Regulators Are Asking For More Formulaic Approaches for Measuring Risk

Recent meetings with leading banks and thrift institutions in the US have revealed that regulators such as the Office of the Comptroller of the Currency (OCC) are requiring that their capital reserves be calculated not only on assets, but increasingly consider risk management practices (ex. pillar 2 in Basel III) and the resulting actual business risk, including technology risk.

These new requirements create a new set of challenges for these financial institutions, as they have to:

  • Demonstrate the adoption of effective and defensible risk management models, including for newer technology domains such as information or cybersecurity risk
  • Transition from qualitative assessments to more formulaic and quantitative assessments of risk

The problem is that most banks and thrift institutions do not have common methods in place to quantify and manage information risk from the business perspective.

  • IT-centric perspectives: Boards and business executives rely heavily on IT security professionals to make decisions pertaining to information risk
  • Broken communication: In absence of a common risk language, the discussions among all stakeholders end up being either overly technical or very generic
  • Qualitative assessments: Qualitative risk assessments can only help in prioritizing risk in broad categories, but fail to determine actual, quantifiable risk

Some companies have their IT security professionals leverage GRC solutions with the goal of managing risk, but most of their functions are meant to help meet minimum regulatory compliance, not quantify the actual cyber risk associated with key assets and business processes.

Until recently, there were no practical models to quantify information risk in financial terms. As CISOs or Chief Information Risk Officers started to get asked about contributing to the measure of enterprise risk, they found themselves surrounded by credit risk or other operational risk professionals that showed up with sophisticated Value-at-Risk (VaR) models and the resulting risk estimates. The only thing they had to offer were gross estimations based on the mental models and the guesswork of a few risk analysts.

In the last few years, standard VaR models for information security and operational risks, such as FAIR, have emerged and are allowing leading financial institutions to:

  • Utilize a common risk taxonomy that all stakeholders can understand and adopt, instead of relying on disparate and error-prone mental models
  • Help them understand the organization’s exposure to cyber risk in financial terms
  • Provide a decision-making framework for uncovering risk concentrations, prioritizing risk mitigations and optimizing risk transfer

RiskLens is a platform that has been purpose-built from the ground-up on FAIR and is helping financial institutions to leapfrog from a qualitative to a formulaic and quantitative approach to information risk. Discover how.