Case Study: Scaling FAIR for M&A and Beyond: Combining Bottom-Up and Top-Down Approaches
Cedric De Carvalho, Head of Group Cyber Risk & Advisory, Richemont
Watch the video of the presentation on overcoming objections to cyber risk quantification. A FAIR Institute Contributing Membership is required.
De Carvalho started from what we know as standard practice in Factor Analysis of Information Risk (FAIR): analyzing risk scenarios one at a time for probable loss exposure. He calls it the “top-down” approach.
FAIR won a lot of approval from the organization; as one participant in an analysis workshop said, “this is the first time that I understood risk, not just cyber risk but risk.” But “we were victims of our own success,” De Carvalho said. “We have executives who want to be assessed but we are not able to deliver,” because of the time required to produce a detailed risk analysis.
Another roadblock to scaling: Difficulty updating scenarios that had been developed for the silo of one line of business.
De Carvalho started looking for efficiencies in risk analysis, with a bottom-up approach:
“We already saw some benefits where we did one assessment that took us almost one month with a person working 100% on it, reduced to less than one week.”
“We can’t automate everything; there are risk scenarios that you want to have a risk analyst look into… At least, it is enabling us to scale FAIR… I am very convinced that over time, this will enable us to answer at the speed of business any kind of request.”
This slide shows where he hopes to go, combining the two approaches with automation.
The FAIR Institute honored Cedric De Carvalho with the Business Innovator Award at the 2022 FAIR Conference for his creative work introducing FAIR to Richemont.
Cedric De Carvalho with (left to right) FAIR Institute Chairman Jack Jones, Board Member Sounil Yu and President Nick Sanna