RiskLens CEO Nick Sanna and Risk Transformation Adviser Rob Eslinger appeared at the recent event of the Professional Risk Managers’ International Association, “Cyber Risk in a Turbulent World,” and encouraged risk managers to rise up against the status quo of cyber risk management.
“Let’s be honest and talk about the state of most risk management programs,” Nick said. “The state is not great.” Among the problems:
- Reliance on qualitative, red/yellow/green risk ratings based on no formal risk measurement model.
- Risk registers that are a “dumping ground” of issues and concerns, with “most of the entries not really risks.”
- Inability to communicate to the rest of the organization in terms the business understands – not just “trust me.”
“Risk models matter,” Nick said. They should generate analysis in a consistent, quantifiable format that enables business decision-makers to prioritize among risks based on loss exposure and justify investments in mitigations to reduce risk.
Nick introduced Factor Analysis of Information Risk (FAIR™), the international standard for risk quantification that’s the basis – along with statistical modeling – of the risk analysis applications offered by RiskLens. FAIR breaks down loss events into factors that can be quantified and, just as important, gives organizations a common, transparent understanding of risk.
To show FAIR analysis in action, Rob presented two case studies from recent RiskLens engagements:
A technology-dependent service company investigated the risk of ransomware knocking out its flagship application, then ran a cost/benefit analysis on multi-factor authentication, revealing a probable $17 risk reduction for every dollar spent on that control.
To demonstrate the flexibility of FAIR analysis to analyze and integrate both cyber and operational risk, Rob presented the case study of a manufacturing company looking to understand risk to a facility from earthquake, ransomware, employee error and power outage – all scenarios quantifiable apples-to-apples in financial terms.
The analysis surfaced the top risks through different lenses, with surprising results. And when Rob’s team dug into the earthquake scenario, they discovered another surprise – a high-priced retrofit upfront to the manufacturing facility would be a more cost-effective investment for risk reduction than paying out insurance premiums over time.
With FAIR, “we can be very tangible and direct in terms of the ROI is of various treatment options to inform our decision makers, Rob concluded.