Context is King
“Context is king”, or put another way, measurement without context lacks meaning. And while we here at RiskLens are all about measuring risk through quantification, we are also all about meaningful measurements; measurements that support business decisions and defined objectives. So in this RiskLens In-Depth look at our risk quantification platform, I’ll be sharing how our platform not only provides the means to measure risk; it also supports meaningful context to examine, prioritize, and ultimately support risk management decisions and objectives.
From a practical standpoint, there are two types of metrics you can use within our platform: Metrics for Key Risk Indicators (KRI’s) and those for Key Performance Indicators (KPI’s). For this article, I’ll be focusing on KRI’s, since these largely deal with loss exposure (though our platform does support various KPI’s, which I’ll save for a future article.)
Quantification of Loss Exposure
From a Factor Analysis of Information Risk worldview, the primary measurement of risk is loss exposure. To account for uncertainty, loss exposure is displayed as a distribution. In the example below, the aggregate loss exposure for a group of related scenarios is shown.
[Figure 1. For the first time the organization's risk has been measured but is it acceptable?]
From the table and chart, you can quickly tell that the average aggregate loss exposure is $30.8 million, ranging from the 10th percentile of $19.9 million all the way to a 90th percentile of $42.7 million. By itself, this is valuable information, but begs the question, "Is it an acceptable level of loss exposure?"
“Is this an acceptable level of loss exposure? Do we have too much?
Too little? How much risk should we accept?”
Introducing Risk Appetite
That’s where the Risk Appetite metric comes in. Whether you call it “Risk Appetite”, “Risk Tolerance”, “Dictated Risk Threshold”, or simply an “Acceptable Level of Loss Exposure”, risk appetite can simply be considered the line drawn in the sand, which the organization has agreed upon, as an acceptable level of loss exposure for our organization overall, a specific line of business or a department. Once this line in the sand is drawn, business context is available when studying loss exposure to assist in making risk informed decisions.
[Figure 2. The businesses decision on acceptable levels of risk adds context to the risk landscape. In this case the average loss exposure is $5.8 million above the accepted risk appetite.]
Enabling Cyber Risk Governance
The next step in using a risk appetite statement is deciding what it should be compared to. It can be compared against the aggregate average loss exposure or percentiles; all the way to the 95th percentile for those who are exceptionally risk adverse. Again, this is a decision management has to make, but when coupled with a solid snapshot of your current risk posture, a decision can be made that is driven by the organization’s expectations.
From this single snapshot, you can now continue to measure loss exposure over time and thus measure your progress of managing your organization's risk over time. This can also be extended into the future by projecting expected loss exposure (e.g. forecasting, taking into account information security projects, increased visibility, and tracking and management of key performance indicators). More on these in a subsequent article.
[Figure 3. The organizations progress towards an acceptable level of risk.]
There are, of course, other forms of risk appetite that are useful in risk decision management. Using risk appetite to guide acceptable loss exposure for forms of loss or even more granular at the asset class can greatly increase your ability to manage risk and may be where some prefer to start.
These “closer to home” risk appetite metrics are also supported by the RiskLens platform and will be the subject of a future article.