Taking the R in GRC Seriously

Transcription

1 Taking the R in GRC Seriously Jack Jones Chairman, The FAIR Institute

2 Why should we care about the R in GRC?

3 Current reality Complex Dynamic Limited Resources 3

4 Organizations must effectively prioritize their risk-related problems and solutions. 4

5 Prioritization requires Comparing various concerns and solution options Comparisons require measurement 5

6 As an industry, how effectively do we measure risk today? 6

7 Which of the following are risks? Disgruntled employees Data centers in coastal areas Untested recovery process Network shares containing sensitive consumer information Weak passwords Hurricanes 7

8 Actually, none of them are risks Disgruntled employees Threat community Data centers in coastal areas Untested recovery process Assets Deficient control Network shares containing sensitive consumer information Assets Weak passwords Deficient control Hurricanes Threat 8

9 What is the classic formula for risk? Risk = Likelihood x Impact Likelihood and Impact of what? Loss Events 9

10 These aren t loss events Disgruntled employees Data centers in coastal areas You can only assign likelihood and impact to loss events. Untested recovery process Network shares containing sensitive consumer information Weak passwords Hurricanes 10

11 Risk Seminar Survey 11

12 Risk Seminar Survey Confusion about risk Risk measurement 12

13 13

14 Other causes of inaccurate risk measurement v Absence of critical thinking (Reliance on best practices ) Broken models Focus on possibility vs. probability 14

15 Other causes of inaccurate risk measurement v Poorly defined measurement scales It s umm Medium risk Bad estimates Math on ordinal scales ( Red x Green ) / Yellow =? 15

16 What is the most commonly used risk measurement model? Mental models 16

17 Are we in control today? 17

18 What can/should we do differently? 18

19 A mature risk management program is one that can cost-effectively achieve and maintain an acceptable level of risk. which requires effective measurement 19

20 FAIR Ontology Risk Loss Frequency Loss Magnitude Threat Event Frequency Vulnerability Primary Loss Secondary Risk Loss Event Frequency Loss Magnitude Loss Event Frequency Loss Magnitude Open international standard thru the Open Group 20

21 Risk Risk The probable frequency and probable magnitude of future loss 21

22 Risk Loss Frequency Loss Event Frequency The probable frequency, within a given timeframe, that a threat action will result in loss 22

23 Risk Loss Frequency Threat Event Frequency Threat Event Frequency The probable frequency, within a given timeframe, that a threat will act in a manner that may result in loss 23

24 Risk Loss Frequency Threat Event Frequency Vulnerability Vulnerability The probability that a threat event will become a loss event 24

25 Risk Loss Frequency Loss Magnitude Threat Event Frequency Vulnerability Probable loss magnitude The probable magnitude of loss resulting from a threat action 25

26 Risk Loss Frequency Loss Magnitude Threat Event Frequency Vulnerability Primary Loss Primary loss Loss that occurs directly as a result of the threat act against the asset. 26

27 Risk Loss Frequency Loss Magnitude Threat Event Frequency Vulnerability Primary Loss Secondary Risk Secondary Risk Loss that occurs as a result of secondary stakeholder reaction to the primary loss event. 27

28 Risk Loss Frequency Loss Magnitude Threat Event Frequency Vulnerability Primary Loss Secondary Risk Loss Event Frequency Secondary LEF The probable frequency of loss generated by secondary threats 28

29 Risk Loss Frequency Loss Magnitude Threat Event Frequency Vulnerability Primary Loss Secondary Risk Loss Event Frequency Loss Magnitude Secondary LM The probable loss magnitude resulting from secondary threat actions 29

30 Forms of loss 30

31 Forms of loss Productivity Is the reduction in an organization s ability to generate its primary value proposition (e.g., income, goods, services, etc.) 31

32 Forms of loss Response Expenses associated with managing a loss event (e.g., internal or external person-hours, logistical expenses, etc.) 32

33 Forms of loss Replacement The intrinsic value of an asset. Typically represented as the capital expense associated with replacing lost or damaged assets (e.g., rebuilding a facility, purchasing a replacement laptop, etc.) 33

34 Forms of loss Competitive Advantage Losses associated with diminished competitive advantage. CA loss is specifically associated with assets that provide competitive differentiation between the organization and its competition. Examples would include trade secrets, merger and acquisition plans, etc. 34

35 Forms of loss Fines & Judgments Legal or regulatory actions levied against an organization. Note that this includes bail for any organization members who are arrested. 35

36 Forms of loss Reputation Losses associated with an external perception that an organization s value proposition is reduced or leadership is incompetent, criminal, or unethical. 36

37 Role/benefits of FAIR Normalizes nomenclature Provides a clear, consistent model for risk analysis/measurement Enables quantitative risk measurement in economic terms Open standard that s supported by an active community 37

38 But better risk measurement is just part of the solution 38

39 The link between risk and maturity How much risk we have today is a lagging indicator of our past ability to manage risk. Our ability to manage risk today is a leading indicator of how much risk we re likely to have in the future. 39

40 2017 Maturity Benchmark Study 114 respondents 14 questions Focused on decision-making and execution factors Average indexed score was 24 out of th percentile score was 62 out of 100 We have work to do (White paper is available) 40

41 Well-informed decision-making Visibility (data) Assets Threats Control conditions Loss implications Root cause analysis Analysis (Understanding the data) Models Skilled analysts Tools? 41

42 Reliable execution Unambiguous awareness of expectations Policies Standards Processes Appetite/objective Capability to meet expectations Motivation to meet expectations 42

43 Wrapping it up 43

44 Summary The risk landscape is complex and dynamic (and becoming more-so), and we have limited resources for dealing with it. Making well-informed decisions and executing reliably is critical to risk management success. As a profession, today we do not enable well-informed decision-making or reliable execution. Becoming truly effective as a profession requires that we mature in: Our use of nomenclature Our risk measurement practices Our focus on well-informed decision-making and reliable execution 44

45 The FAIR Institute Nonprofit dedicated to building a community of experts in more evolved and effective risk management methods No cost to join Over 2500 members to-date Annual conference in October (2018 event will be hosted by Carnegie Mellon University) Very active blog and numerous white papers Offers a free online FAIR tool and pre-defined university curriculum Local chapters in large cities globally (e.g., Chicago, NYC, San Francisco, Washington DC, Dallas, Boston, Toronto, Charlotte, London, Paris, Abu Dhabi, Melbourne, Oslo) Several active workgroups (university educators, operational risk, cyber risk, risk management, cyber insurance, etc.) 45

46 Resources The FAIR Institute The Open Group Measuring and Managing Information Risk: A FAIR Approach amazon.com How to Measure Anything (Hubbard) amazon.com 46

47 What you can do This week Become a member of the FAIR Institute Dig into the resources listed previously Within the next month Evaluate which of the risk measurement problems I described are happening in your organization Begin socializing the need to change/evolve Within the next three months Consider adopting FAIR as your organization s standard risk model Begin cleaning up your risk register 47

48 Questions? 48