How To Strike A Balance Between Governance And Analyst Expectations

Good risk analysis is key to an organization’s ability to make cost-effective decisions. This is true in the operational and cybersecurity domains.
But… Are you expecting too much from your risk analysts? Do they feel weighed down by bloated governance structures? What’s the right balance? Systematic approaches to risk analysis set analysts on the right path. We should not drag them kicking and screaming.

Don’t let drivers tune the cars too much

Governing processes for risk should treat analyses like the governor on a car treats the gas peddle. Governors limit the top speed to some number below the top speed an engine can handle. This keeps the driver from blowing the engine. It allows a controlled amount of wear and tear.

We should govern risk analysis in a similar way. If we have no governance (processes and procedures), we allow analysts to run wild. This usually results in unexpected variance in analysis results. Analysts push the pedal to the medal and run rampant with interpreting the landscape. The end result is untrustworthy analyses and often ends with bad business decisions.

Governance can also be the enemy of ‘good’

You often hear the saying, ‘perfection is the enemy of good’. Driving for perfection in governance often leads to thinking in place of the analyst. Robust governance processes usually have good intentions. But, often have unintended consequences. These processes answer questions related to the analysis. The unintended result is a system that cannot adapt to emerging issues. This is just another way to wind up making bad business decisions.

RiskLens helps find the sweet spot

There’s value in governance processes. If done right, they lay out the road for success. RiskLens puts organizations on the right track thanks to 3 key implementation practices:

  1. Establishing reusable libraries of data
  2. Publishing analysis playbooks
  3. Leveraging a proven model

Our application supports libraries for main risk components:

  • Assets
  • Threats
  • Loss Tables (think actuary tables)

Outside of the software application, the RiskLens team is well versed in best risk management practices. We help organizations draw the lines between:

  • Analyst requirements
  • Governance expectations

Finally, we leverage Factor Analysis of Information Risk (FAIR) as our foundational risk model.

  • RiskLens trains risk analysts on FAIR, so they can conduct risk analyses consistently and repeatably.

Lead with your peers

Large enterprises and government organizations leverage RiskLens to establish efficiency and consistency within their programs. RiskLens’ ultimate goal is to help people transform their risk analysis programs from qualitative in nature to quantitative. Along that journey, organizations struggle with the need to establish governance but not leash analysts. Tackling these struggles is commonplace for us. We would like to take the journey with you.