Adopting FAIR risk analysis in your organization can seem like a bit of a leap of faith. While we all want a world with more rigor and defensibility baked into our risk management programs, how can you trust your teams to produce IT risk analysis that is accurate and useful when, at the end of the day, they often rely on the knowledge and expertise of their colleagues for digital risk analytics?
The first thing to note is you're not in this alone. A great analysis is one that's performed by people with great risk assessment training — the first step towards effective risk assessment is investing in your people.
Step 1: Enroll Your Team in FAIR Risk Analysis Training
Your team can receive FAIR™ risk analysis training taught by accredited trainers either live or online through the RiskLens Academy. The introductory course, FAIR Analysis Fundamentals, is great for all levels of the organization, from leadership to the subject matter experts who will be providing the estimates that feed into the RiskLens platform to generate FAIR-based analyses. It provides the knowledge necessary to learn and apply consistent risk terminology; use various measurement concepts to select scenarios for analysis and estimate risk factors using probability distributions; understand and interpret the results of a FAIR analysis; and more.
If you're looking for a little more know-how from the analysts who will be performing the FAIR analyses, the RiskLens Academy also offers the FAIR Analyst Learning Path, which is an advanced training course designed to take participants with a foundational understanding of FAIR to the next level with four advanced courses, each covering one phase of the risk analysis process.
Using the information gained from training, as well as the hands-on guidance provided by the RiskLens Professional Services team to our customers, your organization will be empowered to conduct FAIR quantitative risk analyses that enable risk-based decision making and, eventually, establish a tailored, repeatable risk assessment process.
Now, even with all the training in the world, if your analyst is given a bad estimate, it can result in inaccurate results. The cause of bad estimates is usually not a lack of knowledge on the subject matter expert's part, but a miscommunication made during the data gathering session. In order to avoid such miscommunications, we have a piece of advice for any quantitative risk management program: Trust but Clarify.
Step 2: Trust but Clarify: 3 Ways to Avoid Bad Estimates in FAIR Risk Analysis
At the end of day, we need to rely on historical information, industry data, and the knowledge and expertise of the subject matter experts in the organization in order to produce accurate estimates for FAIR analysis. In order to ensure those estimates are as accurate as possible, keep these three things in mind:
- Keep It in Context — What Is the Purpose of IT Risk Analysis?
In data gathering sessions, always be sure to use context-specific questions to ensure the subject matter expert knows exactly what you are talking about. For example, a question related to the threat event frequency of a database breach might look something like, "How many times in a given year do you think a malicious external actor will attempt to compromise the PII contained in XYZ database?" The question makes clear the specific scope — asset, threat, and effect — you are interested in knowing more about.
Also, always make sure the SMEs know the context of the "big picture." Why are you conducting this analysis in the first place? If they know it is related to a specific control improvement, for example, they may be able to help inform you what information is or is not relevant based on the implementation of that control.
Learn more: How To Scope A Risk Analysis Using FAIR - Gut Check — Do the Numbers Make Sense for Digital Risk Analytics?
Once the estimate has been given, take a moment to apply it to the analysis logically: do the numbers make sense? If the end result is a value that is 10x the annual revenue of the organization, there is a good chance there was an inaccurate assumption at some point. Sometimes doing some simple math can help. Even the most experienced risk professionals will make the occasional mistake, and a gut check is a great addition to any risk assessment process.
One common cause of miscommunication is a difference in measurement — make sure the SMEs are aware that frequency is measured in a given year (that is, how many events do we think will occur in the next year?), whereas magnitude is measured on a per event basis (that is, how much will it cost each time this event happens?).
Learn more: Secrets to Gathering Good Data for a Risk Analysis - When in Doubt, Rely on Your Training
Before ever conducting a FAIR risk analysis, the analyst should be thoroughly trained on all things FAIR, including calibrated estimation and the quality assurance process. It is never too far into your FAIR journey to revisit those concepts and make sure they are being applied to the analysis. If an SME provides an estimate on the fly that appears to lack rigor, try using the equivalent bet test (spinner game) to help them calibrate it to a more useful degree of precision.
And always remember — once all of the estimates have been gathered it is important to conduct a QA session with all of the SMEs so that they can do their gut check as well.
Want to learn more about FAIR risk analysis or the purpose of risk analysis? Download the (One-Page) RiskLens FAIR Analysis QA Guide.