On the Maturity of an Information Risk Management Practice and RiskLens

April 17, 2019  Nicola (Nick) Sanna

Two Common Myths

There is a common perception in the marketplace that assessing information risk in business terms, dollars and cents, requires a high level of maturity in risk management practices, and that having a GRC solution in place might be a necessary prerequisite.

Leadership Maturity More Important Than Program Maturity

What we have learned from our customer engagements in the past year is that the level of maturity necessary to take advantage of RiskLens’ benefits is more related to the level of executive support for moving to a risk-based approach to information security than to the maturity of an organization’s risk management practices.

The reason is that, aside from data inputs coming from information security organizations that are relatively easier to get, customers need access to subject matter experts within the business side of the company for data inputs related to loss magnitude (Impact).

Examples of such information are the cost of application downtime, fines and judgments, the possible impact of various forms of reputation loss, etc. The amount of time required to get this information from business stakeholders is usually overestimated, which adds to the perception of difficulty. If the chief information risk officer or the CISO is able to articulate internally the benefits of quantitative risk analysis, most of the battle is won.

Another reason why program maturity is not a real factor is that the RiskLens applications provide a very structured, templatized approach that guides users through the completion of risk analyses. You don’t need to be a quant or a FAIR or risk management expert to use the solution.

An analogy is that most taxpayers don’t need to be experts in the US tax code to complete their tax return: tools like TurboTax can guide them through the process. We do the same at RiskLens as we guide you through a quantitative risk analysis.

Quantitative Risk Analysis Helps Substantiate the ‘G’ and the ‘R’ in GRC

For customers who are contemplating the adoption of a GRC solution, RiskLens can help increase the chances of setting that initiative up for success, by:

  • Articulating risk in a language that the business can understand: dollars and cents, versus qualitative qualifiers like ‘High, Medium and Low’ that don’t help much with enabling executive decision making. You can read more on the reasons for this here.
  • Helping define the scope of risk governance: RiskLens will help organizations prioritize the risk scenarios that matter the most in terms of financial impact and that require the attention of executive stakeholders, including the board.
  • Supporting the definition of an organization's risk appetite: without quantification, it is very difficult to define the risk appetite other than in qualitative, subjective terms.

The bottom line is that key inputs on the ‘G’ and the ‘R’ of GRC cannot be substantiated and justified without quantitative inputs. This is why most GRC implementations end up just managing compliance. You can learn more on this subject in Jack Jones’ white paper ‘The Failure of GRC’.