Building a Quantitative Risk Management Program with FAIR and RiskLens

January 24, 2019  Steven Tabacek

A growing number of organizations are leveraging the FAIR standard and the RiskLens software platform to build a quantitative risk management program that allows them to prioritize risks and make cost-effective decisions regarding security investments to ensure resources go where they matter the most.

The momentum for analyzing risk in quantitative/financial terms is accelerating across the cybersecurity, technology and operational risk disciplines, driven by the need to:
  • Communicate risk to the business and the board in a language they understand
  • Prioritize risk mitigation resources based on business impact
  • Calculate the ROI of security initiatives
  • Meet new and more stringent regulatory requirements

Following my earlier blog post titled The Five Phases of Successful Cyber Risk Quantification Programs, we - in Customer Success at RiskLens - have continued to learn from organizations that have successfully implemented quantitative risk analysis as part of their risk programs, in industries as diverse as finance, retail, energy, manufacturing, services, and healthcare.

We decided to document those lessons learned in an actionable blueprint for success, that many organizations are already following to build their own quantitative risk management program.

The OQRA blueprint is complementary to standard risk and   compliance frameworks and maturity models including  NIST CSF and  ISO 2700x.

A blueprint for operationalizing quantitative risk analysis (OQRA)

The blueprint has been organized into stages with work themes. The foundational stage is a prerequisite to any successful implementation, while the work themes included in the subsequent stages (building block, analysis options, and risk management) don't have to be addressed sequentially and can be timed based on business imperatives.

RiskLens' Customer Success team can guide organizations through the planning process, while Professional Services comprised of FAIR-certified risk consultants can help implement all or parts of this blueprint.





Setting Program Goals and Establishing Criteria for Measuring Success: C-Level executives and risk management stakeholders need to clearly articulate and document short and long-term tactical and strategic objectives for their new quantitative risk management program.

FAIR Training and Cultural Adaptation: FAIR provides a consistent (new) method for communicating about risk and can revolutionize how decisions are made, by aligning them to business impact. To ensure success, senior security and risk executives need to embody and drive change, business stakeholders need to raise their expectations, and analysts and management alike need to feel comfortable in presenting and discussing risk as financial loss exposure to the IT security council, the business and the board alike. This is much easier to do if executives are familiar with the FAIR model, and are then supported by risk managers and analysts trained on FAIR. Learn about FAIR training from RiskLens.

RiskLens Application Onboarding : Professional onboarding services accompany all new subscriptions to the  RiskLens software. FAIR-certified risk consultants help configure the RiskLens platform with careful consideration to your assets, threat communities, and loss exposure variables. These services also provide your risk analysts with the required knowledge, practical application, and supporting services to conduct quantitative analyses.


Normalize Risk Register Scenarios : The initial phase of this work task is defining risk scenarios in a consistent manner throughout the risk management organization. A result of this work effort is a formal definition and consistent structure for normalizing risk register entries into a FAIR compliant scenario. For a little more context to this work task, refer to What Belongs in a Risk Register.

Triage of Risk Register: Once the risk register is normalized and formally defined, the loss events are efficiently re-evaluated from a risk perspective. The loss exposure of all normalized scenarios is assessed and the goal is to prioritize the risk scenarios that matter the most. The RiskLens application has a Risk Triage function that makes this process easy and efficient.

Identify and Define Top Risks: This is a workshop led by senior risk analysts with the purpose of identifying top cyber, technology or operational risk scenarios. This initial rough prioritization forms the basis of subsequent quantitative analysis to assess the actual financial loss exposure associated with each risk scenario (a highly recommended next step). To gain a little deeper context of this task, refer to Pro Tip for FAIR Risk Scenario Analysis: Map It 





Top-5 or Top-10 Risk Analysis : In this work theme, a detailed quantitative analysis is performed for each of the top triaged risk scenarios.  Analysts decompose the quantitative risk analysis process into several key activities which are to be completed for each of the identified risk scenarios. Selecting and performing a detailed scoping of the risk scenarios is the first step. Once scoping is completed, the analyst begins gathering data to drive the analysis. Data, including associated rationale, are input into the RiskLens application and the analyses are run. The RiskLens platform outputs results that are reviewed and refined as necessary prior to finalization.

The RiskLens Platform is utilized during this work effort. The platform is the system of record for the risk scenario scope, data collected, and is where analysis processing occurs.

Top 5 Projects - ROI or Prioritization Analysis: This work effort includes analyses on key, large risk mitigation initiatives for the current or future budget cycle. Each initiative is assessed in two phases (current state + a forecasted future state). This work effort includes analysis formal scoping, data collection, running, review/QA of results, and final reporting. The typical deliverable of this work effort is a report identifying ROI of mitigation resources and risk reduction derived in financial terms for each initiative.

Ad-Hoc Tactical Risk Analysis: This work theme covers the numerous tactical day-to-day risk or spending decisions that can often be the source of much aggravation, when the opinions on the significance of risks or efficacy of controls differ greatly around the table. These analysis help assess the significance of individual audit findings, the efficacy of given controls, and can also help justify investments and resource allocations based on cost-benefit.


Control Framework Mapping to Risk Analysis: Most organizations have audited their cyber security policies and practices against a risk or control framework (NIST CSF, for instance) and have an efficacy baseline. The next step is to understand the relationship between their framework of choice and the level of risk the organization faces. The mapping of FAIR to risk or controls maturity frameworks helps an organization understand which controls can reduce risk and should be prioritized.

Define Risk Appetite: This work theme requires the participation of senior management and the discussion is strategically focused. Executive workshops help identify risk appetite thresholds for loss magnitude—for instance, number of compromised consumer records. Frequency and probability thresholds for each event type are agreed upon, such as no greater than 10% chance of a compromise of this size in a year. The final step involves identifying the applications/systems that, if compromised, could potentially exceed these thresholds. The result of this work effort are clearly defined risk appetite measures for confidentiality, availability, and integrity loss events.

To learn more about how the FAIR model and the RiskLens platform can operationalize quantitative risk management in your organization,  Contact Us.