A question that we often see new RiskLens customers struggle with is, “where do we start analyzing risk?” The possibilities seem endless.
It's a good problem to have. But how do you choose?
Is it based on the likelihood of having good data? Which department is easiest to work with? Who screams the loudest?
And who decides?
The CISO or the person with similar responsibilities sets direction for the underlying team. Since this person is ultimately responsible for the purchase of RiskLens, he or she drives the strategic objectives and goals of the quantitative risk program.
From there, either the CISO or direct reports determine the plan to achieve these objectives. The plan specifies the people and processes that will be included in the scope of the first through nth round of implementation.
Starting a Quantitative Risk Management Program
From our experience, successful clients choose one of these four risk analyses to start:
1. Cost-Benefit Analysis of Risk Mitigation Projects
- Analyze project portfolio to determine where mitigation initiatives (personnel, tools, processes) can be most effectively and efficiently deployed to reduce organizational risk.
- Evaluate vendor proposals; when a vendor claims to “reduce risk,” run a current-state (pre-mitigation) and future-state (post-mitigation) analysis to substantiate vendor claims.
2. Top Risk Reporting to C-Levels and the Board
- Creating a top-10 risks list for the Board and C-Suite is a common exercise leveraging RiskLens' risk quantification application.
- Start with macro-level “risk themes” focusing on key company assets or business processes that could materially impact revenue generation, operational capabilities, or solvency. (Learn more: How I Analyzed the Top 10 Risks for a Financial Institution)
3. Populating a Risk Register
- Quantitatively assess risks (starting with “high” risks) to determine which cause the greatest amount of exposure to the company and thus should be mitigated first.
- Quantitatively assess all risks to verify qualitative ratings (are each of the “highs/lows” truly a “high/low”?) (Learn more: How to Unscramble Your Risk Register with FAIR [Video])
4. Treatment of Audit Findings
- Determine loss exposure associated with each audit finding. Is the amount of possible loss such that it warrants immediate remediation? Or is the organization willing to accept that risk? (Learn more: Case Study - How to Evaluate Audit Findings)
Risk Program Expansion
As the initial project of implementing quantitative risk analysis is further refined and successfully employed, efforts to expand the program within the organization begin. Often, we see other departments inquiring about these new quantitative results and asking how they can do the same for their area. As a result, the second round of implementation may very well be chosen based on the loudest squeak. Otherwise, additional options include the following:
5. Cost-Benefit Analysis of Existing Operations Focusing on Technology, Process and People
- If you question the value of risk mitigations using installed technology, people, or processes, run a pre/post analysis comparison to better understand the situation. You may find the mitigation resources could be more efficiently applied elsewhere.
6. Trending Top Risks over Time
- Aggregate and trend top risks over time to understand the organizations' evolving risk posture. The goal is developing key performance indicators for the cybersecurity teams to ensure they are efficiently and effectively managing risk.
7. Cyber Insurance
- Determine the appropriate amount of cyber insurance, based on a quantified approach to risk; this can be a byproduct of top risk reporting. (Learn more: How Much Cyber Insurance Do We Need?)
Tip: It’s OK to start small.
The risk analysis team will need time to get used to the new process. The people receiving risk analysis results in dollars and cents will need time and education to get used to seeing the information in this way and making decisions based on it. Once it catches on though, have your plan for rapid expansion ready.