How to Build the Capabilities of Your FAIR Risk Management Program
If you’re a leader of a FAIR quantitative risk analysis team, you can think of it as six milestones for increasing the capabilities of your team. For your stakeholders, you can present it as a menu of cyber risk quantification services. Either way, we have found this capability framework to be good guidance for FAIR program development and operation.
The FAIR Program Capability Framework
Level 1.0
1. Cyber Risk Management Program Governance and Performance
This should be the north star for your whole program to focus on the activities and capabilities that your team should achieve in the near and long term. Many organizations set themselves up for success by first creating a CRQM Program Charter which includes 1) Program Purpose; 2) Key Stakeholders and Reporting Cadence(s); 3) Program Capabilities; and 4) Measuring Success & Monitoring Program Progress.
Success markers could include engaging the board and senior leadership, socializing key risk quantification concepts (e.g., Single/Annualized Loss Expectancy) and methods (e.g., Identification, Financial Impact Data Gathering, etc.) with stakeholders, partnering with Enterprise Risk Management and conducting annual roadmap reviews.
2. Cyber Risks Quantification and Compliance
The first hands-on work for every CRQM program – quantifying top risk scenarios at the levels of enterprise, business unit, crown jewel asset/product and/or other categories of importance to the business. Establishing and quantifying top cyber risks creates a baseline that allows future iteration and comparison over time.
3. Cyber Investment PlanningYou’ve identified the top risks – now what to do about them? The capabilities/services could include project prioritization, budgeting, tech rationalization plus planning investment based on ROI for risk reduction.
Michael Smilanich is a Risk Advisory Consultant and Kevin Gust a Risk Advisory Practice Director for Safe Security
Also by Kevin and Michael: FAIR Cyber Risk Analysis for AI
Level 1.5
4. Cyber Insurance Planning
Sync your top risks with your coverage. Based on the likelihood and impact of your top cyber risks, have you purchased appropriate insurance to cover potential losses? The FAIR Institute has introduced the FAIR Materiality Assessment Model (FAIR-MAM™) to structure loss data collection for FAIR analysis.
Level 2.0 (requires the capabilities of preceding levels but also software solutions)
5. Operational Prioritization
Assumes you are on top of vulnerability management and gap analysis for controls. See the FAIR Controls Analytics Model (FAIR-CAM™) for a true picture of control efficacy for the best input to the Susceptibility factor of FAIR analysis. Also a must-have: a solution for real-time aggregation of signals from the attack surface. In a wider sense, Operational Prioritization is a subset of Cyber Investment Planning (#3).
6. Third Party Risk Management via Quantification
TPRM is fundamentally broken in the industry. Most tools in the TPRM space use manual, subjective, cumbersome questionnaires, outside-in scanning with limited telemetry and/or false positives, and do not include quantitative risk measurements.
Organizations should approach TPRM by establishing tiering thresholds for vendors based on quantitative risk metrics and align due diligence/mitigation prioritization activities accordingly. Third party/supply chain risk management is a major area of research for the FAIR Institute.
Benefits of a FAIR Program Capabilities Framework
The reason to do any quantitative risk management is to drive better decision-making. Particular advantages of this framework or menu approach:
>>FAIR adoption will be a cultural change for an organization – it helps to take it one step at a time. By offering a menu of capabilities, you will make CRQM more accessible to the uninitiated.
>>It helps to change the mindset of the organization away from risk management as a regulatory and compliance exercise and towards risk management as integrated decision support, drawing on information pulled from across the business, ideally in a seamless and automated fashion.
>>You’ll know you are succeeding by the number of decisions that have been made or influenced by risk analysis. Quantification for quantification’s sake is not the goal. Another success metric: recurring demand from stakeholders for input from the risk team.
Cautions on the FAIR Program Framework Approach
>>Make sure the risk team has indeed mastered the capabilities you offer. Over-promising on your services can be a roadblock over time.
>>Don’t boil the ocean. Make sure the services you are offering are targeted to what the business most needs.
>>Educate the organization on cyber risk quantitative analysis so stakeholders understand what you are presenting. Tip: After a presentation always check for understanding with the audience.
You might also like: How Long Does It Take to Launch a FAIR Program?