With the opportunity to work with a variety of customers throughout their RiskLens journey, I frequently get asked which of our quantitative risk reports provides the most bang for the buck when an organization is trying to make a risk-related decision.
My answer is: First, tell me what decision you are trying to make. Once you settle that question, determining what reporting to look at will be much easier. Especially for CISOs new to RiskLens, I find that one of these three reports (based on the FAIR model that powers RiskLens) will usually get you the farthest fastest:
1. Loss Exposure
This report will allow you to determine the potential range of loss for your scenario. You'll see the probable minimum and probable maximum in dollars and cents; you'll also see where most of your samples came from in the Monte Carlo simulations.
Question this report can answer: How much risk do we have associated with this process?
Supports decision-making on: Assessing current vs. future state for risk, for instance, comparing your current patching process to a speedier or more optimal process.
2. Per Event Loss Exposure
This report will allow you to see the risk exposure every time the event occurs. This is especially helpful when you have a frequency that is less than once a year.
Question this report can answer: How much risk do we have if this happens once?
Supports decision-making on: For instance, should this SOX finding be rated lower than what we were given by Internal Audit?
3. Forms of Loss
This report shows which types of loss account for the most potential loss. Depending on the decision, this could give you enough information to choose whether or not to improve your process based solely on the amount of potential loss.
Questions this report can answer: Should we change this process? Should we add additional controls?
Supports decision-making on: Outsourcing vs. paying staff in-house, for instance for forensics.
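How the three views relate to one another, as an added example that is not RiskLens code or part of the original post: a small Monte Carlo run over constructed inputs. The event frequency, the dollar ranges, the triangular distribution (standing in for the PERT distributions commonly used with FAIR) and the use of the 10th and 90th percentiles as "probable minimum" and "probable maximum" are all assumptions made for illustration.

```python
import random
import statistics

# Constructed inputs (assumptions, not RiskLens data): events per year and
# (min, most likely, max) dollars per event for three FAIR forms of loss.
EVENTS_PER_YEAR = 0.2
FORMS_OF_LOSS = {
    "response": (20_000, 60_000, 250_000),
    "productivity": (5_000, 30_000, 120_000),
    "fines_and_judgments": (0, 10_000, 900_000),
}

def poisson(rng, rate):
    """Count events in one year by summing exponential inter-arrival times."""
    count, elapsed = 0, rng.expovariate(rate)
    while elapsed < 1.0:
        count += 1
        elapsed += rng.expovariate(rate)
    return count

def one_event(rng):
    """Loss per form for a single event (triangular stands in for PERT)."""
    return {f: rng.triangular(lo, hi, mode) for f, (lo, mode, hi) in FORMS_OF_LOSS.items()}

def simulate(years=20_000, seed=7):
    rng = random.Random(seed)
    annual, per_event = [], []
    by_form = dict.fromkeys(FORMS_OF_LOSS, 0.0)
    for _ in range(years):
        year_total = 0.0
        for _ in range(poisson(rng, EVENTS_PER_YEAR)):
            losses = one_event(rng)
            for form, amount in losses.items():
                by_form[form] += amount
            per_event.append(sum(losses.values()))
            year_total += per_event[-1]
        annual.append(year_total)
    return annual, per_event, by_form

def summary(samples):
    """Probable minimum, average, probable maximum (10th pct, mean, 90th pct)."""
    deciles = statistics.quantiles(samples, n=10)
    return round(deciles[0]), round(statistics.fmean(samples)), round(deciles[-1])

if __name__ == "__main__":
    annual, per_event, by_form = simulate()
    print("annualized loss exposure:", summary(annual))
    print("per-event loss exposure: ", summary(per_event))
    print("largest form of loss:    ", max(by_form, key=by_form.get))
```

With a frequency below once a year, most simulated years contain no event, so the annualized probable minimum is zero while the per-event figures show what a single occurrence costs.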
Leveraging one or all of these reports should give you enough information to make the decision or to best inform the decision-makers. Regardless of the type of decision, you should have the right tools to help you make it in an educated manner. Developing a quantitative risk program sets you up for success.
The more comfortable you are interpreting results and knowing which reports will give you the most bang for your buck, the faster you'll move the decision-making process along, and look like a hero to the rest of the organization.