NATIONAL HARBOR, Md. — Fidelity Investments wanted a better way to quantify its risks. It needed to find metrics and a language that were risk-informing and reliable across business units.
By standardizing risk language, its center of excellence for technology risk assessments would be able to tell business units "we understand you have a concern and we want to help codify it in proper risk syntax," instead of saying "these aren't risks," said Luke Domet, lead for Fidelity Investments' center of excellence for technology risk assessments, speaking at the FAIR Conference in National Harbor, Maryland, on Wednesday.
Before implementing a quantitative risk practice, Fidelity Investments rated risks as low, medium or high on the basis of "incoherent information," said Domet. This year Domet and his team started working with a select number of company stakeholders on a proof of concept. The test was successful, and it eventually allowed Domet to derive management summaries: a single page showing stakeholders where they stand in terms of risk.
The one page summary still uses the traditional "green, yellow, red" heat map indicators of risk assessment, though the team redefined the colors. Green indicates low to no risk, yellow is the limit of the risk appetite, and red is beyond the risk appetite.
Risk management summaries are part of how the financial services company standardizes risk scenarios. Domet's team spent significant time translating risk language to a digestible lingo for the business.
By Domet's admission, not all stakeholders were interested in the one-page summaries. "They just want us to tell [them] what they need to do," he said.
But before Domet could present management summaries, his team ran workshops with subject matter experts (SMEs) to develop scenario-based analyses. These analyses help calculate the value of a portfolio under key stressors, such as a cyberattack or a change in the market.
In one use case, the workshops revealed that the SMEs believed a single control would be more effective than a combination of controls.
Eventually Domet and his team built a scenario showing the risk with controls in place, and showing that the capability to support two-factor authentication was already there; it just wasn't activated. This is what convinced the business to pursue the change.
Business product owners can ask the center of excellence to show them their specific risk. They can ask the team, "if we deploy this specific capability, how much will that impact our risk?"
Domet and his team answer the question by running analyses on scenarios to guide the decision. But when the results are in, they put them in a context the business unit will understand.
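The kind of "what happens to our risk if we switch this capability on" comparison described above can be run as a FAIR-style Monte Carlo simulation. The following is an added example written for this page, not Fidelity's tooling or FAIR Institute code: it models a phishing scenario with three (min, most likely, max) ranges of the sort a workshop with subject matter experts produces, simulates annual loss with no control, with two-factor authentication enabled, and with two-factor authentication plus monitoring, and maps the result onto the redefined green/yellow/red scale against a risk appetite. Every number, scenario name and the 20% "yellow" band are constructed assumptions for illustration only.

```python
"""FAIR-style Monte Carlo comparison of control options.

Added example for this article; not Fidelity's model. All figures below are
constructed placeholders, not real Fidelity data.
"""
import math
import random
from dataclasses import dataclass, replace
from statistics import mean

# Each input is a (min, most likely, max) triple drawn from a triangular
# distribution, a common way to turn SME workshop estimates into ranges.
Range = tuple[float, float, float]


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range   # threat event frequency: attempts per year
    vuln: Range  # vulnerability: probability an attempt becomes a loss event
    loss: Range  # loss magnitude per loss event, in dollars


def tri(rng: random.Random, r: Range) -> float:
    lo, mode, hi = r
    return rng.triangular(lo, hi, mode)


def poisson_draw(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scn: Scenario, trials: int = 10_000, seed: int = 7) -> list[float]:
    """Return one total annual loss figure per simulated year."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        attempts = poisson_draw(rng, tri(rng, scn.tef))
        p_loss = tri(rng, scn.vuln)
        total = 0.0
        for _ in range(attempts):
            if rng.random() < p_loss:      # attempt succeeded: a loss event
                total += tri(rng, scn.loss)
        years.append(total)
    return years


def summarize(years: list[float]) -> dict[str, float]:
    s = sorted(years)
    pct = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {"mean": mean(s), "p50": pct(0.5), "p90": pct(0.9)}


def classify(exposure: float, appetite: float, band: float = 0.2) -> str:
    """Redefined heat-map colours: green well inside appetite, yellow at its
    limit (within `band` of it, an assumed width), red beyond it."""
    if exposure > appetite:
        return "red"
    if exposure >= appetite * (1 - band):
        return "yellow"
    return "green"


# Constructed scenario: credential phishing against a customer-facing app.
BASELINE = Scenario("phishing, password only",
                    tef=(5, 12, 30), vuln=(0.20, 0.35, 0.60),
                    loss=(20_000, 80_000, 400_000))
# Single control: activating the existing 2FA capability cuts success probability.
MFA_ONLY = replace(BASELINE, name="phishing, 2FA enabled", vuln=(0.02, 0.05, 0.12))
# Combination: 2FA plus login monitoring that shortens dwell time, lowering loss per event.
MFA_PLUS_MONITORING = replace(MFA_ONLY, name="phishing, 2FA + monitoring",
                              loss=(10_000, 40_000, 150_000))


def management_summary(scenarios, appetite: float, trials: int = 10_000) -> list[dict]:
    """One row per option: the numbers behind a one-page summary."""
    rows = []
    for scn in scenarios:
        stats = summarize(simulate(scn, trials))
        rows.append({"scenario": scn.name, **stats,
                     "rating": classify(stats["p90"], appetite)})
    return rows


if __name__ == "__main__":
    for row in management_summary([BASELINE, MFA_ONLY, MFA_PLUS_MONITORING], appetite=500_000):
        print(f'{row["scenario"]:<28} mean ${row["mean"]:>12,.0f}'
              f'  p90 ${row["p90"]:>12,.0f}  {row["rating"]}')
```

Rating on the 90th percentile rather than the mean is a design choice: the mean hides the tail years that actually breach an appetite, which is what the red band is meant to flag. Swapping the placeholder ranges for workshop estimates and the appetite for the business unit's own figure is what turns this into a decision aid.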
"What we learned is that it's really about the story telling … pulling out pieces that communicate what their concern is" and leaving out unnecessary technical jargon, said Domet.
It took Domet and his team eight months to develop scenarios for one business unit, a little less than one-third of Fidelity's business portfolio. Domet is looking forward to AI-derived insights for decision-making because risk is a "living organism," susceptible to constant change.
AI could pull risk snapshots from data that later feed the analysis used to build future scenarios, such as an insider-threat scenario against confidentiality.
But one of the most important pieces of risk management is having a more strategic presentation of risk. "Bring the discussion to the right people who can implement the change," said Domet, "don't go just to IT."