Blog

Communicating Risk Beyond GRC

by Tim Wynkoop
January 31, 2017

There is some rumbling within the risk analysis industry regarding a shift from a Governance, Risk and Compliance (GRC) approach to more of an Integrated Risk Management (IRM) approach. The crux of the issue with a GRC-approach – the way is has been practiced so far – is the narrow mindset and focus on control/compliance objectives. IRM provides a renewed focus on risk with a priority on providing intelligence for decision-making and performance to business executives.

How to Communicate Risk Better

When beginning to develop a risk management program with the attributes associated with IRM, the need to communicate risk in business terms becomes the most important aspect. Right away, the question “Where do we get started?” arises.

Answer: Factor Analysis of Information Risk (FAIR), an industry standard used by many organizations to quantify risk in financial terms for over a decade.
The value from FAIR as the foundation of your risk management program includes:

  1. A common set of language on risk
    If we aren’t using terminology consistently within the risk team and in the reports we provide to the business, the effectiveness of our communication is limited by default.
  2. A standard model for decomposing and measuring risk
    This enables a more data-driven (objective) analysis rather than the common subjective (opinion/feeling) approach to risk management, which will increase the the credibility of your work.
  3. Results expressed in financial terms (dollars & cents)
    It is critical to provide a narrative of how risk affects the business because not everyone within your organization is a cybersecurity or a risk expert, especially at the business and board of director levels.

Want to investigate this a bit more? Check out FAIR-on-a-Page to see the model and its associated terminology. Listen to my colleague Chad Weinman provide a live description of the model. Then be sure to check out the case studies from the RiskLens cyber risk quantification application to see examples of improved communication of cybersecurity risk.

 

Recent Posts
January 05, 2021
4 Ways RiskLens Clients Will Drive Success in 2021 with Quantitative Cyber Risk Management Programs
December 28, 2020
Most Popular RiskLens Blog Post Topics of 2020 Covered Adapting to COVID, Improving on Security Frameworks, Board and C-suite Communication and More
December 21, 2020
Boards Ask, ‘What’s Our Risk from the SolarWinds Hack?’ FAIR Risk Analysis Helps You Answer Confidently
Sign Up for Blog Updates