Henry Ford once said, “If I asked customers what they wanted, they would have said a faster horse.” He instead went deeper and focused on understanding what job the customer was trying to do: get from point A to point B safely and in the shortest period of time.

If RiskLens asked what our customers wanted, they may have initially asked for improvements to their existing qualitative analysis process: better heat maps or other imprecise tools. Instead, we went deeper and focused on the functional jobs our customers were trying to do, and how they could analyze those jobs in quantifiable, bottom-line terms.

At RiskLens, we are inspired by the “Jobs-to-be-Done” Theory as a way to sharpen the focus on true customer needs, ensuring that we deliver a platform that successfully targets a quantitative risk analysis program to an organization's core functional jobs. Jobs-to-be-Done Theory provides a framework we have adapted for categorizing, defining, capturing, and organizing your objectives. We then tie your defined performance metrics (in the form of desired outcome statements) to the Job-to-be-Done.

Jobs-to-be-Done are defined with a very specific sentence syntax, specifically "job statement = verb + object of the verb (noun)." The job statement leads to one or more outcomes.
Jobs-to-be-Done Methodology for Cyber Risk Assessment
| Jobs-to-be-Done | Outcomes |
| --- | --- |
| Educate stakeholders on the FAIR model (our quantitative analysis method) while phasing in quantitative risk analysis to standard operating procedures | |
| Analyze GRC risk register “high” findings to determine mitigation prioritization | |
| Analyze top-10 cyber risks for the board of directors | |
| Demonstrate compliance with the NY DFS 500.09 financial regulatory standard while managing risk and providing a basis for strategic and tactical mitigation decisions | |
| Analyze 3rd party/vendor risk to determine potential loss exposure to the organization | |
| Analyze risk to determine cyber risk insurance coverage amounts | |
Tips for a Successful Risk Analysis Process
- Focus on “functional jobs” and limit analysis to a finite and achievable scope for your organization. When defining functional jobs, it’s critically important to document the desired outcomes. The documented outcomes are the ultimate metrics used to measure the success of your quantitative risk program.
- Be aware of “emotional jobs” and “social jobs.” We are not data-driven machines and need to acknowledge humanity and the psychological effects associated with undertaking any major project or initiative. Emotional jobs define how you or the other organization stakeholders want to feel or avoid feeling as a result of executing the core functional job. Social jobs define how you or your stakeholders want to be perceived by others. Most of the organizations that we work with don’t document the emotional and social jobs but do understand those factors play a role in the overall success of the program.
- Document “Short-term-Win” objectives when initially defining Jobs-to-be-Done and outcomes. Many Jobs-to-be-Done definitions are long-term initiatives. Defining a few short-term goals that conform to the defined outcomes will help the firm recognize success in phases, thus improving the emotional and social job factors.