January 25, 2022
Data-Informed Risk Management May Just be a DREAM
A risk forecasting solution
Corporate privacy and compliance risk professionals routinely face a seemingly impossible task: reliably forecasting business risk for a potential future event such as a data breach or regulatory investigation. Those who prognosticate risk for a living sometimes feel as if they are crystal ball gazing, attempting to divine a foggy future with insufficient information from which to extrapolate potential outcomes.
On its face, risk management is straightforward. Risk is a combination of the total impact to an organization of a potential negative event, e.g., a regulatory investigation and fine, and the likelihood that the negative event will occur.
Risk = Impact x Likelihood
Simple, right? Not really. It’s easy to calculate risk once you know the impact and likelihood, but how do you evaluate those inputs? Most of the models and assessments that purport to inform both impact and likelihood are subjective rather than grounded in benchmarked data. With potential risks in the multiple millions of dollars, using static, old-fashioned subjective risk scoring is neither reliable nor prudent.
BRG’s privacy and information compliance team is certain that, with all the publicly available information at our disposal and the expertise of the GAT team, we can do better. To that end, we have partnered with GAT to build DREAM, a tool that makes information risk forecasting and mapping less subjective and more data-driven. The idea is simple. DREAM combines client questionnaires, public data, and expert analysis, runs a series of regressions over those inputs, and produces a data-informed risk score together with actionable, individualized mitigation recommendations for bringing that score down to an acceptable range.
DREAM allows clients and the BRG expert team to visualize the effect of multiple individualized variables on the total risk score. It breaks the public-data-informed score down by factors such as industry, prior compliance investigations, market share, geographic area, applicable laws, governance maturity, and the amount and sensitivity of the data the client processes.
DREAM goes beyond simply analyzing and modeling public data by incorporating insights from our team of privacy and information compliance experts. This BRG team’s expertise is based on our current market experience gleaned from discussions with regulators around the world (we are a registered Data Protection Officer, or DPO, in numerous countries), guidance documentation, the experience of similar clients or use cases, industry trends and best practices, and pending or trending legislation. The result is a much more comprehensive risk score that is both driven by data and informed by experts.
Using DREAM, clients can click through various visualizations to see what attributes drive their risk score. Is the risk inherent to the type of data the client processes (such as genetic or biometric data) or does it derive from transferring personal or trade secret data internationally? Is a client’s risk higher than average due to a unique regulatory situation, such as a consent decree or corporate integrity agreement, that increases the likelihood of government scrutiny? Is a client’s risk temporarily increased by a unique, time-limited scenario like mass onsite COVID testing? DREAM lets stakeholders visualize the effect of each variable on total risk, so they can see clearly and completely how business practices and contextual factors drive it.
The ability to drill down to the factors that drive risk gives risk professionals the data to provide factual, thorough answers to tough questions from internal stakeholders and board members about the risk impact of proposed business plans. DREAM goes a step further and provides customized recommendations for mitigation strategies so that risk professionals can focus these discussions on solutions to help their business.
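The scoring pipeline the post describes, reduced to its mechanics as an added Python example (illustrative code written for this page, not DREAM's code, data or model): a logistic regression fitted to a constructed benchmark of peer organizations supplies the likelihood term of Risk = Impact x Likelihood, the fitted weights are broken down into per-factor contributions (the drill-down), and each modifiable factor is re-scored to rank mitigations by the expected loss they remove. The feature set, the benchmark rows, the client profile and the impact figure are all assumptions constructed for the example.

```python
import math

# Constructed benchmark of peer organizations (hypothetical sample data, not
# DREAM's data or model). Feature order matches FEATURES; the label records
# whether the organization faced a regulatory investigation.
FEATURES = ["sensitive_data", "intl_transfer", "prior_investigation", "governance_gap"]
# Factors a client can change; context such as a prior investigation cannot be undone.
MODIFIABLE = {"sensitive_data", "intl_transfer", "governance_gap"}
BENCHMARK = [
    ([1, 1, 1, 0.8], 1), ([1, 1, 0, 0.6], 1), ([1, 0, 1, 0.7], 1),
    ([0, 1, 1, 0.9], 1), ([1, 0, 0, 0.5], 1), ([0, 1, 0, 0.8], 1),
    ([0, 0, 0, 0.2], 0), ([0, 0, 0, 0.3], 0), ([1, 0, 0, 0.1], 0),
    ([0, 1, 0, 0.2], 0), ([0, 0, 1, 0.4], 1), ([0, 0, 0, 0.9], 1),
]


def sigmoid(z):
    z = max(-500.0, min(500.0, z))  # guard math.exp against overflow
    return 1.0 / (1.0 + math.exp(-z))


def fit_logistic(rows, lr=0.5, epochs=3000, l2=0.005):
    """Logistic regression by batch gradient descent. The small L2 penalty keeps
    the weights finite even when the sample happens to be linearly separable."""
    n = len(rows[0][0])
    w, b = [0.0] * n, 0.0
    m = len(rows)
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * n, 0.0
        for x, y in rows:
            err = sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            grad_b += err
            for j in range(n):
                grad_w[j] += err * x[j]
        b -= lr * grad_b / m
        for j in range(n):
            w[j] -= lr * (grad_w[j] / m + l2 * w[j])
    return w, b


def likelihood(model, x):
    """Benchmark-informed probability of the negative event for profile x."""
    w, b = model
    return sigmoid(b + sum(wi * xi for wi, xi in zip(w, x)))


def risk_score(model, x, impact):
    """Risk = Impact x Likelihood, with the likelihood taken from the fitted
    model rather than from a subjective rating."""
    return impact * likelihood(model, x)


def factor_contributions(model, x):
    """Each factor's contribution to the log-odds: what is driving the score."""
    w, _ = model
    return {name: wi * xi for name, wi, xi in zip(FEATURES, w, x)}


def mitigation_options(model, x, impact):
    """Re-score the client with each modifiable factor improved and rank the
    options by how much expected loss they remove."""
    base = risk_score(model, x, impact)
    options = []
    for j, name in enumerate(FEATURES):
        if name not in MODIFIABLE:
            continue
        improved = list(x)
        # Binary factors are switched off; the governance gap is narrowed by 0.3.
        improved[j] = max(0.0, x[j] - 0.3) if name == "governance_gap" else 0
        if improved[j] == x[j]:
            continue  # nothing to improve for this client
        options.append((name, base - risk_score(model, improved, impact)))
    options.sort(key=lambda item: item[1], reverse=True)
    return options


if __name__ == "__main__":
    model = fit_logistic(BENCHMARK)
    client = [1, 1, 0, 0.7]   # constructed questionnaire answers for one client
    impact = 4_000_000        # constructed impact estimate in dollars
    print("likelihood:", round(likelihood(model, client), 3))
    print("risk score:", round(risk_score(model, client, impact)))
    for name, contribution in factor_contributions(model, client).items():
        print(f"  {name:<20} log-odds {contribution:+.2f}")
    for name, reduction in mitigation_options(model, client, impact):
        print(f"  improve {name:<20} removes {reduction:,.0f} of expected loss")
```

Two caveats carry over to any real deployment of this pattern: the likelihood is only as credible as the benchmark behind it (twelve constructed rows here), and context factors such as a prior investigation belong in the score but not in the recommendations, which is why the example keeps a separate list of modifiable factors.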
This ability to contextualize risk also allows companies to identify low-hanging fruit and take advantage of lower-cost, quick solutions first while planning longer-term remedial actions. It also allows companies to make more informed decisions about where to most effectively invest in measures to reduce risk across their information ecosystems.
DREAM marries empirical data and expert advice to help clients maximize their resources to reduce information-related risk.
The opinions expressed in this blog are those of the individual authors and do not represent the opinions of BRG or its other employees and affiliates. The information provided in this blog is not intended to and does not render legal, accounting, tax, or other professional advice or services, and no client relationship is established with BRG by making any information available in this publication, or from you transmitting an email or other message to us. None of the information contained herein should be used as a substitute for consultation with competent advisors.