Boards Must Embrace Analytics & AI to Mitigate Risk

By Chuck Saia
November 9, 2018

Deloitte survey finds investments are falling short


Business leaders are viewing risk management through an innovative lens. In my conversations with C-suite and board members, cyber risk and brand and reputation risk are often at the top of their list of concerns.

A new Deloitte survey, “Illuminating a path forward on strategic risk,” shows nearly 100% of responding CEOs and board members say they expect to face threats or disruptions to their organizations’ growth prospects in the next two to three years. But the same survey finds investment in technology that aligns with strategy and engagement of senior management and board members is, in many cases, falling short.

Leaders must monitor a broader set of devices and technologies across an organization while analyzing data to understand what it means to their business.

And that means more reliance on analytics and artificial intelligence, moving beyond looking at the traffic occurring to making deductions around potential threats. Analytics provides the ability to be more predictive in what they’re seeing and what that might mean in future events.

A forward-looking cyber risk strategy should include investment in continuous innovations that address evolutions on many fronts:  the organization’s business ecosystem, technology changes and a more immediate threat landscape. If cyber risk capabilities aren’t continuously evolving, they’re destined to fall behind. It’s also highly useful to have well-established sponsors in IT and risk management as well as a tech-savvy board member well-versed on cyber risk management.

Confronting “Hacktivism”

We’ve seen many examples of this malicious cyber activity designed to promote a political agenda, religious belief or social ideology. This is known as “hacktivism” and it continues to be a growing cyber threat across the globe. Hacktivists have targeted everything from foreign governments and corporations to local police departments and hospitals.

Innovative products and tools can monitor, detect and defend against these and other cyberattacks. Existing tools can be enhanced by bringing them together and overlaying analytical monitoring on top to deliver more actionable and predictive results.

Determining the hacktivist’s motivation and intent is essential. Leaders need to know what hacktivists may target, why and what they’re attempting to achieve. They also need to know whether the hacktivist’s intent is to identify specific data and leak it to cause brand damage or to disrupt the business to punish it.

Having the ability to monitor network traffic helps leaders know who’s doing what, where, and how. It can identify what accounts have been hacked or whether insiders are colluding with hacktivists.

Extended Enterprise, Extended Risk

At a time when third parties are moving closer to the core of businesses, the potential for risk increases.

Vendors, affiliates and service providers that make up the extended enterprise can make or break an organization. We’ve seen news coverage about damaged corporate reputations, but in many cases, the cause often wasn’t the organization itself but an entity in the extended enterprise.

Some high-performing organizations are using advanced technology to analyze vendor behavior and trends to identify risks associated with procurement.

Some of the largest tech/retail companies in the world use risk sensing and predictive analytics to look for supplier trends in cross-risk domains to choose where they push their business. And other global retailers use tools to look at buyer/merchandiser activity to determine how the third-party financial and quality trends are collating.

Using a cross-risk model, third-party internal scoring can evaluate how a third party is performing and identify any risks to the organization. Organizations also may do their own scoring evaluation of third parties. Additionally, progressive organizations have started supplementing their internal evaluation with light and dark web risk-sensing information.

The key is to look predictively at how to understand whether a third party would subjectively expose an organization to risks. Many CEOs fail to hold extended enterprise to the same standards as their organization, according to the latest Deloitte survey of CEOs and board members. In fact, our data shows 62 percent of responding chief executives acknowledge their vendors’ policies and procedures are weaker than their own.

Extending an enterprise makes sense on many levels, but an innovative, forward-thinking mindset involves a strategic, centralized solution to manage the risks in a cost-effective and efficient manner. Meeting the challenge of developing programs to better manage their third-party risk can elevate an organization’s position in the market.

Harnessing the Power of Analytics

Risk is an ever-present and ever-evolving factor in an organization’s planning and strategy. More business leaders are seeing the upside of risk and taking advantage of it.

CEOs and board members can harness the power of analytics by performing an important oversight role in developing the processes, tools, and governance to help effectively harness and manage enterprise data assets. This can help them mitigate risk and drive operational excellence, new products and services, competitive agility and growth.

Senior-level direction with a view across the enterprise—rather than an approach cobbled together by siloed, mid-level managers—can improve the process and maximize its benefits. Boards should embrace a shift in thinking that takes analytics beyond flagging potential compliance issues to an approach where analytical insights broaden the understanding to encompass reputational risks as well as opportunities to grow within and beyond current markets.

I’ve seen examples of a board asking questions of management about third-party risks and getting different answers from different executives. What directors need is a cohesive line-of-sight into those risks across the organization and a program to identify, track, assess and mitigate them.

Additionally, the CEO or a designate should be tasked with overseeing third-party risk across the enterprise with the help of analytics and streamlined risk assessment that cultivates a holistic awareness and understanding.

The Final Word

In the examples of hacktivism and extended enterprise risk management, risk is embedded with strategy. Data collected by cutting-edge tools and services is informing leaders in the C-suite and board. When organizations disrupt through innovation, risk becomes a discipline that not only protects value, but one that has the potential to accelerate performance. It’s an approach that strengthens reputational resiliency.

And that’s good because reputation is one of an organization’s most valuable assets.

Chuck Saia is CEO of Deloitte Risk and Financial Advisory.