Implement risk quantification in an existing GRC program
With a myriad of risks and limited security budgets, how do organizations decide which projects to prioritize? Many governance, risk management and compliance (GRC) professionals believe that quantifying risk is the answer. Because there is no such thing as a risk-free transaction, quantifying risk is not only desirable but necessary, and it plays a part in every business decision and every type of risk.
When integrated with an existing GRC program, this tactical tool helps companies understand and assess key risk scenarios and determine the potential financial impact of those risks on the organization, so that stakeholders can make informed decisions.
The Open FAIR model: Supporting risk quantification
Risk quantification classifies and prioritizes risks by the significance of their potential losses, guided in part by models such as Open FAIR (Factor Analysis of Information Risk). Developed with cybersecurity and operational risk use cases in mind, the Open FAIR model breaks a risk down into how often a loss event is likely to occur (driven by the threats an asset faces and how vulnerable it is to them) and how large the resulting loss is likely to be.
Under the model, companies restrict themselves to one scenario at a time rather than trying to quantify every risk across the organization at once (which would quickly become overwhelming). This is a more granular approach: quantifying, for example, the risk exposure from an attacker attempting a data breach that results in the exposure of Personally Identifiable Information (PII).
To start quantifying a scenario, companies enter what they know about it: historical information such as past vulnerabilities and incidents, and the number of threat events expected in a given year. Lower levels of the FAIR model decompose these inputs further. Unlike single-point formulas, the model allows for uncertainty: GRC professionals enter each factor as a range together with their level of confidence in it, and simulation turns those ranges into a distribution of outcomes. Because the results are presented in dollars and cents, terms understood by company executives and boards of directors, potential risk becomes easier to quantify and to understand.
Shared language brings clarity to the entire organization
How do risk professionals quantify risk? In dollars and cents. Using the information gathered for the Open FAIR model simulations, risk quantification breaks each primary and secondary loss down into six forms of loss (productivity, response, replacement, fines and judgments, competitive advantage, and reputation), which lets the organization decide how best to categorize them.
CISOs and other risk professionals can draw on market data, their own data and any other information available, and classify each input they enter as high or low confidence. Primary loss is any direct loss to the business caused by a specific event. Secondary loss covers consequences that may or may not follow (or may not follow immediately), such as damage to reputation or lost income.
Quantifying risk also allows risk professionals to communicate risk to executives and other stakeholders in a common language everyone understands: dollars and cents. Expressing risk in financial terms lets organizations see where their greatest loss exposures lie, run cost-benefit analyses of initiatives intended to reduce risky activities, and prioritize those mitigation activities according to their impact on the business.
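As an added illustration (not code from the article or from The Open Group), here is a Python Monte Carlo model of the single PII-breach scenario described above, showing how the ranges, confidence flags and primary/secondary loss forms discussed in the last few paragraphs turn into a dollar figure. It follows the FAIR decomposition: loss event frequency is threat event frequency times vulnerability, and each loss event carries primary loss plus, with some probability, secondary loss, every amount tagged with one of FAIR's six forms of loss. The distribution choice (a modified PERT curve, with "high" confidence mapped to a narrower curve), the scenario name and every numeric range are assumptions made for this example and must be replaced with your own calibrated estimates.

```python
"""Monte Carlo estimate of one Open FAIR scenario (added illustration; all
input ranges are constructed placeholders, not data from the article)."""
import math
import random
from dataclasses import dataclass
from statistics import mean, median, quantiles

# FAIR's six forms of loss; each primary or secondary loss is tagged with one.
LOSS_FORMS = ("productivity", "response", "replacement",
              "fines_judgments", "competitive_advantage", "reputation")


@dataclass(frozen=True)
class Estimate:
    low: float                # calibrated range entered by the analyst
    most_likely: float
    high: float
    confidence: str = "low"   # "high" concentrates samples around most_likely

    def sample(self, rng: random.Random) -> float:
        # Modified-PERT (beta) draw; a larger shape parameter for "high"
        # confidence (a narrower curve) is this example's own convention.
        if self.high == self.low:
            return self.low
        lam = 8.0 if self.confidence == "high" else 4.0
        spread = self.high - self.low
        a = 1 + lam * (self.most_likely - self.low) / spread
        b = 1 + lam * (self.high - self.most_likely) / spread
        return self.low + rng.betavariate(a, b) * spread


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Estimate      # threat events per year
    vulnerability: Estimate               # P(threat event becomes a loss event)
    primary_loss: dict                    # loss form -> dollars per loss event
    secondary_loss_probability: Estimate  # P(secondary stakeholders react)
    secondary_loss: dict                  # loss form -> dollars per loss event


def poisson(rng: random.Random, rate: float) -> int:
    """Events in one year for an annual rate (Knuth's method; small rates)."""
    if rate <= 0:
        return 0
    if rate > 100:  # exp(-rate) underflows; far beyond a single scenario
        raise ValueError("rate too large for this sampler")
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 1):
    """Return (loss per simulated year, mean annual loss per loss form)."""
    rng = random.Random(seed)
    annual, by_form = [], {form: 0.0 for form in LOSS_FORMS}
    for _ in range(trials):
        # Loss event frequency = threat event frequency x vulnerability.
        lef = (scenario.threat_event_frequency.sample(rng)
               * scenario.vulnerability.sample(rng))
        year_total = 0.0
        for _ in range(poisson(rng, lef)):
            losses = list(scenario.primary_loss.items())
            # Secondary loss only materialises if secondary stakeholders react.
            if rng.random() < scenario.secondary_loss_probability.sample(rng):
                losses += list(scenario.secondary_loss.items())
            for form, estimate in losses:
                amount = estimate.sample(rng)
                by_form[form] += amount
                year_total += amount
        annual.append(year_total)
    return annual, {form: total / trials for form, total in by_form.items()}


def summarize(annual) -> dict:
    """Annualized loss exposure: the mean plus percentiles boards ask about."""
    deciles = quantiles(annual, n=10)  # deciles[0] is p10, deciles[8] is p90
    return {"ale_mean": mean(annual), "p10": deciles[0], "p50": median(annual),
            "p90": deciles[8], "max": max(annual)}


# Constructed scenario: an external attacker exfiltrates customer PII.
PII_BREACH = Scenario(
    name="External attacker exfiltrates customer PII from the CRM database",
    threat_event_frequency=Estimate(2, 6, 20),         # attempts per year
    vulnerability=Estimate(0.02, 0.05, 0.15, "high"),   # fraction that succeed
    primary_loss={"response": Estimate(50_000, 150_000, 600_000),
                  "productivity": Estimate(10_000, 40_000, 200_000),
                  "replacement": Estimate(0, 20_000, 100_000)},
    secondary_loss_probability=Estimate(0.3, 0.6, 0.9),
    secondary_loss={"fines_judgments": Estimate(0, 250_000, 4_000_000),
                    "reputation": Estimate(50_000, 300_000, 2_000_000),
                    "competitive_advantage": Estimate(0, 50_000, 500_000)},
)

if __name__ == "__main__":
    annual, by_form = simulate(PII_BREACH)
    print(summarize(annual), max(by_form, key=by_form.get))
```

Running the file prints the annualized loss exposure (mean, p10, p50, p90 and worst simulated year) and the loss form that contributes most, which is the kind of breakdown that tells a board whether the exposure is driven by response costs or by fines and reputation. Because each input is a range rather than a single number, widening or narrowing an estimate (or flipping its confidence flag) changes the spread of the result, which is exactly the uncertainty a single-point formula hides.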
Wondering how to get the most out of risk quantification data? Find a GRC platform where risk quantification integrates with your other risk information to keep everything in one place. This holistic approach:
- Provides insight into enterprise-wide risks
- Provides clear visibility into how risks interact with each other
- Provides in-depth risk analysis
Tips for Introducing Risk Quantification in Your Business
As businesses grow and become more efficient, migrating to cloud storage and remote access, outsourcing, and working with vendors, their exposure to risk increases. Risk quantification helps companies identify, prepare for and mitigate cyber risks. While it may seem difficult to navigate, especially at first, the following good practices make risk quantification easier to implement.
To successfully mitigate cyber risk, several steps are necessary:
- Perform a threat assessment to identify applications and databases exposed to risk, understand how a risk event could affect your organization, and quantify its financial, operational and reputational impact
- Define your company’s risk appetite, create a framework to assess those risks, and communicate your plans to prioritize risks across the enterprise
- Invest in technology to simplify risk reporting and compliance and promote transparency by providing a single view of risk across the organization
- Commit to regular and continuous training to keep abreast of technological and legislative developments, regulations and requirements
Most practitioners recommend a tactical approach. As a starting point, companies choose the three to five issues or areas they are struggling to make decisions about. From there, they dig deeper into their GRC processes to identify where and how risk quantification can prove beneficial.
1. Know when a GRC program is ready to take advantage of risk quantification
Assess the current state of your GRC program and know the status of its processes regarding maturity and coverage. Consider the following questions:
- Has your organization established roles and responsibilities for cybersecurity, data security, and privacy?
- Have you identified, documented and maintained compliance with data protection / privacy regulations and rules relevant to your business? (And is the documentation up to date?)
- When was the last time you did a risk assessment and how often do these risk assessments take place?
- Have you mitigated the findings and identified risks? Are there still outstanding risks requiring special attention?
- Do you follow information security control frameworks such as NIST CSF or ISO 27001?
2. Find a partner who can help you organize, prioritize and quantify risks using a model like FAIR
The right partner can advise on, and put in place, an appropriate cybersecurity and privacy management framework designed to support your company’s GRC program. The best partners help set priorities and balance decisions. Such frameworks are:
- Well tested, continuously updated and flexible
- Risk based
- Designed to guide organizations in making decisions based on cyber / data risk and compliance risk
3. Connect quantitative data to qualitative information for better reporting
By collecting and linking qualitative and quantitative data, you can assess, rank and describe risk events not only in “high / medium / low” terms but in hard dollars and cents. The quantitative element brings additional benefits: it helps companies size potential costs and possible mitigation measures, rank risks against one another, and calculate potential impact. Quantitative data alerts businesses to risk and provides the “why”, with more nuanced information communicated in language everyone in the organization understands.
More and more companies have realized the value of quantifying risk – when done right. Its tactical implementation is the tricky part. The GRC industry still lacks a standard methodology for its implementation; however, the FAIR model is the most widely accepted option currently in use.
To reap the full benefits, businesses need to understand:
- What model they plan to use
- Why they chose it
- The expected results
- The data needed to feed the model
Companies that are starting to add risk quantification to their GRC programs should start small and grow. If 100 risks are currently in the risk register, do not quantify them all at once: start with the top five and work through the rest. And don’t simply trust a tool that produces a number without explaining how it arrived at that number.
A sound risk management program with built-in risk quantification capabilities serves organizations better than approaches that require GRC professionals to juggle point solutions or data living in unwieldy spreadsheets. This holistic, connected approach helps prioritize risks and decide how to mitigate them.
Open FAIR is a registered trademark of The Open Group in the United States and other countries.