First, let me say I am a little biased. I think Factor Analysis of Information Risk (FAIR) should be part of every risk management program. With two different financial institutions in my work history, my hindsight is 20/20.
I can easily see now how FAIR could have been implemented to help make better risk mitigation decisions.
As I weeded through the risk register at these organizations, I found myself getting frustrated at how other risk professionals were trying to describe risk.
Most of the time, I found very vague statements about risk, as they were describing Inherent and Residual Risk. These same professionals were trying to rate them by an ordinal 1-5 scale or red/amber/green rating. My job was to review these risks to make sure the descriptions and ratings they were giving made sense. Have you ever tried to get in someone’s head to know what they were thinking? Even more specifically what they were thinking about a particularly vague risk? IT'S HARD!
To give an example of descriptions I ran across:
Risk: Inappropriate Account Opening Process
The process around the intake of new customers is inadequate.
- Inherent Risk: This is a medium risk if no controls were in place
- Residual Risk: There are metrics in place to monitor this process, so the risk rating would remain the same.
I found myself literally saying “this makes no sense” for a couple of reasons:
- How would this enable anyone to make a decision based upon this rating or statement?
- Why would we ever have no controls around this? Wouldn’t an additional approval be a control?
- Would a single metric be considered a control? (another question for another day)
I am the type of person that has the mentality to work smarter not harder. Given the nature of the risk program, it was making analysis work way harder than smarter. This is by no fault of the management at the organization as they really wanted to provide value for their risk program. I really wish I knew then what I know now.
So, what has changed between then and now? I set out to find a way to answer my doubts and questions. I found the FAIR training course and was FAIRitized. The light went on. I can no longer think about risk the same way again. Having such a logical approach to risk was a game changer, especially powered by a software solution like RiskLens.
Using the same example as before:
Risk: Breach of customer data due to a breakdown in the account opening process
- Inherent Risk: This is a medium risk as it shows a loss exposure of $10 million if there were no key controls
- Residual Risk: Considering all key controls including encryption on all outbound emails to customers and verification of the email address prior to sending. This would reduce the risk to $30,000 which would be a low level.
Having software that leverages such a smart way of thinking about risk (the FAIR model), seems like a no brainer. I have had the privilege to go on various engagements with my team at RiskLens and it was almost cathartic to see some of the people I have had the opportunity to work with go through the same struggles that I was having. The difference was I was on the other side of the mountain actually in a position to help them start to solve their risk problems.
Don’t let the limitations in your thinking about risk limit your risk program. Do something about it.
RiskLens is the only software purpose-built on the FAIR model. Learn more.