There is a trap that many organizations new to risk quantification and FAIR fall prey to. One that I’ve seen lead to excessive time spent on analysis work, missed deadlines, SME burnout and overall frustration in the quantitative risk analysis process.
The trap…not right sizing precision for your organization.
Now although we at RiskLens always advocate for, and train organizations to value accuracy over precision, it seems that most of us, at least at first, have a difficult time taming the Uncertainty Siren, and her calls for greater and greater levels of precision.
At first hearing, the call is familiar and makes sense. “Of course, I want to use the most precise data I can find to exactly represent this risk to our organization.” Almost without thinking, the newly minted quantitative risk management team begins to scour the organization for the exact data points, tracking down, and holding sessions with SMEs and asking if they can pull data from various security tools.
For some, they will easily find a plethora of data, and eager SMEs willing to help them achieve their level of precision. Yet for many others, the precision thought bubble that formed at the onset of the engagement is popped when they come face to face with their organization and it’s limitations.
I want to make it clear here that precision is not the problem. Organization’s should aspire to greater degrees of precision and outline a road map for achieving said precision.
The problem as I see it, is that prior to implementing a quantitative risk management program, few organizations consider how precise they can get in light of the following two items:
What we are hoping to achieve (i.e. the purpose or goal of our risk analysis work)
Level of maturity
The cross section between these two elements should shine a light on the current level of precision that is achievable for your organization.
The benefits of taking this approach:
Again, I’m not advocating for complacency when it comes to gathering data points and developing estimates. All organizations should aspire to getting better, and moving their organization along the maturity spectrum.
What you should do is understand where you’re at in your quantitative risk management journey and define success accordingly. This will absolutely reduce frustrations and increase motivation across the program.