Presenting The Top 10 Risks To The Board

January 15, 2019  Isaiah McGowan

If you spend enough time around Jack Jones you will hear him exclaim: “70 to 90 percent of the things I encounter in Top 10 lists really aren’t risks”. In this video, Chad Weinman and I describe how to:

  • Identify the list
  • Determine the problem
  • Report results to the board
What is risk?
The first time I heard Jack talk about risk was his 2011 interview on the SecuraBit podcast. I listened to that episode several times. What stuck in my head the most was ‘exposure to loss’. To this day, my primary approach to determine if I’m talking about ‘risk’ is to validate against that phrase. I think to myself, “am I talking about something that represents exposure to loss?"
I encourage you to scrutinize your top ten with the same frame of mind. Organizations can do this using a formalized approach. Factor Analysis of Information Risk (FAIR) provides a lens you can use to spot items that do or don’t represent exposure to loss. According to FAIR, risk is the probable frequency and probable magnitude of future loss. For an organization to report risks via a top 10 list, it must be able to express two properties about each item on the list:
  1. Probable frequency
  2. Probable magnitude
In other terms, it should be able to say how often the bad thing is likely to happen and how much money is at stake each time it does. An item that cannot be stated this way (a threat such as “phishing”, or a control deficiency such as “no MFA”) is not itself a risk, even though it may contribute to one. Communicating risk in these terms removes a whole host of problems most organizations don’t realize they have.
Knowing is half the battle… But you still have to correct the problem
Fixing a broken top 10 list is not always easy, but it is a repeatable process. Each entry in the list can be transformed using FAIR. When I conduct these exercises I follow 3 steps:
  1. Identify what we are most concerned will happen
  2. Clearly state the threat(s), asset(s), and how the organization will experience pain (breach, outage, etc.)
  3. Rework the given risk into a FAIR-friendly statement
Once organizations recognize and correct the issues surrounding what they see as top risks, they can begin measuring them using FAIR. The outcomes of FAIR analyses over the top 10 risks elevate conversations at the executive and board level, by speaking their risk language: dollars and cents. Chad and I go into more detail on these topics in this session presented at the inaugural 2016 FAIR Institute Conference.
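The “exposure to loss” test from the definition above, and the three-step rework that follows it, can be made concrete in code. The block below is an added example, not code from the original post or from the FAIR Institute: it checks whether a top-10 item can state a probable frequency and a probable magnitude, renders a reworked item as a threat/asset/effect statement, and runs a small Monte Carlo simulation to turn the two ranges into an annualized loss distribution in dollars. The field names, the constructed sample list entries, the min/most-likely/max ranges and the use of a triangular distribution (where FAIR tooling usually uses PERT) are all my assumptions for illustration.

```python
"""Added example; not code from the original post or from the FAIR Institute.

Demonstrates the post's two checks on a "top 10" item: (1) is it exposure to
loss, i.e. can we state a probable frequency and a probable magnitude? and
(2) if so, render it as a FAIR-friendly statement (threat, asset, effect) and
estimate annualized loss in dollars with a Monte Carlo simulation.

Assumptions (mine, for illustration): the field names, the sample list
entries, the min / most likely / max ranges, and the use of a triangular
distribution where FAIR tooling usually uses PERT.
"""
import math
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Range:
    """Calibrated estimate as minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular stands in for PERT (assumption, to stay in the stdlib).
        return rng.triangular(self.low, self.high, self.mode)


@dataclass
class Item:
    """One entry from a top-10 list, decomposed as far as its author could."""
    label: str                                   # wording on the original list
    threat: Optional[str] = None                 # who or what causes the loss event
    asset: Optional[str] = None                  # what the threat acts against
    effect: Optional[str] = None                 # how the org feels pain: breach, outage ...
    frequency_per_year: Optional[Range] = None   # probable loss event frequency
    magnitude_usd: Optional[Range] = None        # probable loss magnitude per event


FAIR_PROPERTIES = ("threat", "asset", "effect", "frequency_per_year", "magnitude_usd")


def missing_properties(item: Item) -> List[str]:
    """Names of the FAIR properties the item cannot express; empty means fully reworked."""
    return [name for name in FAIR_PROPERTIES if getattr(item, name) is None]


def is_risk(item: Item) -> bool:
    """The 'exposure to loss' test: frequency and magnitude must both be statable."""
    return item.frequency_per_year is not None and item.magnitude_usd is not None


def fair_statement(item: Item) -> str:
    """Step 3 of the post: the reworked, FAIR-friendly sentence."""
    gaps = missing_properties(item)
    if gaps:
        raise ValueError(f"{item.label!r} is not a risk; missing {gaps}")
    return f"{item.threat} acts against {item.asset}, resulting in {item.effect}"


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year given an average rate (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def annualized_loss(item: Item, trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo: probable frequency x probable magnitude -> annual loss distribution."""
    if not is_risk(item):
        raise ValueError(f"{item.label!r} has no frequency/magnitude; it is not a risk")
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        events = _poisson(rng, item.frequency_per_year.sample(rng))
        annual.append(sum(item.magnitude_usd.sample(rng) for _ in range(events)))
    annual.sort()

    def pct(q: float) -> float:
        return annual[min(len(annual) - 1, int(q * len(annual)))]

    return {"mean": sum(annual) / len(annual), "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}


# Constructed sample list: two items as they typically arrive, one already reworked.
TOP10_AS_SUBMITTED = [
    Item("Phishing"),                  # a threat, not a loss event
    Item("Lack of MFA on the VPN"),    # a control deficiency, not a loss event
    Item(
        "Credential phishing leads to customer data breach",
        threat="External attacker with phished employee credentials",
        asset="the customer database",
        effect="a data breach with notification and regulatory cost",
        frequency_per_year=Range(0.1, 0.5, 2.0),
        magnitude_usd=Range(50_000, 400_000, 3_000_000),
    ),
]


if __name__ == "__main__":
    for item in TOP10_AS_SUBMITTED:
        if is_risk(item):
            print(fair_statement(item), annualized_loss(item))
        else:
            print(f"{item.label!r}: not a risk, missing {missing_properties(item)}")
```

The first two entries fail the test for the reason the post gives: nothing about “phishing” or “no MFA” tells the board how often a loss will occur or what it will cost. Only the reworked entry carries a frequency and a magnitude, and it is the only one for which a dollar figure can be produced; the 10th/50th/90th percentile spread is what an executive audience can weigh against the cost of a control.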