Get a clearer picture of cyber risk. Discover a better way to understand risk in a complex, connected world.
In an ultra-fast-moving, hyper-connected world, we need a new way to assess risk. A new methodology from KPMG examines velocity and contagion, alongside probability and severity, to build a more accurate view.
We know far more about risk now than we did before the financial crisis. At a macro level, people place less trust in the efficiency of markets and behavioural science has moved centre stage. There is also widespread agreement that historic models have often failed to see how individual risks can combine to create systemic threats.
Companies also now realise that models based purely on statistical assumptions can only go so far in predicting how risks may spread, adapt and cluster. Thanks to the universal connectivity technology has delivered, we are all operating in a complex and extremely fast-moving environment.
Against this background, KPMG has developed a new approach to quantifying risk: Dynamic Risk Assessment (DRA). DRA is empirical, drawing on a range of sciences to give business leaders a holistic view of risk. As well as assessing a risk's probability and severity, DRA examines two further dimensions: velocity (how quickly the risk materialises once triggered, and so how short the window for mitigation is) and contagion (how likely the risk is to trigger other risks).
The aim is not to replace existing risk management approaches, but to enhance them. Unlike conventional models, DRA does not rely on historic data to make predictions about the future. Instead, it captures the judgement of relevant experts through expert elicitation, a structured technique used in many scientific fields to estimate rare events. The structure is designed to reduce bias and 'groupthink': each expert's view is recorded as a separate data point rather than negotiated into a consensus. The result is a more accurate and relevant assessment of risk than any one individual can generate.
The next step is to use network analysis, a branch of graph theory, to interrogate those expert views and present them as a network of risks linked by their contagion paths (KPMG refers to this as a neural network; in graph-theory terms it is a weighted directed graph of risks, not a neural network in the machine-learning sense). This enables CROs and other risk leaders to grasp the views of a diverse expert group in a new and intuitive way.
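To make the pipeline above concrete (elicit each expert's view as a data point, aggregate, build the risk network, rank), here is a small worked example. It is an added illustration written for this page, not KPMG's DRA implementation: the 0..1 probability scale, 1..5 severity scale, mitigation window in hours, median aggregation, disagreement threshold and noisy-OR cascade model are all this example's own assumptions, and the expert scores and contagion links are constructed data.

```python
"""Toy dynamic-risk-assessment pipeline: expert elicitation -> risk network -> ranking.

Added example, not KPMG's DRA code. Scales, aggregation rule, cascade model
and all data below are assumptions constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed elicitation: every expert's view is kept as its own data point.
# p = probability of the risk materialising in the assessment period (0..1),
# sev = severity on a 1..5 scale, hours = mitigation window (velocity).
ELICITATION = {
    "data_theft":      [{"p": 0.6, "sev": 4, "hours": 12},  {"p": 0.7, "sev": 5, "hours": 8},   {"p": 0.5, "sev": 4, "hours": 24}],
    "regulatory_fine": [{"p": 0.1, "sev": 4, "hours": 720}, {"p": 0.2, "sev": 5, "hours": 480}, {"p": 0.1, "sev": 4, "hours": 720}],
    "reputation":      [{"p": 0.2, "sev": 3, "hours": 48},  {"p": 0.3, "sev": 4, "hours": 24},  {"p": 0.9, "sev": 3, "hours": 72}],
    "service_outage":  [{"p": 0.4, "sev": 2, "hours": 4},   {"p": 0.5, "sev": 3, "hours": 6},   {"p": 0.4, "sev": 2, "hours": 4}],
}

# Constructed contagion views: per expert, P(target triggered | source occurs).
CONTAGION = {
    ("data_theft", "regulatory_fine"): [0.8, 0.9, 0.7],
    ("data_theft", "reputation"):      [0.6, 0.5, 0.7],
    ("regulatory_fine", "reputation"): [0.5, 0.4, 0.5],
    ("service_outage", "reputation"):  [0.2, 0.3, 0.2],
}

# Assumption: a probability spread wider than this across experts means the
# elicitation should be revisited rather than silently averaged away.
DISAGREEMENT_THRESHOLD = 0.3


def aggregate(elicitation):
    """Median per dimension: robust to a single outlying expert."""
    return {
        risk: {
            "p": median(v["p"] for v in views),
            "sev": median(v["sev"] for v in views),
            "hours": median(v["hours"] for v in views),
        }
        for risk, views in elicitation.items()
    }


def disagreements(elicitation, threshold=DISAGREEMENT_THRESHOLD):
    """Risks whose probability estimates spread more than `threshold` across experts."""
    return sorted(
        risk for risk, views in elicitation.items()
        if max(v["p"] for v in views) - min(v["p"] for v in views) > threshold
    )


def build_network(contagion):
    """Weighted directed graph: source -> {target: median conditional probability}."""
    graph = defaultdict(dict)
    for (src, dst), views in contagion.items():
        graph[src][dst] = median(views)
    return graph


def cascade_probabilities(graph, start):
    """P(start cascades to each other risk), combining all simple paths with
    noisy-OR (paths treated as independent: an approximation). The visited set
    restricts the walk to simple paths, so cycles cannot loop."""
    path_probs = defaultdict(list)

    def walk(node, prob, visited):
        for nxt, weight in graph.get(node, {}).items():
            if nxt in visited:
                continue
            path_probs[nxt].append(prob * weight)
            walk(nxt, prob * weight, visited | {nxt})

    walk(start, 1.0, {start})
    result = {}
    for node, probs in path_probs.items():
        miss = 1.0
        for pp in probs:
            miss *= 1.0 - pp
        result[node] = 1.0 - miss
    return result


def rank_risks(elicitation, contagion):
    """Rank risks by expected total impact including contagion; ties go to the
    risk with the shorter mitigation window (velocity)."""
    agg = aggregate(elicitation)
    graph = build_network(contagion)
    rows = []
    for risk, s in agg.items():
        cascade = cascade_probabilities(graph, risk)
        downstream = sum(pr * agg[target]["sev"] for target, pr in cascade.items())
        rows.append({
            "risk": risk,
            "p": s["p"],
            "severity": s["sev"],
            "mitigation_hours": s["hours"],
            "downstream_impact": round(downstream, 3),
            "expected_impact": round(s["p"] * (s["sev"] + downstream), 3),
        })
    rows.sort(key=lambda r: (-r["expected_impact"], r["mitigation_hours"]))
    return rows


if __name__ == "__main__":
    for row in rank_risks(ELICITATION, CONTAGION):
        print(row)
    print("re-elicit (experts disagree):", disagreements(ELICITATION))
```

In the constructed data, data theft ranks first not only because of its own severity but because its contagion paths reach the regulatory fine directly and the reputational risk both directly and via the fine; the reputational risk is also flagged for re-elicitation because one expert rated it far more likely than the others, which is exactly the disagreement a median would otherwise hide.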
DRA is well suited to managing cyber risk. Historic data about cyber incidents is limited and, for commercial reasons, rarely disclosed, which undermines purely statistical models. DRA's focus on velocity and contagion is particularly valuable when modelling cyber events: they unfold within a 'mitigation window' that is often measured in hours, and they readily trigger reputational, legal and other major risks.
Many KPMG clients have already experienced the benefits of DRA. In one case, for example, DRA identified a very high likelihood of cyber-attack and personal data theft. Unfortunately, however, the company suffered exactly such an attack before mitigating controls could be set up. Contagion was rapid and the event had a significant legal and regulatory impact.
At another company, DRA flagged that senior managers were focusing too much on acquisition integration and not enough on cyber risk controls. The risk networks helped executives identify the greatest areas of weakness and prioritise investment accordingly.
One theme emerges from the academic literature on risk management: it is far better to draw on varied perspectives than to rely on a single model. DRA is well suited to identifying the complex risks that can flow from cyber events, and the broad picture it creates can also give business leaders a fresh view of risk across every area of their activity.
© 2020 KPMG LLP, a UK limited liability partnership, and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.