Using Data to Drive Intelligent Risk Management
CUs can better protect their systems from cyber threats by using data generated through their interactions with the outside world.
As credit unions continue their data maturity journey and strive to become more data-centric organizations, a key area of business that is often left un-transformed is risk management. Instead of using institution-specific data to augment risk management strategies, credit unions all too often rely solely on qualitative past experiences or industry trends. A credit union can develop more secure processes and do more to protect its systems from cyber threats by using data generated through its interactions with the outside world.
New database and relationship mapping technologies, which are readily applied in operational and strategic analysis, can be used to improve and optimize a credit union’s risk profile. Data-driven risk mitigation strategies can deliver dynamic and effective risk postures that increase the soundness of the credit union without introducing friction into member experiences. As lines of business that focus on remote interaction continue to become more business critical, data and analytics will play a critical role in the development of more advanced risk management strategies. This is necessary to protect the institution’s increasing number of access points. Data plays a part in five major arcs of the risk management story:
- Establishing context: Understanding the scope, impact and environment of a given piece of information is important in developing effective risk mitigation models.
- Identification of accepted risks: Using data, supported by context, enables a true risk evaluation to happen. Creating processes and protocols around data means that analysis of past situations can be used in conjunction with contemporary and future threat recognition and planning.
- Risk evaluation: Once threats are identified, big data tools can create precise, targeted analysis and provide deeper evaluations that pinpoint the actual high-risk areas. Being able to identify the true source of risks allows for more targeted risk management policies that meet standards without restricting information flow unnecessarily or inhibiting innovation.
- Monitoring/control: While data-informed policies can create institution-specific, tailored defenses, leveraging analytics can also make the monitoring of risks and areas of known exposure more efficient. Data clarity tools can create uniform streams of information that are more responsive to monitoring controls, allowing risk managers to oversee more data in more detail and avert potential threats without overloading risk management professionals.
- Reporting/mitigation: Of course, one of the best uses of data is enhanced reporting and actionable insight. These benefits are also available to risk management teams. Risk reporting, notoriously one of the most overlooked intrusion countermeasures, can be greatly enhanced with the use of data management tools. Risk reporting using data can also graduate from simply informational to actionable. Using data to suggest control and mitigation strategies that are in line with known context can allow decisions to be made faster and information to be more easily digested at all levels of the organization.
The new world of big data means that there is more information that’s more widely available than ever before, and risk management must take advantage of it. This new wealth of information demands that risk managers constantly review and forecast risk model performance while becoming more interconnected to the data-producing processes themselves. As data becomes a critical component of effective risk management, efficient data analysis becomes a foundational skill of a good risk manager.
Clean, usable information is the must-have asset when deploying a data-centric risk management strategy, and data collection is its first fundamental step. Information must reach the decision makers in an understandable, explorable and contextually accurate format in near real-time. Good data can make up for substandard analytical processes, but even the best analysis and analytical tools will never be able to overcome the deficit presented by dirty data or poor collection practices.
Managing data and preparing it for impactful analytics is a specific, precise process in and of itself – and targeting, preparing and managing data for risk management is an even more specialized practice. The steps a risk management team can take to incorporate big data in risk assessment start with determining risks. Determining risks is done by ascertaining and documenting where the required data is stored, whether it will be affected by the new process, and the who/how/why of the data handling. As with all processes that are being improved by the introduction of more data, it is important to set priorities based on the dollar and likelihood calculations of the risk.
The second step is identifying the Key Risk Indicators (KRIs), which will largely be influenced by the type of data contained in the targeted process. Data categorization and data classification by sensitivity is a further iteration of establishing KRIs. Carrying out the actual risk assessment may be the phase most influenced by the introduction of institution-specific rules engines, algorithms and potentially even machine learning. Risk assessments should focus on scanning data and reporting relevant discoveries quickly and in a digestible format; the actual risk reports should also follow suit to support – and be in context of – the overall risk management strategies for the credit union.
Big data and analytics are gradually becoming commonplace in the daily operations of credit unions. Using information to drive action and make risk management accessible, responsive and efficient is less common. As data becomes more accessible and more usable, the future of leveraging technology to improve risk management will evolve as well. Risk managers who use data are exposed to a world of complex analyses containing previously unobservable patterns, pre-attack indicators and intricate relationships that support more advanced, behavior-based cybersecurity. These evolutions will make for faster responses, more accurate analysis, more secure member information and a better protected financial institution.
Ray K. Ragan, PMP is the co-founder of Clear Core, a data cleaning and transformation provider focusing on increasing the value and accessibility of data for financial institutions, in Tucson, Ariz.
Timothy “Buck” Strasser is the founder of Clear Core in Tucson, Ariz.