How to Integrate Cyber Risk Management with ERM - RiskLens Presents to PRMIA on Advantages of FAIR and CRQ

June 28, 2022  Jeff B. Copeland

Nick Sanna - Founder and President - FAIR Institute (2)RiskLens CEO Nick Sanna and Risk Transformation Adviser Rob Eslinger appeared at the recent event of the Professional Risk Managers’ International Association, “Cyber Risk in a Turbulent World,” and encouraged risk managers to rise up against the status quo of cyber risk management.

“Let’s be honest and talk about the state of most risk management programs,” Nick said. “The state is not great.” Among the problems:

  • Reliance on qualitative, red/yellow/green risk ratings based on no formal risk measurement model.
  • Risk registers that are a “dumping ground” of issues and concerns, with “most of the entries not really risks.”
  • Inability to communicate to the rest of the organization in terms the business understands – not just “trust me.” 

“Risk models matter,” Nick said. They should generate analysis in a consistent, quantifiable format that enables business decision-makers to prioritize among risks based on loss exposure and justify investments in mitigations to reduce risk. 

Learn how RiskLens can help you prioritize and justify cybersecurity investments with cyber risk quantification (CRQ).

Nick introduced Factor Analysis of Information Risk (FAIR™), the international standard for risk quantification that’s the basis – along with statistical modeling – of the risk analysis applications offered by RiskLens. FAIR breaks down loss events into factors that can be quantified and, just as important, gives organizations a common, transparent understanding of risk. 

Rob Eslinger - RiskLens Risk Transformation Advisor 2 (1)To show FAIR analysis in action, Rob presented two case studies from recent RiskLens engagements: 

A technology-dependent service company investigated the risk of ransomware knocking out its flagship application, then ran a cost/benefit analysis on multi-factor authentication, revealing a probable $17 risk reduction for every dollar spent on that control.

PRMIA Presentation - Ransomware Impact 1

PRMIA Presentation - Cost Benefit Analysis Added MFA 

To demonstrate the flexibility of FAIR analysis to analyze and integrate both cyber and operational risk, Rob presented the case study of a manufacturing company looking to understand risk to a facility from earthquake, ransomware, employee error and power outage – all scenarios quantifiable apples-to-apples in financial terms.

The analysis surfaced the top risks through different lenses, with surprising results. And when Rob’s team dug into the earthquake scenario, they discovered another surprise – a high-priced retrofit upfront to the manufacturing facility would be a more cost-effective investment for risk reduction than paying out insurance premiums over time.

RiskLens FAIR Operational Risk Case Study Top Risk Report-1

RiskLens FAIR Operational Risk Case Study - Decision Support-1With FAIR, “we can be very tangible and direct in terms of the ROI is of various treatment options to inform our decision makers, Rob concluded.

Nick wrapped up with a message to the risk managers in the audience: “We have seen many people leverage FAIR to elevate their careers and be seen going from a risk professional who struggles to demonstrate value to the business to become a strong partner and ally to the business, in demand to help with many decisions.”