What do Risk Measurement and scaling Mount Everest have in common?
In 1953, despite skepticism and the public view that no human could successfully reach Everest’s summit, Sir Edmund Hillary and Sherpa Tenzing Norgay calculated the risk and made history as the first to scale the 29,029 ft (8800 meter) summit. Today, an average of 500 climbers successfully reach the summit each year.[1]
For many, the task of precisely measuring and prioritizing risk is as daunting as climbing Mount Everest. We recently engaged in a lively discussion[2] with two Risk Measurement and Risk Management experts, Jack Jones of the FAIR Institute and Gaurav Pal of stackArmor. Both shared interesting perspectives on the challenges that risk professionals face in quantifying risk. They also pointed out several myths that must be debunked before we can elevate the risk measurement profession to the point where risk professionals more effectively articulate risk posture and corporate priorities to their Boards and CEOs. Here are a few of these myths:
Myth #1 – Not all risk can be quantified
In a recently published survey by Aon, only 24% of the respondents said that they quantified their top ten risks. This is a shocking statistic given that “as more organizations have tightened their risk management budgets in response to changing market factors, quantification is an effective way to prioritize risks and decide what corrective actions to take.”[3] Jack Jones explains that everything in our problem space (as information risk professionals) can be quantified. One of the first steps is to clarify what risk actually is. Many refer to damage to reputation/brand as a risk; however, this is really an outcome. For example, business interruption or cyberattacks, when made public, may result in brand/reputation damage. As Jack puts it, “brand damage never happens without a loss event that catalyzes it.” The key takeaway is to clearly understand the things we can measure: the areas we can clearly define as risk.
Myth #2 – Risk measurement must be precise
As Gaurav Pal points out, the typical engineering mindset is to classify things as being either an art or a science. The science of risk management has been viewed as an art in the past, specifically as it relates to quantification because it has been so difficult to put real numbers behind the process. Jack points out that we need to “set aside the notion of measuring precisely. Accuracy is important to a certain degree of precision.” However, risk management does not have to be 100% precise. In the IT risk space, we have enough data to be able to compute risk to a fairly accurate level of precision. The FAIR methodology helps with this. This analytical model is an objective way to measure risk. FAIR decomposes risk into its discrete components and helps to define the type of data you need as inputs. This scientific approach is ground-breaking and rapidly gaining followers because of its inherent simplicity. The added value is the ability to use the experience of peers, “like Sherpas,” who through their experience and risk maturity help to identify and mitigate the risk factors that are common in the industry.
Myth #3 – Risk measurement is difficult
Like Everest with its sub-freezing temperatures, extreme weather and high altitude, the risk landscape is dynamic and complex. Add to that the fact that most companies have limited resources. This is why it’s important to prioritize. If we’re not good at measuring, we won’t be good at prioritizing and won’t be able to tackle the key initiatives needed to effectively manage risk. To address the issue of accuracy versus precision, as a risk professional you must be diligent in scoping what it is you need to measure. For example, clearly define the threat agent or the asset at risk or the vector or the type of loss event. This has to be done before you can actually apply a methodology like FAIR. Again, Jack points out that “FAIR with a bit of rigor around scoping makes risk measurement not nearly as difficult.”
Having full device visibility improves accuracy and precision. With a degree of certainty, risk professionals can analyze a complete list of assets and identify the ones at risk, the likely threat vectors and the potential loss events associated with that category of device.
While scaling Mount Everest is far more challenging than risk measurement, Everest is becoming safer primarily due to better gear, weather forecasting and more people climbing with commercial operations.[4] We also see risk measurement becoming easier, as more people acclimate to using risk measurement methodologies like FAIR.
For more information on how device visibility helps you to improve risk, visit us September 24th and 25th at FAIRCON 2019 in National Harbor, MD.