Category: Enterprise Risk Author: Cody Swidler Tags: risk assessment, quantitative risk, risk scoring, ERM, data-driven, evidence

Most risk assessments are opinion surveys dressed up as analysis. Someone schedules a workshop, walks a room through a list of risks, and asks people to rate likelihood and impact on a scale of one to five. The numbers get averaged, dropped into a heat map, and presented as if they mean something. They don't. They're a snapshot of who was loudest in the room.

A data-driven risk assessment is different in one specific way: every score traces back to evidence. Not a feeling, not a consensus — a number, a trend, a control test result, an incident count. That single discipline changes what the assessment is for. It stops being a compliance ritual and starts being a decision tool.

Why the Workshop Model Breaks Down

The intuitive, workshop-driven assessment isn't worthless — it surfaces risks people are worried about, and that has value. But it fails the moment someone asks "why is this rated high?" The honest answer is usually "because the room felt it was." That doesn't survive scrutiny from an auditor, a regulator, or a board member who wants to know why you're asking for budget.

It also can't be compared over time. If this year's "high" came from a different group of people in a different mood than last year's "high," you have no trend. You have noise. And risk management that can't show direction — getting better or getting worse — isn't managing anything.

What "Data-Driven" Actually Requires

You don't need a quant team or a Monte Carlo engine to do this well. You need three things.

Defined criteria, written down before you score. What separates a 3 from a 4 on impact has to be specific and the same for everyone — dollar thresholds, hours of downtime, number of customers affected, regulatory exposure. The moment scoring criteria are explicit, the conversation shifts from "how do you feel about this" to "what does the evidence show against the criteria."

Inputs that already exist. Most organizations are sitting on the data and never connect it to the risk register: incident frequency and severity, control test pass rates, vendor SLA breaches, audit findings, vulnerability counts and time-to-remediate, change failure rates. Each of these is a signal you can anchor a score to. Pulling them in is most of the work — and most of the value.

A scoring model that's consistent and transparent. Likelihood and impact, a defined scale, a documented method for combining them, and — critically — the evidence cited next to each rating. When the model is visible, the rating is defensible. This is exactly what a well-built risk register and scoring model is supposed to enforce, and why a register that's just a list of risks with colored cells isn't doing the job.

Quantify Where It Pays, Estimate Honestly Everywhere Else

Data-driven doesn't mean every risk gets a precise dollar figure. Some do — and for those, express the exposure in money and probability rather than red/yellow/green, because money is what gets a decision made. For the rest, the goal isn't false precision. It's calibrated estimation: ranges instead of point values, stated assumptions, and a clear note on confidence. A risk rated "high, low confidence" tells leadership something a flat "high" never will — it tells them where to go get better data before acting.

The failure mode to avoid is the opposite extreme: spending three months building a quantitative model for a risk that a thirty-minute conversation would have resolved. Quantify where the decision is expensive or contested. Estimate cleanly everywhere else. Match the rigor to the stakes.
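The three requirements above (explicit criteria, existing inputs, a transparent model with evidence cited beside each rating) and the "high, low confidence" idea can be made concrete in code. This is an added illustration, not the author's or PivotRisk's scoring model; the threshold tables, the 3x range rule for confidence and the sample evidence records are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed criteria, written down before any scoring: impact 1-5 by loss per
# incident (USD), likelihood 1-5 by incidents per year. Each tuple is (floor, score).
IMPACT_CRITERIA = [(1_000_000, 5), (250_000, 4), (50_000, 3), (10_000, 2), (0, 1)]
LIKELIHOOD_CRITERIA = [(12, 5), (4, 4), (1, 3), (0.25, 2), (0, 1)]
RATING_LABELS = [(15, "critical"), (10, "high"), (5, "medium"), (0, "low")]

@dataclass(frozen=True)
class Evidence:
    source: str                 # where the number came from; cited next to the rating
    incidents_per_year: float
    loss_low_usd: float         # a range, not a point value
    loss_high_usd: float

@dataclass(frozen=True)
class Rating:
    likelihood: int
    impact: int
    score: int
    label: str
    exposure_usd: tuple         # (low, high) annualised exposure range
    confidence: str             # "high" or "low"
    citations: tuple            # evidence sources the scores trace back to

def score_against(criteria, value):
    """Map a measured value to the first criterion whose floor it meets."""
    return next(score for floor, score in criteria if value >= floor)

def assess(evidence):
    """Score a risk strictly from evidence records; refuse to rate without any."""
    if not evidence:
        raise ValueError("no evidence: an unsupported rating is an opinion, not a score")
    n = len(evidence)
    freq_mean = sum(e.incidents_per_year for e in evidence) / n
    loss_mid = sum((e.loss_low_usd + e.loss_high_usd) / 2 for e in evidence) / n
    likelihood = score_against(LIKELIHOOD_CRITERIA, freq_mean)
    impact = score_against(IMPACT_CRITERIA, loss_mid)
    score = likelihood * impact
    # Exposure stated as a range: best and worst case across all cited sources.
    low = min(e.incidents_per_year for e in evidence) * min(e.loss_low_usd for e in evidence)
    high = max(e.incidents_per_year for e in evidence) * max(e.loss_high_usd for e in evidence)
    # Constructed rule: low confidence on a single source or a range wider than 3x.
    confidence = "high" if n >= 2 and high <= 3 * low else "low"
    return Rating(likelihood, impact, score, score_against(RATING_LABELS, score),
                  (low, high), confidence, tuple(e.source for e in evidence))

# Constructed sample inputs standing in for an incident tracker and a vendor SLA log.
SAMPLE_EVIDENCE = [
    Evidence("incident tracker export, prior year (constructed)", 3, 20_000, 60_000),
    Evidence("vendor SLA breach log, prior year (constructed)", 5, 30_000, 90_000),
]
```

Running `assess(SAMPLE_EVIDENCE)` yields a "high" rating at low confidence with a 60k to 450k exposure range and both sources cited, which is the point: the wide range tells leadership where to collect better data before acting.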

The Output Is a Decision, Not a Heat Map

The test of whether your assessment is data-driven isn't how sophisticated the math is. It's whether the output drives a decision. A good assessment ends with: here is the exposure, here is what it would cost to reduce it, here is the residual if we do nothing, and here is the recommendation. The heat map is a communication aid at the end — not the deliverable.

This is the same principle behind board risk reporting that actually drives decisions: the artifact exists to provoke a choice, not to demonstrate that work happened. An assessment that ends in a colored grid and no recommendation is activity, not outcome.

Where to Start

Pick one risk domain you assess today on gut feel. Write down the scoring criteria explicitly. Then find three data sources you already have that bear on it and anchor the scores to them. You'll usually discover one of two things: the rating was roughly right and now it's defensible, or the rating was wrong and you've been managing the wrong risk. Either outcome is worth more than another workshop.

Once a single domain is on evidence, the next problem becomes obvious — you'll have one rigorous assessment surrounded by a dozen that aren't, all using different scales. That's an integration problem, and it's worth solving deliberately rather than letting every team build its own. More on that in integrating risk assessments.

Opinion tells you what people are worried about. Data tells you what's actually happening. A real risk assessment uses the first to find candidates and the second to make the call.

Cody Swidler is the founder of PivotRisk and a Principal Program Manager, Enterprise Resiliency at Apex Clearing. He has built and scaled GRC, resilience, and risk programs across Microsoft, Twilio, Box, Zayo, and Miro.

