Tactical versus informative risk analysis
Tactical Risk Analysis is a form of risk analysis focused on driving decisions and/or actions within an organization.
This should not be confused with Informative Risk Analysis, another form of analysis that focuses on providing visibility and awareness of a given risk issue. In my experience, the majority of risk programs I encounter are predominantly informative in their objectives.
When risk analysis becomes tactical, it provides more value to decision makers and management, because it is directly involved in the decision making process. It positions the risk team and its analysts as advisers to management.
Sounds like a good place to be? If so, let’s take a look at an example of tactical risk analysis in information security.
When evaluating a new security control (or set of controls) or a security initiative, the risk team first performs a current-state (residual) risk analysis. The team then creates an iteration of that current-state analysis and adjusts only the factors that would change if the additional control or initiative were completed. When run, this second analysis forecasts the future state. The risk reduction is the difference between the current-state and forecasted future-state results, which can then be compared with the cost of the proposed security investment. This yields a financial cost/benefit analysis that is exceptionally valuable to decision-makers.
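The current-state versus future-state comparison described above, worked through in code. This is an added example, not code from the original post; the FAIR-style inputs (loss event frequency and loss magnitude as min / most likely / max estimates), the triangular distributions, the scenario values and the annual control cost are all constructed assumptions for illustration. It gives both a point estimate of annualized loss exposure (ALE) and a Monte Carlo forecast, so the risk reduction can be set against the cost of the proposed control.

```python
"""Tactical risk analysis: current-state vs forecast future-state ALE (added example)."""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """FAIR-style inputs as (min, most likely, max) calibrated estimates.
    lef: loss event frequency, loss events per year.
    lm:  loss magnitude, currency units per event."""
    name: str
    lef: tuple
    lm: tuple


def expected_ale(s: Scenario) -> float:
    """Point estimate of annualized loss exposure.
    The mean of a triangular distribution is (min + mode + max) / 3, and LEF and
    LM are treated as independent, so E[LEF * LM] = E[LEF] * E[LM]."""
    return (sum(s.lef) / 3) * (sum(s.lm) / 3)


def simulate_ale(s: Scenario, trials: int = 20000, seed: int = 1) -> list:
    """Monte Carlo forecast: one simulated year per trial. The number of loss
    events is a rounded draw from the LEF triangle; each event then draws its
    own magnitude. Returns the list of simulated annual losses."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode)
        events = round(rng.triangular(s.lef[0], s.lef[2], s.lef[1]))
        years.append(sum(rng.triangular(s.lm[0], s.lm[2], s.lm[1]) for _ in range(events)))
    return years


def percentile(values: list, p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of a list of simulated losses."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(p / 100 * (len(ordered) - 1))))
    return ordered[idx]


def cost_benefit(current: Scenario, future: Scenario, annual_cost: float) -> dict:
    """Risk reduction is current ALE minus forecast future ALE; the result is
    compared with the annual cost of the control that produces the change."""
    cur, fut = expected_ale(current), expected_ale(future)
    reduction = cur - fut
    return {
        "current_ale": cur,
        "future_ale": fut,
        "risk_reduction": reduction,
        "annual_cost": annual_cost,
        "net_benefit": reduction - annual_cost,
        "benefit_cost_ratio": reduction / annual_cost if annual_cost else float("inf"),
    }


# Constructed scenarios (assumed values, not from any real assessment):
# the proposed control is assumed to cut loss event frequency, not magnitude.
CURRENT_STATE = Scenario("current state", lef=(3, 6, 9), lm=(50_000, 100_000, 150_000))
FUTURE_STATE = Scenario("future state with proposed control", lef=(1, 2, 3), lm=(50_000, 100_000, 150_000))
ANNUAL_CONTROL_COST = 150_000.0  # assumed yearly cost of the control


if __name__ == "__main__":
    result = cost_benefit(CURRENT_STATE, FUTURE_STATE, ANNUAL_CONTROL_COST)
    for key, value in result.items():
        print(f"{key:>20}: {value:,.2f}")
    for scenario in (CURRENT_STATE, FUTURE_STATE):
        losses = simulate_ale(scenario)
        print(f"{scenario.name}: simulated mean {mean(losses):,.0f}, "
              f"90th percentile {percentile(losses, 90):,.0f}")
```

The point estimate is what a decision-maker usually asks for first; the simulated percentiles show how much of the reduction sits in the tail, which is where a frequency-reducing control and a magnitude-reducing control differ even when their expected-value reduction is the same.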
Pretty impressive. But in order to be able to achieve this, a risk program requires the following:
- Agility: tactical risk analysis is often “not scheduled”. The risk team needs flexibility to adjust and prioritize its workload in order to handle tactical analysis requests.
- Skilled analysts: tactical risk analysis requires efficient and timely delivery of results. If the risk analysis becomes a bottleneck in the process, decision-makers may forego waiting for the results.
Case studies using FAIR
Share your own experience
Have you performed risk analyses that you believe were tactical? If so, please share any lessons learned or insights you may have for the community in the comments section below.