We recently had an opportunity to present a webinar in conjunction with the FAIR Institute about modeling and measuring cyber risk appetite with Factor Analysis of Information Risk (FAIR™), the international standard for cyber risk quantification. Our discussion covered how FAIR supports more effective decisions about setting and managing risk appetite, and how to implement FAIR within risk management programs.
Risk management professionals can apply FAIR principles to clarify organizational risk appetite and tolerance as a basis for risk management planning. Because these professionals are often tasked with articulating risk strategy on behalf of board members and senior executives, all risk management strategy participants benefit from FAIR’s common language and specificity of metrics.
We began by exploring how to start from a strategic perspective, and then covered tactical considerations related to better risk management decision-making using FAIR.
About the authors: Daniel Stone is Associate Director and Tyler Ross is Manager – Security and Privacy for global consulting firm Protiviti, a Founding Sponsor in Advisory Services for the FAIR Institute.
The benefits of FAIR
Participants in discussions about cyber risk often get stuck on terms like low, medium and high to describe risk appetite and tolerance, and can only hope they understand one another. FAIR provides a blueprint by setting specific metrics and target ranges in risk statements, which ensures participants understand one another perfectly.
If the organization has determined that it will accept a high or moderate risk, FAIR facilitates presentation of actual scenarios to enable clarification and alignment: “Is this what you mean by high? Is this what you mean by moderate?” And if the answer is no, the team can revise statements until they reflect the organization’s actual risk appetite.
By attaching real numbers (like dollars) to specific risks, FAIR provides a starting point for discussing the risk management approach for every scenario. That discussion drives the team’s definition of the enterprise’s risk appetite, which informs decisions in a way that’s quantified by key performance indicators (KPIs) and key risk indicators (KRIs).
In practice, the FAIR approach delivers benefits in these ways:
- Articulating clearer risk appetite statements
- Determining what metrics will yield the most valuable monitoring information for any given enterprise
- Ensuring an organization’s risk management programs are consistent with its mission and business directives
Helping leaders get comfortable with risk management can start with a more effective risk appetite statement:
Key FAIR definitions
For risk discussions to be effective, participants must use the same terms in the same way. FAIR focuses chiefly on risk appetite and risk tolerance, which the National Institute of Standards and Technology (NIST) defines as follows:
- Risk appetite means the types and amount of risk, on a broad level, an organization is willing to accept in its pursuit of value.
- Risk tolerance means the organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives.
Applying FAIR to cyber risk strategy
Risk management is ultimately the responsibility of the board and senior executives. Often, key risk management strategy activity is delegated to teams tasked with presenting risk management deliverables to leaders for approval.
A FAIR risk management framework provides a blueprint for identifying and assessing risks, and that’s where most organizations excel. Some teams fall short, however, by excluding response plans and mitigation strategies for identified risks from their risk management efforts.
The board and senior executives must make a conscious decision to recognize the existence of risk and commit to planning a comprehensive risk strategy. In some cases, organizations try to do this using non-comparable, overly subjective, or arbitrary metrics which ultimately increase confusion. FAIR provides the clear metrics to ensure all risk planning participants are aligned with the organization’s risk acceptance thresholds. Risk thresholds defined via FAIR’s metrics help teams prioritize risks and plan mitigations and avoidance.
Defining risk tolerances that are aligned to corporate strategy, then defining metrics against which those tolerances can be monitored, is fundamental to working within a proven risk framework. Risk management teams prepare to articulate risk tolerance first by evaluating known risks within the organization’s industry, and how that industry’s operational characteristics influence risk tradeoffs (such as selecting confidentiality versus availability of information). Risk tolerance decisions are also shaped by organizational characteristics such as legal structure, compliance obligations and capital requirements, among others.
Next, the risk management team can distill these into individual scenarios and identify clear sources of data for each risk scenario that can be easily and regularly collected. Properly defined via FAIR, these ongoing data collection, analysis, and monitoring activities bring risk into alignment with the business risk thresholds the senior business leaders have approved.
Once risks are understood and measured, risk managers can develop solutions as part of a planned risk response. Conventional wisdom tells us that choosing to accept some risk is always an option. For others, risk avoidance, transfer and sharing are appropriate solutions – these represent options organizations can assess using FAIR.
This talk, which discussed how FAIR supports effective decision-making about risk appetite and how FAIR can be put to use within risk management programs, will be of interest to risk management professionals who want to begin applying FAIR from a strategic perspective while also improving organizational risk management decision-making.