It was a good problem to have: The board at Government Employees Health Association (GEHA) directed the risk team to start presenting on risk in quantitative terms by the next quarter. A good problem because support from the top would open many doors – but still, the team had to adopt and implement a FAIR™ program from nearly a standing start on a tight timeframe.
In his presentation to the 2021 FAIR Conference (FAIRCON21), Seth Mowbray shared a wealth of tactical experience the GEHA team gained that should benefit any project to stand up a FAIR program that crosses business units and risk disciplines, from cyber through operational.
Case Study - Providing Visibility into Operational Risk with FAIR
Seth Mowbray, Senior Risk Analyst, Legal, Risk & Compliance, Government Employees Health Association (GEHA)
FAIR Institute members can watch the video of this FAIRCON21 session in the LINK member community. Not a member yet? Join the FAIR Institute now, then sign up for LINK.
Read more about Seth Mowbray's FAIR journey in this interview
Here’s a selection of the advice you’ll hear in this FAIR Conference session:
- Give your subject-matter experts a simplified approach for estimating the inputs for analysis, and keep the risk scenarios broad in scope. Seth started by asking SMEs for just a high and a low estimate on a handful of parameters, using one simple chart for loss event frequency and one for loss magnitude (the charts are in the session slides).
Hint: There’s a 90% chance SMEs can’t provide the Most Likely value, Seth said.
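Turning a pair of high/low estimates into a loss distribution is the step the bullet above leaves implicit. The following is an added example, not code from the GEHA team or the FAIR Institute, and the frequency and magnitude ranges in it are constructed. It makes two modeling assumptions that are not stated in the talk: each SME low/high pair is treated as a 90% confidence interval, and both frequency and magnitude are modeled as lognormal. Event counts per year are drawn from a Poisson process, per-event losses are summed, and the result is reported as percentiles, which is how range-only inputs end up as the annualized loss figures a board can read.

```python
import math
import random

# Two-sided 90% interval: the 5th and 95th percentiles of a standard
# normal sit at +/- 1.6449 standard deviations from the mean.
Z90 = 1.6448536269514722


def lognormal_params(low, high):
    """Convert an SME low/high pair into lognormal (mu, sigma).

    Assumption (not from the talk): the pair is a 90% confidence interval,
    so ln(low) and ln(high) sit Z90 standard deviations either side of the
    mean of the underlying normal. No most-likely value is needed.
    """
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def poisson_sample(rate, rng=None):
    """Number of loss events in one year for a given expected rate.

    Knuth's multiplication method for small rates; a normal approximation
    for large rates, where exp(-rate) would underflow and the loop would
    never terminate.
    """
    rng = rng or random.Random()
    if rate > 50:
        return max(0, round(rng.gauss(rate, math.sqrt(rate))))
    threshold = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def percentile(values, pct):
    """Nearest-rank percentile of an unsorted list (pct in 0..100)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def simulate_annual_loss(freq_range, mag_range, years=10000, seed=1):
    """Monte Carlo over `years` simulated years.

    freq_range: SME low/high for loss events per year.
    mag_range:  SME low/high for the loss from one event, in dollars.
    Returns percentiles of annual loss plus the mean (the ALE).
    """
    rng = random.Random(seed)
    f_mu, f_sigma = lognormal_params(*freq_range)
    m_mu, m_sigma = lognormal_params(*mag_range)
    annual = []
    for _ in range(years):
        # Uncertainty about the rate itself, then the events that rate produces.
        rate = rng.lognormvariate(f_mu, f_sigma)
        events = poisson_sample(rate, rng)
        annual.append(sum(rng.lognormvariate(m_mu, m_sigma) for _ in range(events)))
    return {
        "p10": percentile(annual, 10),
        "p50": percentile(annual, 50),
        "p90": percentile(annual, 90),
        "mean": sum(annual) / years,
        "years": years,
    }


if __name__ == "__main__":
    # Constructed inputs: an SME says "between 1 event every 2 years and 2 a
    # year", and "each one costs us somewhere between $50k and $500k".
    summary = simulate_annual_loss((0.5, 2.0), (50_000, 500_000))
    for key in ("p10", "p50", "p90", "mean"):
        print(f"{key:>5}: ${summary[key]:>12,.0f}")
```

The 10th percentile is often zero, because a rate near one event a year leaves a sizable chance of no event at all in a given year; showing that alongside the 90th percentile is usually more persuasive to a board than a single expected value, and it is the kind of reality check the SMEs and risk owners should see before the board does.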
- Carefully build consensus before you present to the board or senior leadership. Preview the quantification with the SMEs as a reality check. Preview with the risk owners to see if they want to adjust their estimates. Demonstrate the methodology to the finance and data teams and get their advice on how to present results.
Hint: Carefully document your analysis work as you go – you may not remember where you sourced some data points if challenged months later.
- For every scenario the organization perceives as a risk, ask the question, “How would we lose money on this?” For example, risk register items like “internal audit risk” may just be a list of controls that mitigate losses from other risks, not a loss event in their own right. Similarly, “lawsuit risk” is really a secondary loss that follows from a data breach or another primary event, and belongs in that scenario's analysis rather than as a separate line item.
Hear all of Seth’s tips from GEHA’s FAIR experience: Register now at no charge to view the session on video.