FAIR™ (Factor Analysis of Information Risk) got its foothold at HPE, the cloud products and services vendor, in the cybersecurity team, but the results of quantitative risk analysis looked so good, FAIR is now being handed off to enterprise risk management (ERM) to roll out organization-wide.
HPE CSO Bobby Ford said that FAIR was already “transforming [cybersecurity at HPE] from an organization that focusses on security to one that focusses on risk management.”
Now, on the ERM side, Karen Begelfer, HPE Senior Vice President, Chief Audit Executive and ERM, added that “the quantification of risk management is a powerful tool to give contextual insight into risk, to clarify business priorities and to inform good business decisions. Our ERM program has been evolving over the years to increasing levels of maturity, and leveraging the FAIR methodology will help propel us in this journey of maturing.”
Ford and Begelfer introduced a presentation at the 2021 FAIR Conference (FAIRCON21) by HPE cyber and operational risk managers Aidan Farren, Aidan Whelan and Jay Reyna giving a look at some of the techniques they have used to upgrade their risk register and risk reporting, while building FAIR into the ongoing processes of ERM.
They showed examples of quarterly risk reports, organized around five themes of highest concern for business leadership, that start with FAIR-formula risk statements, aggregate multiple quantitative analyses combined with indicators of effectiveness of the related controls, and report on developments in the risk landscape for an all-around look at the risk theme.
Jay Reyna of the Enterprise Risk Management team showed how HPE is applying FAIR to operational risk for supply chain, IT, crisis management, product security and more. They build on existing capabilities: qualitative risk analysis from SMEs, expected monetary value (EMV) analysis complemented by decision tree modeling, and statistical sums for the quantitative inputs of Monte Carlo analysis (run on the RiskLens platform) to arrive at estimates of most probable outcomes.
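To make the mechanics behind that paragraph concrete, here is an added example (not HPE's or RiskLens's code, and not from the presentation) of the two calculations it names: a FAIR-style Monte Carlo simulation that turns calibrated ranges for loss event frequency (LEF) and loss magnitude (LM) into an annualized loss distribution, and an EMV comparison of two decision-tree branches. Every number in it (the LEF and LM ranges, the option costs and probabilities) is constructed for illustration, and it uses a lognormal distribution fitted to 10th/90th percentile estimates as a stand-in for the PERT distribution most FAIR tooling uses; that substitution is an assumption of this example, not a description of HPE's model.

```python
import math
import random
import statistics

Z_90 = 1.2815515655446004  # standard-normal z-score of the 90th percentile


def lognormal_params(p10, p90):
    """Fit lognormal (mu, sigma) so that p10/p90 are its 10th/90th percentiles.

    Lognormal stands in here for the PERT distribution FAIR tools normally use
    (assumption of this example); both are right-skewed and strictly positive.
    """
    mu = (math.log(p10) + math.log(p90)) / 2.0
    sigma = (math.log(p90) - math.log(p10)) / (2.0 * Z_90)
    return mu, sigma


def poisson(rng, lam):
    """Number of loss events in one year at rate lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(lef_p10, lef_p90, lm_p10, lm_p90, trials=10_000, seed=7):
    """Monte Carlo: each trial is one simulated year; returns total loss per year.

    LEF is drawn once per year, the number of events is Poisson at that rate,
    and each event draws its own loss magnitude. Summing per year gives the
    annualized loss exposure (ALE) distribution.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    lef_mu, lef_sigma = lognormal_params(lef_p10, lef_p90)
    lm_mu, lm_sigma = lognormal_params(lm_p10, lm_p90)
    yearly_losses = []
    for _ in range(trials):
        lef = rng.lognormvariate(lef_mu, lef_sigma)
        events = poisson(rng, lef)
        loss = sum(rng.lognormvariate(lm_mu, lm_sigma) for _ in range(events))
        yearly_losses.append(loss)
    return yearly_losses


def summarize(yearly_losses):
    """Most-probable and tail figures leadership would see on a risk report."""
    s = sorted(yearly_losses)
    n = len(s)

    def pct(p):
        return s[min(n - 1, int(p * n))]

    return {
        "mean": statistics.fmean(s),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "max": s[-1],
    }


def expected_monetary_value(option):
    """EMV of one decision-tree branch: fixed cost plus probability-weighted loss."""
    return option["cost"] + sum(p * loss for p, loss in option["outcomes"])


def choose_option(options):
    """Score each branch by EMV and return the cheapest one plus all scores."""
    scored = {o["name"]: expected_monetary_value(o) for o in options}
    return min(scored, key=scored.get), scored


# Constructed scenario (hypothetical figures, not HPE data):
# ransomware disrupting a manufacturing ERP system.
SCENARIO = {"lef": (0.2, 2.0), "lm": (150_000, 3_000_000)}  # per year; USD per event

# Constructed decision tree: accept the risk, or fund an offline-backup control.
OPTIONS = [
    {"name": "accept", "cost": 0, "outcomes": [(0.30, 2_000_000), (0.70, 0)]},
    {"name": "add_offline_backups", "cost": 250_000,
     "outcomes": [(0.10, 2_000_000), (0.90, 0)]},
]

if __name__ == "__main__":
    losses = simulate_ale(*SCENARIO["lef"], *SCENARIO["lm"])
    for key, value in summarize(losses).items():
        print(f"ALE {key:>4}: ${value:,.0f}")
    best, scored = choose_option(OPTIONS)
    for name, emv in scored.items():
        print(f"EMV {name}: ${emv:,.0f}")
    print("lowest-EMV option:", best)
```

The point of separating `simulate_ale` from `summarize` is that the same loss samples can be rolled up differently for different audiences: the median for a "most probable" statement, the 90th or 95th percentile for a tail-risk statement, or several scenarios' samples added trial-by-trial to aggregate a risk theme. The EMV step is deliberately simple arithmetic; its value comes from the calibrated probabilities and the simulated loss figures feeding it, which is where the Monte Carlo output plugs in.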
Those estimates are “where you get the big return,” Reyna said. “It’s really been helpful for us to explain the risk to our leadership and give them that confidence that we are looking at it using the best tools available and the best analysis work for the best decisions for the company…
“We really believe in the FAIR methodology…We want to keep using these tools to drive our processes. Doing this helps to integrate risk management into the corporate culture of HPE.”