First, let me say I am a little biased. I think Factor Analysis of Information Risk (FAIR) should be part of every risk management program. With two different financial institutions in my work history, my hindsight is 20/20. I can easily see now how FAIR could have been implemented to help make better risk mitigation decisions. As I weeded through the risk register at these organizations, I found myself getting frustrated at how other risk professionals were trying to describe risk. Most of the time, I found very vague statements about risk, as they were describing Inherent and Residual Risk.
These same professionals were trying to rate them by an ordinal 1-5 scale or red/amber/green rating. My job was to review these risks to make sure the descriptions and ratings they were giving made sense. Have you ever tried to get in someone's head to know what they were thinking? Even more specifically what they were thinking about a particularly vague risk? IT'S HARD! To give an example of descriptions I ran across:

Risk: Inappropriate Account Opening Process

The process around the intake of new customers is inadequate.
- Inherent Risk: This is a medium risk if no controls were in place
- Residual Risk: There are metrics in place to monitor this process, so the risk rating would remain the same.
- How would this enable anyone to make a decision based upon this rating or statement?
- Why would we ever have no controls around this? Wouldn’t an additional approval be a control?
- Would a single metric be considered a control? (another question for another day)
The light went on. I can no longer think about risk the same way again. Having such a logical approach to risk was a game changer, especially powered by a software solution like RiskLens. Using the same example as before:

Risk: Breach of customer data due to a breakdown in the account opening process
- Inherent Risk: This is a medium risk, as it shows a loss exposure of $10 million if there were no key controls.
- Residual Risk: Considering all key controls, including encryption on all outbound emails to customers and verification of the email address prior to sending, the loss exposure would be reduced to $30,000, which would be a low level.
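To show what sits behind dollar figures like the $10 million and $30,000 above, here is an added example (not the post's RiskLens output, nor FAIR's reference implementation) of the core FAIR arithmetic: risk is loss event frequency (LEF) times loss magnitude (LM), each expressed as a calibrated min / most likely / max range rather than a single guess, and a Monte Carlo run turns those ranges into an annualized loss exposure with a distribution around it. The scenario inputs, the triangular distribution standing in for the PERT curve FAIR tools typically use, and the dollar bands that map exposure back onto low / medium / high are all assumptions constructed for this example; they were picked so the point estimates land on the post's two headline numbers.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """FAIR inputs as (min, most likely, max) calibrated estimates."""
    name: str
    lef: tuple  # loss event frequency, events per year
    lm: tuple   # loss magnitude per event, USD


# Constructed figures chosen so the point estimates reproduce the post's
# headline numbers ($10M inherent, $30K residual). Not RiskLens output.
INHERENT = Scenario("no key controls", lef=(0.5, 1.0, 3.0), lm=(2e6, 10e6, 25e6))
RESIDUAL = Scenario("with key controls", lef=(0.01, 0.03, 0.10), lm=(2e5, 1e6, 3e6))

# Assumed rating bands that translate annualized dollars back into the
# ordinal labels the post's colleagues used. Illustrative thresholds only.
BANDS = ((1e6, "low"), (50e6, "medium"), (math.inf, "high"))


def rate(annual_loss):
    """Map an annualized loss exposure onto the assumed low/medium/high bands."""
    for limit, label in BANDS:
        if annual_loss < limit:
            return label


def point_estimate(s):
    """Single-number view: most-likely LEF times most-likely LM."""
    return s.lef[1] * s.lm[1]


def _poisson(rng, lam):
    # Knuth's method: the number of loss events in a year given a rate.
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(s, years=20_000, seed=7):
    """Monte Carlo annual losses; triangular stands in for FAIR's PERT curve."""
    rng = random.Random(seed)
    lo_f, ml_f, hi_f = s.lef
    lo_m, ml_m, hi_m = s.lm
    losses = []
    for _ in range(years):
        # random.triangular takes (low, high, mode); draw this year's event rate,
        # then the event count, then a magnitude for each event that occurs.
        yearly_rate = rng.triangular(lo_f, hi_f, ml_f)
        events = _poisson(rng, yearly_rate)
        losses.append(sum(rng.triangular(lo_m, hi_m, ml_m) for _ in range(events)))
    return losses


def summarize(s, **kwargs):
    """Annualized loss exposure (mean), a 90th-percentile year, and the band label."""
    losses = sorted(simulate(s, **kwargs))
    ale = mean(losses)
    return {
        "scenario": s.name,
        "ale": ale,
        "p90": losses[int(0.9 * len(losses))],
        "rating": rate(ale),
    }


if __name__ == "__main__":
    for s in (INHERENT, RESIDUAL):
        r = summarize(s)
        print(f"{r['scenario']:>18}: point ${point_estimate(s):,.0f}  "
              f"ALE ${r['ale']:,.0f}  90th pct year ${r['p90']:,.0f}  -> {r['rating']}")
```

The useful part for a risk register is not the single ALE figure but the gap between the two scenarios under the same rating bands: the controls in the residual scenario move both the frequency range and the magnitude range, and the simulation shows that the "medium" and "low" labels are summaries of a dollar distribution rather than the starting point of the analysis. Swapping the triangular draws for a PERT implementation, or the constructed inputs for calibrated estimates from the people who run the account opening process, is the only change needed to use the same structure for real work.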