You’re sold on FAIR and quantitative risk analytics but until you bring your organization around, you’re just an army of one. In this panel discussion at the 2018 FAIR Conference, four successful FAIR intrapreneurs give some tips on how they built support, starting at the team level, and working their way up to the board of directors.
The panelists were:
- Evan Wheeler, CISO, Financial Engines
- Jack Freund, Director, Cyber Risk, TIAA
- Mandy Andress, CISO, Elastic
- Tim Titcomb, VP, Technology Risk, Fidelity
Watch as they relate how they handled these common issues:
View How to Get the Buy-In for a Quantitative Risk Management Program. A (free) FAIR Institute membership is required – join now.
Where and how to start?
Don’t ask permission, Mandy advises. “We quietly started a FAIR analysis effort to see if it would work,” then showed the results around. Jack started off with a PowerPoint presentation pitching FAIR, based on the superiority of its logic. It fell flat: “The big lesson is you need to meet people where they are and I was trying to push them a little farther than they were ready.”
What broke through to persuade teams outside of inforisk?
Jack says that breaking out of the typical risk team posture of “we’re here to say no” and instead presenting a range of options based on FAIR analysis was a credibility builder. “Tailor the message,” Tim suggests. “For practitioners, this is a new tool. For executives, this is a new way to understand risk and make decisions.”
How to spread the more disciplined terminology of FAIR, while other groups use risk-related terms loosely?
“If a pen-test team comes in with a high vulnerability, we don’t correct them,” says Tim. “The important thing is how to consume it in our team and translate that into the common terminology, dollars.” Jack adds, “but I do hold the line on the difference between control deficiency and risk, that’s a very essential one.”
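The translation Tim describes, a pen-test “high” re-expressed as a dollar range the business can reason about, is the core move of a FAIR analysis. The script below is an added illustration, not code from the panelists or the FAIR Institute: it uses the FAIR top-level decomposition (risk as loss event frequency combined with loss magnitude) with triangular min / most-likely / max estimates standing in for the calibrated ranges a real analysis would gather, and all numbers in it are constructed sample values. The finding’s severity label never enters the model; only the analyst’s frequency and magnitude estimates do, which is why the output is comparable across findings from different teams.

```python
import math
import random
import statistics

# Added illustration, not from the panel or the FAIR Institute. The factor
# structure (Loss Event Frequency x Loss Magnitude) is FAIR's; the triangular
# distributions and every numeric input are constructed stand-ins.


def _poisson(rng, lam):
    """Knuth's method: how many loss events occur in one simulated year
    when the expected frequency for that year is lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(freq, mag, iterations=10000, seed=1):
    """Monte Carlo over simulated years.

    freq: (min, most_likely, max) loss events per year.
    mag:  (min, most_likely, max) dollars lost per event.
    Each year draws a frequency, draws the actual event count from it,
    then sums one magnitude draw per event. Returns one total per year.
    """
    rng = random.Random(seed)  # fixed seed so a review can reproduce the numbers
    losses = []
    for _ in range(iterations):
        # random.triangular takes (low, high, mode)
        lef = rng.triangular(freq[0], freq[2], freq[1])
        events = _poisson(rng, lef)
        losses.append(sum(rng.triangular(mag[0], mag[2], mag[1]) for _ in range(events)))
    return losses


def summarize(losses):
    """Percentiles and mean of the simulated annual loss distribution."""
    ordered = sorted(losses)

    def pct(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "mean": statistics.mean(losses),
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
    }


def annualized_loss_exposure(freq, mag, iterations=10000, seed=1):
    """One-call wrapper: estimates in, dollar distribution summary out."""
    return summarize(simulate_annual_losses(freq, mag, iterations, seed))


if __name__ == "__main__":
    # Constructed example: a pen-test "high" on an internet-facing application.
    # The analyst estimates it is exploited 0.1 to 2 times a year (most likely
    # 0.5) and that an exploitation costs $50k to $2M (most likely $250k).
    finding = annualized_loss_exposure(
        freq=(0.1, 0.5, 2.0),
        mag=(50_000, 250_000, 2_000_000),
    )
    for label, dollars in finding.items():
        print(f"{label:>5}: ${dollars:,.0f}")
```

The p10/p50/p90 spread is the part worth showing to executives: a “high” whose p90 is a few hundred thousand dollars and one whose p90 is tens of millions get the same label from the pen-test team but very different treatment decisions once they are on the same dollar scale. The fixed seed is deliberate; a number that changes every time it is run is hard to defend in a steering committee.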
What’s a way to “productize” FAIR – build it into the routine?
Tim advises that FAIR programs “build a risk factory, churn through assessments, and identify key risks on a proactive basis.” For his team, “it got you out of arguing why FAIR is better than other methodologies. It put it into a delivery model.”
For more tips on socializing and productizing FAIR, watch the video Get the Buy-In for a Quantitative Risk Management Program.