While FAIR is primarily known for cyber and technology risk analytics, its principles and quantification methods apply equally to operational, strategic and other forms of risk in the enterprise. If you’re looking to grow a FAIR program outward from cyber – or looking to start from the other direction with quantitative operational risk management – attend the FAIR Conference presentation by Seth Mowbray, Senior Risk Analyst, Legal, Risk & Compliance, Government Employees Health Association (GEHA):
Case Study - Providing Visibility into Operational Risk with FAIR, Tuesday, October 19 from 1:15-1:45 PM
Seth came to GEHA, the non-profit health plan for federal employees, from risk and compliance in the financial world and was tasked with building up the risk management function. The organization began with FAIR on the cyber side a few years ago but didn’t advance it beyond cyber until Seth developed a framework that enabled the risk team to gather quantitative data for FAIR analysis across the organization (Seth will share the framework in his presentation). They rolled out the program with a focus on their perceived top 10 risks.
“We actually started with third-party vendors because we knew that was going to be the biggest one. We just tried to look at all different ways to experience loss from vendors. That analysis took a lot of time. That flowed into cybersecurity, strategy and political threats. It got pretty big, pretty fast. But once everyone understood what we were doing and how it would work, they got on board a little faster.”
Seth says one big challenge was establishing the credibility of the numbers among business leaders who hadn’t seen risk quantified before. “In some cases, I had to sit down with the risk owner and walk through exactly a loss scenario we expected,” covering the probable frequency and impact in ranges. “When you are working through it line by line, and you’re adding it up for them, they realize there is a lot more [loss exposure] there…”
“That’s why I think quantification is so great. We are able to lay out the facts, the assumptions and the ranges. People can look at it and make adjustments, but they can’t just reject the results outright.”