IT Risk Management teams are increasingly looking for help with their Risk Control Self Assessment (RCSA) process, to make it more defensible, and in turn, more useful to their organizations through the implementation of FAIR concepts.
Cody Whelan

Recent Posts
The 3 Problems with RCSA & How to Overcome Them with FAIR
Oct 2, 2018 1:31:35 PM / by Cody Whelan
Control Deficiencies Are NOT Risks
Jul 31, 2018 9:00:00 AM / by Cody Whelan posted in FAIR
Prior to adopting FAIR to define and quantify risks as loss events, most organizations grapple with the all too common misconception that control deficiencies are the same thing as risks. This confusion alters not only the way organizations think about risk, but also the way they discuss and communicate it.
Sharpen Your Cyber Risk Analytics Skills with These Two Techniques
Jun 13, 2018 8:45:00 AM / by Cody Whelan posted in FAIR
3 Ways to Gather Loss Magnitude Data (from Your Cubicle)
Jan 19, 2018 11:22:57 AM / by Cody Whelan posted in Risk Management
A while back I wrote a post called The Dangers of Being a Cubicle Risk Analyst. The premise was that a good risk analyst cannot gather all of the information necessary to run a sound and defensible risk analysis from within their own four walls. A good risk analyst ventures out to gather both loss event frequency and loss magnitude data from those in the know throughout the organization.
3 Ways to Get a Risk Analysis Project Off to a Bad Start
Sep 6, 2017 7:15:00 AM / by Cody Whelan posted in FAIR, Risk Management
The first big step in a risk analysis is scoping. Each part of the analysis process builds on the previous one, so if you get scoping wrong, the rest of your analysis is on shaky ground at best. Remember, scoping is where you clearly:
Where to Find Risk Scenarios to Analyze
Aug 11, 2017 11:45:59 AM / by Cody Whelan posted in Risk Management
This may not come as a shock, but a big part of what a risk analyst does is analyzing the issues an organization is concerned might occur.
The analysis part of the job spans an entire process, but a critical part involves first finding those things that are worth conducting a risk analysis over.
Pro Tip for FAIR Risk Scenario Analysis: Map It
Apr 10, 2017 10:41:26 AM / by Cody Whelan posted in FAIR, Case Studies
I just wrapped an engagement helping a really great customer identify their top ten risks. Talk about commitment: They organized a book club where members of Information Security, Privacy and Audit were actively studying the FAIR book, Measuring and Managing Information Risk.
At the last club meeting, somebody said “I love the FAIR model and risk quantification. But how do I apply this to the risks that face me and my department?”
Life's Uncertainties And The Risk Analysts
Jun 23, 2016 12:30:00 PM / by Cody Whelan posted in FAIR, Risk Management
Part of being a FAIR analyst involves frequently coming across other “risk analysts” and cynics, at conferences, in forums or in casual conversation, who believe risk quantification is simply not possible.
The Dangers of Being a Cubicle Risk Analyst
Jun 13, 2016 7:30:00 AM / by Cody Whelan posted in FAIR, Risk Management
Risk analysts come from a variety of industries and backgrounds, and vary in their levels of experience and skill sets.