Author: Philipp Kiencke

Data-based risk management

In this blog post I will show you how you can objectify and automate risk assessment within your company by linking it with data analyses.

Risk management has always been a key element of a company’s management process. Risks are identified and assessed, measures are taken to mitigate them, and new assessments are performed at regular intervals. This process is present in many companies. Risk assessment is often based on the professional judgement of one or more managers. But why should it always be individuals who have to re-assess risks when data can supply far more objective criteria? With its autumn 2017 release, ACL GRC prepared the way for data-driven risk management. I will now explain the Assessment Drivers (“key assessment factors”) and the associated benefits in more detail.

The process involves an interaction between data analytics results and risks which are assessed at company level as part of ERM (Enterprise Risk Management). The following diagram gives an overview of the architecture of the components and their interaction.

Assessing risks manually

To emphasise the benefits of data-driven risk assessment, I will briefly explain how risks can be assessed manually or with the help of a risk workshop.

Regardless of which manual method you choose, you first need to create a new risk and then assign this risk to your business processes. Once you have done this, the associated entities are automatically linked.

You can now assess your risks manually for each entity.

If you don't wish to do this yourself, you can also create a risk workshop. The participants then receive an automatically generated email. All participants can use a link in the email to take part in the risk workshop and assess the risks manually.

Once all participants have responded, the average of the assessments is calculated and you can then incorporate this into your risk profile.

So much for the manual method. But how can data analytics be used to support this process? I will now outline “Assessment Drivers” in more detail.


In summary, the process is as follows:

  1. Create database
  2. Analyse data, create and automate Assessment Drivers
  3. Link with risk management and set weighting
  4. Administer notifications (where applicable)


1. Create database

To be able to base your risks on data, you first need a database. Creating such a database can take different forms and depends very much on what type of data you want to use. The results module in ACL™ GRC offers different options here.

You can, for example, automatically load recurring analytics results from your monthly CCM run into the data container. This ensures you always have up-to-date data which can be used as a basis for your metrics and hence also for your risk assessments.

You can also load data into the results module directly from your ERP or CRM systems. This gives you, for example, an up-to-date overview of leads and opportunities which you can use as a basis to build on in Enterprise Risk Management.

As ACL™ GRC allows different data formats for the upload, this gives you flexibility when making the data you require available.



2. Data analytics and Assessment Drivers

With ACL, Assessment Drivers are metrics which are used for risk assessment. They are thus performance indicators which are derived from data (or, to put it more simply, they are analytics results). Let’s now take a look at the “results module” to see how metrics can be added with ACL.

Let's first look at our data collection. The analysed data are uploaded here. Click on “Display metrics” to display existing metrics or to create new ones. Click on “New” to add a new metric.

In the example shown, we want to display the average salary of our employees as a metric. We select the field which is to be used to generate the metric. We then define the type of metric and save it. The metric is now available and can be used for different purposes, such as storyboards.


3. Data-based risk assessment

As already seen in the manual analysis example, company-wide risk management is mapped in the “strategy module”. This module can be used to enter and administer your risks.

We have added “top talent loss” as a new risk for our example. Replacing well-trained specialist employees is extremely difficult and always involves high costs. Losing such expertise should therefore be avoided as far as possible. Assuming that the probability of occurrence for this risk depends on the average income of our employees, we can use the metric we created to automatically map the probability of occurrence.

We must first assign a metric to the risk. To do this, we enter risk administration, click on the “metrics” tab and then select our metric “salary average”. We then close the risk assessment and navigate to settings. This includes the tab “Key assessment factors”. We add a new factor here.

The risk assessment thresholds (i.e. the points from which the risk would, based on the metric, be assessed as low, medium or high) can be added manually. If we save this factor and at the same time activate the assessment factor, it becomes valid. If new data are subsequently uploaded and the metric changes, the probability of occurrence will also change.
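The threshold logic described above can be sketched as follows. This is an added illustration, not ACL GRC code or its API: the class and function names, the threshold values, the sample uploads and the assumption that a lower average salary means a higher probability of occurrence are all hypothetical.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class AssessmentDriver:
    """Hypothetical stand-in for an assessment factor: metric -> likelihood rating."""
    medium_below: float  # metric under this value is rated at least "medium"
    high_below: float    # metric under this value is rated "high"

    def __post_init__(self):
        # Assumed direction: a lower average salary means a higher likelihood.
        if self.high_below > self.medium_below:
            raise ValueError("high_below must not exceed medium_below")

    def rate(self, metric):
        if metric is None:          # no usable data: do not default to "low"
            return "unrated"
        if metric < self.high_below:
            return "high"
        if metric < self.medium_below:
            return "medium"
        return "low"


def salary_average(rows):
    """The 'salary average' metric; rows without a salary value are skipped."""
    salaries = [r["salary"] for r in rows if r.get("salary") is not None]
    return mean(salaries) if salaries else None


def assess(rows, driver):
    """Recompute the metric from the current upload and rate the linked risk."""
    metric = salary_average(rows)
    return metric, driver.rate(metric)


# Constructed sample uploads (not real data); thresholds are assumed values.
DRIVER = AssessmentDriver(medium_below=60000, high_below=50000)
FIRST_UPLOAD = [{"id": "E1", "salary": 52000}, {"id": "E2", "salary": 61000},
                {"id": "E3", "salary": 58000}]
SECOND_UPLOAD = [{"id": "E1", "salary": 52000}, {"id": "E4", "salary": 30000},
                 {"id": "E5", "salary": 41000}, {"id": "E6", "salary": None}]

if __name__ == "__main__":
    for name, rows in (("first", FIRST_UPLOAD), ("second", SECOND_UPLOAD), ("empty", [])):
        print(name, assess(rows, DRIVER))
```

An empty or unusable upload yields "unrated" rather than "low", so a failed data load cannot silently lower the assessed risk.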


ACL™ refers to its solution as “data-driven GRC”. This becomes especially apparent in the context of Assessment Drivers. Data provide a highly objective, well-founded basis for decision-making. The knowledge that can be drawn from analysing data should be used as much as possible. Data analyses are only of benefit if their results are actually used. Assessment Drivers make it possible to automatically incorporate results of data analyses into your company's risk assessment process and thus ensure a sound basis for your assessments. Moreover, your risks, which are automatically evaluated, are always kept up to date. As soon as a metric changes, this affects the linked risk. This real-time assessment offers a clear advantage over traditional processes where risks are usually only appraised at regular intervals, with the result that short-term changes are not included in risk management. You also save time as you don’t have to organise any risk workshops.
