The quality of your risk analysis matters. Establishing a consistent and efficient process for performing QA on an analysis should be treated as a requirement.
If that process takes five minutes or less, there is no excuse for not reviewing each and every quantitative risk analysis built with FAIR. In this post, I will walk you through the process each of our risk consultants uses to review their own FAIR analyses.
Step 1: Look at Aggregate Loss Exposure
Do the minimum, average, and maximum look reasonable? At the aggregate level it is often hard to pinpoint a specific issue, so we look for "surprises": numbers that are far above or below what we expected.
Step 2: Navigate to the RiskLens platform scenario explorer
The scenario explorer shows the summary results of every independently analyzed scenario. The scenarios with the largest and the smallest average exposure should both seem reasonable.
Step 3: Click into those scenarios with the largest and smallest average exposure
Both the derived Loss Event Frequency (LEF) and the single-event Loss Magnitude (LM) should appear reasonable. LEF is derived from the Threat Event Frequency and the vulnerability percentage, so an odd LEF usually traces back to one of those two inputs.
Step 4: If LEF appears suspiciously high, check the vulnerability percentage as well as the Threat Event Frequency (TEF)
One of those inputs may need to be refined. If the single-event LM appears suspiciously high or low, check the loss factor workshop questions (sensitive records, outage duration, etc.).
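The four steps above, collapsed into a small self-check script, as an added example that is not part of the original post or of the RiskLens platform. It uses point estimates (LEF = TEF x vulnerability, exposure = LEF x LM) rather than the platform's Monte Carlo simulation, and the scenario names, numbers and the "suspicious" ceilings are constructed assumptions; one scenario has its vulnerability entered as 85 instead of 0.85, the kind of input error this review is meant to catch.

```python
from dataclasses import dataclass

# Constructed sample input; names and values are illustrative, not from the post.
@dataclass
class Scenario:
    name: str
    tef: float    # Threat Event Frequency, events per year
    vuln: float   # probability a threat event becomes a loss event (0..1)
    lm: float     # single-event Loss Magnitude, dollars

def derived_lef(s: Scenario) -> float:
    """Loss Event Frequency = TEF x vulnerability (point estimates)."""
    return s.tef * s.vuln

def annualized_exposure(s: Scenario) -> float:
    """Annualized loss exposure = LEF x single-event LM."""
    return derived_lef(s) * s.lm

def aggregate_exposure(scenarios) -> float:
    """Step 1: the aggregate figure the reviewer eyeballs first."""
    return sum(annualized_exposure(s) for s in scenarios)

def qa_review(scenarios, lef_ceiling=52.0, lm_ceiling=10_000_000.0) -> dict:
    """Steps 2-4: rank scenarios, then for the largest and smallest
    point the reviewer at the input most likely to need refinement.
    The ceilings are assumed review thresholds, not FAIR constants."""
    ranked = sorted(scenarios, key=annualized_exposure)
    flags = {}
    for s in (ranked[0], ranked[-1]):   # smallest and largest average exposure
        issues = []
        if not 0.0 <= s.vuln <= 1.0:
            issues.append("vulnerability must be a probability between 0 and 1")
        if derived_lef(s) > lef_ceiling:
            issues.append("LEF suspiciously high: refine TEF or vulnerability")
        if s.lm > lm_ceiling:
            issues.append("LM suspiciously high: revisit loss factor questions")
        flags[s.name] = issues
    return {"aggregate": aggregate_exposure(scenarios),
            "smallest": ranked[0].name, "largest": ranked[-1].name,
            "flags": flags}

SAMPLE = [
    Scenario("Ransomware on file server", tef=2.0, vuln=0.30, lm=750_000),
    Scenario("Lost laptop with PII", tef=12.0, vuln=0.10, lm=40_000),
    Scenario("Phishing -> wire fraud", tef=52.0, vuln=85, lm=200_000),  # 85 typed instead of 0.85
]

if __name__ == "__main__":
    print(qa_review(SAMPLE))
```

The mistyped vulnerability inflates that scenario's LEF to thousands of loss events per year and drags the aggregate into the hundreds of millions, which is exactly the "surprise" Step 1 is looking for.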
That is it!
If you perform any other kind of QA on your analyses, the customer success team would love to hear about it!