There is some rumbling within the risk analysis industry regarding a shift from a Governance, Risk and Compliance (GRC) approach to more of an Integrated Risk Management (IRM) approach. The crux of the issue with a GRC approach – the way it has been practiced so far – is its narrow mindset and focus on control/compliance objectives. IRM provides a renewed focus on risk, with a priority on providing intelligence for decision-making and performance to business executives.
How to Communicate Risk Better
When beginning to develop a risk management program with the attributes associated with IRM, the need to communicate risk in business terms becomes the most important aspect. Right away, the question “Where do we get started?” arises.
Answer: Factor Analysis of Information Risk (FAIR), an industry standard used by many organizations to quantify risk in financial terms for over a decade.
The value from FAIR as the foundation of your risk management program includes:
Want to investigate this a bit more? Check out FAIR-on-a-Page to see the model and its associated terminology. Listen to my colleague Chad Weinman provide a live description of the model. Then be sure to check out the case studies from the RiskLens cyber risk quantification application to see examples of improved communication of cybersecurity risk.