FAIR Institute Blog

All-in-One Matrix: Regulatory Compliance Risk Assessment Overview for FAIR Practitioners

[fa icon="calendar"] Apr 26, 2019 8:14:36 AM / by Steve Reznik

Industry guidelines and standards often strongly recommend or even require a “risk assessment” to satisfy various regulatory and compliance requirements. However, not all assessments are created equal as one entity’s assessment of risk may be another’s control evaluation.

Since risk assessment approaches can range from simple checklists and stratification (red/yellow/green) to weighted scores and probabilistic models, the FAIR Institute Cyber Risk Management Workgroup decided it was high time for some guidance on the topic.

The Workgroup has now published a summary of risk assessment expectations and guidelines from 15 regulatory and compliance entities. This compilation is intended for use by practitioners to explore where the benefits of quantification can be used to achieve stated objectives.

Author Steve Reznik is Director, Operational Risk Management at ADP

Further, while many entities now suggest quantification of risk using a consistent model or framework to improve the overall risk assessment process, one entity (PCI-DSS) specifically references FAIR as a framework to conduct a risk analysis. These recommendations may be indicative of a future movement in the direction of risk assessments fueled by FAIR.

To summarize this trend, the Workgroup analyzed guidance from the 15 leading entities against the following criteria:

  • Language for risk assessment requirements
  • Frequency that the risk assessment should be performed
  • Does the entity recommend quantifying risk?
  • Does the entity recommend measuring risk/use of metrics?
  • Does the entity require monitoring changing risk levels over time?
  • Intended use of the risk assessment
  • Framework(s) or tools cited by entity

Download the matrix of risk assessment guidelines from FAIR Institute LINK (Institute membership required). 


2018 Cyber Risk Management Workgroup Steering Committee Members: 

Greg Rothauser, Sr. Information Risk Manager, MassMutual
Allison Seidel, Information Risk Management, PNC
Steve Reznik, Director, Operational Risk Management, ADP
Brandon Young, Managing Director, Cybersecurity Framework & Risk Assessment, Charles Schwab
Rachel Slabotsky, Risk Consultant, RiskLens, Fmr. Risk Assurance Manager, Ernst & Young

The Workgroup found both commonalities and differences and documented these in a matrix with links to the source documentation. It should be noted that this is a point-in-time document; therefore, users are responsible for keeping up with new and changing requirements.

The Workgroup concluded that in some way, shape or form, a quality risk assessment should identify risks, i.e., the “what?”, and seek an understanding of “how?”, “how much?” and “how much less if we decide to make a change to the control environment?” Since FAIR is all about those “how” questions, then whatever your regulation of choice (or no choice!) says, applying FAIR principles will enable your compliance while helping to optimize risk management decisions.

For more advice on risk assessment characterization:

Risk Analysis vs. Risk Assessment: What’s the Difference? 

Control Deficiencies Are Not Risks 

Entity specific content:

For Better Risk Assessments in SSAE 18 Audits, Try Quantification with FAIR

Pressing for FAIR: Our Comments and Recommendations on NIST CSF 1.1

The SEC's New Cyber Risk Disclosure Guidance: Textbook Case for FAIR

Does NIST CSF 1.1 Endorse Risk Quantification and FAIR?

Banks Move to FAIR for FFIEC Cybersecurity Risk Assessments

Heat Maps Don’t Support ISO 31000

Topics: FAIR, Risk Management, White Paper

Steve Reznik

Written by Steve Reznik

become a FAIR institute  Member

Subscribe to Email Updates

Learn How FAIR Can Help You
Make Better Business Decisions

Recent Posts