Risk registers, by definition, are meant to identify, itemize and help prioritize risk. More specifically, they are intended to provide a portfolio of potential loss exposure to inform decision makers and enable them to mitigate and/or manage risk.
But risk registers are often filled with fake risks – in other words, general concerns and fears (like “the cloud”), control deficiencies, vulnerabilities or other conditions that contribute to risk but don’t themselves have the potential to cause a loss to the business.
This post shows how the FAIR methodology provides a filter that refines fake risks into real loss events that can be measured.
The FAIR Risk Test
A good test for a risk register entry: Does this describe an event where tangible loss and/or liability would be incurred by the organization? If the answer is no, then it is lacking refinement. To help pass the test, it is helpful to apply a FAIR filter and distill the fears to actual loss events.
FAIR Filter
To equip oneself with a FAIR filter, two sets of FAIRly important tools are needed for the toolkit: definitions and structure.
Definitions
- Risk: probable frequency and probable magnitude of future loss
- Asset: a thing of value that can be affected in a manner that results in loss
- Threat: any actor or agent capable of causing harm to an asset in a manner that results in loss
- Effect: the characteristic of an asset affected by the threat (Confidentiality, Integrity, Availability)
Structure
Losses do not spontaneously materialize out of thin air. Something of value (an asset) needs to be present. Then there has to be some acting force (a threat) that causes loss to materialize against the asset. How that loss materializes is the effect of the threat’s action on the asset (e.g., the asset is no longer available). Once the asset, threat, and effect are outlined, a loss event has been identified.
After a loss event is identified, a frequency and a magnitude can be associated with it. Now you have a refined risk register entry that actually shows a risk, i.e. the probable frequency and probable magnitude of future loss.
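The filter and structure described above, as an added example (not code from the original post or the FAIR Institute): a register entry either fails the FAIR test by naming which of asset, threat, effect, frequency or magnitude it lacks, or passes and yields an annualized loss figure. The three-point (min, most likely, max) estimates, the triangular distribution and the sample entries are assumptions made for the example.

```python
import random
from dataclasses import dataclass

EFFECTS = {"confidentiality", "integrity", "availability"}

@dataclass
class RegisterEntry:
    """One risk register line. Asset, threat and effect define the loss event;
    frequency (events/year) and magnitude (loss per event) are three-point
    estimates (min, most likely, max). The three-point form is an assumption."""
    title: str
    asset: str = ""
    threat: str = ""
    effect: str = ""
    frequency: tuple = (0.0, 0.0, 0.0)
    magnitude: tuple = (0.0, 0.0, 0.0)

def missing_parts(e: RegisterEntry) -> list:
    """FAIR filter: list the components the entry lacks; empty means it is a real loss event."""
    missing = []
    if not e.asset:
        missing.append("asset")
    if not e.threat:
        missing.append("threat")
    if e.effect.lower() not in EFFECTS:
        missing.append("effect")
    if e.frequency[2] <= 0:
        missing.append("frequency")
    if e.magnitude[2] <= 0:
        missing.append("magnitude")
    return missing

def expected_annual_loss(e: RegisterEntry) -> float:
    """Mean of a triangular estimate is (min + mode + max) / 3; with frequency and
    magnitude independent, expected annual loss is the product of the two means."""
    return (sum(e.frequency) / 3) * (sum(e.magnitude) / 3)

def simulate_annual_loss(e: RegisterEntry, trials: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo: draw a yearly event rate and a per-event loss from triangular
    distributions and report the mean and 90th percentile of annual loss."""
    rng = random.Random(seed)
    fmin, fmode, fmax = e.frequency
    mmin, mmode, mmax = e.magnitude
    losses = sorted(rng.triangular(fmin, fmax, fmode) * rng.triangular(mmin, mmax, mmode)
                    for _ in range(trials))
    return {"mean": sum(losses) / trials, "p90": losses[int(0.9 * trials)]}

# Constructed sample entries: a "fake risk" and its refinement into a loss event.
FAKE = RegisterEntry(title="The cloud")
REFINED = RegisterEntry(
    title="Customer records exposed from cloud storage",
    asset="customer records bucket", threat="external actor", effect="Confidentiality",
    frequency=(0.05, 0.2, 0.5), magnitude=(50_000, 250_000, 1_200_000))
```

`missing_parts(FAKE)` returns every component, which is the register-review signal that "the cloud" is a concern rather than a loss event; `REFINED` passes and gives an expected annual loss of 125,000.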
Post Refinement
Once a risk register is refined, it is primed for informing decisions and delivering value. Decision makers can evaluate the portfolio of potential loss exposure and determine what steps could be taken to reduce the frequency and/or magnitude of the adverse events. In short, a refined risk register enables risk to be measured and managed.
FAIR Facts to Know
- 3,000 risk professionals have joined the FAIR Institute. You should too (it’s free).
- The influential Gartner group of tech analysts named risk quantification as a must-have for integrated risk management.