At the FAIR Institute Breakfast meeting that ran parallel to the recent Gartner Security and Risk Management Summit, Matthew R. Martin, Senior Vice President Information Security and Technology, LPL Financial, gave a candid assessment of the challenges and opportunities in introducing FAIR to his organization.
The big win, Matt said, is that "Everything it touches matures, because what you find out is that people don’t really know" about the organization's risks. In some cases, there's shock that "we don’t have a backup for this, or in other cases, we thought this was really critical, and it actually isn’t...So it’s been very interesting to see this peripheral maturity...It never would have happened before."
As Matt told the story, the journey to quantification at LPL (a platform for independent financial analysts, with $615 billion in assets) has taken this path:
Starting with the language around risk
“Everybody spoke a different language and we had different risk scales for how we measured things. This is where I think FAIR is the biggest value.” Teams for enterprise and technology risk and audit had no consistent definitions, often interchanging terms for risk, threat, vulnerability and impact. Matt successfully crusaded to focus conversations around consistent FAIR terminology. “The last one that we are still struggling with is a consistent risk tolerance. I’m hoping when I come back here next year we will have some ideas on how to tackle that.”
Defining the risk scenario
“We’ve defined as a company that we are going to use the most likely scenario” (in FAIR terms of Asset, Threat, Effect) as the basis for discussion and decision-making. Matt gave the example that in analyzing the results of a pen test, discussions would fall into the trap of “what-aboutism…What about this scenario, what about that scenario? If you can get everybody talking about the same scenario then it’s a much better conversation around, for instance, do we have the right controls?”
Merging FAIR with ERM methodology
Matt admits his early attempts to present FAIR analysis failed. The enterprise risk management team uses a qualitative matrix with risk likelihood and impact scales. “One of our biggest mistakes was we started showing them those numbers and they said ‘What in the world is this?’ They started questioning whether we knew what we were talking about because they didn’t understand it.” Matt’s solution: fit the FAIR results into the matrix first, and then show the data behind it that motivates the rating.
Putting FAIR to regular use for prioritization
“Every internal audit finding that comes across, we run it through RiskLens to see if FAIR analysis jibes with what they’re seeing.” Matt’s team also manages technology risks: “FAIR is how we prioritize that investment. We’ll get every team to give us a business case on the risk they want to address and we’ll run that through and see how we are reducing residual risk by that investment, and then that’s how we prioritize our portfolio...
“This is something that I’m pretty proud of: The risk-rated projects accounted for 99% of our approved portfolio.”
Solving the communication problem
“The biggest thing I can tell you is that we don’t get pushback. When we go to the CFO, to our chief risk officer and say here’s what we want to find, they’re like ‘OK, I get it.’ And that’s saved us so much time in back and forth.”
Watch the video of Matt's talk at the FAIR Breakfast:
More from Matt in the Q&A session at the FAIR Breakfast:
Leave those old, qualitative ways behind and elevate your risk game! Join us for the 2019 FAIR Conference, the premier risk management conference, on September 24 & 25 at the Gaylord Convention Center at National Harbor, MD, just south of Washington, DC. Register now!