Nick Sanna, CEO of RiskLens, and Rob Eslinger, Risk Transformation Advisor, participated in the International Association of Professional Risk Managers’ recent event, “Cyber Risk in a Turbulent World”, and encouraged managers to risks to challenge the status quo of cyber risk management.
“Let’s be honest and talk about the state of most risk management programs,” Nick said. “The state is not great.” Among the problems:
- Use of qualitative red/yellow/green risk ratings based on no formal risk measurement model.
- Risk registers which are a ‘dumpster’ of issues and concerns, with ‘most entries not really being risks’.
- Inability to communicate with the rest of the organization in terms the business understands – not just “trust me”.
“Risk models are important,” Nick said. They should generate analysis in a consistent and quantifiable format that allows business decision makers to prioritize risk based on loss exposure and justify investment in mitigation measures to reduce risk.
Nick introduced Factor Analysis of Risk Information (FAIR™), the international standard for quantifying risk that forms the basis, along with statistical modeling, of the risk analysis applications offered by RiskLens. FAIR breaks down loss events into factors that can be quantified and, equally important, gives organizations a common and transparent understanding of risk.
To show FAIR analysis in action, Rob presented two case studies from recent RiskLens engagements:
A tech-dependent services company investigated the risk of ransomware destroying its flagship app, then performed a cost-benefit analysis on multi-factor authentication, revealing a likely risk reduction of $17 for every $1 spent on it. this control.
To demonstrate the flexibility of FAIR analysis to analyze and integrate both cyber and operational risks, Rob presented the case study of a manufacturing company seeking to understand the risks for a earthquake facility. earth, ransomware, employee errors, and power outages – all quantifiable scenarios. -apples in financial terms.
The analysis revealed the main risks through different lenses, with surprising results. And when Rob’s team looked at the earthquake scenario, they discovered another surprise: an expensive initial refurbishment of the manufacturing plant would be a more cost-effective investment in risk reduction than paying insurance premiums over time.
With FAIR, “we can be very tangible and direct in terms of the ROI of different treatment options to inform our decision makers,” Rob concluded.
Nick concluded with a message to the risk managers in the audience: “We have seen many people leverage FAIR to elevate their careers from being a risk professional who struggles to demonstrate their value to the business. to become a strong partner and ally for the company, called upon to help with many decisions.
*** This is a syndicated blog from the Security Bloggers Network of RiskLens Resources written by Jeff B. Copeland. Read the original post at: https://www.risklens.com/resource-center/blog/integrate-cyber-risk-management-erm-risklens-prmia-presentation