A part of being a FAIR analyst involves frequently coming across other “risk analysts” and cynics at conferences, in forums or in casual conversation who believe risk quantification is simply not possible. Their reasoning: there is no way you could ever know with CERTAINTY whether an event will occur or not. Here’s a link to one of my previous posts where I outlined the limitations of the conventional qualitative approaches used throughout our industry. I believe it’s important to take a few moments to dispel this myth around certainty.
I hate to break it to people, but life is uncertain. Most people know this instinctively. They know that the plan for the day, the coming week, or an event a year from now rarely ever works out exactly as we’ve planned. And you know what, that’s okay. That’s actually better than okay, because learning to embrace uncertainty, at least in my humble opinion, leads to a less stressful life and keeps a good risk analyst employed.
A good risk analyst realizes that we’re not looking for precise values for the inputs to our analysis, because more often than not they don’t exist. You won’t know for certain how many ransomware attacks your organization is going to experience this year, or exactly how much you’ll spend on managing the response to customers, regulators, business partners, etc. if a breach were to occur. All of this is okay. What you will be able to develop, with the help of key subject matter experts within your organization, are numeric ranges: how frequently something is likely to occur, and how bad it’ll be in dollars and cents when it does. Ranges are how we account for uncertainty in an ever-changing world. The tighter the range, the more certainty we have; the wider the range, the less certainty. Again, all of which is good.
As you may have guessed, in the end you arrive at an estimated range of what a risk will cost your organization. This range honestly represents all of the information you can bring to bear on that question, which is vastly better than providing one definitive answer that is indefensible and almost invariably incorrect.
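As an added illustration that is not from the original post, here is one way to turn the SME ranges described above into the estimated cost range the post ends up with: a FAIR-style Monte Carlo in Python that draws a loss event frequency and a per-event loss magnitude from minimum/most likely/maximum estimates and sums them into an annualized loss. The ransomware numbers are constructed assumptions, and running the two magnitude estimates side by side shows the post's point that a tighter input range produces a tighter output range.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated SME estimate: minimum, most likely and maximum value."""
    low: float
    mode: float
    high: float

    def draw(self, rng: random.Random) -> float:
        # A triangular draw never leaves the bounds the expert committed to.
        return rng.triangular(self.low, self.high, self.mode)


def poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year for an expected yearly rate (Knuth's method)."""
    threshold, count, product = math.exp(-rate), 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(frequency: Estimate, magnitude: Estimate,
                         trials: int = 10_000, seed: int = 7) -> list[float]:
    """Return one simulated annualized loss per trial; together they form the output range."""
    rng = random.Random(seed)
    results = []
    for _ in range(trials):
        rate = frequency.draw(rng)          # expected events per year in this trial
        events = poisson(rng, rate)         # how many events actually occur
        results.append(sum(magnitude.draw(rng) for _ in range(events)))
    return results


def summarize(losses: list[float]) -> dict[str, float]:
    """The range a decision maker sees: 10th/50th/90th percentiles and the mean."""
    deciles = statistics.quantiles(losses, n=10)
    return {"p10": deciles[0], "p50": deciles[4], "p90": deciles[8],
            "mean": statistics.fmean(losses)}


# Constructed ransomware example: one frequency estimate, two magnitude estimates.
FREQUENCY = Estimate(low=0.5, mode=2, high=6)                     # events per year
MAGNITUDE_WIDE = Estimate(low=50_000, mode=200_000, high=2_000_000)   # dollars per event
MAGNITUDE_TIGHT = Estimate(low=100_000, mode=200_000, high=400_000)   # dollars per event

if __name__ == "__main__":
    for label, magnitude in (("wide", MAGNITUDE_WIDE), ("tight", MAGNITUDE_TIGHT)):
        stats = summarize(simulate_annual_loss(FREQUENCY, magnitude))
        print(label, {k: round(v) for k, v in stats.items()})
```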
Ultimately, all we can hope for is accuracy with a useful degree of precision. It’s this level of insight that helps us make decisions, whether it be in life or in risk analysis.