In part 2 of this series, I discussed the obstacles we most commonly encounter as organizations begin to adopt more mature risk measurement methods — quantification in particular. Because these obstacles tend to be cultural and behavioral, successful efforts to overcome them likewise have to be cultural and behavioral in nature.
People won’t change if they aren’t aware of the options. Even today, it is remarkable to me how often I’ll run into someone in the industry who hasn’t heard of FAIR and hasn’t even considered the possibility of more advanced risk measurements. So, the first step in overcoming obstacles is often simply making people aware of FAIR. This is particularly true for executive stakeholders who may be resigned to the belief that red, yellow, and green is as good as it gets when it comes to risk measurement. When they become aware of the much more meaningful risk intelligence that can be available, they often begin setting a higher bar that can quickly break down obstacles.
Too often, people are more comfortable sticking with the existing broken methods (especially when that’s what their neighbors are doing), rather than taking a chance on something “new”.
Overcoming this tendency can be accomplished through a combination of things:
- As more and more organizations adopt risk quantification, the herd mentality begins to take effect and what’s been “new and unusual” becomes “established and expected.” As a result, even organizations that are terrified of being outside of the herd will eventually evolve to quantification because that is the direction the industry is headed. This can be jump-started by pointing to the fact that FAIR has been adopted as an international standard, that it is being taught in universities, and that some of the largest companies in the world have begun to use it (e.g., Chevron, ADP, Bank of America).
- In many organizations, it is also possible to find strategically (i.e., politically) positioned champions for quantification. These are people at higher ranks within the organization who are critical thinkers, perhaps (but not necessarily) quantitatively inclined, and who believe in the importance of cost-effectiveness. Actively searching for these allies and enlisting their voices in the dialog can go a long way toward establishing internal political credibility.
- Emphasizing the fact that FAIR leverages well-established methods like calibration and Monte Carlo can also help people overcome their fear of its “newness.”
- Another key factor is that FAIR enables the organization to account for uncertainty in its data and analyses. It is remarkable how often I have overcome objections simply by pointing out that FAIR’s use of distributions as inputs and outputs allows you to faithfully represent the quality of data being used and thus the level of confidence in the analysis.
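
An added example, not from the original article or from any FAIR tool: a small Monte Carlo run showing how the width of the input estimates carries through to the width of the output loss distribution. It assumes triangular (min, most likely, max) estimates for loss event frequency and loss magnitude and a Poisson event count per year; all input values are constructed.

```python
import math
import random
import statistics

def poisson(rng, lam):
    """Knuth's method: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(lef, lm, trials=20000, seed=1):
    """lef, lm: (min, most likely, max) estimates for loss event frequency
    (events/year) and loss magnitude (currency per event). Assumed shapes."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        rate = rng.triangular(lef[0], lef[2], lef[1])  # uncertain frequency
        events = poisson(rng, rate)
        # Each event draws its own magnitude from the estimated range.
        losses.append(sum(rng.triangular(lm[0], lm[2], lm[1])
                          for _ in range(events)))
    return losses

def summary(losses):
    """Mean, median and 5th/95th percentiles (90% interval) of annual loss."""
    q = statistics.quantiles(losses, n=20)  # cut points at 5%, 10%, ..., 95%
    return {"p05": q[0], "p50": q[9], "p95": q[18],
            "mean": statistics.fmean(losses)}

def width(s):
    return s["p95"] - s["p05"]

# Constructed inputs: same most-likely values, different data quality.
good_data = summary(simulate(lef=(1.5, 2.0, 2.5), lm=(80_000, 100_000, 120_000)))
poor_data = summary(simulate(lef=(0.2, 2.0, 6.0), lm=(10_000, 100_000, 600_000)))

if __name__ == "__main__":
    for name, s in (("good data", good_data), ("poor data", poor_data)):
        print(f"{name}: median {s['p50']:,.0f}, 90% interval "
              f"{s['p05']:,.0f} to {s['p95']:,.0f}")
```

Both scenarios share the same most-likely inputs; only the ranges differ, and the wider ranges produce a visibly wider 90% interval in the result.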
Rapidly demonstrating the value of risk quantification can be especially powerful when overcoming objections. Maybe it’s performing a cost-benefit analysis that strongly supports an initiative for which key stakeholders are asking. Or perhaps it’s demonstrating that a “high risk” audit finding whose remediation has a large and painful price tag doesn’t, in fact, represent high risk. I’ve also used FAIR to find opportunities to reduce controls (e.g., SOX), which is almost always a big hit with executives.
The emphasis, however, should be on the word “quick.” Under no circumstances should you start out by trying to boil the ocean or tackle analysis problems that are going to take a long time to generate results.
Similar to “quick wins”, it can also be important to demonstrate the relative lack of pain associated with risk quantification. This tends to come in three forms:
- Tackling analysis problems that are tightly scoped, that don’t require the involvement of a lot of people, and where (ideally) data is easy to come by. This last point is less important if it’s accepted that less data means less precision, which is simply a fact of life when doing analysis (whether quantitative or qualitative in nature).
- Starting out gradually. In some organizations, the path to maturity has to be slow for any number of reasons. For these organizations, often the best approach is to simply adopt FAIR as a way to normalize terminology, concepts, and analyst mental models. This step alone can often provide so much benefit so quickly that it develops a positive inertia of its own that can pave the way for more rapid evolution.
- Using tools. Regardless of whether they’re simple spreadsheets or more sophisticated and powerful software applications such as RiskLens, tools can go a long way toward minimizing the pain associated with adopting more sophisticated methods.
Change can be hard, but it doesn’t have to be. The key is to know your audience, understand the reasons behind their reticence to change, and then address those concerns as simply and concisely as possible.
If you’ve had the opportunity to help your organization evolve and have had to overcome obstacles along the way, please chime in through the comments section or by becoming a member of the FAIR Institute and beginning a dialog in the FAIR Institute LinkedIn group.