Communicating Risk Beyond GRC

January 11, 2019  Tim Wynkoop

There is some rumbling within the risk analysis industry regarding a shift from a Governance, Risk and Compliance (GRC) approach to more of an Integrated Risk Management (IRM) approach. The crux of the issue with a GRC approach - the way it has been practiced so far - is the narrow mindset and focus on control/compliance objectives. IRM provides a renewed focus on risk, with a priority on providing intelligence for decision-making and performance to business executives.

How to Communicate Risk Better
When beginning to develop a risk management program with the attributes associated with IRM, the need to communicate risk in business terms becomes the most important aspect. Right away, the question “Where do we get started?” arises.

Answer: Factor Analysis of Information Risk (FAIR), an industry standard used by many organizations to quantify risk in financial terms for over a decade. The value from FAIR as the foundation of your risk management program includes:

  1. A common language for risk
    If we aren’t using terminology consistently within the risk team and in the reports we provide to the business, the effectiveness of our communication is limited by default.
  2. A standard model for decomposing and measuring risk
    This enables a more data-driven (objective) analysis rather than the common subjective (opinion/feeling) approach to risk management, which will increase the credibility of your work.
  3. Results expressed in financial terms (dollars & cents)
    It is critical to provide a narrative of how risk affects the business, because not everyone within your organization is a cybersecurity or risk expert, especially at the business and board of director levels.
Want to investigate this a bit more? Check out FAIR-on-a-Page to see the model and its associated terminology. Listen to my colleague Chad Weinman provide a live description of the model. Then be sure to check out the case studies from the RiskLens cyber risk quantification application to see examples of improved communication of cybersecurity risk.