Risk analysts come from a variety of industries and backgrounds, and they vary in their levels of experience and skill sets. It’s just one of the beautiful things about our eclectic profession. Yet every so often, some of them, whether of their own volition or coerced by the norms and customs of their work environment, head down the perilous and lackluster path of becoming a “cubicle risk analyst.”
As the name suggests, a cubicle risk analyst rarely leaves their workspace to venture out into the organization to conduct their risk assessments. Often believing that they don't require any more input than their own, they fill their risk assessments with their own assumptions and preconceived notions, which are most likely misunderstandings of whatever they are assessing. As a result, the analysis is devoid of critical thinking: completely subjective and most likely incorrect. To make matters worse, these results, which are meant to inform decisions about how the organization uses its limited resources, not only do a disservice to those the analyst reports to, but are potentially perilous to the organization as a whole.
A good risk analyst, on the other hand, does not stay within the confines of their cubicle, because they know the answers for their analysis can't possibly be found within those four walls. A good analyst knows what they don't know, which is to say that they are not experts on the various forms in which risk materializes in their organization. So, what do they do? They venture out in search of what they don't know. They know that the organization’s losses from fines and judgments, litigation costs, and resources spent can only be estimated by speaking to the organization’s legal resources. Similarly, to assess the frequency of information security losses, they will need to speak with the organization’s incident response or SOC resources. This practice continues until the risk analyst has a good grasp of how frequently the loss is likely to occur, and how the loss will materialize if and when it does.
The FAIR framework gives the good risk analyst I described above a powerful tool to guide them as they assess the risks faced by their organization. Let's face it, the topic of risk always gives people the opportunity to make their own assumptions. The FAIR framework allows analysts and business leaders to think critically, surface assumptions, and subsequently debate and examine those assumptions. In addition to breaking down risk, the framework also establishes foundational terminology so that business people and analysts can talk about risk in a common, standardized vocabulary. After all, a competent banker would not confuse the terms 'debit' and 'credit,' nor would a group of scientists sending a rocket into space confuse the definitions of 'gravity' and 'velocity.'
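To make concrete what the analyst does with the frequency estimate gathered from the SOC/IR team and the magnitude estimate gathered from legal, here is an added example (not from the original post or from the FAIR standard itself) that combines the two the way a FAIR-style Monte Carlo does: each input is a min/most-likely/max estimate, and the simulation produces a distribution of annualized loss rather than a single made-up number. The estimates in the block are constructed placeholders, and the PERT and Poisson sampling choices are this example's assumptions.

```python
import math
import random
import statistics

def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a modified PERT distribution (min, most likely, max)."""
    if high <= low:
        return low  # degenerate estimate: no spread to sample
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)

def poisson_sample(rng, rate):
    """Number of loss events in one year given an expected annual rate (Knuth)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(lef, lm, trials=10000, seed=7):
    """Monte Carlo over one year: lef and lm are (min, mode, max) estimates.

    lef: loss event frequency per year (from incident response / SOC input)
    lm:  loss magnitude per event in dollars (from legal / finance input)
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson_sample(rng, pert_sample(rng, *lef))
        losses.append(sum(pert_sample(rng, *lm) for _ in range(events)))
    return losses

def summarize(losses):
    """Mean, median, 90th percentile and worst case of the simulated years."""
    s = sorted(losses)
    n = len(s)
    return {"mean": statistics.mean(s), "p50": s[n // 2],
            "p90": s[int(n * 0.9)], "max": s[-1]}

# Constructed estimates (placeholders, not real figures): the SOC/IR team puts
# successful account-takeover incidents at 0.5-6 per year (most likely 2); legal
# puts per-event cost (investigation, notification, fines) at $20k-$800k.
LEF_ESTIMATE = (0.5, 2.0, 6.0)
LM_ESTIMATE = (20_000, 100_000, 800_000)

if __name__ == "__main__":
    for name, value in summarize(simulate_annual_loss(LEF_ESTIMATE, LM_ESTIMATE)).items():
        print(f"{name:>4}: ${value:,.0f}")
```

The output is a range (median, 90th percentile, worst simulated year), which is what lets the analyst and business leaders debate the underlying estimates instead of arguing over one point value.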
To the cubicle risk analyst this may seem like a lot of unnecessary extra work, but a good risk analyst knows that it’s precisely this level of engagement that makes their assessments more defensible and more objective, and that ultimately provides a more accurate depiction of the risks facing the organization.