With a myriad of risks and limited security budgets, how do organizations decide which projects to prioritize? Many governance, risk management and compliance (GRC) professionals believe risk quantification is the answer. Because risk-free operations don’t exist, risk quantification isn’t merely desirable — it’s necessary. And it plays an essential role in every business decision and risk type.
When incorporated into an existing GRC program, this tactical tool helps companies understand and evaluate key risk scenarios so stakeholders can make informed decisions and determine the financial impact of potential risks on an organization.
The Open FAIR model: Supporting risk quantification
Risk quantification ranks and prioritizes risks according to the size of potential loss guided, in part, by models such as the Open FAIR (Factor Analysis of Information Risk) model. Developed with cyber security or risk use cases in mind, the Open FAIR model is used in risk quantification to determine threats and asset vulnerabilities within an organization.
Within the model, companies scope down to a particular scenario rather than attempting to quantify all risks at once organization-wide (which would quickly become overwhelming). This strategy takes a more granular approach — quantifying risk exposure to a hacker attempting a data breach resulting in the exposure of personally identifiable information (PII), for example.
To start with risk quantification, companies input historical information about risk: items like past vulnerabilities or events expected to occur within a given year. Different levels within the FAIR model drill down further to derive the information. It allows for uncertainty other formulas don’t, enabling GRC pros to enter a range of risk and their confidence level of it occurring. By presenting the information in a shared language of dollars and cents — terms understood by company executives and boards — it becomes easier to quantify and understand the potential risk.
A shared language brings clarity organization wide
How do risk professionals quantify risk? Using dollars and cents. Taking the information gathered in the Open FAIR model simulations, risk quantification further breaks down primary and secondary losses into six different types for each loss, allowing the organization to determine how best to categorize them.
CISOs and other risk professionals can consider data points from the market, their data and additional available information. They can classify each type of data they’re inputting as high or low confidence. Primary loss equals anything that’s a direct loss to the company due to a specific event. Secondary loss includes something which may or may not occur (or not occur immediately), like reputational damage or potential lost revenue.
Risk quantification also enables risk professionals to communicate risk to leaders and other stakeholders in a shared language everyone understands: dollars and cents. Quantifying risk in financial terms enables organizations to assess where their biggest loss exposures may be, conduct cost-benefit analyses for those initiatives designed to improve risk activities, and prioritize those risk mitigation activities based on their impact to the business.
Wondering how to make the most out of risk quantification data? Find a GRC platform where risk quantification integrates with your other risk information to keep everything in one place. This holistic approach:
- Provides an overview of company-wide risk
- Offers clear visibility into how connections are in play with each other
- Gives an in-depth risk analysis
Tips for introducing risk quantification into your company
As companies continue growing and driving efficiency, migrating to cloud storage and remote access, outsourcing and working with vendors, their risk exposure increases. Risk quantification helps companies identify, prepare for, and mitigate cyber risk. While it may feel overwhelming to navigate, especially in the beginning, the following best practices help risk quantification’s implementation go more smoothly.
To mitigate cyber risk successfully requires multiple steps:
- Completing a threat assessment to identify applications and databases open to risk, understanding how a risk event might impact your organization, and quantifying those financial, operational and reputational impacts
- Defining your company’s risk appetite, building a framework to rate those risks, and communicating company-wide your plans to prioritize risks
- Investing in the technology to simplify risk reporting and compliance and support transparency by providing a single, organization-wide view of risk
- Committing to regular, ongoing training to keep abreast of technology and legislative, regulatory and requirement changes
Most practitioners recommend a tactical approach. Companies pick their top three to five issues or areas where they’re struggling to decide as a starting point. From there, they dig deeper and analyze their GRC processes to identify where and how risk quantification can prove beneficial.
1. Knowing when a GRC program is ready to leverage risk quantification
Evaluate your GRC program’s current status and know where its processes stand concerning maturity and coverage. Consider the following questions:
- Has your organization established responsibilities and roles for cybersecurity, data security and privacy?
- Have you identified, documented, and maintained compliance with the data protection/privacy regulations and rules relevant to your business? (And is the documentation up to date?)
- When did you last conduct a risk assessment — and how frequently do those risk assessments occur?
- Did you mitigate findings and identified risks — and are any risks still outstanding and needing attention?
- Do you follow any information security control frameworks such as NIST CSF or ISO 27001?
2. Find a partner able to help organize, prioritize, and quantify risks using a model like FAIR
The right partner can advise — and set you up with — an appropriate cybersecurity and privacy management framework designed to support your company’s GRC Program. The best frameworks help establish priorities and balance decisions. These frameworks are:
- Well-vetted, continuously updated, and flexible
- Designed to guide organizations to make decisions based on cyber/data risk and compliance risk
3. Connect quantitative data to qualitative insights for better reporting
By collecting and linking qualitative and quantitative data, you can evaluate, rank, and describe risk events relying not just on “high/medium/low” terms but in concrete dollars and cents. The quantitative element offers additional advantages like helping companies determine the size of cost and any mitigations, prioritize risks relative to other risks, and calculate potential impact. Quantitative data alerts companies to risk and provides the “why,” with more nuanced information, communicated in language everyone in the organization understands.
More and more companies have realized the value of risk quantification – when done right. Its tactical implementation is the tricky part. The GRC industry still lacks a standard methodology for its implementation; however, the FAIR model is the most widely accepted option currently in use.
For full benefits, companies need an understanding of:
- What model they plan to use
- Why they’ve chosen it
- The outcomes it’s expected to generate
- The data required to feed into the model
Companies starting to add risk quantification to their GRC programs should start small and grow. If 100 risks currently live on the risk register, don’t quantify them all at once. Start with the top five and work into the others. Don’t simply rely on a tool spitting out numbers without explaining how it arrived at this number.
A good risk program with integrated risk quantification capabilities helps organizations better than strategies requiring GRC professionals to manage point solutions or data living in unwieldy spreadsheets. This holistic, connected approach offers insight to prioritizing risks and deciding how to mitigate them.
Open FAIR is a trademark of The Open Group in the United States and other countries.