In another milestone for acceptance of FAIR™ and cyber risk quantification, COSO has issued its first guidance document on applying the COSO Enterprise Risk Management Framework to cyber risk management – and included a reference to the FAIR model as a tool for “management to align the cyber security program to the business objectives and set targets.”
“It was exciting to see FAIR called out in COSO’s ‘Managing Cyber Risk in a Digital Age’ document,” Jack Jones, creator of the FAIR model, commented. “This is further evidence of the growing recognition that our profession needs to be able to quantify cyber risk in financial terms.
“When it comes to applying an organization’s limited resources, there always are trade-offs that need to be made between opportunities, operations, and risk. Being able to compare the options on a common basis — i.e., in financial terms — helps executives make better decisions.”
For some context on COSO ERM and FAIR, we interviewed James Lam, a member of the COSO Advisory Board and author of Enterprise Risk Management (Wiley, 2003; second edition, 2014), a standard text and Amazon best seller in the ERM field, and more recently Implementing Enterprise Risk Management (Wiley, 2017). James serves as Chairman of the Risk Oversight Committee for the E*TRADE Financial Corporation board and is President of James Lam & Associates, a risk management consulting firm.
Q: What’s the story behind COSO adding the reference to FAIR? Does this represent an evolution in thinking by this standard setter regarding cyber risk or quantification?
James Lam: I commend the COSO/Deloitte team for referencing the FAIR model for cyber risk quantification and risk tolerance evaluation in this white paper. I think the white paper also did a good job in applying the COSO ERM Framework and its principles to cybersecurity.
COSO has evolved materially in its thinking about risk and risk management. That is very important because the COSO ERM Framework is the most widely used global standard. From the beginning, I was a vocal critic of the original 2004 COSO ERM Framework for both conceptual and application reasons. Surprisingly, the COSO Chair personally called and invited me to serve on the Advisory Board to guide the development of the current 2017 framework.
While no framework is perfect, there are many improvements in the new COSO ERM framework and one of the most important is the emphasis on setting a risk appetite statement and risk tolerance levels for critical risks. That is also where the FAIR model, and the quantification of potential loss, can be very useful.
Q: How does the inclusion of FAIR in the COSO documentation make this standard better, more useful guidance? Does it provide some needed analytical basis to COSO ERM, which has been more conceptual, particularly around defining “risk” and quantifying risk?
James Lam: I am a strong advocate that better risk measurement is a precondition to better risk management. I have seen this dynamic play out over 30 years in interest rate risk, market risk, credit risk, operational risk, and strategic risk. Cyber risk is now the next frontier in risk quantification. I have also seen this through the various roles that I’ve served, as a public and private corporate director, as a chief risk officer, and as a management consultant.
The FAIR Model provides the analytical solution that is critical to implementing the COSO ERM Framework, and also to aligning cybersecurity to the broader enterprise risk management process. The COSO Framework and the FAIR Model are the leading global standards in ERM and cyber risk quantification, respectively. It is helpful and important to cross reference the two frameworks.
We do not want to miss the basic lesson of ERM and allow cybersecurity to become a silo. As we have witnessed through too many corporate disasters, managing risk by silos doesn’t work.
Components of ERM from COSO’s “Managing Cyber Risk in a Digital Age”
Q: Does this move cyber risk toward the goal of inclusion in ERM? Will it help popularize FAIR?
James Lam: This is another positive step toward the integration of cyber risk into ERM. In addition to COSO, this essential practice has been advocated in guidelines and standards established by the National Association of Corporate Directors, the Internet Security Alliance, and other standard-setting organizations.
I believe COSO and FAIR are highly complementary. The FAIR Model will help companies to apply ERM to cybersecurity. The COSO ERM Framework will help FAIR practitioners connect to other key risk areas and business mission and objectives.
Q: This document mentions FAIR in the context of Strategy and Objective setting, specifically around risk appetite and tolerance. But it seems that FAIR could have much wider use in the COSO standard, including Performance (particularly assessing and prioritizing risks), Review, and Communication. Where else do you see FAIR fitting in besides Strategy?
James Lam: As risk and information security professionals examine the intersection between COSO and FAIR, they will see other key areas where FAIR can be applied within the COSO ERM Framework. In addition to strategy, objective setting, and risk appetite, I can see important applications of FAIR in board risk oversight, risk mitigation strategies, risk identification and assessment, risk and performance management, and information and reporting.
Q: Any advice at the board or management level that you would recommend as next steps to implement the recommendations in this new document?
James Lam: It has often been said that directors and senior executives may not always have the right answers, but they always should ask the right questions. They should review the recommendations in this document and ask the following questions:
- Do we have the right governance, policy, and culture for cyber risk management?
- Is our cybersecurity program well aligned and integrated with our enterprise risk management?
- Can we objectively evaluate the risk/return trade-offs of cybersecurity investments and insurance strategies?
- Have we defined our risk appetite and risk tolerance levels for cyber risk in economic terms?
- What are the metrics and feedback loops that can determine if our cybersecurity program is working effectively?
- Are we getting the right information and reports at the management and board levels?
Learn more about ERM, cybersecurity oversight and FAIR – watch the video of James Lam’s keynote address to the 2018 FAIR Conference. And read the blog post How FAIR Can Ensure The Success of COSO Risk Management Programs.
Join the risk quantification movement – become a member of the FAIR Institute.