Build Digital Risk Insight - MetricStream · 2019. 3. 28. · Build Digital Risk Insight February 27, 2016 2016 Forrester Research, Inc. Unauthorized copying or distributing is a

Build Digital Risk InsightImprove Brand Resilience By Monitoring And Analyzing Data Across Social, Mobile, And Web Channels

by Nick HayesFebruary 27, 2016

FOR SECURITy & RISK PROFESSIONALS

FORRESTER.COM

Key TakeawaysSourcing Digital Risk Data Requires A StrategyA foundational element of digital risk insight is the data you choose to aggregate. The challenge is that all vendors purport to cover a wide gamut of channels and data types, but they vary drastically in data quality and monitoring frequency.

Advanced Analytics Have Real Value For Risk Management But Are Rarely UsedDespite major innovation in data science -- including psycholinguistics, machine learning, and visual analytics -- risk managers continue to apply the same methodologies for monitoring and measuring risk that they used fi ve to 10 years ago.

Risk Visualizations Go Far Beyond Bar Charts And Pie GraphsBeyond analytics, there are new, sophisticated, and interactive ways to visualize and uncover risky patterns and relationships, including cluster diagrams and geospatial dashboards.

Why Read This ReportWhile sales, marketing, and other business functions have advanced tools and techniques to make the most of data across digital channels (including social, mobile, and web), risk functions have no such luck. Stuck with legacy systems and outdated frameworks, risk professionals struggle to keep up with the vast amounts of available data they need to identify and mitigate risks taking place within and outside of their organizations. This report describes key strategies to help you build digital risk insight that improves how you detect and manage risk and how you support strategic business priorities.

© 2016 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing is a violation of copyright law. [email protected] or +1 866-367-7378

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com

Table Of Contents

Risk Data Lacks Digital Context And Timeliness

Digital Risk Insight Improves Digital And Physical Risk Context

Use Digital Risk Insight To Achieve Critical Risk Objectives

Continuously Monitor Digital Channels For Risk Insight

Aggregate Data From A Broad Range Of Public, Proprietary, And Internal Sources

Apply Advanced Analytics Techniques With A Risk Mindset

Enhance Risk Analysis With Intuitive Data Visualizations

Recommendations

Face It, You Need Better Tools And Techniques

Supplemental Material

Notes & Resources

Forrester interviewed 35 subject matter experts and vendors, including BrandWatch, Catelas, Cyveillance, Digital Reasoning, Digital Shadows, Digital Stakeout, Ditto Labs, IDV Solutions, ListenLogic, MarkMonitor, OpSec Security, Palantir, Proofpoint, RiskIQ, Spallian, Stratfor, Verint, and Wolters Kluwer.

Related Research Documents

Brand Resilience: Understanding Risk Managers’ Key Role In Protecting Company Reputation

Market Overview: Brand Monitoring And Protection

TechRadar™: Risk Management, Q4 2015

FOR SECURITy & RISK PROFESSIONALS

Build Digital Risk InsightImprove Brand Resilience By Monitoring And Analyzing Data Across Social, Mobile, And Web Channels

by Nick Hayeswith Christopher McClean, Claire O’Malley, and Peggy Dostie

February 27, 2016

2

2

5

11

13

http://www.forrester.com/go?objectid=RES117862





http://www.forrester.com/go?objectid=BIO4584

http://www.forrester.com/go?objectid=BIO1835

For Security & riSk ProFeSSionalS

Build Digital Risk InsightFebruary 27, 2016

© 2016 Forrester research, inc. unauthorized copying or distributing is a violation of copyright law. [email protected] or +1 866-367-7378

2

Improve Brand Resilience By Monitoring And Analyzing Data Across Social, Mobile, And Web Channels

Risk Data Lacks Digital Context And Timeliness

Current risk analytic techniques are stale and fail to address the increasing complexity of firms’ risk environments. In particular, the data collection and analytics methods risk pros employ today have two major flaws:

› Risk management efforts focus on known internal systems and controls. Most risk pros focus on control gaps, such as ineffective governance structures, outdated compliance policies, or unaddressed access controls. The problem is that today, new, critical market imperatives increasingly determine a firm’s success (and failure) — particularly those pertaining to customer experience and corporate reputation.1 Without tools and techniques targeting their firms’ external and customer-facing risks, risk pros face widening blind spots.

› Risk data collection methods create latencies in decision-making. The volume and velocity of relevant risk data render legacy approaches to risk analytics woefully insufficient. Risk assessments, policy reviews, and audit spot checks remain integral techniques, but risk pros can no longer rely on the monthly or quarterly reports these efforts produce. For example, one global manufacturer reported that its supply chain was underperforming due to time- and resource-intensive data collection processes. These challenges ultimately increased the cost of operations because it took them so long to identify and correct distribution inefficiencies.2

Digital Risk Insight Improves Digital And Physical Risk Context

The good news for risk pros is that the data needed to build more valuable risk insight is richer and more available than ever before. Four categories of data help frame how organizations appear and interact online, providing insight into firms’ digital and physical environments, brand attributes, relationships, and more (see Figure 1):

1. Points of presence (POPs). POPs are the company-owned or -sponsored domains that publicly represent an organization, such as sites and access points that enable the organization to conduct business, sell products, transfer data, as well as market to and communicate with consumers.

2. Actors. Actors are the people directly or indirectly associated with an organization, including employees, customers, and even cybercriminals, as well as those associated with other relevant entities, such as third parties and competitors.

3. Assets. An organization’s assets are its property, information, and other material items that hold intrinsic or strategic value.

4. Affinities. Affinities are the tangible and intangible connections among POPs, actors, and assets, often understood as relationships, interactions, processes, and attribute and sentiment similarities.




3


FIGURE 1 Digital Risk Monitoring Leads To Key Digital And Physical Risk Insight

• Storefronts,manufacturing sites

• Websites, socialaccounts,mobile apps

• Employees• Customers• Cybercriminals

• Interactions• Relationships• Operational activity

• IP, trademarks,logos

• Products• PII, PHI, etc.

Points ofpresence

Actors

Af�nities Assets

Four categories of digital risk data1-1

InsightEnvironment

• Track employee travel, corporateproperties, or counterfeit sales.

• Visualize operational or supply chainactivity, logistics, or weather patterns.

• Detect emerging crises, such as productdefects, protests, or acts of terror.

• Track strategic or confidential information,trademarks, or intellectual property.

• Visualize workforce or consumerinteractions, relationships, or sentiment.

• Detect cyberespionage, data leakage,brand impersonations, or online fraud.

Physical risk

Digital risk

Digital context creates valuable insight into physical and digital risk environments1-2




4


Use Digital Risk Insight To Achieve Critical Risk Objectives

Risk pros are well positioned to take advantage of advanced analytics and the vast amount of data permeating digital channels. They are already experienced in data collection and risk measurement, and more importantly, business leaders need their help now more than ever to ensure their companies survive and thrive in the volatile age of the customer.3 Building digital risk insight will improve risk management efforts and bolster business objectives in four key areas:

1. Digital governance and brand protection defends corporate value. Today, a one-point improvement in customer experience scores can translate into $175 million in added annual revenue.4 Safeguarding this major contribution to revenue and protecting against reputational risk impacts should be a top priority — and monitoring digital channels is essential for doing this well.5 A compliance director at a top pharma manufacturer we spoke with leads his firm’s global digital governance program. He and his team monitor digital channels to identify instances of data leakage, violations of employee policy, social media account impersonation, false product information, and discussion of counterfeit products.

2. Workforce risk management identifies potentially harmful employee behavior. Organizations are under intense public and regulatory scrutiny to ramp up surveillance efforts to identify and prevent nefarious insider activity as quickly as possible. Risk pros now have access to tools to help analyze vast and disparate internal data for risky behavior and relationships. JPMorgan Chase & Co. recently improved its surveillance software so that it can correlate and analyze data across its communications, trade desk, and transactional systems, in the hopes of identifying rogue employees before they commit crimes. (Since the financial crisis, such crimes have led to more than $36 billion in legal fines for the bank.)6

3. Situational risk awareness and response sharpens crisis management. When a crisis hits, minimizing the impact becomes the top priority.7 This involves thorough preparation, effective tools for early detection, rapid understanding of the context, and efficient remediation. One global high-tech manufacturer we spoke with made an unpopular announcement in a third-world country, which led to a targeted brand attack online along with protests at the firm’s facilities. Using a digital-risk-monitoring tool, the risk team quickly detected the viral sentiment, monitored the firm’s physical sites to assure employee safety, and automatically removed hateful commentary from its digital channels.

4. Strategic risk intelligence guides long-term decision-making. Due to the rapid pace of change in the market (e.g., regulations, technology innovation, geopolitical trends, third parties, and more), business leaders increasingly seek risk insight to inform and ultimately make better strategic decisions. Dun & Bradstreet collects federal government compliance data, which CFO Richard Veldran productizes for making his own strategic risk decisions about his firm’s third-party ecosystem, such as determining supplier and vendor viability and future partnership opportunities.8




5


Continuously Monitor Digital Channels For Risk Insight

To keep pace with your firm’s rapidly evolving risk environment, you have to improve the speed and scope of your monitoring to uncover risk across all of today’s digital channels: social, mobile, and web. Review your current capabilities and techniques at each of the three core stages of the monitoring process — aggregate, analyze, and visualize — and determine ways you can improve your approach (see Figure 2).

FIGURE 2 Improve Digital Risk Monitoring Techniques At Three Core Stages

Aggregate

Visualize

Analyze

Expand data coverage with unique dataaccess and extraction techniques.

Optimize risk detection and relevance withadvanced technology and analytics.

Understand risk complexity with intuitivevisual dashboards.

Aggregate Data From A Broad Range Of Public, Proprietary, And Internal Sources

Carefully planning what data to aggregate is an obvious, but often overlooked, first step. Even with technical capabilities, deviations in data access, quality, extraction techniques, and query frequency can result in discrepancies in the final output and create major blind spots. To ensure you monitor digital channels comprehensively:

› Make the most of open source data and public APIs. Today’s digital environment is an expansive array of interconnected social, mobile, and web (including the surface, deep, and dark web) domains. Many of these sites are free to access or include public APIs that provide samples of the existing data it generates. Make sure you monitor this type of publicly available data through frequent data pulls or queries for the major digital channels in which your brand, products, and people are commonly mentioned.




6


For example, the digital crime team for a major credit card issuer we spoke with actively monitors a variety of digital channels to identify counterfeit mobile apps and social media accounts, detect potentially risky spam and malware, and investigate possible criminal behavior associated with the company.

› Source coveted pay-for-access data and extraction techniques. One major differentiating feature of monitoring vendors is their privileged access to various proprietary data sets, such as access to social networks, local business listings, text and file shares, and news sites behind paywalls, such as The Wall Street Journal. In addition, vendors also differentiate through data extraction techniques offering proprietary data classifiers, indexing models, and human analyst investigations that enhance the scope and relevance of their monitoring.

For example, organizations must pay to gain access to Twitter’s data firehose, which provides the full, unfiltered stream of Tweets that its public API strictly constrains.9 Similarly, Facebook grants only specific developers access to certain data types (e.g., photos, current city, and Likes).10

› Take inventory and govern your known digital footprint. your digital footprint is incredibly vast.11 To make sense of it, catalog your known footprint using three of the aforementioned digital risk data categories: POPs, actors, and assets.

For example, the brand security team for a large durable goods manufacturer determines its most critical assets, people, and points of presence and focuses monitoring on the 85 digital channels — including search engines, social networks, eCommerce platforms, and strategic partner sites — where related risk incidents and violations are most likely to occur.

› Assess ongoing regulatory and geopolitical developments. Risk and regulatory intelligence services, such as those offered by LexisNexis, Prevalent, Resilinc, Stratfor, and Thomson Reuters, track developments in specific industries or regions.12

For example, during the two years leading up to Eastman Kodak’s bankruptcy, LexisNexis mentioned the company in over 15,000 articles, increasingly using terms such as “insolvency,” “bankruptcy,” and “spikes in divestitures.”13 Other solutions can help with similar due diligence such as third-party risk assessments. Arachnys offers a platform that can query over 300 government databases around the world that host corporate registry data.

› Integrate and cross-reference data from internal systems. By fusing external data with internal data (e.g., data from operational systems, business applications, archives, etc.) and organizational attributes (e.g., user roles, policies, locations, project codes, etc.), you can improve the relevance and efficiency of your active digital risk monitoring.

For example, members of the security team for a global high-tech provider more quickly detected an active phishing campaign hitting its email servers because they first received alerts to a similar campaign targeting its social media accounts.




7


› Scour the dark web for covert, nefarious activity. Monitoring activity taking place on the dark web will help you detect and respond to planned cyberattacks, corporate espionage, fraud, money laundering, and other nefarious activity.14 This typically requires engaging cyberthreat intelligence (CTI) service firms to conduct investigations and monitor activity across darknets (e.g., Tor, I2P, and Freenet), “carder” sites, and other underground or otherwise hidden marketplaces and chat forums.15

For example, Brian Krebs was the first to publicize Target’s major data breach after seeing hackers discuss it on underground forums.16

› Avoid blind spots with other services, sensors, and language capabilities. you may need additional data to cater to the unique requirements of your risk function and business environment. This may include sourcing weather data, satellite monitoring capabilities, or even your own beacon or sensor data.

For example, Walgreens uses in-store sensors at its more than 8,200 US locations to monitor for power failures and other operational risks so it can take quick action to save refrigerated goods and temperature-sensitive pharmaceuticals.17

Apply Advanced Analytics Techniques With A Risk Mindset

The term “advanced analytics” may seem trite given its overuse today, but regardless of terminology, the evolving data dynamics it refers to have meaningful implications for risk management, in that there are new, sophisticated tools and techniques that analyze massive quantities of structured and unstructured data for building meaningful insight at unprecedented degrees of speed and scale.18 These tools and techniques will improve your risk acuity in several ways:

1. Rules-based monitoring improves detection of known threats. When configured with defined processes, policies, or lexicons, rules-based monitoring can quickly identify clear-cut risk events and violations.

For example, the compliance team for a top US bank uses a digital-risk-monitoring tool that continuously searches social media accounts and keywords to ensure that only approved spokespeople comment on the firm’s financial performance and future outlook.

2. Trend analysis establishes baselines and signals risky digressions. Digital channels often display common patterns of activity, behavior, and sentiment. Trend analysis will help determine standard baselines and improve the precision with which you can detect deviations and trigger alerts.

For example, the head of brand protection and cyberintelligence at a global transportation and logistics company actively monitors digital channels for upticks in sentiment regarding its services and drivers, as well as other trends within a region related to local traffic, crime, and even associated legal issues pertaining to its business.




8


3. Outlier analysis uncovers discrete risks. Outlier analysis looks for deviations from the norm that might indicate risky events or people, such as an insider running a money-laundering scheme. This includes analysis of increasingly rich data, such as unusual bcc’s, late-night communications, or unusual devices, applications, or locations.

For example, some advanced compliance departments at large banks benchmark their staff’s performance against their average use of internal communications, then use outlier analysis to detect discrepancies between their profitability and the number of messages sent to clients.19

4. Data-flow analysis identifies risky access points and process impediments. Data-flow analysis involves reviewing specific nodes or other types of access points to understand common patterns and data flow at these points of intersection at different points in time. This can help highlight bottlenecks in supply chains or logistics, flag fraudulent transactions, classify suspicious devices or access gateways, and identify potential cyberthreats.

For example, a CTI vendor used data-flow analysis to analyze activity occurring at Tor exit nodes to identify and block risky IP addresses that were likely to contain malware or result in other malicious cyberactivity.20

5. Psycholinguistics builds behavioral context and exposes illicit intent. Psycholinguistics and semantic analysis software analyze unstructured data to not just understand subtleties in word use (for instance, by “apple,” did you mean the major tech company or the fruit?), but even nuances in human behavioral constructs, such as sarcasm, mood, humor, or even clandestinity. Risk pros can use psycholinguistics to detect potentially covert wrongdoing, such as identifying language that suggests inappropriate manager pressure or unethical decision-making.21

For example, a team of researchers at the University of Washington built an algorithm that, from just Twitter data alone, can detect with 70% accuracy whether a person is depressed.22

6. Machine learning unearths risk that even trained eyes can’t find. At its simplest level, machine learning uses inductive reasoning to find data correlations that point to risky people, relationships, behaviors, or activities.

For example, Point72 uses workforce risk analytics tools Digital Reasoning and Palantir to analyze roughly 1 million emails, instant messages, and other electronic communications every week.23 To win the deal, the vendors fed 500,000 emails related to the Enron scandal into their software, which quickly identified dozens of suspicious emails about destroying or concealing information.

7. Visual analytics detects brand compliance violations, fraud, and counterfeits. Visual analytics tools, such as Ditto Labs, offer capabilities to scan web images for anything related to a firm’s brand, including logos, products, and even physical environments and scenery. For example, visual analytics can detect that a picture was taken in a specific restaurant of a fast food chain or that a man in his early 30s wore a branded sweatshirt while hiking.24




9


Risk case studies of visual analytics remain sparse, but identifying counterfeit products, misuses of logos or other trademarks, or violations of contractual agreements about in-store product placements are just some of the ways this capability can be put to use.

Enhance Risk Analysis With Intuitive Data Visualizations

Simple bar and pie charts can only do so much given the complexity and intricacies of risk landscapes today. Even when you have effective analytics, you still need to translate information into meaningful insight and demonstrate value to your stakeholders. Combine analytics with expressive visualizations that enhance your dashboards and reports:

› Illuminate risky patterns through cluster analysis and relationship diagrams. Clustering analysis involves running innumerable grouping permutations of data objects to uncover previously hidden deviations in common behavioral patterns, relationships, performance, and even sentiment. By visualizing the results of cluster analysis, you can see how people, groups, or entities connect to one another and easily identify risk based on those that fall outside of expected norms (see Figure 3-1). The head of digital governance for a top credit card provider reviews cluster analysis through relationship maps to track its social media presence and identify risky patterns and connections with its branded social accounts.

› Integrate geodata and interactive dashboards for spatial understanding. The exponential growth in data sources containing geography-based metadata (i.e., geodata) over the past decade means risk pros can monitor and understand their firms’ geographic risk environment more effectively than ever before (see Figure 3-2). In addition, you can leverage geofencing capabilities to track current activity within specific geographic boundaries, such as manufacturing sites, storefronts, corporate events, and supply chains. A major oil and gas company created a geofence around its entire pipeline to monitor for public activity that could disrupt ongoing production and distribution efforts.

› Use treemaps to evaluate multiple risk dimensions simultaneously. Treemaps are a composite display of hierarchical data using nested rectangles to represent relative size and risk of an overall organizational function or user base. Using interactive drill-down charts and risk color schemes (e.g., red, yellow, green), treemaps provide risk pros with quick, intuitive context to evaluate risk and investigate its origin. For example, risk pros can use treemaps to visualize total policy flags triggered in the past year and quickly identify specific departments that, relative to others, frequently engage in risky behavior.




10


FIGURE 3 Examples Of Advanced Risk Data Visualizations

Sales Product Research Finance

IndividualFlagged for risk

Actor in�uence

How clustering analysis builds intuitive relationship diagrams3-1




11


FIGURE 3 Examples Of Advanced Risk Data Visualizations (Cont.)

Risk environment

Recent events

Traveling workers

Corporate-owned site

Third-party site

How geodata and interactive dashboards improve spatial risk understanding3-2

Date range:

xx/xx/xxxx xx/xx/xxxx

Risk activity:

Social media activityPhysical threat activityCyberthreat activityWeather/natural disasters

Points of presence:

Corporate of�cesStorefrontsThird partiesCompetitors

Recommendations

Face It, you Need Better Tools And Techniques

you can no longer rely on manual processes and analysis to manage risk effectively. The amount of data is too vast, business operations too complex, and threats too sophisticated. To understand your risk environment and quickly detect an emerging risk event, you need technical capabilities so that you can continuously pull in and analyze data for risk, and do so in as close to real time as possible. As you ramp up your capabilities to build meaningful digital risk insight:

› Scrutinize the quality of vendors’ data sources. you can’t build accurate digital risk insight without the right data — this leads to blind spots that can go unnoticed until they result in large fines or major crises. Consider how vendors source data, how frequently they monitor digital




12


channels, and how they extract meaning and relevance from them. While they may not share their secret proprietary algorithms, they can describe where they get their data and what makes their offerings unique. And if they can’t, consider that a red flag and move on to the next option.

› Search for untapped data sources within your own organization. Often, risk pros overlook applications and systems that capture data that could be extremely valuable for risk analytics purposes. For example, archiving platforms are potential risk gold mines. Today, these systems are still primarily used to meet regulatory requirements for information archiving and retention purposes, but they host a valuable set of workforce communications data that, if leveraged correctly, could lead to valuable risk insight regarding workforce behavior and relationships.25

› Embrace the Internet of Things (IoT). With the rise of IoT and the proliferation of beacons, sensors, wearables, interconnected cars, etc., the amount of data you need to aggregate and analyze will grow, and it will grow fast. This may sound daunting, but risk pros should actually get excited about IoT because there are practical ways it will improve risk management. For example, mining contractor Thiess provides its field workers with wearable devices that track activity levels, blood oxygenation, temperature, and heart rate, so supervisors can advise at-risk workers to change behavior or send help more quickly to those who experience medical issues in the field.26

› Realize there’s no one-stop shop. Few vendors, if any, can meet requirements to effectively address all four objectives of digital risk monitoring. Even within a single objective, you may need multiple tools to source data from all relevant digital channels and build comprehensive digital insight.

› Still, always review your analysis with common sense and human perspective. Advanced analytics and visualizations will surely improve the risk insight you produce, but it remains just that — insight. Even with the best technology, you still need experienced risk pros who can apply years of experience and subjective reasoning to validate decisions and identify risk that machines cannot. For example, even though EMC has tools to monitor its supply chain, it still deploys 50 people in Asia Pacific to visit its suppliers, walking the production lines, speaking to workers, and reviewing the inventory, and thereby uncover risks that technology might miss.27




13


Supplemental Material

Companies Interviewed For This Report

Engage With An Analyst

Gain greater confidence in your decisions by working with Forrester thought leaders to apply our research to your specific business and technology initiatives.

Analyst Inquiry

Ask a question related to our research; a Forrester analyst will help you put it into practice and take the next step. Schedule a 30-minute phone session with the analyst or opt for a response via email.

Learn more about inquiry, including tips for getting the most out of your discussion.

Analyst Advisory

Put research into practice with in-depth analysis of your specific business and technology challenges. Engagements include custom advisory calls, strategy days, workshops, speeches, and webinars.

Learn about interactive advisory sessions and how we can support your initiatives.

BrandWatch

Catelas

Cyveillance

Digital Reasoning

Digital Shadows

Digital Stakeout

Ditto Labs

IDV Solutions

ListenLogic

MarkMonitor

OpSec Security

Palantir

Proofpoint

RiskIQ

Spallian

Stratfor

Verint

Wolters Kluwer

http://forr.com/1einFan

http://www.forrester.com/Analyst-Advisory/-/E-MPL172




14


Endnotes1 Protecting hard-earned corporate reputations takes on greater importance as companies shift strategic priorities to

win, serve, and retain customers. When a crisis strikes — whether the result of executive malfeasance, a product safety recall, a security breach, or another violation of a company’s brand values — the results can be disastrous. Given that, risk professionals can no longer overlook the growing value and vulnerability of corporate reputations. This report provides a framework of concepts, definitions, and best practices to prevent reputational catastrophes from occurring or mitigate their impact when they do. See the “Brand Resilience: Understanding Risk Managers’ Key Role In Protecting Company Reputation” Forrester report.

2 It took the firm long periods of time to aggregate data from numerous, disparate systems. Long time lags between risk data reports meant they couldn’t identify or correct distribution inefficiencies until long after the existing process had been in place, ultimately resulting in increased cost of operations. To begin to remediate these vulnerabilities and cross-organizational data gaps, the company consolidated disparate data sources, developed risk profiles for each of its suppliers, and ranked them accordingly. Source: Kelly Marchese and Jerry O’Dwyer, “From Risk To Resilience: Using Analytics And Visualization To Reduce Supply Chain Vulnerability,” Deloitte University Press, January 17, 2014 (http://dupress.com/articles/dr14-risk-to-resilience/).

3 The risk concerns of customer-obsessed business leaders (i.e., those who view improving customer experience to be a critical business priority for their organizations) are dramatically higher in comparison to other business leaders. In particular, their concern over customer-facing risks, such as reputational risk and corporate social responsibility and sustainability, are where the differences in concern are the greatest. See the “Dissecting Global Risk Perceptions And The Effects Of Customer Obsession” Forrester report.

4 Forrester used statistical analysis to reveal the relationship between the CX Index and revenue potential. Quantifying this relationship allows us to show how much the revenue potential changes when CX Index scores change, creating CX-revenue curves for each brand in the CX Index. See the “The Revenue Impact Of Customer Experience, 2015” Forrester report.

5 Risk pros must ensure a consistent experience across every physical and digital customer touchpoint, and protect related brand assets and stakeholders across an ever-expanding set of digital channels. Whether it’s social media, mobile app stores, websites, online marketplaces, or the dark web, each of these digital channels is intrinsically valuable to company success today but also expose organizations to greater risk. Individuals can make damaging claims (whether true or not) against your company or disclose proprietary information; hackers and other malicious actors can exploit vulnerabilities to access sensitive data; and third parties can violate license agreements and misuse your brand in more places than you can manually track. See the “Market Overview: Brand Monitoring And Protection” Forrester report.

6 JPMorgan Chase which has racked up more than $36 billion in legal bills since the financial crisis, is rolling out a program to identify rogue employees before they go astray, according to Sally Dewar, head of regulatory affairs for Europe, who’s overseeing the effort. Dozens of inputs, including whether workers skip compliance classes, violate personal trading rules, or breach market-risk limits, will be fed into the software. Source: Hugh Son, “JPMorgan Algorithm Knows you’re a Rogue Employee Before you Do,” BloombergBusiness, April 8, 2015 (http://www.bloomberg.com/news/articles/2015-04-08/jpmorgan-algorithm-knows-you-re-a-rogue-employee-before-you-do).

7 Not all risk events are preventable, particularly those that take place beyond the governance parameters of organizations (e.g., natural disasters, cyberattacks, corporate defamation, protests, and fraud).

8 Veldran has expanded the use of federal government compliance data culled by his firm, D&B, for broader risk management purposes. He looks at whether suppliers are shipping more or fewer goods than their competitors. “Is the company likely to go out of business?” he asks. “Is it a subsidiary of a troubled parent?” Source: David M. Katz, “Big Data, Smaller Risk,” CFO Magazine, October 5, 2015 (http://ww2.cfo.com/big-data-technology/2015/10/big-data-smaller-risk/).










15


9 Twitter recently terminated agreements with the few remaining data partners formerly capable of reselling Twitter’s data firehose access, including Datasift and NTT Data. Organizations must now work with Gnip, which is owned by Twitter. Source: Ingrid Lunden, “Twitter Cuts Off DataSift To Step Up Its Own Big Data Business,” TechCrunch, April 11, 2015 (http://techcrunch.com/2015/04/11/twitter-cuts-off-datasift-to-step-up-its-own-b2b-big-data-analytics-business/#.uq7cxp:ufD7).

10 In the spring of 2015, Facebook restricted data access for over 30 data types that had been publicly available through its social graph API. Now access to these data types is approved on an individual basis by Facebook, typically dependent on mutually beneficial business relationships. Source: Deepa Seetharaman and Elizabeth Dwoskin, “Facebook’s Restrictions on User Data Cast a Long Shadow,” The Wall Street Journal, September 21, 2015 (http://www.wsj.com/articles/facebooks-restrictions-on-user-data-cast-a-long-shadow-1442881332).

11 We can’t begin to list the entire range of components that comprise one organization’s digital footprint, but try to envision all of the elements it includes: physical locations, websites, public and anonymous data repositories (e.g., Pastebin), websites, social media, mobile apps, employees, third parties, strategic information, contracts, IP, logos products, and contracts. The list keeps going.

12 For a more complete list of risk and regulatory intelligence offerings and to understand how they fit into the broader risk management technology ecosystem, see the “TechRadar™: Risk Management, Q4 2015” Forrester report.

13 LexisNexis reported 15,000 news articles mentioning Eastman Kodak in the two years leading up to the company’s bankruptcy filing in January 2012; those articles increasingly used the terms “insolvency and bankruptcy,” “U.S. Chapter 11 bankruptcy,” “law and legal system,” and “spikes in divestitures” in the final months before Kodak filed for bankruptcy. Source: yossi Sheffi, “Preparing for Disruptions Through Early Detection,” MIT Sloan Management Review, September 15, 2015 (http://sloanreview.mit.edu/article/preparing-for-disruptions-through-early-detection/).

14 Cyberthreat intelligence (CTI) has emerged as a potentially powerful tool for S&R professionals who must defend their digital business from cybercriminals seeking to disrupt their operations and steal their most valuable information — their customers’ data and their intellectual property. CTI promises to give S&R pros advance warning of cybercriminals targeting their region, their industry, or even their specific firm — with enough time to do something about it. To learn more about the CTI vendor market, see the “The State Of The Cyberthreat Intelligence Market” Forrester report.

15 While the dark web isn’t well understood and isn’t all insidious, it is increasingly utilized as a conduit to conduct nefarious activities, conspire and plan malicious attacks, and sell illicit goods, software exploits, and valuable data. Source: Andy Greenberg, “Hacker Lexicon: What Is the Dark Web?” Wired, November 19, 2014 (http://www.wired.com/2014/11/hacker-lexicon-whats-dark-web/).

16 Brian Krebs broke the story about the Target breach in which 40 million people had their credit and debit card numbers stolen by hackers. Source: Cory Blair, “How an Independent Reporter Broke the Target Security Breach Story, and at What Risk,” American Journalism Review, June 16, 2014 (http://ajr.org/2014/06/16/reporter-mingles-criminals-cover-cybersecurity/).

17 For example, after a surprise blizzard shut down United Parcel Service’s air freight hub in Louisville, Kentucky, in 1994, the company hired five meteorologists for its global operations center. “Our customers in Barcelona and Beijing don’t care that it snowed in Louisville. They want their packages,” said Mike Mangeot, a UPS Airlines spokesman. “So we felt the need to have a greater read on the weather that was coming.” Source: yossi Sheffi, “Preparing for Disruptions Through Early Detection,” MIT Sloan Management Review, September 15, 2015 (http://sloanreview.mit.edu/article/preparing-for-disruptions-through-early-detection/).

18 Generally speaking, Forrester refers to advanced analytics as a new set of analytic techniques that predict, simulate, or optimize business outcomes at greater degrees of scale, automation, and foresight than in the past. See the “Seven Advanced Analytics Must-Knows” Forrester report.








16


19 Banks have long worried that staff may turn to personal cell phones or social media platforms such as Snapchat or Facebook to avoid having their work communications monitored by compliance systems. To combat that risk, some compliance departments are benchmarking staff’s performance against average use of internal communications — trying to detect discrepancies between their profitability and the number of messages sent to clients. Source: Tracy Alloway and Kara Scannell, “Banks tap into big data to trap wily traders,” The Financial Times, November 30, 2014 (http://www.ft.com/intl/cms/s/0/8c2452ee-72c9-11e4-803d-00144feabdc0.html?siteedition=intl#axzz3Km6zGbBt).

20 In one blog post, the cyberthreat intelligence vendor Recorded Future walks readers through how it can monitor Tor exit nodes for malicious activity and IP addresses. Source: “Monitoring Tor Exit Nodes for Malicious Activity,” Recorded Future, March 17, 2015 (https://www.recordedfuture.com/monitoring-tor-exit-nodes/).

21 For example, as part of security intelligence, you learn that an extremist group might refer to bombs as wedding cakes and bombings as weddings. So in finance, compliance teams could look for “gift-giving” language, such as a discussion of seats at sporting or other events. Source: Bradley Hope, “Spy Software Gets a Second Life on Wall Street,” The Wall Street Journal, August 2, 2015 (http://www.wsj.com/articles/spy-software-gets-a-second-life-on-wall-street-1438541720).

22 A team of researchers at the Center for Statistics and the Social Sciences at the University of Washington have developed a way to scan people’s tweets and determine whether or not they’re depressed with a claimed accuracy rate of 70%. Source: Sam Frizell, “How Twitter Knows When you’re Depressed,” Time, January 27, 2014 (http://time.com/1915/how-twitter-knows-when-youre-depressed/).

23 After being “taught” some key concepts about compliance, the technology solution identified dozens of suspicious emails in which participants were using language that suggested attempts to conceal or destroy information. It reads all the text files in a database, capturing metadata and creating links between people and institutions. Words are given sentiment scores to help detect emotion. Source: Bradley Hope, “Spy Software Gets a Second Life on Wall Street,” The Wall Street Journal, August 2, 2015 (http://www.wsj.com/articles/spy-software-gets-a-second-life-on-wall-street-1438541720).

24 For more on visual analytics, see the “Listening To Social With The Eyes: Visual Social Analytics” Forrester report.

25 your archiving data is a potential gold mine for risk and compliance use cases that can benefit from big data and predictive analysis. Actively monitoring social communications can also help uncover fraud, corporate compliance violations, and operational risk events. See the “Market Overview: Social Media Archiving” Forrester report.

26 The rise of IoT will lead numerous new use cases for risk and compliance, and many will be able to demonstrate tangible ROI right away. For example, one forestry products firm saved $1 million and reduced its insurance premiums by 75% by investing $50,000 in worker safety and training. See the “Brief: Smart Body, Smarter Workforce” Forrester report.

27 EMC uses a “trust but verify” approach to detect emerging risks with its suppliers. Trevor Schick, then vice president of global supply chain management and chief procurement officer at EMC, said that the company deploys 50 people in Asia (where it does its manufacturing) to focus on quality and identify red flags early. These people visit suppliers, walk the production lines, see the warehouses, and speak to the suppliers’ engineers and factory workers. They use a checklist of warning signs such as quality problems, capacity reductions, stopped lines, and excessive inventory. If a supplier is reluctant to let EMC people in the door, that is a warning sign in itself. Source: yossi Sheffi, “Preparing for Disruptions Through Early Detection,” MIT Sloan Management Review, September 15, 2015 (http://sloanreview.mit.edu/article/preparing-for-disruptions-through-early-detection/).




We work with business and technology leaders to develop customer-obsessed strategies that drive growth.

Products and services

› core research and tools › data and analytics › Peer collaboration › analyst engagement › consulting › events

Forrester research (nasdaq: Forr) is one of the most influential research and advisory firms in the world. We work with business and technology leaders to develop customer-obsessed strategies that drive growth. through proprietary research, data, custom consulting, exclusive executive peer groups, and events, the Forrester experience is about a singular and powerful purpose: to challenge the thinking of our clients to help them lead change in their organizations. For more information, visit forrester.com.

client suPPort

For information on hard-copy or electronic reprints, please contact client support at +1 866-367-7378, +1 617-613-5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.

Forrester’s research and insights are tailored to your role and critical business initiatives.

roles We serve

Marketing & Strategy ProfessionalscMoB2B MarketingB2c Marketingcustomer experiencecustomer insightseBusiness & channel strategy

Technology Management Professionalscioapplication development & deliveryenterprise architectureinfrastructure & operations

› security & risksourcing & vendor Management

Technology Industry Professionalsanalyst relations

122958