A question that we often see new RiskLens customers struggle with is, “Where do we start analyzing risk?” The possibilities seem endless.
It’s a good problem to have. But how do you choose?
Is it based on the likelihood of having good data? Which department is easiest to work with? Who screams the loudest?
And who decides?
The CISO or the person with similar responsibilities sets direction for the underlying team. Since this person is ultimately responsible for the purchase of RiskLens, he or she drives the strategic objectives and goals of the quantitative risk program.
From there, either the CISO or direct reports determine the plan to achieve these objectives. The plan specifies the people and processes that will be included in the scope of the first through nth round of implementation.
Starting a Quantitative Risk Management Program
From our experience, successful clients choose one of these four risk analyses to start:
1. Cost-Benefit Analysis of Risk Mitigation Projects
2. Top Risk Reporting to C-Levels and the Board
3. Populating a Risk Register
4. Treatment of Audit Findings
Risk Program Expansion
As the initial quantitative risk analysis project is refined and successfully employed, efforts to expand the program within the organization begin. Often, we see other departments inquiring about these new quantitative results and asking how they can do the same for their area. As a result, the second round of implementation may very well be chosen based on the loudest squeak. Otherwise, additional options include the following:
5. Cost-Benefit Analysis of Existing Operations Focusing on Technology, Process and People
6. Trending Top Risks over Time
7. Cyber Insurance
Tip: It’s OK to start small.
The risk analysis team will need time to get used to the new process. The people receiving risk analysis results in dollars and cents will need time and education to get used to seeing the information in this way and making decisions based on it. Once it catches on, though, have your plan for rapid expansion ready.