The RiskLens Customer Success team recently updated its guidance document for operationalizing quantitative risk analysis (we call it the OQRA blueprint). It’s a compilation of lessons we’ve learned alongside our clients to ensure both short-term success with implementing quantified risk assessment and long-term program sustainability. We added a new, modular focus for adopting FAIR and implementing the RiskLens software that includes both individual workshops for targeted projects and more comprehensive implementations made up of combinations of workshops. Each workshop is a defined scope of work that requires multiple participants, has a set of tasks and has an expected outcome.
To explain, let’s look at a combination of workshops in order to Implement a New Quantitative Risk Assessment Program – also known as the top-down or start-from-scratch method of identifying risks.
Implementing a new quantitative risk assessment program starts with Foundational Activities that are mandatory and are broken out to fully explain the intent of the work and its role in long-term success. The four foundational activities are:
1. Define Strategic Objectives and Desired Outcomes
C-Level executives and risk management stakeholders decide on and document short and long-term tactical and strategic objectives for their new quantitative risk assessment program.
2. FAIR Education for Executives and Risk Committees
Since FAIR is a new way of communicating about risk in terms of financial loss exposure, it’s critical that senior security and risk executives and business stakeholders get some formal training in the FAIR model and its applications.
3. FAIR Training and Certification for Risk Analysts and Practitioners
Hands-on staff should be thoroughly trained in FAIR methods by FAIR-certified instructors and ideally should themselves go for FAIR certification.
4. RiskLens Platform Onboarding
RiskLens risk consultants help configure the RiskLens platform to your specific business requirements and ensure that your analysts are fully capable of conducting quantitative risk analysis.
The following workshops are all scopes of work that can be accomplished with RiskLens Professional Services facilitation or with your own team resources.
Top Risk Identification
The first individual workshop is to identify your top enterprise risks. There are multiple ways to accomplish this, all of which involve facilitation or participation by your risk executive. One method is to start with your company’s strategic business goals; identify the processes that directly support those goals; identify and understand the assets that support those processes; and identify the threats against those assets. Ideally, your assets and their profiles are already documented, making this process a little easier.
A second method is described in one of my all-time favorite blog series by Jack Jones: Best Approach to Prioritizing Risks – Part 1. Parts 4 and 5 get into the meat of the method and provide step by step instruction on sorting your risks at a high level on a spreadsheet.
While top risk identification isn’t for the faint of heart, you have to start somewhere, so start. The resulting top risk list can be, and will be, modified along the way.
Top Risk Analysis
With the list of top risk scenarios in hand, the second individual workshop is about quantifying the financial loss exposure (risk) related to each. If your risk analysts do not have experience doing this, get help from your RiskLens Professional Services consultants either during your monthly touchpoint calls or through a dedicated engagement.
Once your risk analysts learn how to scope scenarios, collect data, run and QA quantitative analyses and communicate results, they are set for the long term. Tactical level scenario scoping will be a breeze after scoping these strategic risks.
The results of this step include quantitative results, in financial terms, for your top risks so that they may be prioritized and socialized. Now your risk leadership knows what matters the most and can start thinking about the most effective way to allocate resources.
With your list of top risk scenarios, the third individual workshop helps to determine how to best mitigate each of these risks. For some analyses, top risk sensitivity analysis can help focus your attention on the most impactful mitigation solution areas. For instance, the sensitivity results for an analysis may show that improving your network defenses reduces annualized loss exposure the most, or perhaps improving your incident response processes and procedures is the better option.
This is not a mandatory step and it requires the RiskLens Cyber Risk Quantification Stress Test module. As your security environment improves and the obvious gaps are filled, sensitivity analysis may help you identify how you can get the most impact (reduce loss exposure) for your investment.
Prioritization of Risk Mitigation Projects
While sensitivity analysis, or your technology team, identifies the focus area for mitigation solutions, often more than one solution can satisfy the gap. For instance, if sensitive data is being exposed by non-malicious insiders, do you need a complete DLP solution or will an email filter provide the better return on risk?
This individual workshop helps you to evaluate your mitigation projects by scoping, collecting data, and running and QA-ing the analysis for each mitigation project option. The resulting graph compares the current state versus the estimated future state of each option, allowing you to easily see which has the most impact on your risk exposure.
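The quantification described in the Top Risk Analysis workshop and the current-state versus future-state comparison in this workshop can both be illustrated with a small Monte Carlo model. The following is an added example, not RiskLens platform code or FAIR Institute material; it uses the basic FAIR structure (loss event frequency times loss magnitude) with constructed min/most-likely/max estimates for the insider data-exposure scenario above, and the control costs and ranges are illustrative assumptions only.

```python
import math
import random
import statistics

# Constructed estimates for the insider data-exposure example; all numbers are illustrative
# placeholders. Each option carries (min, most likely, max) ranges for loss event frequency
# (events/year) and per-event loss magnitude (USD), plus an assumed annual control cost.
OPTIONS = {
    "current state": {"freq": (2, 6, 12), "mag": (20_000, 80_000, 400_000), "cost": 0},
    "email filter":  {"freq": (1, 3, 6), "mag": (20_000, 80_000, 400_000), "cost": 30_000},
    "full DLP":      {"freq": (0.2, 1, 3), "mag": (10_000, 50_000, 250_000), "cost": 250_000},
}

def pert_sample(rng, low, mode, high, lam=4.0):
    """One draw from a modified PERT distribution over a min/most-likely/max estimate."""
    if high == low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)

def poisson_sample(rng, rate):
    """Number of loss events in one simulated year for an expected rate (Knuth's method)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1

def simulate_ale(freq, mag, iterations=10_000, seed=7):
    """Monte Carlo annualized loss exposure: sum per-event losses for each simulated year."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    years = []
    for _ in range(iterations):
        rate = pert_sample(rng, *freq)
        losses = [pert_sample(rng, *mag) for _ in range(poisson_sample(rng, rate))]
        years.append(sum(losses))
    years.sort()
    return {"mean": statistics.fmean(years), "p90": years[int(0.9 * len(years))]}

def compare_options(options=OPTIONS):
    """ALE per option and the reduction in mean ALE per dollar of annual control spend."""
    results = {name: simulate_ale(o["freq"], o["mag"]) for name, o in options.items()}
    baseline = results["current state"]["mean"]
    for name, o in options.items():
        reduction = baseline - results[name]["mean"]
        results[name]["reduction_per_dollar"] = reduction / o["cost"] if o["cost"] else 0.0
    return results
```

Calling `compare_options()` returns the mean and 90th-percentile annual loss for each option alongside the loss reduction per dollar spent, which is the comparison the workshop graph presents.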
The workshops to Implement a new Quantitative Risk Assessment Program described above are just a few examples taken from a larger list contained in the updated OQRA blueprint. The intent of the blueprint is to help you identify scopes of work pertinent to your environment that will lead to the successful adoption of FAIR and implementation of quantitative risk analysis. We encourage you to contact us with any questions or comments. We look forward to working with you!