This was a challenge that Kirsty Rutter was given and reflected on at the last Xactium Breakfast briefing. It was both an entertaining account of her roller coaster ride and an insightful view of how to go about undertaking such a task.
Risk Managers often complain that their discipline and the information they provide isn’t valued by executive boards, whilst conversely, the new COSO risk framework suggests that risk information should be a centre of corporate decision making. But how can you square the circle and get executive management to take risk information seriously?
Kirsty’s opening words set the scene: “In Financial Services we have a legacy of market-driven investment, but a neglect for integration in the design, and rather than starting afresh we bolt new services on top of old. In addition, market consolidation and acquisition has often meant that systems never get fully integrated.”
“At the same time as regulators are increasing their demands, margins are shrinking, technology is evolving faster than we can keep up and our culture and reputation have been mangled by a financial crisis, conduct scandals and public mistrust. We need to connect culture, business success and technology, to be on the front foot with regard to innovation rather than continually struggling to catch up.”
Data, and the insight it can create, is the key ingredient for demonstrating the value of risk management. All organisations create huge quantities of often siloed data that could, if connected, create impactful and useful information that would actually inform decision making. Risk management collects information from silos across the business, so it should be well placed to bring that information together to create a connected view of risks, opportunities and the effects of one incident on another.
In Kirsty’s case, she found that there was a significant connection between incidents within IT and revenue effects observed in the business. In fact, the business was able to predict the revenue impact of an IT incident and its timing, which often occurred several weeks later.
But where do you start? Kirsty reflected on the lessons she learnt on her route to that result.
One – choose something that is both achievable and will have a big impact
To win senior level support, a project needs to have relatively quick and tangible results.
“‘Big data’ is all the rage, but is often based on a mistaken belief that you can take a mass of data and put it through a magic data grinder and answers will pop out. In reality, gaining tangible results from this approach within a reasonable time frame is an unobtainable dream.” So instead of looking holistically at the data for a pattern to emerge, choose a problem that the organisation really cares about, such as “is there a link between IT incidents and business incidents?”. Start with a hypothesis and work from there.
Two – “data isn’t fit for purpose”
Departmental data is often not fit for purpose when trying to connect it with other data sets in the business. One significant cause is that nobody appreciates, when entering data, just how valuable it can be. No one has ever bothered to demonstrate this to them. But with some additional education, training and coaching this situation can change rapidly. When people are included and brought into the programme, they become far more engaged and supportive. Data starts to become useful.
Three – get a sponsor to overcome departmental politics
If you want to gain access to data, you will rub up against political brick walls, and you will need a good sponsor to ensure these can be broken down. Your choice of sponsor is really crucial; they need to appreciate what you are trying to do, accept that results aren’t instant and give you permission to fail in the early stages. They need to be willing to champion your cause and educate (silence) the resistant peers. All in addition to providing funding.
Four – skunkworks to scope it out
You may want to run an initial “undercover” project to determine the scope of what might be possible before approaching a sponsor. Look for friends around the business who can help in the initial stages, to understand what can be achieved and the likely challenges before you go public.
Risk management data and the insight it can provide is the key to getting senior executives to appreciate the need for it to be used in decision making. This means that any report or analysis that is presented to a board or executive team must pass the “so what test”. As Kirsty put it: “what decisions can we make from the information you have just given us”. Given the mindset of senior level leadership teams, a four by four heat map of risks doesn’t cut it. But providing some degree of predictive narrative, such as “these [IT] incidents are likely to have these revenue effects [here] next month”, moves the dial closer to where it needs to be.