Chief Risk Officer's Intro to FAIR and Information Risk Quantification

March 5, 2020  Jeff B. Copeland

If you’re here, we’re guessing you’ve heard something about Factor Analysis of Information Risk (or the FAIR model) and the quantification of cyber and operational risk.

And, as a chief risk officer (CRO), we’re also guessing you may have been told by your IT risk people that cyber risk can’t be quantified—the threats change so fast, the data is too hard to get, it’s fundamentally unlike other forms of risk.

We’re making one last guess: that your senior management or board of directors, after so many high-profile, costly data breaches and other cyber attacks, now want to be informed of cyber risk in the same quantified, hard-money terms you use for other risks, not the squishy high-medium-low risk reporting you may be getting from IT today.

So we put together this collection of guides as a short-course introduction to FAIR (the model that drives the RiskLens application) and cyber risk quantification.

High level, FAIR is:

  • A set of standard definitions for risk and the elements that make up risk, eliminating the rampant miscommunication in the information risk field
  • A statistical, probabilistic method to understand risk that eliminates subjectivity by putting dollar values on risk
  • Compatible with the standards, frameworks, and regulatory regimes you know from other risk fields, such as COSO ERM
  • A game-changer, moving risk management from a compliance-based, checklist approach to a risk-based approach
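As an added illustration of the "statistical, probabilistic" point above (example code, not from the RiskLens blog or platform): a minimal Monte Carlo simulation of FAIR's two top-level factors, Loss Event Frequency (events per year) and Loss Magnitude (dollars per event), reporting loss exposure as a distribution of annualized dollar loss. The scenario estimates and the use of triangular sampling are assumptions for illustration; FAIR tooling commonly uses calibrated PERT distributions instead.

```python
import math
import random
import statistics


def sample_range(rng, estimate):
    """Draw one value from a (minimum, most_likely, maximum) estimate."""
    low, most_likely, high = estimate
    # Triangular sampling is an assumption here; a degenerate range returns its value
    return low if low == high else rng.triangular(low, high, most_likely)


def poisson_sample(rng, mean):
    """Number of loss events in one simulated year (Knuth's method)."""
    limit = math.exp(-mean)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_loss_exposure(lef, lm, iterations=10_000, seed=7):
    """lef and lm are (min, most_likely, max) estimates.

    Returns annualized loss exposure percentiles in dollars; the seed makes
    the run reproducible for review.
    """
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        # Loss Event Frequency: expected loss events this year
        expected_events = sample_range(rng, lef)
        events = poisson_sample(rng, expected_events)
        # Loss Magnitude: each event gets its own independent dollar loss
        annual_losses.append(sum(sample_range(rng, lm) for _ in range(events)))
    annual_losses.sort()

    def percentile(p):
        return annual_losses[min(int(p * iterations), iterations - 1)]

    return {
        "minimum": annual_losses[0],
        "p10": percentile(0.10),
        "average": statistics.mean(annual_losses),
        "p90": percentile(0.90),
        "maximum": annual_losses[-1],
    }


if __name__ == "__main__":
    # Constructed scenario: 0.5 to 5 loss events a year (most likely 2),
    # each costing $10k to $500k (most likely $75k)
    print(simulate_loss_exposure((0.5, 2.0, 5.0), (10_000, 75_000, 500_000)))
```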

Start with this eBook… 

An Executive’s Guide to Cyber Risk Economics by Jack Jones, the creator of FAIR.

Jack lays out, in non-technical terms, how FAIR works to identify and prioritize risk, and to point the way to the most cost-effective mitigation.

How organizations use FAIR to solve business problems

Read these case studies to see the practical value of risk quantification as a decision-support tool:

How FAIR solves communication problems around risk-based decisions

Part of your job is likely riding herd on a risk committee tasked with answering questions such as:
  • “What are our top risks?”
  • “Are we doing enough? Or too much? In the right places?”

The committee has representatives from around the business, each with a different perspective on “risk”. Similarly, your security and audit teams may be at odds on the prioritization of risks.

With FAIR and risk quantification, disparate teams and departments can look at risk in the financial terms that are the basis of all their other communication about the business. That makes prioritizing on top risks a whole lot easier.

In fact, FAIR analysis often exposes that what the organization had considered risks aren’t really risks at all, or at least don’t represent much loss exposure to the organization.

FAIR works with your ongoing compliance and reporting processes. In fact, it makes them better.

We get asked about this a lot. And we have a lot of answers:

Your people can do FAIR 

No graduate degree required to be a FAIR risk analyst, just good critical thinking skills and a comfort level with numbers. RiskLens offers a thorough online, video-based course in FAIR analysis. And, of course, the RiskLens platform automates many of the steps associated with FAIR risk analysis, for both cyber and operational risk scenarios.

Relevant guides:

What Makes a Good Risk Analyst?

FAIR Training with RiskLens Academy

Schedule a RiskLens demo to see how risk quantification can serve your needs as a Chief Risk Officer