There is a theme to the questions executives ask about risk assessment results. They can be summarized in two questions:
- As compared to what?
- How do you know that?
As risk practitioners, we should anticipate these questions and proactively provide defensible answers. Doing so will result in improved conversations with executives that increase trust in our findings. In this post, we will explore the first question. We will tackle the second question in a follow-up post.
A systematic approach to risk management
Before moving forward, let’s review risk management as a system. Every organization should share the same goal of enabling cost-effective risk management (figure 1).
Risk practitioners can support this goal by conducting assessments using a sound risk model such as Factor Analysis of Information Risk (FAIR).
Chapter 12 of the award-winning book Measuring and Managing Information Risk: A FAIR Approach describes how a systematic approach to risk management (figure 2) requires assessing:
- How much risk we have.
  - This is where the FAIR risk model allows us to consistently factor threats, assets, controls on assets, and impact into our quantitative risk assessments.
- The maturity of our organization's risk management practices.
  - This helps us understand how we arrived at the amount of risk we have today. In other words, how much risk we have today is a product of the decisions we made regarding security policies, processes and technologies, and of how well we are executing against them.
Understanding this system helps risk practitioners understand why decision makers ask questions such as:
- Is option A the best investment for reducing our risk?
- Did we reduce risk to an acceptable level?
- How will other options reduce our risk?
These decision-related questions are variations of the economic question 'as compared to what?'.
Ask the economic question
I call this the ‘economic question’ because it’s a mode of thinking for economists. There is a difference between knowing about economics and knowing economics. Economists remember to ask: “as compared to what?” Risk practitioners share this burden. Economists possess an inherent need to ask and answer the question. Risk practitioners must consider it because of downward pressure from decision makers, as part of the risk management system. How we approach measuring risk must ensure we can answer the question: “as compared to what?” FAIR does this well because it allows for a natural comparison of risks within the same context.
Providing value to the business by answering the economic question
Let’s consider a common operational risk: failing to follow hardware and software licensing requirements. Enterprises run the risk of using licenses improperly. Product providers regularly audit their customers to ensure compliance with license terms. The cost of those audits may include purchasing new licenses. Further costs may be fines and penalties for non-compliance.
One way to treat this risk is to buy a new product designed to centralize management of license use. Using FAIR, we can quantify the current risk and compare it to the residual risk following the implementation of such a solution. The resulting comparison can help an executive decide whether it would be best to stay put or purchase that solution. This is the kind of cost-effective decision that we should enable as risk analysts.
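The licensing comparison described above, worked through in code as an added example (it is not from the original post or from the FAIR standard itself). It uses only the top of the FAIR ontology (risk = loss event frequency × loss magnitude, with loss event frequency = threat event frequency × vulnerability), samples each factor from a triangular distribution as a stand-in for the PERT calibration FAIR normally uses, and treats the factors as independent. Every number in the two scenarios and the annual cost of the license manager is constructed for illustration, not drawn from a real assessment.

```python
"""Added example: 'as compared to what?' for the licensing scenario.
Simplified FAIR structure; all estimates below are constructed."""
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Scenario:
    """One risk scenario, each factor as a (minimum, most likely, maximum) estimate."""
    name: str
    tef: tuple             # threat event frequency: vendor audits per year
    vulnerability: tuple   # probability an audit turns into a loss event (non-compliance found)
    loss_magnitude: tuple  # loss per loss event in USD (true-up licenses, fines, penalties)


def _tri_mean(t):
    # Mean of a triangular(lo, mode, hi) distribution is (lo + mode + hi) / 3.
    return sum(t) / 3


def expected_annual_loss(s: Scenario) -> float:
    """Closed-form expected annualized loss.

    risk = LEF x LM and LEF = TEF x Vulnerability; with independent factors the
    mean of the product is the product of the means.
    """
    return _tri_mean(s.tef) * _tri_mean(s.vulnerability) * _tri_mean(s.loss_magnitude)


def simulate_annual_loss(s: Scenario, iterations: int = 20_000, seed: int = 7) -> list:
    """Monte Carlo samples of annualized loss exposure for one scenario."""
    rng = random.Random(seed)

    def draw(t):
        # random.triangular takes (low, high, mode); our tuples are (low, mode, high).
        return rng.triangular(t[0], t[2], t[1])

    samples = []
    for _ in range(iterations):
        lef = draw(s.tef) * draw(s.vulnerability)   # loss events per year
        samples.append(lef * draw(s.loss_magnitude))  # annualized loss, USD
    return samples


def summarize(samples: list) -> dict:
    """Mean plus the 10th and 90th percentiles, the range an executive usually asks for."""
    q = quantiles(samples, n=10)  # nine cut points: q[0] is P10, q[8] is P90
    return {"mean": mean(samples), "p10": q[0], "p90": q[8]}


def compare(current: Scenario, residual: Scenario, annual_solution_cost: float) -> dict:
    """Risk today versus risk after the control, net of what the control costs per year."""
    now = summarize(simulate_annual_loss(current))
    after = summarize(simulate_annual_loss(residual))
    reduction = now["mean"] - after["mean"]
    return {
        "current_mean": now["mean"],
        "current_p90": now["p90"],
        "residual_mean": after["mean"],
        "residual_p90": after["p90"],
        "risk_reduction": reduction,
        "net_annual_benefit": reduction - annual_solution_cost,
        "worth_it": reduction > annual_solution_cost,
    }


# Constructed estimates for the licensing example; not calibrated data.
CURRENT = Scenario(
    "licensing, no central management",
    tef=(2, 4, 6),                        # audits per year
    vulnerability=(0.3, 0.5, 0.7),        # audits that find gaps, no single source of truth
    loss_magnitude=(50_000, 200_000, 500_000),
)
RESIDUAL = Scenario(
    "licensing, with license manager",
    tef=(2, 4, 6),                        # audit frequency is outside our control, unchanged
    vulnerability=(0.05, 0.10, 0.15),     # central inventory catches most over-deployment
    loss_magnitude=(50_000, 100_000, 150_000),  # remaining gaps are smaller and found early
)
LICENSE_MANAGER_COST = 150_000  # assumed annual cost of the solution, USD

if __name__ == "__main__":
    for s in (CURRENT, RESIDUAL):
        print(f"{s.name}: expected ${expected_annual_loss(s):,.0f}/yr")
    result = compare(CURRENT, RESIDUAL, LICENSE_MANAGER_COST)
    for key, value in result.items():
        print(f"{key:>20}: {value:,.0f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

The closed-form `expected_annual_loss` is there to sanity-check the simulation: with these constructed inputs it gives $500,000 per year today and $40,000 per year with the license manager, so the Monte Carlo means should land close to those figures. The decision output is the comparison the executive actually asked for: expected reduction in annualized loss set against the solution's annual cost, with the P90 values showing how much of the tail the control removes. Swapping in real calibrated estimates and a PERT distribution changes the numbers, not the structure of the answer.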
Consider adopting a systematic approach to risk management as described above, so you can address any question that sounds like “as compared to what?” with confidence and enable effective decision-making in your organization.
To see more examples of cost-effective decision analysis, take a look at our case studies.