IT Risk Management teams are increasingly looking for help with their Risk Control Self Assessment (RCSA) process, to make it more defensible and, in turn, more useful to their organizations by applying FAIR concepts.
Prior to adopting FAIR to define and quantify risks as loss events, most organizations grapple with the all-too-common misconception that control deficiencies are the same thing as risks. This confusion not only alters the way organizations think about risk, but also the way they discuss and communicate it.
A while back I wrote a post called The Dangers of Being a Cubicle Risk Analyst. The premise was that a risk analyst cannot gather all of the information needed for a sound and defensible risk analysis from within their own four walls. A good risk analyst ventures out to gather both loss event frequency and loss magnitude data from those in the know throughout the organization.
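To make concrete what that frequency and magnitude data feeds into, here is an added illustration (not code from the original post or from the FAIR Institute) of the FAIR decomposition Risk = Loss Event Frequency × Loss Magnitude, run as a Monte Carlo simulation. Both inputs are taken as calibrated minimum / most-likely / maximum ranges and sampled from a PERT distribution; the scenario ranges in `EXAMPLE_SCENARIO` are constructed for the example and are not elicited from any real organization.

```python
"""Monte Carlo sketch of a FAIR-style loss-event analysis.

Added illustration, not code from the original post. Risk is modelled as
Loss Event Frequency (events/year) x Loss Magnitude ($/event); both are
elicited as calibrated min / most-likely / max ranges and sampled with a
PERT distribution. All scenario numbers below are constructed (assumptions).
"""
import math
import random
import statistics


def pert_sample(rng, lo, ml, hi, lam=4.0):
    """Draw one value from a PERT(lo, ml, hi) distribution.

    PERT is a re-parameterised Beta on [lo, hi] peaked at the most-likely
    value ml; lam=4 is the conventional shape weight.
    """
    if not lo <= ml <= hi:
        raise ValueError("need lo <= ml <= hi")
    if hi == lo:                      # degenerate range: a point estimate
        return float(lo)
    alpha = 1.0 + lam * (ml - lo) / (hi - lo)
    beta = 1.0 + lam * (hi - ml) / (hi - lo)
    return lo + (hi - lo) * rng.betavariate(alpha, beta)


def pert_samples(n, lo, ml, hi, seed=0):
    """n independent PERT draws from a seeded generator (handy for plotting)."""
    rng = random.Random(seed)
    return [pert_sample(rng, lo, ml, hi) for _ in range(n)]


def poisson_sample(rng, rate):
    """Number of events in one year given an expected rate (Knuth's method)."""
    if rate <= 0:
        return 0
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:                # '<=' also terminates if p underflows to 0
            return k
        k += 1


def simulate_annual_losses(scenario, years=10_000, seed=0):
    """Simulate `years` independent years and return the total loss in each.

    scenario = {"lef": (lo, ml, hi) events/year, "lm": (lo, ml, hi) $/event}
    Each year: sample a frequency, draw the event count, sum sampled magnitudes.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = pert_sample(rng, *scenario["lef"])
        n_events = poisson_sample(rng, rate)
        losses.append(sum(pert_sample(rng, *scenario["lm"]) for _ in range(n_events)))
    return losses


def percentile(values, q):
    """q-th quantile (0..1) of values using the nearest-rank method."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def summarize(losses):
    """Annualised loss exposure figures a decision-maker would ask for."""
    return {
        "mean": statistics.fmean(losses),
        "median": percentile(losses, 0.5),
        "p90": percentile(losses, 0.9),
        "max": max(losses),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


# Constructed scenario (assumption, not elicited from any real organisation):
# a loss event expected roughly 0.1-1 times a year (most likely 0.3),
# costing $50k-$2M per event (most likely $200k).
EXAMPLE_SCENARIO = {"lef": (0.1, 0.3, 1.0), "lm": (50_000, 200_000, 2_000_000)}

if __name__ == "__main__":
    for name, value in summarize(simulate_annual_losses(EXAMPLE_SCENARIO)).items():
        print(f"{name:>10}: {value:,.2f}")
```

The point of the exercise is that the output is a loss distribution (a median, a 90th percentile, a chance of any loss at all), not a single "high/medium/low" label; changing a control's effect on frequency or magnitude shows up directly in those figures. The ranges are exactly the things a cubicle-bound analyst cannot supply alone.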
The first big step in a risk analysis is scoping. Each part of the analysis process builds on the one before it, so if you get scoping wrong, the rest of your analysis is on shaky ground at best. Remember, scoping is where you clearly:
This may not come as a shock, but a big part of what a risk analyst does is analyze the events an organization is concerned may occur.
The analysis part of the job spans an entire process, but a critical early step is identifying the things that are actually worth conducting a risk analysis on.
I just wrapped an engagement helping a really great customer identify their top ten risks. Talk about commitment: They organized a book club where members of Information Security, Privacy and Audit were actively studying the FAIR book, Measuring and Managing Information Risk.
At the last club meeting, somebody said “I love the FAIR model and risk quantification. But how do I apply this to the risks that face me and my department?”
Part of being a FAIR analyst is frequently coming across other “risk analysts” and cynics, at conferences, in forums or in casual conversation, who believe risk quantification is simply not possible.