FAIR Institute Blog

Tools and Tips to Start a FAIR Program across Your Organization

[fa icon="calendar"] Nov 16, 2021 2:00:00 PM / by Jeff B. Copeland

It was a good problem to have: The board at Government Employees Health Association (GEHA) directed the risk team to start presenting on risk in quantitative terms by the next quarter. A good problem because support from the top would open many doors – but still, the team had to adopt and implement a FAIR™ program from nearly a standing start on a tight timeframe.

In his presentation to the 2021 FAIR Conference (FAIRCON21), Seth Mowbray shared a wealth of tactical experience the GEHA team gained that should benefit any project to stand up a FAIR program that crosses business units and risk disciplines, from cyber through operational.

FAIRCON21 - Seth Mowbray - GEHAFAIRCON21 Presentation:

Case Study - Providing Visibility into Operational Risk with FAIR 

Seth Mowbray, Senior Risk Analyst, Legal, Risk & Compliance, Government Employees Health Association (GEHA)

FAIR Institute members can watch the video of this FAIRCON21 session in the LINK member community. Not a member yet? Join the FAIR Institute now, then sign up for LINK. 

Read more about Seth Mowbray's FAIR journey in this interview

Here’s a selection of the advice you’ll hear in this FAIR Conference session: 

  • Give your subject-matter experts a simplified approach for estimating the inputs for analysis and keep the risk scenarios broad in scope. Seth started by asking SMEs to identify high and low risks across a few parameters, with charts like these for frequency and magnitude:

FAIRCON 21 - FAIR Risk Analysis - Loss Event Frequency

FAIRCON21 - FAIR Risk Analysis - Loss Magnitude

Hint: There’s a 90% chance SMEs can’t provide the Most Likely value, Seth said. 

  • Carefully build consensus before you present to the board or senior leadership. Preview the quantification with the SMEs as a reality check. Preview with the risk owners to see if they want to adjust their estimates. Demonstrate the methodology to the finance and data teams and get their advice on how to present results. 

Hint: Carefully document your analysis work as you go – you may not remember where you sourced some data points if challenged months later.

FAIR training approved by the FAIR Institute - online courses available now

  • For every scenario the organization perceives as a risk, ask the question, “How would we lose money on this?” For example, risk register items like “internal audit risk” may just be a list of controls to mitigate losses from other risks. Similarly, “lawsuit risk” is really a secondary effect from data breach or other risks. 

Hear all of Seth’s tips from GEHA’s FAIR experience: Register now at no charge to view the session on video.

Topics: FAIR Conference 2021

Jeff B. Copeland

Written by Jeff B. Copeland

Jeff is the Content Marketing Manager for RiskLens.

Join the FAIR Community

Subscribe to Email Updates

Learn How FAIR Can Help You
Make Better Business Decisions

Recent Posts