ADP, the giant processor of payrolls for business, is one of the most experienced and creative users of the FAIR risk model and the related RiskLens platform. At the recent FAIR Conference 2017, Lead Security Consultant Marta Palanques had the audience in serious note-taking mode as she ran through ADP’s advanced approaches to risk register management and other ways of proving the value of quantitative risk analysis to the business.
As Marta says, “analysts are usually wondering what the risk is in the situation. But the business is really wondering ‘Why do I care about this?’ and ‘Do I really need to do something about it?’”
Some tips from Marta on getting the most business value out of FAIR and RiskLens:
Improve your risk register with FAIR
ADP looks at FAIR analysis and the GRC application as a two-way street. The data from the register feeds the analysis, but Marta’s group also “takes outputs from FAIR and makes them part of the risk register,” documenting loss exposure at the depth that RiskLens offers (10th percentile, 90th percentile, etc.) and tracking it over time to sharpen focus and “eventually start replacing those colors” from qualitative scales.
Second, running FAIR analyses will expose gaps in the register, “things that you’d like to know that are not there,” that over time lead to a cleaner, crisper register.
Use FAIR to identify return on investment
Marta says that the business most appreciates the use of FAIR to choose among risk responses on a kind of return on investment based on risk reduction. The steps are:
- Define some realistic alternative solutions
- Estimate cost and time to get a good fix on scope
- Translate that scope into scenarios, and change variables for controls and assets to see how overall loss exposure varies among the proposed options.
This risk-driven ROI often identifies responses that are “more tactical, cheaper, shorter deployment, with less impact but help bring down risk to a more acceptable level in a shorter time.” See all the slides from Marta Palanques' talk at FAIR Conference 2017, "The Case for Business-Driven Security", in the Member Resources section of the FAIR Institute site (requires membership -- but that's free).
Carefully define your assets
Marta says that the assets and vulnerabilities in your FAIR analyses “need to relate to how your company defines value and understands revenue”. In ADP’s case that’s by product lines defined by different segments “and we involve our GRC to capture all those relationships…every asset has to eventually translate into a product.” For instance, loss of a data center knocks out servers that run applications that run products – and that means money.
Maintain a scorecard of key risk indicators, leveraging sensitivity analysis
The goal here is to show that actual loss exposure is decreasing over time, and the difficulty is that the variables in your completed analyses don’t stand still. Marta says that every time the ADP team quantifies a risk, it runs the RiskLens sensitivity analysis: by tweaking variables, analysts can see which variables most influence the outcome. Those influential variables become the KRIs, and get tracked monthly.
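As an added example (not code from ADP, RiskLens or the talk), the plain-Python Monte Carlo below walks through both the risk-driven ROI comparison described under “Use FAIR to identify return on investment” (re-running the scenario with each alternative response’s changed control and asset variables) and the sensitivity analysis described in this section. Every scenario input, option name and cost is constructed for the illustration, and the triangular distribution stands in for the PERT curves FAIR tooling typically uses.

```python
"""Added illustration of the FAIR calculations discussed above, in plain
Python. This is not ADP's or RiskLens's code; scenario inputs, option names
and costs are constructed for the example."""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Estimate:
    """Calibrated range: minimum, most likely and maximum value, sampled with
    a triangular distribution (a stand-in for the PERT curves FAIR tools use)."""
    low: float
    mode: float
    high: float

    def draw(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """FAIR inputs for one loss scenario."""
    tef: Estimate            # threat event frequency, events per year
    vulnerability: Estimate  # probability a threat event becomes a loss event
    magnitude: Estimate      # loss per loss event, USD


def _poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one simulated year (Knuth's algorithm)."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate(scenario: Scenario, rng: random.Random, years: int = 10_000) -> List[float]:
    """Annualized loss for each simulated year: LEF = TEF x vulnerability,
    then one magnitude draw per loss event."""
    losses = []
    for _ in range(years):
        rate = scenario.tef.draw(rng) * scenario.vulnerability.draw(rng)
        events = _poisson(rng, rate)
        losses.append(sum(scenario.magnitude.draw(rng) for _ in range(events)))
    return losses


def percentile(values: List[float], pct: float) -> float:
    ordered = sorted(values)
    return ordered[round(pct / 100 * (len(ordered) - 1))]


def loss_exposure(losses: List[float]) -> Dict[str, float]:
    """The numbers the register stores: mean ALE plus 10th/50th/90th percentiles."""
    return {"mean": sum(losses) / len(losses),
            "p10": percentile(losses, 10),
            "p50": percentile(losses, 50),
            "p90": percentile(losses, 90)}


def compare_options(baseline: Scenario,
                    options: Dict[str, Tuple[Scenario, float]],
                    years: int = 10_000, seed: int = 1) -> Dict[str, Dict[str, float]]:
    """Risk-driven ROI: re-run the scenario with each option's changed
    variables and express the fall in mean ALE per dollar of annual cost."""
    base = loss_exposure(simulate(baseline, random.Random(seed), years))
    results = {"baseline": dict(base, annual_cost=0.0)}
    for name, (scenario, cost) in options.items():
        exposure = loss_exposure(simulate(scenario, random.Random(seed), years))
        reduction = base["mean"] - exposure["mean"]
        results[name] = dict(exposure, annual_cost=cost,
                             risk_reduction=reduction,
                             reduction_per_dollar=reduction / cost)
    return results


def sensitivity(scenario: Scenario) -> List[Tuple[str, float]]:
    """One-at-a-time swing: move each input from its minimum to its maximum
    with the others held at their most likely value. The inputs with the
    largest swing are the candidate KRIs to track."""
    inputs = {"tef": scenario.tef, "vulnerability": scenario.vulnerability,
              "magnitude": scenario.magnitude}
    modes = {name: est.mode for name, est in inputs.items()}

    def ale(**values: float) -> float:
        return values["tef"] * values["vulnerability"] * values["magnitude"]

    swings = [(name, ale(**{**modes, name: est.high}) - ale(**{**modes, name: est.low}))
              for name, est in inputs.items()]
    return sorted(swings, key=lambda item: item[1], reverse=True)


# Constructed (hypothetical) baseline scenario and two hypothetical responses;
# cost is annualized USD. None of these figures come from the talk.
BASELINE = Scenario(tef=Estimate(2, 10, 30),
                    vulnerability=Estimate(0.1, 0.3, 0.7),
                    magnitude=Estimate(50_000, 200_000, 1_000_000))
OPTIONS = {
    # cheaper, tactical control that only lowers vulnerability
    "mfa_rollout": (Scenario(BASELINE.tef, Estimate(0.05, 0.1, 0.3), BASELINE.magnitude), 150_000),
    # bigger project that shrinks the exposed asset and the event frequency
    "re_platform": (Scenario(Estimate(1, 4, 12), BASELINE.vulnerability,
                             Estimate(25_000, 100_000, 500_000)), 600_000),
}

if __name__ == "__main__":
    for name, row in compare_options(BASELINE, OPTIONS).items():
        print(f"{name:12} mean={row['mean']:>12,.0f} p90={row['p90']:>12,.0f} "
              f"cost={row['annual_cost']:>9,.0f} "
              f"reduction/$={row.get('reduction_per_dollar', 0):.1f}")
    print("sensitivity:", sensitivity(BASELINE))
```

With these constructed inputs the cheaper option wins on risk reduction per dollar even though the larger project drives loss exposure lower in absolute terms, which is the pattern the “more tactical, cheaper, shorter deployment” quote describes; the sensitivity ranking (here magnitude, then TEF, then vulnerability) is what turns into the monthly KRI scorecard.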
Marta sums up: “I feel that there’s still a lot of untapped potential in what the FAIR model can offer beyond quantifying your current risk and aggregating that risk and loss exposure. We hope to find multiple ways of applying it throughout the risk management cycle.”