to the financial markets.”

This, I suggest, is useful information to share with executives and the board on the value of mature risk management.

You might reference an older report by Ernst & Young that had similar results, Managing Risk for Better Performance.

The Accenture report was based on a survey of 450 individuals, described in one place as “global risk professionals”, and in another as “C-level executives involved in risk management decisions.” The breakdown shows that 25% are CROs, 20% CEOs, 25% CFOs, and 22% are Chief Compliance Officers.

Here are some excerpts:

“The vast majority (98%) of surveyed respondents report an increase in the perceived importance of risk management at their organization. One phrase that resonated with us was “Action is not optional”. That is seen as true both for the broader organization and for the risk management function.”

“At one time, risk management in many organizations could be described by some as “the department that says no”. Today we would characterize risk management more as “the department that enables execution”.”

“The proportion of surveyed organizations having a CRO, either with or without the formal title, has risen from 78% in 2011 to a near-universal 96% in 2013.”

“We see risk management as being much more integrated and connected, playing a much larger role in decision-making across the organization—particularly in budgeting, investment/disinvestment, and strategy.”

“Survey respondents see risk management as enabling growth and innovation. In order to survive—and certainly to grow—every company should strive to innovate and move its business forward. Simply pushing forward without understanding and mitigating the risks ahead could ultimately lead to disaster in some form. To enable growth and innovation, effective and integrated risk management capabilities should be implemented early and throughout the process. And these capabilities are scarce – both within the companies we talked to in this research and also in the market at large. So risk management capabilities should be prioritized and focused on the things that matter to move the needle for the organization.”

However, Accenture warns that risk management in practice is still falling short:

“There appear to be large gaps between expectations of the risk management function’s role in meeting broader goals and its perceived performance—for every organizational goal we surveyed.”

The authors include four recommendations and a detailed analysis to support their findings.

One interesting section is where they describe “Risk Masters” (they have a “Risk Mastery” capability scale, like a maturity model) and what sets them apart.

“Risk Masters include risk considerations in the decision-making process across strategy, capital planning, and performance management. Masters also better integrate their risk organization into operations, establishing risk policies based on their organization’s appetite for risk. And they delineate processes for managing risks that are communicated across the enterprise. These activities are supported by robust analytic capabilities that reinforce efficient compliance processes and provide strategic insight.”

I encourage the reading and consideration of both reports, together with a discussion of where your risk management program falls.

Are you at the maturity level you want to be? Are you taking the steps to become more mature?

Can you achieve the benefits these studies report?

I welcome your views.