In many of my conversations with organizations, I hear the same concern, “We are not sure that we are mature enough to do quantified risk analysis.” When I hear this, I remind them that FAIR is first and foremost a framework for thinking critically about risk.
As such, it acts as:
- A way to calibrate how people evaluate risk, which includes ensuring that the scope of what’s being analyzed is clear and complete. This helps to surface assumptions so that they can be examined and debated effectively
- A shared mental model for risk — i.e., everyone is operating from the same fundamental risk principles, concepts, and nomenclature. This significantly reduces confusion and unproductive debate (i.e., "religious wars")
- A means to more accurately and consistently identify and focus on the risk issues that matter most, which enables the organization to manage risk more cost-effectively
I then point out to them that these improvements do not require quantification. An organization can fully achieve the first two of these benefits simply by using FAIR with qualitative/ordinal measurements. Even the third benefit can be partially realized without quantification. As a result, there is no organization in the world, regardless of size or industry, that wouldn’t benefit from these improvements and that isn’t capable of achieving them.
The interesting thing, though, is that once an organization has achieved these benefits by adopting FAIR as its standard for evaluating and measuring risk, the step to quantification is easy, and I mean brain-dead easy. The reason is that the numbers are the easy part. Here’s why:
- Analysts trained in FAIR and making calibrated estimates are able to effectively use whatever data the organization has, regardless of how much or how little there is. An organization can leverage its existing data and evolve from there as need and resources dictate.
- The FAIR model clearly lays out what data is required in an analysis. This eliminates the confusion about where to look for the numbers and how to apply them.
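To make the two bullets above concrete, here is an added worked example (not code from the post or from the FAIR standard itself). It takes FAIR's top-level decomposition, annualized risk driven by Loss Event Frequency and Loss Magnitude, feeds it the kind of calibrated three-point estimates (minimum, most likely, maximum) an analyst produces, and runs a small Monte Carlo simulation. The estimate values, the choice of a triangular distribution, the ordinal thresholds, and the single-magnitude-per-year simplification are all assumptions made for this illustration; a full FAIR analysis decomposes further and would draw a separate magnitude for each simulated event.

```python
import random
import statistics

# FAIR's top-level factors: Loss Event Frequency (events per year) and
# Loss Magnitude (loss per event) combine into annualized loss exposure.
# Calibrated estimate format: (minimum, most likely, maximum).
# The numbers below are constructed for illustration, not data from the post.
LEF_ESTIMATE = (0.5, 2.0, 6.0)            # loss events per year
LM_ESTIMATE = (10_000, 50_000, 250_000)   # dollars per loss event


def analytic_expected_loss(lef, lm):
    """Expected annual loss when each estimate is modelled as a triangular
    distribution (an assumption here). The mean of a triangular distribution is
    (min + mode + max) / 3, and for independent factors the expectation of the
    product is the product of the expectations."""
    return (sum(lef) / 3) * (sum(lm) / 3)


def simulate_annual_loss(lef, lm, iterations=20_000, seed=1):
    """Monte Carlo draw of annualized loss. Each iteration samples a frequency and
    a per-event magnitude from the calibrated ranges and multiplies them.
    Simplification: one magnitude per simulated year rather than one per event."""
    rng = random.Random(seed)
    lo_f, mode_f, hi_f = lef
    lo_m, mode_m, hi_m = lm
    samples = []
    for _ in range(iterations):
        # random.triangular takes (low, high, mode); note the argument order.
        freq = rng.triangular(lo_f, hi_f, mode_f)
        magnitude = rng.triangular(lo_m, hi_m, mode_m)
        samples.append(freq * magnitude)
    return samples


def summarize(samples):
    """The figures a risk report would show: mean and 10th/50th/90th percentiles."""
    ordered = sorted(samples)
    n = len(ordered)

    def pct(p):
        return ordered[min(n - 1, int(p * n))]

    return {
        "mean": statistics.fmean(ordered),
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
    }


def qualitative_bucket(annual_loss, thresholds=(100_000, 500_000)):
    """Map a quantified annual loss onto an ordinal scale. The thresholds are
    constructed; the point is that the ordinal label and the dollar figure come
    from the same calibrated inputs, so moving between them costs little."""
    low, high = thresholds
    if annual_loss < low:
        return "Low"
    if annual_loss < high:
        return "Medium"
    return "High"


if __name__ == "__main__":
    expected = analytic_expected_loss(LEF_ESTIMATE, LM_ESTIMATE)
    report = summarize(simulate_annual_loss(LEF_ESTIMATE, LM_ESTIMATE))
    print(f"analytic expected annual loss: ${expected:,.0f}")
    for key, value in report.items():
        print(f"simulated {key:>4}: ${value:,.0f}")
    print("ordinal rating of the mean:", qualitative_bucket(report["mean"]))
```

The simulated mean should land close to the analytic value, and the spread between the 10th and 90th percentiles is what a qualitative "Medium" label hides: the same inputs that produce the label also produce the range decision-makers actually need.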
So if the numbers aren’t the hard part about evolving to risk quantification, then what is? Unfortunately, it’s the first two bullets in the first list above. Simply stated, changing how an organization thinks about risk can be hard. It doesn’t have to be of course, and in many cases it’s not. But there are a few things I see again and again that can become significant obstacles. In the next post in this series, I’ll outline what some of those obstacles are.