Risk scoring: bringing structure to quantified risk

Posted by Kristina King 13.05.21

It goes without saying that financial services firms can’t deal with every risk that comes their way. Fortunately, that’s not necessary either. What’s more important is that firms have the capacity to quantify and score risk so that they can act on the most significant issues quickly and effectively.

Quantification enables FSOs to divert their time and attention toward the risks most likely to impact their business. They can use this information to set a benchmark for data protection, allocate resources accordingly, and improve their regulatory compliance.

Of course, the quantification of risk also enhances firms’ ability to justify their data management practices to regulators. Equipped with a greater understanding of the risks they face, and the ones most likely to present a threat, firms can build strategies that reflect this information and put regulator concerns to rest.

Proximity, likelihood, and severity are just some of the factors that need to be considered when quantifying risk. So, it’s no wonder data management platforms are becoming increasingly popular. And with a selection of financial firms operating across international jurisdictions and regulations, allocating the right data to the right process is becoming more complex.

More frequently, we’re seeing data sets shared with third parties, especially during the pandemic, without adequate systems in place to protect them. Information is made temporarily available and not properly locked down after the necessary period, leaving firms vulnerable to threats.

Lifting the veil

Some of the most common compliance risks stem from firms misunderstanding the purpose of their data. FSOs should be asking themselves the following questions on a regular basis: why are we keeping this data? Can we justify it to regulators? Do we understand the extent of what we’re retaining? Firms that can’t answer those questions properly can’t protect their data.

FSOs also tend to create more work for themselves than necessary. Beyond the relevance of data, the duplication of it can be equally problematic. Firms can find themselves making decisions based on duplicated data, which threatens their ability to provide accurate reports, and increases the likelihood of misleading and inaccurate conclusions.

When data is inaccurate or incomplete, it loses value for firms hoping to derive critical insights. Opportunities are lost, and compliance risks heightened. Of course, data deemed valuable by one department may be irrelevant for another. Firms need a cross-organisational approach to the quantification of data, so it’s important they use a risk management platform that can map the entirety of their unstructured data.

Externally, regulators and consumers expect transparency. There’s a big onus on firms not to misuse personal data. Think about how irritating it is to get added to a mailing list you didn’t sign up for. An increasing number of fines are being tied to a lack of adequate controls and oversight from senior management.

With a risk score, firms can see what they need to act on immediately to avoid regulator intervention. They can implement systems and protocols that help them demonstrate control, and ensure their operations are always compliant. Silos create further opportunities for fragmented and disjointed datasets. This framework has to come from the overarching management team and filter down through the business.

Risk scoring can act as a guiding light for internal systems, showing compliance professionals a clearer path to data protection and security. In the coming months, the FCA is moving towards a data-driven approach. One day, regulators will do their own analyses via open APIs. Firms won’t want to be in a situation where the regulator knows more about their business than they do.

Increasingly, FSOs are facing service sanctions for the improper management of their data. Coupled with the threat of reputational damage, unquantified risk can penetrate through the business and unleash a whole host of obstacles for firms.

Implementing a platform like hivera, with quantifying and risk scoring capabilities, provides firms with proof of progress. FSOs can point regulators to evidence in their unstructured data and articulate their good governance measures. It’s a bit like having an insurance policy in place for your unstructured data.

Scores on the compliance doors

Beyond a great menu, there’s one thing we all look for when choosing a restaurant. Without realising, most of us check the scores on the doors to make sure we’re eating somewhere with high food health and safety standards.

And if you think about it, this isn’t the only instance where we rely on scores and ratings to guide our decisions. Would you prefer to stay in a 2-star hotel, or a 5-star resort? If you’re in the market for a new home, would an energy efficiency rating of E put you off? The same is true for risk scoring in the finance industry.

Firms can choose to only work with partners above a certain risk score, and reassure customers that high standards of data protection are always in place. Risk is inevitable, and so are data breaches. Firms that successfully prevent and manage risk have company-wide policies that are consistently acted on, reviewed, and adjusted to meet changing standards.

The approach should be holistic and cross-departmental. Scoring risk enables firms to see the status of their whole business and make decisions that decrease their score and ensure protection for sensitive information. Data security is entirely dependent on knowing exactly where the data is, and who it is with, at any given time.

When firms use a data management tool like hivera to quantify and score their data, they demonstrate control and proactivity to regulators, customers, and investors. Moreover, for the first time ever you can visualise the risk in your unstructured data with a tangible figure, calibrated to your firm’s risk appetite. Reflecting on the past 12 months, a multitude of companies have clutched at cloud native systems to keep their business up and running, without matching their data management systems to this ecosystem.

The question is, how are they controlling this new environment? Are they seeing it clearly, particularly in larger firms where (data) risk is multiplied? What’s easier than having a numerical score that tells you exactly where you stand?