Best risk analytics tool: RiskLens

The clue is in the name. For US technology provider RiskLens, seismic technological change has brought with it great risks as well as rewards, and those risks need to be closely monitored and managed at all times.

“Business processes have digitalised at an accelerated pace over the past decade,” says chief executive Nick Sanna, delivering “phenomenal business efficiencies and growth. It also brought a new range of technology risks that can materially affect business outcomes and that need to be understood and managed.”

RiskLens specialises in the quantification of cyber risk, and its software is based on the Factor Analysis of Information Risk (Fair) model, an international standard for information security and operational risk. Its offering comprises risk scoping, a risk calibration and analysis engine, sensitivity analysis, what-if capabilities, value-at-risk reporting and other capabilities, but cyber risk is the jewel in its crown.

The company has deep roots in cyber, having been launched in 2011 after co-founder Jack Jones was asked by Nationwide Insurance, a previous employer, to quantify the cyber risk faced by the company. The answers surprised him, and the idea for RiskLens was born. It was then called CXOWARE but relaunched in its present form in 2015, underlining its focus on risk measurement.

“Technology risk, whether driven by cyber attacks or other operational breakdowns, now ranks among the top three to four risks that organisations and boards must manage,” says Sanna. “In the past 18 months, the topic made it to the agenda of board meetings of virtually every large organisation worldwide.”

Judges agreed. “Many firms consider cyber risk to be one of their main risks and given [recent] events, it is difficult to argue against this assessment,” said one, writing shortly after a huge cyber attack in May 2017 undermined key infrastructure in multiple countries, including the UK National Health Service.

A case study submitted in the RiskLens entry highlighted its work helping a $5 billion asset manager wanting to overhaul its Business Impact Analysis (BIA) system. The RiskLens system provided a more comprehensive risk breakdown than the previous “high, medium or low” rating system and the client was able to assess its three processing centres, to take one example, in far more detailed quantitative terms.

“Too often, cyber and operational risks are expressed in high-level, qualitative terms such as high/medium/low or using ordinal scales (one to ten),” says Sanna. “[These] do not allow effective prioritisation and certainly cannot help to determine how much an organisation should spend on risk mitigation.”

Sanna believes RiskLens can help firms to handle these conflicts in a clearer way. “It is imperative for cyber and operational risks to be expressed in terms of financial impact to an organisation, like any other form of enterprise risk,” he says. “Only when risk is quantified in monetary terms and risk mitigation initiatives are evaluated in terms of possible monetary risk reduction, can organisations make cost-effective decisions.”

By using the quantitative Fair model, RiskLens has helped to drive common risk reporting. Fair was set up after the financial crisis by the Open Group, a global standards consortium with several hundred member firms, and it seeks to provide a model for understanding, analysing and quantifying different risk types in financial terms.

RiskLens decided to develop its offering around the Fair model for three reasons. “We did not find a better risk analysis model out there, that would decompose risk in its discrete factors to the point where they could be quantified,” says Sanna. “Second, Fair is a flexible and domain-agnostic risk model that proved to be very adaptable for analysing any type of risk. Third, Fair is an established international standard.”

One judge praised RiskLens for its ability to cover several non-financial risks in an integrated way, adding that the company’s strength in aggregating and managing data sets it apart. Another applauds the way the product can be integrated with governance, risk and compliance (GRC) platforms and its appealing modular format.

Integration with GRC platforms became a priority for RiskLens in response to client demand. “Customers that had invested in GRC products kept mentioning that they were struggling to analyse risk in a way that could be consistently measured, communicated and managed,” says Sanna. “As new risk analytics solutions such as RiskLens emerged, customers demanded that those capabilities be seamlessly integrated in the GRC processes already in place. Some customers are telling us that we help them substantiate the ‘R’ in GRC.”

As client demand for more robust defences against cyber risk continues to evolve, RiskLens does not plan to rest on its laurels. “Our long-term development strategy contemplates a progressive integration into our risk analytics platform of the many data sources that organisations are already collecting, to further automate data collection and further efficiencies,” says Sanna.