Over the years many risk professionals have found their risk religion with Factor Analysis of Information Risk (FAIR), but how to start integrating it into your organization isn’t always obvious. Recently the Operational Risk working group of the FAIR Institute held our second virtual meeting to share tips on how to start out on the journey towards a FAIR-based risk program.
Like any model or methodology you’re considering, your success will greatly depend on how you approach it. Move too quickly and try to replace too many existing practices at once, and you may find your organization rejects the change. In fact, you may find yourself prying the red and green risk matrix out of their clenched hands … but don’t get discouraged, this is all part of the journey.
The first step is to identify what already exists for your organization. Are you starting with a complete greenfield opportunity, or are there existing risk models and methodologies to consider? Truthfully, starting from scratch has its advantages and disadvantages. You certainly don’t have to worry about weaning the organization off an approach that may be deeply embedded in the organization’s culture. But you also don’t have the shortcomings of the existing model available for easy comparison.
If you’re not starting from scratch, then you need to not only understand the current approach and its associated pain points, but also investigate how it evolved and what came before it. Understand any previous experiences the organization has had experimenting with different models, and be sensitive to any scars that previous failures may have left. In essence, do your homework. Understand the journey the organization has already taken before you got involved.
When you’re introducing FAIR within your organization, you’ll want to have a short summary of its benefits. A sales pitch of sorts. The following is an example provided by a member of the working group:
You can think of FAIR as having two use cases that can be leveraged together or individually based on your needs: the Analysis structure using the ontology, and the Measurement methodology.
When evaluating your current analysis approach, some of the typical shortcomings include:
- No single definition for terms
- Unclear scoping
- Undocumented assumptions
This is where FAIR shines. Not ready for Monte Carlo simulations and loss exceedance curves? No problem. Just adopting the FAIR ontology, definitions, and loss scenario scoping approach will transform your risk program.
Is risk measurement your clear pain point? Do any of these challenges sound familiar?
- Vaguely defined rating scales
- Focus on possibility vs. probability
- No adjustments for bias or confidence
- Rarely data driven
Don’t worry, you’re not alone.
Once you start to socialize the concept of truly measuring risk, there is an interesting phenomenon that you’re sure to experience. Management may be perfectly happy blindly accepting your best guess supported only by vaguely defined qualitative ratings and questionable risk scales, but then you put quantitative estimates in front of them and suddenly they have a thousand questions. Let’s call this the “numerophobia syndrome.” In truth it isn’t exactly a fear of numbers, but really a distrust. This is your first lesson. Perception is everything in the early days of evangelizing your new risk methodology. Your existing red, yellow, and green dashboard may not be supported by anything more than wild hunches and interpretation of vaguely defined risk ratings, but management was comfortable with it. They made a lot of important decisions based on it. Don’t pull the rug out from under them.
Think of your management like an addicted smoker. Are you going to break their addiction with pages of statistics showing the hazards of smoking? Maybe if you show them pictures of cancerous lungs that will scare them to quit? Even many smokers who have a loved one die as a result of habitual smoking may quit temporarily, but it often doesn’t last. Counterintuitive, right? Research shows that an addict has to want to change their habits for intrinsic purposes in order to sustain long-term change without relapse. Data, fear, or guilt aren’t going to do the job. Find your organization’s pain points, and start using FAIR to help them. The beauty of FAIR’s approach to measurement is that you don’t have to go cold turkey with your existing model.
The best approach is to meet them where they are and iteratively move them to a better model. One way to position this is to start with a basic version of FAIR that leverages the highest level of the ontology (i.e. loss event frequency and loss magnitude) and quantitative estimation techniques, but keep the estimates limited to predefined ranges and translate the end result back into the familiar labels of Low, Moderate, High, etc. For example, the evolution of your approach may look something like this:
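To make the "basic version" above concrete, here is an added example written for this post (it is not FAIR Institute code and not the figure the original post referred to). It uses only the top of the ontology, Loss Event Frequency times Loss Magnitude, restricts the analyst's estimates to predefined ranges, runs the Monte Carlo simulation mentioned earlier, and translates the resulting annualized loss exposure back into the legacy Low/Moderate/High labels; it also answers the one loss exceedance question management usually asks ("how likely is it that we lose more than X this year?"). The range tables, label thresholds and the choice of a log-uniform draw within each range are assumptions for illustration; an organization would set its own.

```python
"""Starter FAIR analysis using only the top of the ontology: Loss Event
Frequency (LEF) x Loss Magnitude (LM) -> Annualized Loss Exposure (ALE).

Estimates are restricted to predefined ranges and the result is translated
back into the familiar Low/Moderate/High labels. This is an added
illustration written for this post, not FAIR Institute code; the range
tables and label bands are hypothetical and would be set by the organization.
"""
import math
import random
from statistics import mean

# Predefined LEF ranges, loss events per year (hypothetical scale).
LEF_RANGES = {
    "rare":       (0.01, 0.1),    # about once a century to once a decade
    "occasional": (0.1, 1.0),     # once a decade to once a year
    "frequent":   (1.0, 10.0),    # once a year to about monthly
    "constant":   (10.0, 100.0),  # monthly to about twice a week
}

# Predefined LM ranges, USD per loss event (hypothetical scale).
LM_RANGES = {
    "minor":    (1_000, 10_000),
    "moderate": (10_000, 100_000),
    "major":    (100_000, 1_000_000),
    "severe":   (1_000_000, 10_000_000),
}

# ALE bands that translate a number back into a familiar label
# (hypothetical thresholds; lower bound inclusive, upper exclusive).
ALE_LABELS = [
    (0,         50_000,    "Low"),
    (50_000,    500_000,   "Moderate"),
    (500_000,   5_000_000, "High"),
    (5_000_000, math.inf,  "Critical"),
]


def label_for(ale):
    """Map an annualized loss figure onto the legacy rating labels."""
    for low, high, name in ALE_LABELS:
        if low <= ale < high:
            return name
    raise ValueError(f"no label covers {ale!r}")


def sample_log_uniform(rng, low, high):
    """Draw from a range spanning an order of magnitude so that each part of
    the range is equally likely on a log scale (a plain uniform draw would
    crowd the top of the range)."""
    return math.exp(rng.uniform(math.log(low), math.log(high)))


def sample_poisson(rng, rate):
    """Number of loss events in one year given an annual rate (Knuth's method)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate(lef_bucket, lm_bucket, iterations=10_000, seed=1):
    """Monte Carlo over one loss scenario: pick an annual LEF from the chosen
    range, draw that many loss events for the year, and sum their magnitudes."""
    rng = random.Random(seed)
    lef_low, lef_high = LEF_RANGES[lef_bucket]
    lm_low, lm_high = LM_RANGES[lm_bucket]
    annual_losses = []
    for _ in range(iterations):
        rate = sample_log_uniform(rng, lef_low, lef_high)
        events = sample_poisson(rng, rate)
        annual_losses.append(sum(
            sample_log_uniform(rng, lm_low, lm_high) for _ in range(events)))
    annual_losses.sort()

    def percentile(p):
        return annual_losses[min(len(annual_losses) - 1,
                                 int(p * len(annual_losses)))]

    ale = mean(annual_losses)
    return {
        "ale_mean": ale,
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p99": percentile(0.99),
        "label": label_for(ale),      # the familiar label for the dashboard
        "losses": annual_losses,      # kept for loss exceedance queries
    }


def exceedance_probability(losses, threshold):
    """P(annual loss > threshold): one point on a loss exceedance curve."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


if __name__ == "__main__":
    result = simulate("frequent", "moderate")
    print(f"ALE mean ${result['ale_mean']:,.0f} -> {result['label']}")
    print(f"p50 ${result['p50']:,.0f}  p90 ${result['p90']:,.0f}  "
          f"p99 ${result['p99']:,.0f}")
    print(f"P(loss > $250k) = "
          f"{exceedance_probability(result['losses'], 250_000):.2f}")
```

The point of keeping the estimates in buckets is that the analyst never has to defend a single number in the early days; they defend a range the organization already agreed on, and management still sees the label they are used to. The percentiles and the exceedance probability are what you can start surfacing later, once trust in the numbers has been built.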
You’re sure to encounter quantitative skeptics … every company has one (or more). Remember the mantra of Doug Hubbard:
- Your problem is not as unique as you think.
- You have more data than you think.
- You need less data than you think.
- There is a useful measurement that is much simpler than you think.
As you progress along this journey, incorporate the concept of confidence into your analysis and reporting. You want the maturity and quality of your assessments to be transparent to your management. Think about the accuracy, relevance, completeness, reliability, timeliness, and expense of the data inputs into your analysis, and include this in your reporting. This can go a long way toward building trust as your program evolves, and will help your management make more informed decisions. For example, you might use this simple maturity scale to represent your confidence in your assessment:
Initial / Intuitive - Immature or developing assessment approach exists, a formal assessment model may not be established or is in early stages. Predictions are largely based on the experience of the assessors.
Repeatable - An assessment model is established and is producing consistent assessments using standard criteria. Risks are being regularly assessed. Assessment may be based on consensus opinion, or assessors are at least engaging risk-practiced SMEs, reviewing incident statistics, or referencing trend data to inform assessments.
Measurable - Assessment model is well defined and has been refined/calibrated over time, and trend data and incident statistics have been analyzed to model future predictions. Assessors are trained, practiced, and experienced analyzing risks in this area. The assessments themselves may have been revised and updated over time.
In essence, don’t underestimate how big an adjustment FAIR may be for your organization, and be practical about how much you can bite off at a time.
Hopefully these tips and ideas are helpful to you, and will encourage you to participate in the Operational Risk workgroup. Our next virtual meeting will be on August 23, 2016 at 3:00 PM EDT, and we will be discussing Comparing FAIR to Other Risk & Control Standards.