This is the most common “sin” we run into within the industry. Analysts, often not specifically trained on risk, focus almost solely on controls and their effectiveness.
But analyzing controls is not the same as analyzing risk. In fact, I can confidently state that it can do more harm than good.
Not convinced? Consider the following scenario that I observed:
Acme Org analyzes two separate third-party vendors by providing them with a detailed control questionnaire. The vendors return detailed responses on the state of their controls to Acme’s risk analysts.
When reviewing the results from Vendor A, the analysts found 8 responses to the control questionnaire that were below Acme’s security standards and expectations.
When reviewing the responses from Vendor B, only 2 questions were answered below the security standards and expectations.
With just this information, it would appear that Vendor A is more “risky”.
Doing simple math, one may even say Vendor A is 4 times more “risky”.
However, what if I told you Vendor A was a small law firm that occasionally stores a very limited amount of non-public contract information for a limited period of time, while Vendor B is a key marketing analytics provider that continuously stores the records of 80 million customers’ PII in multiple systems?
Shame on us for only considering controls! This is just a simple example of how not using an accurate model of risk, like FAIR, can lead to unintentional but poor risk management decision-making.
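To make the point concrete, here is an added example (not code from the post or from the FAIR standard) that scores the two vendors both ways: once by counting control gaps, and once with FAIR's top-level decomposition, Risk = Loss Event Frequency x Loss Magnitude. Every number below is a constructed, hypothetical estimate chosen only to reflect the scenario (a small law firm with little data versus a provider holding 80 million customers' PII); the three-point estimates, the use of triangular distributions and the Monte Carlo routine are assumptions of this example, not figures or methods from the page.

```python
import math
import random
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (minimum, most likely, maximum)."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # Mean of the triangular distribution spanned by the three points.
        return (self.low + self.likely + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode).
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Vendor:
    name: str
    control_gaps: int               # questionnaire answers below standard
    loss_event_frequency: Estimate  # loss events per year (LEF)
    loss_magnitude: Estimate        # loss per event, in dollars (LM)


# Constructed, hypothetical inputs; not figures from the post.
VENDOR_A = Vendor("Vendor A", control_gaps=8,
                  loss_event_frequency=Estimate(0.05, 0.20, 0.50),
                  loss_magnitude=Estimate(5_000, 25_000, 100_000))
VENDOR_B = Vendor("Vendor B", control_gaps=2,
                  loss_event_frequency=Estimate(0.01, 0.05, 0.20),
                  loss_magnitude=Estimate(2_000_000, 10_000_000, 50_000_000))


def expected_annual_loss(v: Vendor) -> float:
    """Top-level FAIR decomposition on the means: Risk = LEF x LM.
    LEF and LM are treated as independent here (an assumption)."""
    return v.loss_event_frequency.mean() * v.loss_magnitude.mean()


def poisson(rng: random.Random, lam: float) -> int:
    # Knuth's method: number of loss events in one year at rate `lam`.
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(v: Vendor, seed: int = 7, years: int = 20_000) -> List[float]:
    """Monte Carlo: for each simulated year draw an LEF, draw how many events
    occur at that rate, then draw and sum a loss magnitude for each event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = v.loss_event_frequency.sample(rng)
        events = poisson(rng, lef)
        losses.append(sum(v.loss_magnitude.sample(rng) for _ in range(events)))
    return losses


def mean(values: List[float]) -> float:
    return sum(values) / len(values)


def percentile(values: List[float], p: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(round(p * (len(ordered) - 1))))]


def rank_by_control_gaps(vendors: List[Vendor]) -> List[str]:
    """The control-counting view: more gaps means 'more risky'."""
    return [v.name for v in sorted(vendors, key=lambda v: v.control_gaps, reverse=True)]


def rank_by_expected_loss(vendors: List[Vendor]) -> List[str]:
    """The FAIR view: rank by annualized loss exposure."""
    return [v.name for v in sorted(vendors, key=expected_annual_loss, reverse=True)]


if __name__ == "__main__":
    vendors = [VENDOR_A, VENDOR_B]
    for v in vendors:
        sim = simulate_annual_loss(v)
        print(f"{v.name}: gaps={v.control_gaps}, expected annual loss="
              f"${expected_annual_loss(v):,.0f}, simulated mean=${mean(sim):,.0f}, "
              f"simulated 90th percentile=${percentile(sim, 0.9):,.0f}")
    print("Ranked by control gaps:      ", rank_by_control_gaps(vendors))
    print("Ranked by expected annual loss:", rank_by_expected_loss(vendors))
```

The two rankings come out reversed: counting gaps puts Vendor A first, while the loss-exposure view puts Vendor B first by more than two orders of magnitude, because a questionnaire tally gives every control equal weight and says nothing about how often a loss event would occur or what it would cost. That is the gap between analyzing controls and analyzing risk; controls only enter a FAIR analysis through their effect on the frequency and magnitude estimates.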