How to Get the Most Out of a GRC with RiskLens Quantitative Risk Analysis

January 13, 2022  Bryan Smith

The risk and security world is moving toward cyber risk quantification (CRQ), and one question we frequently hear from prospective clients is, “Can I gain the benefits of CRQ while keeping my GRC or IRM as my system of record and the hub for my risk management workflow?”

The answer is yes and yes, and here are the key points to know:

1. The RiskLens CRQ solution based on FAIR™ works seamlessly with a GRC – no re-architecting required.

Archer, ServiceNow and LogicGate offer integrations with the RiskLens risk analytics platform so that data can be passed back and forth between the GRC and the platform; with one click, a GRC item can be pulled into RiskLens, analyzed and returned to the GRC. RiskLens APIs also enable data exchange with any other GRC or dashboard, such as Tableau.

Watch this: Video Introduction to the RiskLens Platform for ServiceNow GRC Users

But here’s a more basic benefit: For quantitative analysis, risk register items need to be phrased in terms of a FAIR risk scenario, with a threat, an asset and an impact. Clients tell us that this requirement results in much-needed housecleaning, eliminating vague items (like “the cloud” or “ransomware”) that aren’t really risks, just areas of concern.

Learn more in this video from the FAIR Institute: How to Turn Your Risk Register Items into Risk Scenarios You Can Quantify


Author Bryan Smith is Chief Technology Officer of RiskLens


[Screenshot] RiskLens-generated reporting for the ServiceNow GRC

2. Applying FAIR practices streamlines GRC management by prioritizing risk register items by business impact

The output of a FAIR analysis on the RiskLens platform quantifies a risk as a range of probable loss exposure in dollars, a ready way to prioritize a list of risks. Given a group of risks, say for one line of business or type of asset, an analyst can run a triage (or Rapid Risk Assessment) with the platform for a quick ranking of the risks to answer the question: Which risks matter because they exceed a risk threshold?

For risks that bubble to the top, triage is followed by a detailed assessment based on more extensive data to dig into the root causes driving the risk, which are important clues for deciding on mitigation. The GRC can also be a rich source of data to feed analysis; for instance, if the GRC taps into incident response logging, that’s a great source for understanding the frequency of occurrence of cyber events.

Learn how you can get the most out of your risk register with RiskLens. Request a demo.

[Screenshot] RiskLens top-risks reporting

3. RiskLens fills in gaps in GRC capabilities, especially by aggregating risks to show top risks across a line of business or the enterprise

Without quantification, GRCs typically don’t have a way to aggregate across risks, for instance at the business unit level. RiskLens is particularly strong at generating top-risks reporting: multiple risk scenarios aggregated to produce a ranked list of risks based on probable loss exposure, the reporting that the board or senior management most want to see.

4. RiskLens provides a system for evaluating mitigations on a cost/benefit basis, enhancing the power of a GRC to track progress in risk reduction over time.

With the Risk Treatment Analysis capability of the RiskLens platform, a GRC user can run a cost/benefit analysis on mitigations, comparing risk reduction in dollars against the investment in security controls or processes. Follow-up analyses then track performance over time against risk appetite or other set thresholds, with all the metrics logged in the GRC.
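As an added illustration (not the RiskLens platform's own code, and a deliberate simplification of the FAIR model), the following Python script takes a constructed three-item risk register, turns each scenario into a loss-exposure range with a Monte Carlo simulation, ranks the scenarios against a threshold as in the triage step above, aggregates them into a top-risks total, and scores one mitigation on a cost/benefit basis. The scenario values, the threshold and the control cost are all constructed assumptions.

```python
import math
import random
import statistics

# Constructed sample risk register, each item already phrased as a FAIR scenario.
# Values: loss event frequency per year and loss magnitude in $, both as (min, mode, max).
SCENARIOS = {
    "ransomware on file servers": ((0.2, 0.5, 2.0), (50_000, 400_000, 3_000_000)),
    "insider exfiltration of customer PII": ((0.05, 0.1, 0.5), (100_000, 800_000, 5_000_000)),
    "public web site defacement": ((0.5, 1.0, 4.0), (1_000, 10_000, 50_000)),
}

def poisson(rng, lam):  # Knuth's method: number of loss events in one simulated year
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate(lef, lm, trials=5000, seed=1):
    """Annual loss per trial: draw a yearly rate, an event count, then per-event losses."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        rate = rng.triangular(lef[0], lef[2], lef[1])  # random.triangular(low, high, mode)
        annual.append(sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(poisson(rng, rate))))
    return annual

def summarize(annual):  # loss exposure range: p10, mean (annualized loss expectancy), p90
    s = sorted(annual)
    return {"p10": s[len(s) // 10], "mean": statistics.fmean(s), "p90": s[len(s) * 9 // 10]}

def triage(scenarios, threshold):
    """Rapid ranking: (name, range, exceeds_threshold) tuples, highest mean loss first."""
    rows = []
    for name, (lef, lm) in scenarios.items():
        stats = summarize(simulate(lef, lm))
        rows.append((name, stats, stats["mean"] > threshold))
    return sorted(rows, key=lambda r: r[1]["mean"], reverse=True)

def aggregate(scenarios, trials=5000):
    """Top-risks view: add the scenarios' losses trial by trial, then summarize the total."""
    total = [0.0] * trials
    for i, (lef, lm) in enumerate(scenarios.values()):
        for t, loss in enumerate(simulate(lef, lm, trials, seed=100 + i)):
            total[t] += loss
    return summarize(total)

def treatment_net_benefit(before, after, annual_cost):  # mean loss avoided minus control cost
    return summarize(simulate(*before))["mean"] - summarize(simulate(*after))["mean"] - annual_cost
```

A positive net benefit means the control removes more expected loss per year than it costs; the p10/p90 values give the range that a register item would carry instead of a single score.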

5. Quantifying risk with FAIR brings cyber, technology, operational and enterprise risk together on one standard for assessing risk in financial terms, increasing the strategic value of the GRC.

The National Institute of Standards and Technology (NIST) recommends the use of FAIR risk quantification to “better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives.” For too long, cybersecurity has been an outlier from the rest of the enterprise’s risk management, with risk reported in technical terms such as “maturity scores” or subjective rankings based on opinion, a discrepancy made glaring in risk registers. FAIR is equally applicable to risk scenarios for other forms of risk, enabling a true apples-to-apples comparison throughout a GRC.