Rachel Slabotsky

Recent Posts
Inherent Risk vs. Residual Risk Explained in 90 Seconds
Feb 15, 2023 5:09:00 PM / by Rachel Slabotsky posted in FAIR
I recently had a conversation with clients around a risk analysis they conducted and noticed as they walked me through it that they seemed to get hung up on the terms “inherent risk” and “residual risk” and the inherent risk definition for that particular scenario.
Evaluating Data Retention Risk from GDPR Using FAIR
Jul 1, 2019 8:45:00 AM / by Rachel Slabotsky posted in FAIR, Risk Management, Case Studies
Despite the increased focus and attention on data privacy triggered by GDPR, which went into effect in May 2018, studies have shown that organizations still have some strides to make in order to be fully in compliance with the mandate. In fact, a recent survey by Varonis reported that many organizations continue to accumulate data that no longer needs to be retained, despite GDPR’s right-to-be-forgotten clause.
Cure Your Risk Analysis Paralysis: Balance Accuracy and Precision
Mar 26, 2019 8:30:00 AM / by Rachel Slabotsky posted in FAIR
I’ve heard critics of quantitative risk analysis challenge the approach, stating that it is “too difficult”, “time consuming” or that their organization is “simply not mature enough for quantification.” In my experience, a majority of such arguments can be addressed by revisiting a few fundamental FAIR concepts.
Banks Move to FAIR for FFIEC CAT Cybersecurity Risk Assessments
Aug 2, 2018 9:00:00 AM / by Rachel Slabotsky posted in FAIR, Risk Management
In a previous blog post, I wrote about how the FAIR quantitative risk model can be used to meet various regulatory and compliance requirements (specifically those that indicate the need for a formal risk assessment).
The Skeptic's Guide to Cyber Risk Surveys
Mar 12, 2018 9:00:00 AM / by Rachel Slabotsky posted in FAIR
I recently attended the SIRACon conference in Seattle where I had the privilege to hear leaders from prestigious companies speak about their experience using quantitative analysis of cyber risks. One of the presentations that stood out related to sources of error and bias in survey results.
For Better Risk Assessments in SSAE 18 Audits, Try Quantification with FAIR
Feb 9, 2018 4:08:05 PM / by Rachel Slabotsky posted in FAIR, Risk Management
One of my final initiatives prior to leaving public accounting and entering my new role in risk management was helping organizations prepare for the changes introduced by AICPA in the SSAE 18 audit standard, which went into effect in May 2017.
How to Analyze Your Risk from GDPR: A FAIR Approach
Jan 19, 2018 10:49:47 AM / by Rachel Slabotsky posted in Risk Management, FAIR Risk Model
As the final months approach before the EU's General Data Protection Regulation (GDPR) goes into effect in May 2018, organizations are making significant investments to ensure they are prepared for the changes to come, particularly the strict rules on handling consumers’ personally identifiable information (PII).