How to Get the Most Value from a Quantitative Risk Management Program (QRMP)

December 19, 2019

If you’ve been thinking about adding cyber risk quantification to your risk management program, RiskLens CEO Nick Sanna has a plan for you in this short video.  

As Nick explains, to get the maximum value from a Quantitative Risk Management Program (QRMP), you need a systematic approach that embeds quantitative analysis in your ongoing risk management processes.

Nick lays out 5 steps to achieve maximum QRMP:

1. Define Your Goals

2. Train Your People

3. Set Up the RiskLens Platform

4. Embed Cyber Risk Quantification (CRQ) in Everyday Decision-Making

5. Measure Success

RiskLens fields the most experienced team in guiding organizations through the real-world adoption of CRQ at the enterprise level, including training and set-up of the only suite of SaaS solutions purpose-built on the FAIR™ model, the international standard for cyber risk quantification analysis. Contact us to learn how we can help.



You may be thinking about adding cyber risk quantification to your risk management program as a way to articulate the value of cybersecurity and risk mitigation strategies to the business and the board. We’ve seen companies really benefit from building a quantitative risk management program in a systematic way. And I use the word “systematic” because, like many transformative technologies, the value is realized when you are deliberate about it, when you stick with it so you can consistently make better decisions: in this case, cost-effective decisions regarding prioritizing cyber decisions, cyber investments and processes, improving communication to the business and the board, approving security policy exceptions, resolving audit findings, whatever the decisions might be. You will gain from doing this in a very systematic way, so that on a daily basis you can get that benefit. How do you do that? At RiskLens, with the help of our Fortune 1000 customers, we have developed what we call QRMP – a Quantitative Risk Management Program that allows you to define the goals of your program.

Step 1. Define Your Goals

What are you trying to achieve, after all, with a quantitative risk management program?

  • Are you there to improve reporting to the board or to the regulators?
  • Are you there to make more cost-effective decisions when it comes to budgeting?
  • Are you there trying to justify an expensive investment, people or a new shiny security product that promises to reduce risk tremendously?
  • Or are you trying to meet a regulation that’s asking you to deliver a top risk assessment?

Wherever you might be, be clear about your objectives so you can set it as a goal, and we can focus on delivering on that outcome. That’s the start of a program.

Step 2. Train Your People

Then a program also needs to take into account the training of the people who are involved, from the people who do analysis to the people who consume those reports and make business decisions, so that they understand how to leverage this transformative technology and get day-to-day benefit.

Step 3. Set Up the RiskLens Platform

A third phase in the program would be to configure and set up the platform. RiskLens has built probably the most scalable and most valuable cyber risk quantification platform, one that allows you to do a very large number of analyses in a small amount of time with minimum data inputs. So, configuring and setting up the platform is a third step that will give you unprecedented scalability.

Step 4. Embed Quantitative Risk Management in Everyday Decision-Making

A fourth step is identifying those day-to-day processes that are the core of your risk management program. What are those decisions that we make on a daily basis that you need to inform? You can look at those operational decisions and start embedding a new way of decision making, based on financial analysis for cyber, in those processes, and get value every day.

If you had to sort through IT audit findings – how do we sort through these audit findings? How do we triage them and determine which are really more meaningful vs. less? So when you get that list from Audit, you know exactly what you are going to focus on in the next few days, and you may want to focus on the items that matter the most vs. things that may be just checking the box but may not have meaningful impact in terms of risk reduction.
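The audit-finding triage described above can be made concrete with a small FAIR-style calculation. The Python below is an added example written for this page; it is not RiskLens platform code and it does not reproduce the full FAIR taxonomy (it skips the threat-event-frequency and vulnerability sub-factors and the loss-magnitude sub-forms). Each finding is expressed as calibrated (min, most likely, max) estimates of loss event frequency and loss magnitude, a Monte Carlo simulation turns those into annualized loss exposure, and findings are ranked by simulated risk reduction per remediation dollar. All findings, estimates and costs are constructed for illustration.

```python
import random
from dataclasses import dataclass
from statistics import mean


@dataclass
class Finding:
    """One audit finding expressed as a FAIR-style loss scenario.

    Estimates are calibrated (min, most_likely, max) triples:
      lef       - loss event frequency per year, as things stand today
      lm        - loss magnitude per event, in dollars
      lef_after - loss event frequency if the finding is remediated
      cost      - one-off remediation cost in dollars
    Assumption for this example: remediation lowers frequency, not magnitude.
    """
    name: str
    lef: tuple
    lm: tuple
    lef_after: tuple
    cost: float


def sample_triangular(rng, estimate):
    """Draw from a triangular distribution given a (min, most_likely, max) triple."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def annualized_loss(rng, lef, lm, trials=10_000):
    """Monte Carlo estimate of annualized loss exposure (ALE).

    Each trial multiplies one frequency draw by one magnitude draw. A fuller
    FAIR analysis would draw a Poisson event count per year and sum per-event
    losses; this simplification keeps the idea visible.
    Returns (mean ALE, 90th-percentile ALE) in dollars.
    """
    losses = sorted(
        sample_triangular(rng, lef) * sample_triangular(rng, lm) for _ in range(trials)
    )
    p90 = losses[int(0.9 * trials) - 1]
    return mean(losses), p90


def rank_findings(findings, seed=7, trials=10_000):
    """Rank findings by simulated annual risk reduction per remediation dollar."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    rows = []
    for f in findings:
        before, p90 = annualized_loss(rng, f.lef, f.lm, trials)
        after, _ = annualized_loss(rng, f.lef_after, f.lm, trials)
        reduction = before - after
        rows.append({
            "name": f.name,
            "ale_before": before,
            "ale_p90": p90,
            "ale_after": after,
            "reduction": reduction,
            "reduction_per_dollar": reduction / f.cost,
        })
    return sorted(rows, key=lambda r: r["reduction_per_dollar"], reverse=True)


# Constructed sample findings; every number here is made up for illustration.
CONSTRUCTED_FINDINGS = [
    Finding("Unpatched internet-facing application server",
            lef=(0.5, 2, 5), lm=(50_000, 200_000, 1_000_000),
            lef_after=(0.05, 0.2, 0.5), cost=40_000),
    Finding("Password policy document not formally approved",
            lef=(0.1, 0.5, 1), lm=(1_000, 5_000, 20_000),
            lef_after=(0.05, 0.3, 0.8), cost=15_000),
    Finding("Shared local administrator password across workstations",
            lef=(0.2, 1, 3), lm=(5_000, 20_000, 100_000),
            lef_after=(0.1, 0.5, 1.5), cost=5_000),
]


if __name__ == "__main__":
    for row in rank_findings(CONSTRUCTED_FINDINGS):
        print(f"{row['name']:<58} ALE ${row['ale_before']:>12,.0f}  "
              f"p90 ${row['ale_p90']:>12,.0f}  reduction/$ {row['reduction_per_dollar']:.2f}")
```

The ranking is what makes the triage defensible to the business: the checkbox-style policy finding drops to the bottom because its simulated loss exposure is small, while the two findings that actually move annualized loss rise to the top, with the cheap fix scoring well per dollar even though its absolute exposure is lower.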

Step 5. Measure Success

Last, in a program, you want to measure your performance over time. How well are we doing as a program? As part of completing our goals, if we were to manage risk over time and have defined a risk appetite:

  • How well are we driving risk against that appetite? If we are deviating, why are we deviating?
  • What are the main threats? And by how much and what can we do about it?

Those kinds of decisions are what you can make as part of a program, as well as defining how we keep the rest of the business involved and informed. What kind of reporting do we need to provide them so they can fulfil their oversight role and make decisions that support our business and our security strategy?

These are just some of the elements that you should take into account in building a program that will ensure you get benefits out of cyber risk quantification day in and day out.