Controls exist to address risks, minimize surprises and pitfalls, and help an organization achieve its objectives.
Many risks happen every day, but are inconsequential. Others are a big deal. With so many controls and so many areas of an organization, it’s only logical that you should look at the ones that can bite you. In other words, look at the risks that have a high impact on the organization and/or a high probability of occurring.
The challenge is that “impact” and “probability” are highly subjective. Ask three different people and they’ll have three different opinions. Analytics can help to quantify risk, and help eliminate the subjectivity around topics like “likelihood” and “impact.” By analyzing 100% of the data, you can quantify this risk in a way that wasn’t possible before.
In fact, you can eliminate the subjectivity of the “how likely is this?” conversation by saying “last year this happened X% of the time.” And in some cases you can quantify the bottom line impact with “given both the direct costs of this type of error and the indirect costs of fixing it, the cost is roughly $XXX,XXX.” Analytics can help make a low/medium/high determination.
This doesn’t apply to all risks (e.g., risks that have not impacted you but may in the future, such as the likelihood of a water shortage in a key supplier region). But, where possible, analytics can be used to supplement the subjectivity of the risk assessment process, and add facts to areas where you also need to make educated guesses.
A real-world example of how data helps remove subjectivity
Acme Inc. had quite a few people with active IDs in their SAP financial reporting system who were no longer employed with the organization—a risk that many organizations face. According to Acme, the risk was low, because it:
- took people’s swipe cards when they left, so they couldn’t enter the building
- removed people’s network access, so they couldn’t log in to access SAP.
However, Acme’s external audit firm argued that the risk was high because people could have potentially shared passwords and could possibly remotely access the system. Acme and their external auditors could have spent weeks debating and not gotten anywhere, because both of the risk arguments were based on subjective assumptions. Instead, using a fairly simple set of analytics, they were able to quantify the exposure in a way that no one could argue with.
First, they ran a test to see, of the former employees that still had access to SAP, if there were any IDs that were used after the date of employment termination (which tells us the “likelihood” of this risk). Second, they also were able to look at the activities undertaken by those IDs (which tells us the “impact” of this risk). Now they could talk facts instead of assumptions, and agree together upon an appropriate course of action.