How do you scale quantitative risk management from one evangelist to an enterprise-wide program built on FAIR™ (Factor Analysis of Information Risk)? At the recent 2022 FAIR Conference, Zach Cossairt, Information Risk Program Manager at Equinix, found answers in behavioral economics, drawing on The Voltage Effect: How to Make Good Ideas Great and Great Ideas Scale by John A. List.
Watch the FAIRCON video: Harnessing The Voltage Effect to Scale our FAIR Risk Programs. A FAIR Institute Contributing Membership is required to view – join the FAIR Institute now.
The Voltage Effect is a science-based attempt to isolate the factors that cause a small program to gain or lose momentum (“voltage”) as it scales, with the goal of “giving every program an equal chance at success,” as Zach said.
The Voltage Effect identifies five cautions on the road to success.
1. False Positives. For instance, the small initial group you started on FAIR may not have been representative of the larger organization. Treat the experience as a science experiment and keep iterating, while watching out for confirmation bias (dismissing information contrary to what you want to believe).
2. Know Your Audience. “We are all marketers,” Zach said. Understand their goals and previous experiences, for instance, what they’ve heard about cyber risk quantification.
Learn more about Zach Cossairt in this Meet a Member interview. Zach was honored with the Business Innovator Award at the 2021 FAIR Conference.
3. Know Your Recipe. Identify the key success drivers for your program and make those non-negotiable, but be open to negotiating other factors.
4. Spillovers. Be alert to unintended impact, positive or negative, of changes brought by your program.
5. Supply-side Economics. Optimum scaling achieves economies of scale; diseconomies indicate you are on the wrong track. Three questions to ask at this stage are:
- Who likes your idea?
- How much will they pay for it (in one cost or another)?
- How much does it cost to provide?
Behavioral economics can also inform the key deliverable of a quantitative risk management program: risk reporting to stakeholders.
“We’re all choice architects,” Zach said, meaning we design (intentionally or not) the fact and analysis environments for our decision-makers to influence the path they will take.
To succeed, we need to recognize and accommodate human nature in our risk programs.
- We’re biased, and we blunder
- We seek the easy route
- We believe, then selectively confirm our beliefs
- We are averse to losses
“Build programs that work with human nature, not against it,” Zach advised.