Crowdsourcing: Enriching Corporate Data for Risk Management

IT Risk & Cyber Risk | 5 Min Read | 28 April 17 | by Gaurav Kapoor

Crowdsourced information from internal and external sources can enrich insight generated by governance, risk and compliance (GRC) teams to help companies mitigate risk and perform better in challenging environments.

The public and collaborative nature of unstructured shared data sources (such as social media) can bring issues of interest to light faster than they may show up in formal reporting. This lets companies act more quickly than they otherwise could, provided they can harness and interrogate the data to extract usable intelligence.

Crowdsourcing is probably most associated with funding, software testing and development. However, the collective pooling of inputs that it represents can equally apply to information and data sharing. It has the potential to add significantly to the view companies have of external risks, internal weaknesses and possible points of non-compliance.

When it comes to gathering risk information and stimulating ideas around corporate governance and control, companies can be limited by the finite resources of their GRC teams — but only if they allow themselves to be. In fact, they not only have at their disposal the significantly larger pool of minds inside their entire organization but also an entire community of external experts within the connected world.

Thanks to the rapid growth of social media, public crowdsourcing is becoming more widespread. Companies can leverage technology to help them integrate this data into their analytics. Risk applications can be made available beyond the core GRC team to capture input from employees who are invited to raise concerns and call out risks.

Widening the scope of inputs in this way has a range of compelling benefits. It adds volume, geographical variance and diversity of thought and reaction into the mix — and can fill in gaps left by the knowledge and resource capability of GRC professionals.

This is useful across a range of industries. Take pharmaceuticals, for example; from sources in the public domain, such as social media, companies can extract information to build intelligence on geographical areas at high risk of an epidemic. Meanwhile, across industries and inside organizations, companies can formally or informally involve employees from all disciplines in risk and compliance management.

Richer Insight Results from a Broader Set of Inputs

Crowdsourced information can take GRC professionals to the root of risk much faster. It can expose a fast-moving risk or compliance issue (such as a cyber-attack) in one part of the organization more quickly, assisting efforts in neutralizing its impact before it spreads wider. Moreover, it can highlight internal risks — such as ethical contraventions — before they take root.

Some companies choose to incentivize people to take part proactively in risk management, even offering rewards to employees who raise risks and/or suggest how the company might improve. This not only motivates engagement but also helps create a culture of involvement in risk and control throughout the organization. What’s more, it supports training efforts to instill in all employees a sense of responsibility for effective GRC.

Data can be gathered through periodic online, email or telephone-based surveys — or via mobile applications that make it easy for contributors to provide input anonymously. With the right technology, companies can monitor, gather and analyze inputs for pattern recognition, revealing key trends that can be fed into risk management and control planning.

Of course, huge volumes of data are created all the time without companies asking for it. The insights it can provide can be valuable to those companies with the capabilities to access and process it.

From big data, for example, risk assessors can develop patterns to read, predict and forecast risks. This can create a richer, more complete view of the total environment that can help inform corporate GRC strategies and tactics.

Risk predictions are based on the analysis of data points, and more data points make for better predictions. By widening the net to capture a broader set of inputs, companies can expand their predictive capabilities for more accurate forecasting. The financial services industry is a case in point: it relies on risk predictions to offer credit, loans and insurance, recognizing the power of big data to increase its approval rates while still minimizing risk.

Companies operating in competitive markets don’t have the luxury of time. Unfortunately, a need for speed is counter to the traditionally methodical approaches of researching, analyzing and forecasting. To speed up the process, companies need two things: more inputs and automated assessments.

Crowdsourcing — together with innovations in technology that facilitate data capture and automate analysis — can help companies continue to contain risk and stay compliant while operating at the relentless pace required of today’s competitive markets.

Navigating the Pitfalls

Companies exploring the opportunity of incorporating crowdsourcing into their GRC model should be mindful to avoid the potential pitfalls of such an approach. To start with, there is the possibility for false alarms based on biased or incomplete information. Companies therefore must be careful to ensure the completeness, accuracy and veracity of crowdsourcing data.

Furthermore, there is the possibility that individuals or groups with a particular agenda will purposely set out to generate biases within the data that can end up heavily influencing the collective view and, ultimately, outcomes. Fake news and campaigns designed to sway public opinion have generated news headlines in recent months, creating a climate of distrust not only in the media we consume but also in institutions that stand accused of undesirable practices.

While social media provides a platform for information sharing and collaboration, it becomes a “threat posed to traditional media” when it falls prey to disinformation and the dissemination of fake news.

Risks and threats tend to have a multiplicative and accelerated effect in the “crowd.” Risk information has to be analyzed by removing personal orientations of “groups” to ensure, for example, that the risk of attrition cannot be accelerated by information coming in from a biased group of low performers in the company. This is one risk factor that needs to be monitored.

Looking Ahead

As more companies become open to the opportunities presented by crowdsourced data, we will see the introduction of organized programs that are able to tap into this intelligence. More sophisticated algorithms will be developed to recognize and understand patterns. Moreover, higher levels of automation will be brought to data analysis and the feeding of insight into business decisions and actions.

Common information exchanges like the Operational Riskdata eXchange (ORX) may emerge in other industries and areas, assisting companies that wish to tap into industry-wide information to help them combat common threats, vulnerabilities and risks.

What begins with companies collaborating within their own corporations can extend out to companies collaborating within sectors, then across industries and territories. The ecosystem can expand further still to involve regulators and auditors.

Opening up sources of input to include communities (both within and outside the enterprise) can help companies develop deeper insight to influence their GRC strategies and policy implementations. More insight makes for better predictions to help companies effectively manage risk, preserve their operations and maximize performance.

To take advantage of the opportunity that crowdsourcing provides, companies also need the right technology to capture and analyze data — and to feed the insights that data generates into business planning and processes automatically.

The original post was published by GARP. You can view it here.

