It’s commonly accepted within the FAIR community that risk assessments should not sit on the shelf and collect dust; they should drive a decision or action. That’s only part of the story. In reality, some assessments should sit on the shelf and collect dust.
I like to read about business and entrepreneurship. Among the sea of fantastic blogs and books out there, Michael Hyatt's, " How To Ensure You Never Have Another Terrible Meeting," stuck out to me. Hyatt draws from Cameron Herold’s book Meetings Suck. I immediately added the book to my own list (you should too). Upon reading the section on meeting styles, it dawned on me that risk assessments are similar in purpose.
Think about the meetings we hold to communicate risk…
The three primary styles Herold identifies are:
- Information sharing
- Creative discussion
- Consensus decision
If we are honest with ourselves, as FAIR analysts, we should recognize that risk assessments share these styles as purpose. The meetings we hold to communicate risk are not always about driving a decision – at least, not immediately.
Share information about risk
Most board presentations regarding risk are about communicating the lagging metric of how much risk we have today. The board weighs in on how much risk the company can tolerate, mostly from a guidance level. More often, they ask questions pertaining to our approach to reducing risk or our opportunities to take on more risk. In truth, the strategy and execution happens outside of the board's purview. Enterprise and Top 10 assessments are prime examples of risk assessments tailored towards information sharing.
Drive creative discussion on risks
The second purpose for an assessment revolves around discussion. Usually, these sorts of assessments highlight something happening in the risk landscape, such as:
- Emerging threats
- New technologies
- New attack vectors
- Process improvements
It is common to conduct a risk assessment of an emerging threat – such as a new malware strain – to paint a picture of how the threat may effect our risk. We leverage these assessments to spark creativity around treatment options. However, they do not commonly result in any decision being made, aside from agreement to learn and perform more analyses.
Support decisions
This is the bread and butter of quantitative risk assessments, such as those performed with RiskLens' cyber risk quantification platform. We are invoking this purpose for our risk assessment whenever we build a business case for process improvements, staffing decisions, or technology purchases. Any proponent of FAIR will tell you risk assessments should be used for this purpose. It’s here where I say: ‘Nay Nay’. FAIR assessments performed with RiskLens are suitable for any of these purposes; not just driving decisions.
Last and least….
There is one final purpose for risk assessments: to satisfy a regulatory requirement. This purpose is the ugly side of the job. Sometimes it is true that we have to perform risk assessments over a problem space that does not make obvious business sense. We may even have a requirement to use a bogus methodology. It is in these cases that the purpose of the assessment is simply to reach completion, often to be placed on the shelf and collect dust until the next assessment period. On occasion, the assessment process may uncover a nugget of wisdom useful elsewhere, yet, the result itself cannot inform, drive discussion, or action.
And the winner is: decision support!
Overwhelmingly, risk assessments performed on the RiskLens platform are leveraged to make a decision. In this way, RiskLens maximizes the value to the business of the assessments. There is truth to power in the notion that risk assessments should drive decision and action. However, that is not to say these are the only uses for assessments.
If we only make decisions on business cases without also sharing other informative analyses, we may miss the strategic movement visible in lagging indicators. Likewise, if we only look at the big picture via lagging risk indicators, we will ignore lead indicators such as ROI-oriented assessments.