Blog

Communicating Risk Beyond GRC

by Tim Wynkoop
January 31, 2017

There is some rumbling within the risk analysis industry regarding a shift from a Governance, Risk and Compliance (GRC) approach to more of an Integrated Risk Management (IRM) approach. The crux of the issue with a GRC-approach – the way is has been practiced so far – is the narrow mindset and focus on control/compliance objectives. IRM provides a renewed focus on risk with a priority on providing intelligence for decision-making and performance to business executives.

How to Communicate Risk Better

When beginning to develop a risk management program with the attributes associated with IRM, the need to communicate risk in business terms becomes the most important aspect. Right away, the question “Where do we get started?” arises.

Answer: Factor Analysis of Information Risk (FAIR), an industry standard used by many organizations to quantify risk in financial terms for over a decade.
The value from FAIR as the foundation of your risk management program includes:

  1. A common set of language on risk
    If we aren’t using terminology consistently within the risk team and in the reports we provide to the business, the effectiveness of our communication is limited by default.
  2. A standard model for decomposing and measuring risk
    This enables a more data-driven (objective) analysis rather than the common subjective (opinion/feeling) approach to risk management, which will increase the the credibility of your work.
  3. Results expressed in financial terms (dollars & cents)
    It is critical to provide a narrative of how risk affects the business because not everyone within your organization is a cybersecurity or a risk expert, especially at the business and board of director levels.

Want to investigate this a bit more? Check out FAIR-on-a-Page to see the model and its associated terminology. Listen to my colleague Chad Weinman provide a live description of the model. Then be sure to check out the case studies from the RiskLens cyber risk quantification application to see examples of improved communication of cybersecurity risk.

 

Recent Posts
February 20, 2020
Announcing the RiskLens FAIR Enterprise Model™, Standardized Best Practices for Enterprise-wide Adoption of FAIR™
February 18, 2020
RiskLens’ Jack Freund Tells AICPA Magazine How CFOs and CISOs Can Connect on Cyber Risk
February 17, 2020
RiskLens Named in Gartner “Competitive Landscape: Integrated Risk Management” (IRM) Report
Sign Up for Blog Updates