The FAIR Institute Blog

How Liberty Mutual Built a FAIR-Based Risk Management Program

Written by Jeff B. Copeland | Mar 12, 2026 10:22:22 PM

At the 2025 FAIR Conference, Liberty Mutual’s Ashley Campbell and Chase Buckner walked through a practical journey many cyber risk teams recognize immediately: starting with spreadsheet-driven reporting and evolving toward a scalable, decision-supporting cyber risk quantification (CRQ) program based on the FAIR model.

Watch on Demand: From Risk Chaos to Risk Mastery: How We Ditched the Spreadsheet Graveyard

Panelists:

Ashley Campbell, Director, Cybersecurity, Liberty Mutual

Chase Buckner, Solutions Specialist, Liberty Mutual

Their message was straightforward. Most organizations begin with manual risk reporting processes that struggle to keep up with the pace of cyber threats. But with the right steps—standardization, partnerships, and automation—those programs can evolve into dynamic, forward-looking risk intelligence capabilities.

The Problem: Manual Risk Reporting Doesn’t Scale

Many cybersecurity risk programs begin with what the presenters called the “manual era.” In this stage, teams spend months gathering inputs from across the organization, consolidating spreadsheets, conducting meetings, and assembling a year-end risk report.

The process is familiar to many practitioners.

“You deliver the enterprise cyber risk report in January, walk out of the meeting, and immediately start thinking about all the improvements you need to make for next year,” Ashley said.

The challenge is not just effort—it is timeliness. Data collected mid-year may already be outdated by the time the report is finalized. Risk information often comes from multiple teams using different methods, creating inconsistencies that must be reconciled manually.

The result is a retrospective report describing what already happened rather than helping leaders decide what to do next.

Yet even this stage serves a purpose. It provides a starting point and helps organizations begin collecting risk data and building institutional awareness.

Step 1: Consolidate and Standardize Risk Processes

The first major step toward a FAIR-based cyber risk program is consolidation.

Organizations often have multiple risk teams embedded across business units. Bringing these teams together—or at least standardizing their processes—creates a shared understanding of risk across the enterprise.

Centralization provides several advantages:

  • Consistent assessment methods
  • Shared taxonomies and definitions
  • A single view of organizational risk
  • Improved collaboration among teams

However, consolidation introduces its own challenge: where and how to manage the data.

Without a centralized tool or platform, teams simply replace multiple spreadsheets with one giant spreadsheet. That may improve visibility, but it does not solve scalability.

The presenters warned that before organizations begin measuring everything, they must define what they actually want to measure.

“If someone asked you to analyze the moon but didn’t give you a telescope—or tell you what to analyze—you couldn’t do it,” Ashley said.

Cyber risk programs face the same issue when teams attempt to ingest large volumes of vulnerability or control data without a clear measurement framework.

Step 2: Adopt a Consistent Quantification Method

As risk programs mature, organizations begin moving from compliance-driven reporting toward risk-based decision support.

This is where the FAIR model becomes essential.

FAIR decomposes a risk scenario into loss event frequency (how often a threat event is expected to result in a loss) and loss magnitude (what each loss costs), with each factor estimated as a calibrated range rather than a single number. Running those ranges through a Monte Carlo simulation produces a distribution of annualized loss exposure, so cyber risk teams can quantify potential financial impact and evaluate tradeoffs. Rather than discussing risks in abstract terms, teams can model specific scenarios and estimate probable loss exposure, including how far the tail extends.

This shift changes how risk is discussed with executives.

Instead of answering questions about what happened last year, analysts can begin answering forward-looking questions:

  • What happens if we invest in a specific control?
  • How much risk reduction would we achieve?
  • What if we delay remediation?
  • Are we operating within risk tolerance?

At this stage, cybersecurity teams begin functioning as decision advisors, helping leadership evaluate the economic impact of cyber risk decisions.

Step 3: Move Beyond Spreadsheet-Driven Analysis

A major inflection point in building a FAIR-based program is recognizing the limits of spreadsheets.

Excel is often where FAIR analysis begins—but it rarely scales.

As the presenters explained, teams eventually “max out the capacity in Excel.” Models become difficult to maintain, simulations slow down, and analysts spend most of their time aggregating data rather than analyzing risk.

In spreadsheet-driven environments:

  • Assessments are point-in-time snapshots
  • Data collection requires significant manual effort
  • Subjective expert judgment often dominates analysis
  • Risk decisions lack consistent context

This leads to a cycle where risk analysis takes too long to support real decisions.

The goal is to move toward data-driven automation, where risk models ingest telemetry from controls, vulnerabilities, and operational systems to update risk insights continuously.

From the Liberty Mutual session at FAIRCON25

Step 4: Build a Decision-Support Capability

Once quantification and automation mature, the role of the cyber risk team expands significantly.

A well-designed CRQ program provides decision support across the organization, not just within governance, risk, and compliance (GRC).

Examples include:

  • Strategic investment planning
  • Security architecture prioritization
  • Control improvement initiatives
  • Cyber insurance optimization
  • Budget discussions with executives

One practical example illustrated how quantification supports business decisions.

In a scenario where a system generates $25 million in annual revenue but carries an annualized loss exposure in the range of $1–10 million, leadership can evaluate whether remediation costs are justified. The comparison is between the cost of the remediation and the expected reduction in loss exposure it buys, not the total exposure: if remediation costs $250,000 and the simulated reduction in annualized loss exposure is measured in millions, the decision becomes economically clear.

This kind of analysis reframes cyber risk management as a business decision problem, not just a security problem.
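The following script shows, in working code, the two ideas the post relies on: the Monte Carlo quantification of a FAIR scenario described under Step 2, and the remediation-versus-exposure comparison in the $250,000 example above. It is an added illustration, not code from Liberty Mutual, the FAIR Institute, or the conference session. Everything in it is an assumption for illustration: the three-point (minimum, most likely, maximum) estimates for loss event frequency and loss magnitude, the use of a PERT distribution to sample those estimates, the Poisson draw for the number of loss events in a year, and the remediation cost. The scenario names and the `Pert`, `Scenario`, `simulate`, and `compare` helpers are likewise constructed for the example. In a real program the ranges would come from calibrated subject-matter estimates and control telemetry.

```python
"""
FAIR-style Monte Carlo for a single loss scenario, before and after a control.

Added illustration, not Liberty Mutual's or the FAIR Institute's code.
All numeric inputs below are constructed for the example; calibrated
estimates and telemetry would replace them in a real program.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Pert:
    """Three-point estimate (min, most likely, max) sampled as a PERT distribution."""
    low: float
    mode: float
    high: float
    lam: float = 4.0  # standard PERT weight on the most-likely value

    def sample(self, rng: random.Random) -> float:
        if self.low == self.high:
            return self.low
        span = self.high - self.low
        alpha = 1.0 + self.lam * (self.mode - self.low) / span
        beta = 1.0 + self.lam * (self.high - self.mode) / span
        # PERT is a scaled Beta distribution; betavariate returns a value in [0, 1].
        return self.low + rng.betavariate(alpha, beta) * span


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Pert  # loss event frequency: loss events per year
    lm: Pert   # loss magnitude: dollars per loss event


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's method; adequate for the small per-year rates typical of FAIR scenarios."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 7) -> dict:
    """Simulate `years` independent years and summarise annual loss exposure."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = scenario.lef.sample(rng)          # this year's expected event rate
        events = poisson(rng, rate)              # how many loss events actually occur
        losses.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    losses.sort()
    return {
        "mean": mean(losses),                    # annualized loss exposure (expected value)
        "p10": losses[int(0.10 * years)],
        "p50": losses[int(0.50 * years)],
        "p90": losses[int(0.90 * years)],        # tail the board usually asks about
    }


def compare(baseline: Scenario, treated: Scenario, control_cost: float, **kw) -> dict:
    """Compare the cost of a control against the exposure reduction it buys."""
    before, after = simulate(baseline, **kw), simulate(treated, **kw)
    reduction = before["mean"] - after["mean"]
    return {
        "baseline": before,
        "treated": after,
        "mean_reduction": reduction,
        "net_benefit": reduction - control_cost,  # positive means the control pays for itself
    }


# Constructed inputs: a revenue-generating system whose exposure sits roughly
# in the $1-10M band discussed in the post. These are not figures from the session.
BASELINE = Scenario(
    "Revenue system compromise, current controls",
    lef=Pert(0.5, 2.0, 5.0),
    lm=Pert(200_000, 1_500_000, 4_000_000),
)
REMEDIATED = Scenario(
    "Revenue system compromise, after remediation",
    lef=Pert(0.2, 0.8, 2.0),                     # remediation assumed to cut event frequency
    lm=BASELINE.lm,                              # loss per event assumed unchanged
)
REMEDIATION_COST = 250_000                       # assumed one-year cost of the control


if __name__ == "__main__":
    result = compare(BASELINE, REMEDIATED, REMEDIATION_COST)
    for label in ("baseline", "treated"):
        r = result[label]
        print(f"{label:>9}: mean ${r['mean']:,.0f}  p10 ${r['p10']:,.0f}  "
              f"p50 ${r['p50']:,.0f}  p90 ${r['p90']:,.0f}")
    print(f"expected reduction ${result['mean_reduction']:,.0f}, "
          f"net benefit after ${REMEDIATION_COST:,} control: ${result['net_benefit']:,.0f}")
```

The point of the comparison function is the one the post makes: the decision figure is the difference between the two simulated exposures, not the baseline exposure itself, and it is reported alongside the 10th, 50th, and 90th percentiles so that leadership sees the uncertainty in the range rather than a single number.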

Step 5: Build Enterprise Partnerships

Another key lesson from Liberty Mutual’s experience is that cyber risk programs cannot mature in isolation.

Successful CRQ programs require collaboration with:

  • Enterprise risk management teams
  • Legal and regulatory groups
  • Security architecture teams
  • Threat and defense operations
  • Internal audit

Partnerships ensure that quantification aligns with enterprise risk frameworks and that insights influence real decisions across the organization.

Importantly, organizations should bring these stakeholders along on the journey. When other risk functions adopt similar quantification approaches, the entire enterprise gains stronger decision-making capabilities.

The Outcome: From Risk Reporting to Cyber Risk Intelligence

Ultimately, the journey from spreadsheets to a mature FAIR-based program is about shifting the purpose of cyber risk management.

Traditional programs produce periodic reports.

Mature CRQ programs deliver continuous decision intelligence.

Executives no longer receive static snapshots of cyber risk. Instead, they gain timely insights that guide budgeting, prioritization, and strategy.

“A CISO should be able to walk into a budgeting discussion with quantifiable data showing how risk will change based on the dollars being spent,” Chase said.

For cyber risk analysts, this shift is equally transformative. Rather than spending time collecting and reconciling data, they focus on scenario modeling, control effectiveness, and emerging risk areas.

The destination is what Ashley and Chase described as risk mastery: a program built on quantification, automation, and enterprise alignment—capable of delivering the risk context leaders need at the moment decisions are made.

More on the 2025 FAIR Conference.