Good to Great, the book by James C. Collins that describes the transition from just being good companies to great companies -- and how most companies fail to make the transition--is now 20 years old. Seeing it on my bookshelf reminded me of the transition we’re seeing in the risk management space.
Collins wrote about a “culture of discipline” as one of the traits of great companies. “When you combine a culture of discipline with an ethic of entrepreneurship, you get the magical alchemy of great performance.”
Thomas Lyden, on the Customer Success team at RiskLens, has 20 years of senior leadership experience in cyber at SAIC/Leidos, EY, and many startups in the security field, serving government and commercial clients.
We’re seeing the continued adoption of Factor Analysis of Information Risk (FAIR™), the international standard for quantitative risk analysis, as a disciplined way to inform better decision-making. FAIR establishes accurate probability for the frequency and magnitude of loss events, based on a tested analytical model. FAIR gained its foothold in cyber, helping business leaders better understand risks in this blurry and technical domain.
As a result of the success of FAIR in clearing up the fog of cyber risk, we’re now seeing its adoption beyond cyber. Now Enterprise Risk Management (ERM) teams seem to be the ones under pressure to mature and inform enterprise risk in business/financial terms, leveraging a consistent, standardized methodology.
Enterprise Risk Management/Cybersecurity Integration
The COSO Enterprise Risk Management Framework and NIST both recommend the use of FAIR for enterprise risk management/cybersecurity integration based on a common, quantitative understanding of risk.
There are three steps for them to get started:
- Get more education
- Establish a governance model and
- Leverage a platform that enables disciplined analysis and reporting.
More education can come from books (such as the Jack Jones book on FAIR or the How to Measure Anything books by Douglas Hubbard), online training, webinars and through organizations like the FAIR Institute. Going deeper in gaining knowledge can depend on the governance model you plan to implement, including training on the FAIR method for those who lead risk assessments for ERM and perhaps even to the level of getting certified.
Learn about FAIR training and certification from the RiskLens Academy.
The next step is to establish the governance model that is best suited for the organization and your culture. A center of excellence (CoE) model is a common approach: the ERM unit sets the vision, establishes the “why” and thus the types of information and the business questions to be answered, and supplies FAIR subject-matter experts but the individual operating units do the actual analysis.
A more autocratic approach can work where the ERM units conduct the actual analysis, driving the operating units for the inputs but then reporting out the outputs.
In the end, what matters is simply that the enterprise is better aware of the business risks, quantitatively measures the investment returns on the mitigations being proposed or implemented, and understands where risk transfer (buying insurance or contract modification) is suitable.
Lastly, the organization will need a platform (tool) suited for this mission. To date, that’s meant looking to the GRC vendors, but they’ve been weak on the “R” side. The platform needs to scale to the enterprise, be data rich with objective and relevant data to ensure consistent analysis and enable reporting at various internal consumer levels (PM, Business Ops, the ELT, and the Board).
How to Utilize a Risk Register to Bring Enterprise Risk Management/Cybersecurity Risk Management Together - Read this blog post for advice on normalizing cyber and business risk around risk scenarios based on FAIR.
Financial crisis, political and geopolitical upheaval, the explosion in cyber, and COVID and its effects on supply chain risks have all challenged organizations’ enterprise risk management practices. They are being pushed to be sharper and proactive and to produce “what-if” scenarios with consistent, objective methods. Adopting FAIR more broadly is a lever you can pull to help move you from “Good to Great.” Push forward and your organization will make better, more disciplined business decisions.
Read this next:
Introducing Cyber Risk Quantification to Your Enterprise Risk Team