FAIR Institute Blog

4 Tips to Launch Cyber Risk Quantification at a Global Company

[fa icon="calendar"] Nov 11, 2021 9:01:06 AM / by Jeff B. Copeland

News - Map Orange-1How to introduce and prove value for a FAIR™ cyber risk quantification program at an organization with 500,000 employees in 100 countries – that was the challenge faced by Gideon Knocke at an international health-related company. Gideon and his consultant on the launch, Tom Callaghan, shared their learnings at the recent 2021 FAIR Conference. 

FAIRCON21 Presentation:

FAIRCON21 - Gideon Knocke, Tom CallaghanImplementing a CRQ Program in a Global Organization

Gideon Knocke, Former Risk Manager, Fresenius

Tom Callaghan, Co-Founder & Managing Director, C-Risk, Co-Chair, Paris Chapter, FAIR Institute

FAIR Institute members can watch the video of this FAIRCON21 session in the LINK member community. Not a member yet? Join the FAIR Institute now, then sign up for LINK. 

Tom Callaghan and Christophe Foret of C-Risk won the FAIR Ambassador honor of the 2021 FAIR Institute Excellence Awards

4 Tips on FAIR Program Launch from Gideon and Tom

1.  Start small. Resist quantifying everything and build experience by taking on single use cases one at a time. Pick some issues that can’t be easily solved without quantification.

2.  Choose your risk scenarios carefully for maximum business value. Gideon and Tom focused on the value chain of the organization. With the help of business stakeholders, they mapped the key processes used to generate value and the crown jewel assets that support them.

Learn FAIR quantitative risk analysis in online training

3.  Focus your research efforts on the Loss Magnitude (or right side) of the FAIR model. You can find hard data for magnitude from internal sources, starting with the company’s annual report, and rely more on industry data for the Loss Event Frequency side of the model. Start your research by clarifying how the six forms of loss in FAIR apply to your organization.

4.  Map your scenarios to a standard controls model (they used CIS). “That’s actually key,” Gideon said, “because after the question, ‘how much risk do we have?’ there was always the question, ‘now what do we do with it?’” Tom added, “It’s important to visualize how controls can impact a scenario both in terms of frequency and impact…And that allowed us as well to take some of the scenario analysis outputs and use it in project planning.”

Register now at no charge to view the session on video.

Topics: FAIR Conference 2021

Jeff B. Copeland

Written by Jeff B. Copeland

Jeff is the Content Marketing Manager for RiskLens.

Join the FAIR Community

Subscribe to Email Updates

Learn How FAIR Can Help You
Make Better Business Decisions

Recent Posts