(Video) 5 Key Questions about FAIR Answered - FAIR Inst Europe Summit 2025


In the first panel session at the 2025 FAIR Institute Europe Summit in London, three experienced FAIR program managers answered five basic questions about introducing and evolving quantitative cyber risk management.
Watch the session now. Note: The session recording starts at the 20-minute mark after Nick Sanna’s Keynote Address.
On the panel (from left to right):
Pierre Olodo, Cyber Risk Manager at Richemont, the manufacturer and retailer of luxury goods (Cartier, etc.)
Neil Davis, Head of Cyber Risk Management at Maersk, the shipping giant
Matt Burns, Digital Risk & Resilience Leader at Lloyds Banking Group
Nick Sanna, Founder of the FAIR Institute, moderated the discussion and posed these five questions:
1. What has been the driver for building a more mature cyber risk management program?
Matt Burns explained that banking has traditionally taken a compliance point of view, following the Basel accords for risk management, but recently there’s been a realization that “compliance is one size fits all but it’s not looking at the causes that drive impact to business processes…I think we start there and then ask what are the scenarios that affect our customers, then we apply context and controls and we get compliance as a by-product.”
For Neil Davis, the move away from compliance-first was more sudden and sharp. A global ransomware attack crippled Maersk’s operations in 2017 “and that incident jolted us to realize [compliance-first] didn’t work.” Maersk still measures maturity against compliance frameworks but “it’s the immediate threat, what’s going to happen today or tomorrow or next week that we need to focus our efforts on…as well as the question of where we can put our money without spreading ourselves too thin.” Nick added this lesson from Maersk’s experience: “Don’t waste a crisis - great catalyst for change.”
2. What kind of questions are you being asked and what kind of business decision are you trying to empower?
Pierre Olodo, a FAIR program veteran, described the series of business decisions going back to 2020 supported by FAIR analysis. He started with two proof-of-concept projects, one scoping the risk of moving a critical business application to the cloud, the other a go/no-go decision on acquiring a new brand. After two years of experience, Pierre presented to senior management and got the green light for a roadmap to introduce quantification to all the divisions of the company. Next up, “not a dream, we know we’ll get there”: a “fully automated process to measure our cyber risk.”
3. More and more I am hearing the three lines of defense model being challenged. Where are you on that?
Matt commented, “that model sometimes inhibits pace. I think we need to be looking at the same data set and we need to agree what a risk is and what a control is, and what risk appetite or tolerance is…Part of our strategy is trying to integrate those three teams effectively around the same story.” Nick added “there’s got to be a single source of truth rather than three truths with different methods.”
4. What made you consider adopting FAIR?
Pierre: “For us it was really the intrinsic capability of FAIR to compare things that are not usually compared. We have manufacturing, ecommerce, and shops. The only way to report about all of our value chain risks was FAIR.”
“What really helped with FAIR,” Neil said, “was having an institute with a methodology behind it, not just me with a spreadsheet saying ‘this is how it works’, there’s a framework and publications around it.”
5. What is the future of cyber risk management in your companies?
“It’s about predicting and being proactive,” Matt said, and that requires quantification and “I think agentic AI will give us a lot of power to collect information but also orchestrate the actions off the back of that information so I can also be the next step-change.”