I’m of the firm belief that any organization, regardless of size or maturity can perform quantitative risk analysis. At first blush though, some organization’s will be hesitant to agree, assuming that they do not have enough data to consistently perform quantitative risk analysis, or that it’s just too plain hard to put into practice.
I’m here to tell you that both of those assumptions are false. On a regular basis I perform quantitative risk analysis with limited data, leveraging accurate, yet useful distributions for my inputs, and I do so with the tools, techniques, and not to mention, the only purpose-built on FAIR quantification tool out there, RiskLens.
For those that are still on the fence, a fantastic way to see first-hand how we at RiskLens make quantitative risk analysis a reality is by performing a pilot engagement. A pilot is a 4-day, onsite engagement where a member of our Professional Services team analyzes a specific concern to your organization, by gathering data from tools within your environment and SME’s within your organization, all while leveraging the RiskLens platform and reporting capabilities to help your organization make a more well-informed risk decision.
So for those organizations that are ready to test drive quantitative risk analysis using RiskLens, what makes for a good pilot engagement and what can you do with the results?
What makes for a good pilot?
What makes for a good pilot really boils down to what is concerning to your organization. What is the scary event that keeps you and/or your executives up at night? These can range from:
- Concern with the latest strain of malware and how it can exploit information on company laptops.
- Concern with a series of application vulnerabilities and how those can be leveraged to steal sensitive client information.
- Concern with insiders stealing your intellectual property.
- Concern about the GDPR regulation and what the new fine structure means for your organization.
What can I do with the results?
Once we’ve scoped an analysis, gathered all of the data and hit the run button, what do we do with the information? I’ve always heard that “information is power”, and for the most part I agree with that statement. Yet to me, the real value of that information, is what you do with it.
Thinking back to the standard four risk management strategies: accept, avoid, transfer and mitigate, let’s think about the questions we can answer with a set of quantitative risk results that we could not answer with a more qualitative and subjective approach.
Based on our quantitative results from the pilot, are we willing to accept this risk because it falls within our organization’s pre-defined risk tolerance? Even if your organization has defined your risk tolerance using a more, subjective, or gut feeling approach, odds are that it’s still stated in monetary terms. By conducting a pilot, and seeing results in dollars and cents, for the first time you’d definitively be able to state that a risk fell within our risk tolerance and can be accepted.
Given what we’ve learned from the pilot, can we avoid this risk all together? Is it worth it for us to remove X application, business process, etc. because the exposure we could potentially experience from a loss, far exceeds the benefits we receive from it? With a quantitative set of risk results, you’d be able to compare the risk in dollars and cents to the dollars and cents of revenue from the process.
Based on how the loss materialized according to the six forms of loss in the FAIR standard, can we transfer all or a portion of this exposure via our insurance policies? Insurance policies are underwritten in dollars and cents, shouldn’t your risks be expressed that way as well…food for thought.
Mitigation is really where we as risk professionals, as well as pilot engagements really shine. Rarely do we find risks that we can altogether avoid, and more often than not, a risk needs to be really rather miniscule to accept, yet we can identify a number of ways to mitigate it. Those various mitigation techniques and tools can easily be modeled within the RiskLens application, whereby we analyze the current state exposure without the mitigation in place, and quickly version the analysis to develop various future states with the mitigations in place. Upon completion, you end up with a set of quantitative risk results that allow you to more definitively state whether you're going to get the anticipated return on your investment (ROI). This is not something you can get from performing qualitative risk analysis with colors.
A pilot engagement is a fantastic way to again, take a test drive on quantitative risk analysis using RiskLens, but keep in mind that it’s just the start to the journey. With the RiskLens platform and services we frequently help organizations normalize and triage their risk register, analyze their top 10 risks and perform other quantitative risk analyses that will set your organization on the road to smarter, better informed decision-making.