“Let’s be honest and talk about the state of most risk management programs,” Nick said. “The state is not great.” Among the problems:
“Risk models matter,” Nick said. They should generate analysis in a consistent, quantifiable format that enables business decision-makers to prioritize among risks based on loss exposure and justify investments in mitigations to reduce risk.
Nick introduced Factor Analysis of Information Risk (FAIR™), the international standard for risk quantification that’s the basis – along with statistical modeling – of the risk analysis applications offered by RiskLens. FAIR breaks down loss events into factors that can be quantified and, just as important, gives organizations a common, transparent understanding of risk.
A technology-dependent service company investigated the risk of ransomware knocking out its flagship application, then ran a cost/benefit analysis on multi-factor authentication, revealing a probable $17 risk reduction for every dollar spent on that control.
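An added illustration of the cost/benefit arithmetic behind a figure like "$17 of risk reduction per dollar spent" (example code written for this recap, not RiskLens software or the webinar's own model). It uses FAIR's top-level decomposition, annualized loss exposure = loss event frequency x loss magnitude, sampled by Monte Carlo; all scenario inputs, the MFA cost and the triangular sampling are constructed assumptions, so the output ratio will not match the $17 from the case study.

```python
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    # FAIR's top-level factors, each as a (min, most likely, max) estimate.
    # Triangular sampling stands in here for the PERT distributions FAIR tools
    # typically use (assumption made for this example).
    lef: tuple  # loss event frequency: loss events per year
    lm: tuple   # loss magnitude: dollars per loss event


def sample(tri, rng):
    lo, mode, hi = tri
    return rng.triangular(lo, hi, mode)


def annualized_loss(scn, rng, trials=20000):
    """Monte Carlo annualized loss exposure: mean over trials of LEF * LM."""
    total = 0.0
    for _ in range(trials):
        total += sample(scn.lef, rng) * sample(scn.lm, rng)
    return total / trials


def risk_reduction_per_dollar(before, after, annual_control_cost, seed=1):
    """Return (reduction per control dollar, ALE before, ALE after)."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    ale_before = annualized_loss(before, rng)
    ale_after = annualized_loss(after, rng)
    return (ale_before - ale_after) / annual_control_cost, ale_before, ale_after


# Constructed inputs: ransomware against a flagship application, with and
# without MFA. MFA is modelled as lowering how often attackers succeed (LEF);
# the cost of an incident that still happens (LM) is left unchanged.
RANSOMWARE_NO_MFA = Scenario(lef=(0.1, 0.5, 2.0), lm=(200_000, 1_500_000, 8_000_000))
RANSOMWARE_WITH_MFA = Scenario(lef=(0.02, 0.1, 0.5), lm=(200_000, 1_500_000, 8_000_000))
MFA_ANNUAL_COST = 75_000  # constructed figure

if __name__ == "__main__":
    ratio, before, after = risk_reduction_per_dollar(
        RANSOMWARE_NO_MFA, RANSOMWARE_WITH_MFA, MFA_ANNUAL_COST)
    print(f"ALE before MFA: ${before:,.0f}  after: ${after:,.0f}")
    print(f"Risk reduction per control dollar: ${ratio:,.2f}")
```

Swapping the triangular inputs for calibrated estimates from subject-matter experts is what turns this from an illustration into a defensible analysis.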
To demonstrate the flexibility of FAIR analysis to analyze and integrate both cyber and operational risk, Rob presented the case study of a manufacturing company looking to understand risk to a facility from earthquake, ransomware, employee error and power outage – all scenarios quantifiable apples-to-apples in financial terms.
The analysis surfaced the top risks through different lenses, with surprising results. And when Rob’s team dug into the earthquake scenario, they discovered another surprise – a high-priced retrofit upfront to the manufacturing facility would be a more cost-effective investment for risk reduction than paying out insurance premiums over time.