We frequently get asked by clients how long they should expect it to take until they can launch a quantitative risk management program based on Factor Analysis of Information Risk (FAIR™). At RiskLens, we go by the following principles:
- Your program has successfully launched when you deliver value to your organization.
- The most concrete way you bring value in risk management is to produce a report that’s used to inform a risk-based decision, for instance to prioritize a new control/project or to accept a risk based on your analysis.
- You should deliver your first (of many) meaningful reports within 90 days.
Chad Weinman is Vice President of Professional Services for RiskLens, the technical advisor to the FAIR Institute.
The 90-day rule applies whether you’re building a FAIR risk management program for a small startup or a multinational giant. Here’s why: Organizational change is hard, involving people, processes, and platform. We have learned from experience over and over again that teams and stakeholders get motivated about change when they get excited from seeing the first outcomes.
So, when you deliver initial reports early on, and keep delivering them regularly, it starts a buzz: “Did you see the kind of report that FAIR analysis produces? Did you hear it went to the Board? We are greatly improving our risk discussions with the business.” It gains momentum for change that we can ride going forward.
Ninety days should be a sufficient period to set program goals and roles, complete training and orientation for FAIR and the analysis platform, identify a set of top risks to analyze and report on them. You’re laying the groundwork for a program that delivers value fast and often and will iterate quickly based on lessons learned.
After that, of course, program development time will continue and vary in duration based on the ambition, objectives, and complexity of your organization. You should look at building out a program as a journey. In general, there are two paths to take:
1. A Simple FAIR Risk Management Program for Decision Support
Some organizations want to use risk analysis to help prioritize decisions on a routine basis and don’t focus on the traditional elements such as a risk register or working out a risk appetite. As long as it is providing benefit to the business, that’s a perfectly good program. We’ve set up programs like these in two months.
2. A Full-Fledged Cyber Risk Management Program
Other organizations want to build a whole cyber risk management program that integrates with ERM, enters FAIR-compliant risk scenarios in a risk register, sets risk ownership rules that escalate approvals, and develops formal risk appetites. A full-fledged program could be developed in up to a year.
No matter the path, remember that the first rule is to deliver value (actionable risk reporting) early and often.
A note on staffing a FAIR quantitative risk program: Staff size will depend on the volume, cadence, and kinds of risk assessment work. We have customers who have been very successful with one dedicated employee. But the key point is to dedicate employees: tell an employee that 10% of their time goes to risk analysis, and risk analysis will likely not get done.