FAIR Institute Blog

3 Ways to Roll Out a FAIR Quantitative Risk Management Program

[fa icon="calendar"] Oct 12, 2022 10:06:30 AM / by Jeff B. Copeland

FAIRCON22 - Michael Meis KU Health 3 Ways to Start a FAIR Program 2Michael Meis is four months into launching a cyber risk management program based on Factor Analysis of Information Risk (FAIR™) at The University of Kansas Health System but, as he explained in his presentation to the recent FAIR Conference, the prequel started long before.  He held about 60 meetings with stakeholders to explain FAIR and risk quantification to build credibility, trust and collaboration because “rolling out FAIR is a culture change across the entire organization.”

FAIRCON22 Case Study Presentation: “Okay, Now What?” - Steps to Set Up a Quantitative Risk Management Program at Any Organization

Michael Meis, Associate CISO, KU Health

Watch the video of the presentation (a FAIR Institute Contributing Membership required -  JOIN NOW).

See a video interview with Michael Meis.

FAIR launch leaders can choose one of three approaches for their next steps, Michael recommends: 

Top Down

Begin with analyses of the top risks and scenarios on a strategic level.  

Pros: Builds momentum at the highest levels of senior management and the board. Communicates risk at the level they understand, revenue and value generation. 

Cons: Time- and labor-intensive. Takes 3-6 months to develop top cyber risks report, gain expertise in FAIR, and show some value.   

Bottom Up

Start with the cyber risks in the organization’s risk register, convert them to FAIR scenarios for quantitative risk analysis. Michael recommends this video from the FAIR Institute: How to Turn Your Risk Register Items into Risk Scenarios You Can Quantify with FAIR.

Pros: Lowest barrier to creating a FAIR program. Lower resource investment, short time to value, can produce first risk analysis in a week or two, work out the kinks in a program before giving it visibility in the organization.

Cons: Low visibility among senior levels. Can be difficult if the organization has a longstanding ERM program with expectation to follow already defined, qualitative processes. 

FAIRebluelogo-07Join the FAIR community as a Contributing Member, get access to exclusive content and learning opportunities.

Big Game Hunting

 Find a big decision to be made or problem to be defined and provide additional context with FAIR risk quantification. For instance, an audit finding, or a decision on a vendor agreement, control implementation or other security investment.

Pros: Create immediate buy-in across the organization, build a roster of friendly decision-makers who can help when you scale the program. 

Cons: Size of upfront investment can vary widely, depending on the size of the decision and the speed required to produce results.

No matter the path you take, Michael advises, “train, train and train some more” your team not just with FAIR training but other forms of modeling, as well as business communication techniques. He encouraged his conference audience to “plug into the FAIR community” for advice from peers. “This is probably the most robust community that I have ever seen within the information security space.”

Watch the video of the presentation on three ways to start a FAIR quantitative risk management program (a FAIR Institute Contributing Membership required).

Topics: FAIR Conference 2022, FAIR Program Launch

Jeff B. Copeland

Written by Jeff B. Copeland

Jeff is the Content Marketing Manager for RiskLens.

Join the FAIR Community

Subscribe to Email Updates

Learn How FAIR Can Help You
Make Better Business Decisions

Recent Posts