In this video from the 2022 FAIR Conference, Cedric De Carvalho, Head of Group Cyber Risk & Advisory for Richemont, talks scaling quantitative risk management across the 26 lines of business of the fashion conglomerate.
Case Study: Scaling FAIR for M&A and Beyond: Combining Bottom-Up and Top-Down Approaches
Cedric De Carvalho, Head of Group Cyber Risk & Advisory, Richemont
De Carvalho started from what we know as standard practice of Factor Analysis of Information Risk, analyzing risk scenarios one at a time for probable loss exposure – he calls it the “top-down” approach.
FAIR won a lot of approval from the organization; as one participant in an analysis workshop said, “this is the first time that I understood risk, not just cyber risk but risk.” But “we were victims of our own success,” De Carvalho said. “We have executives who want to be assessed but we are not able to deliver,” because of the time required to produce a detailed risk analysis.
Another roadblock to scaling: Difficulty updating scenarios that had been developed for the silo of one line of business.
Join the FAIR Institute as a Contributing Member, enjoy access to the community of information risk officers, cyber security leaders and business executives growing the discipline of quantitative risk management.
The Bottom-up Approach to Use FAIR
De Carvalho started looking for efficiencies in risk analysis, with a bottom-up approach:
- Grouping assets across lines of business by similarities in controls environments, types of data, geographic region, and other characteristics
- Working with the red team and other SMEs to scope common types of risk scenarios
- Digging into the risk scenarios to identify “reusable blocks” that can be used across new scenarios to be analyzed. “When we have a new asset, we just pick what we need and we already have risk analysis behind it, and data we can use.”
“We already saw some benefits where we did one assessment that took us almost one month with a person working 100% on it, reduced to less than one week.”
“We can’t automate everything; there are risk scenarios that you want to have a risk analyst look into…At least, it is enabling us to scale FAIR…I am very convinced that over time, this will enable us to answer at the speed of business any kind of request.”
This slide shows where he hopes to go, combining the two approaches with automation.
The FAIR Institute honored Cedric De Carvalho with the Business Innovator Award at the 2022 FAIR Conference for his creative work introducing FAIR to Richemont.
Cedric De Carvalho with (left to right) FAIR Institute Chairman Jack Jones, Board Member Sounil Yu and President Nick Sanna