The latest issue of the ISACA Journal (available here to registered members) presents a detailed case study on the long-running FAIR™ program at Rock Holdings, Inc. (parent company of Quicken Loans and Rocket Loans), and how “FAIR implementation transformed the business’ enterprise risk management (ERM) program and risk culture.”
The FAIR pioneer and program manager at Rock Holdings, Keith Weinbaum, was a speaker at the 2019 FAIR Conference – learn more about Keith in this Meet a Member interview.
Some of the key points from the ISACA case study of Rock Holdings:
- The genesis of the program was in the dissatisfaction of both senior management and information security teams that security budget requests weren’t being communicated in business terms.
- After adopting FAIR in 2012, analysis began on the company’s top information risks – and found that many of the associated security initiatives couldn’t be justified for return on investment.
- In an unusual move, the FAIR program joined early with the enterprise risk management team, which ultimately helped spread FAIR through the organization. Another driver: increasing financial regulations pushed the organization to take a quantitative approach to ERM, creating more of an opening for FAIR.
- With FAIR’s credibility established, the organization had the confidence to launch its first major information security initiative based on quantitative metrics: lowering the risk of a confidentiality data breach below the level of the ERM risk appetite.
- The team developed a roll-out strategy to bring FAIR to each of the operating companies, starting with a meeting with the CEO, identifying a risk champion on the staff and documenting the core business processes and associated risk factors, using a business process modeling notation tool.
- Currently, the ERM process is integrated with all the subsidiary companies, covering not just information risk but market, credit and operational risk, and analyzes key risk scenarios using a customized quantitative risk analysis tool based on FAIR. Keith is quoted as saying, though, that he would not build a similar tool today, now that an off-the-shelf solution is available (the RiskLens platform is the SaaS application purpose-built on the FAIR model).
There’s a lot more detail on FAIR implementation at Rock Holdings in the case study: Building a Rock-Solid ERM Culture on FAIR (ISACA Journal, page 38).