Risk and Compliance Management: Differences, Similarities, and How to Integrate Them
We often hear risk and compliance management bundled together as a single discipline. While it’s true that risk…
You may or may not have already listened to one of our podcasts, read our eBook, or caught one of our blog posts about risk quantification, but we’ve been talking about it a lot lately.
Why? At LogicGate, we see risk quantification as a way to help you make informed decisions about critical risk scenarios. And that’s a big deal.
Risk quantification enables you to prioritize risks by the magnitude of potential loss for better cybersecurity budget allocation, investment, and mitigation strategies.
Right now, risk quantification is experiencing wider acceptance as a methodology. One reason is the growth of companies' access to historical data. Another reason is that risk quantification makes it easier to communicate your risk posture to the board and key stakeholders. Viewing risk numerically and expressing the math in relatable and measurable terms leads to better understanding and alignment throughout your organization.
Here’s our quick guide to risk quantification.
What is risk quantification?
Risk quantification is the practice of taking a risk that your organization is facing and using statistical methods to communicate its impact in objective financial terms, rather than in more subjective qualitative terms.
How is cyber risk quantification different?
Cyber risk quantification is simply using these same methods to quantify cybersecurity risks, in particular.
What is a quantitative risk assessment?
Quantitative risk assessment refers to both applying risk quantification to individual risks, and the process for applying it methodically across your entire risk register to get a full picture of the financial impact spread out across your organization and to start prioritizing the risks that carry the highest consequences to address first.
Conducting quantitative risk assessments can provide you with a much more precise, tangible, and relatable way to communicate your organization’s risk exposure, which will make it easier to know where to focus your efforts and resources, and make it more likely leadership will support your initiatives.
What are the key elements of risk quantification?
Conceptually, risk quantification is fairly simple. It's about measuring risk and risk response in monetary terms so you can understand your company's loss exposure, communicate it clearly, and make better-informed risk decisions.
Practically, risk quantification can be a little more complicated, but it comes down to having the right process — and tools. To get there, you first need to understand the elements that comprise risk quantification.
Risk identification
To get started, you have to get the lay of your risk landscape. It's important to identify all threats specific to your organization. A global bank will face vastly different threats than a small tech company, for example.
Collaboration should be the name of the game here. After all, risk is a team sport. If you're going to pinpoint all credible risks to your organization, you need to engage with almost every business unit to learn about what they do, what data they have access to, and what people, processes, and technology controls exist in each division.
Risk analysis
Once you have your risk register in place, you should evaluate which assets will be affected if a potential risk does occur. Assess each asset, determine which are vulnerable to risk, and what controls are in place to reduce the likelihood of a risk event occurring.
For example, if your sales team has critical customer or prospect data, how likely are they to be a target of a phishing attack? Has the appropriate training occurred? Does your organization run simulations to educate the teams with access to sensitive data?
You have to explore what controls are in place to prevent a risk event from occurring. Often this can be a tedious process, but it's a necessary one.
Risk cost assessment
Next, you'll assess the monetary impact if a threat materializes for each risk. It's not always helpful to assume the worst-case scenario, but that outcome should be part of your assessment.
It's more useful to present a range of monetary loss, accounting for both internal and external sources of loss. Some internal factors could be lost revenues, or additional operating costs to remediate risk. External factors could include legal or regulatory repercussions, or even things like negative publicity affecting growth potential.
Monte Carlo simulation, for example, is one way to model the financial impact of your risk scenario thousands of times to produce a minimum, maximum, and most likely expected loss or value at risk.
Risk communication
You've estimated the monetary impact of a range of outcomes, from no event to worst-case scenario. But risk is about probability and not certainty, so it's helpful to provide insights on what the most likely outcome would be, and what the mitigation or remediation efforts look like.
You should show your team the data, the story behind it, and the model you used. You should be able to speak to the board and organizational leaders about your level of certainty based on modeling the outcomes, and make the case for allocating resources and investing capital toward risk mitigation.
At its core, this is the process behind risk quantification. It's both an art and a science, and to be able to pull it off, you'll need the support of risk quantification tools. We'll get into what those look like and specifically what they help with later in the article.
Core benefits of risk quantification
At this point, the benefits should be fairly obvious. Risk quantification improves any organization’s risk management operations in myriad ways. Here are a few.
Make better decisions with financial context
Risk quantification can reveal which of your organizational risks stand to do the most harm first, and thus should be prioritized over others, or tell you which risks you could address now in a variety of areas to proactively bring your overall risk exposure down. It can also reveal strategic risk opportunities that your organization can take to obtain a competitive advantage.
Having this information enables teams and leaders to make better decisions around where to invest your valuable and limited time and resources for managing cybersecurity risk and safeguarding the organization. You’ll also be able to report the status and success of your risk program to leadership and the board with more clarity and confidence.
Increase operational and compliance efficiency
Having a clearer understanding of the potential consequences of each risk you’re facing through risk quantification allows you to streamline your risk operations and spend less time sifting through “best guess” cyber risk analyses. Risk quantification speeds up every part of the risk management process past the very first step, identification.
Improve the speed and accuracy of risk assessments
Traditional methods of analyzing risk severity and impact have proved to be far less effective and accurate than using risk quantification. They often rely on vague, red-yellow-and-green charts or ordered lists without any context on how much more significant each risk on the list is than the others.
Risk quantification pins hard financial figures to each risk, bringing business impact context to every discussion and every decision. Plus, it’s easier to quickly update your projections by feeding the most recent data available into the risk quantification models you’ve already set up.
Common and useful risk quantification standards and frameworks
The hardest part of implementing risk quantification at any organization is getting started. Fortunately, there are a few widely accepted frameworks, standards, and models to help.
The Open FAIR™ Model
The Open FAIR (Factor Analysis of Information Risk) Model is a standardized framework for conducting cyber risk quantification. It’s among the most widely-adopted risk quantification frameworks in use today. Open FAIR takes information related to all of your organization’s threats and assets as inputs, then runs thousands of simulations to produce financial impact figures as its output. The analyses it runs under the hood are known as Monte Carlo simulations.
ISO 27005
ISO 27005 is part of the ISO 27000 series of standards from the International Organization for Standardization. This standard is designed to help organizations identify and manage information and cybersecurity risks. This standard includes advice on how to quantify risk to determine the likelihood of occurrence and the potential costs associated with them. These standards can be adopted by any organization and adapted to their unique security needs.
NIST SP 800-53
NIST SP 800-53 is a U.S. cybersecurity standard focused on information security and privacy. It’s mandatory for all U.S. federal agencies, but it can be adopted and leveraged by any private organization. It’s designed to help organizations select the most effective controls to secure their information systems. Risk quantification can inform this process by making it easier to prioritize cyber risks by severity and determine the appropriate controls for each.
OCTAVE®
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation. Developed for the U.S. Department of Defense, it’s a strategic planning and assessment process geared towards helping smaller organizations analyze risk and develop mitigation strategies. Like the other standards, OCTAVE benefits from the clarity and objective financial impact analyses generated by risk quantification, which can be paired with the method’s qualitative assessments.
COBIT® 5 / COBIT® 2019
COBIT (Control Objectives for Information and Related Technologies) is the Information Systems Audit and Control Association’s business-focused framework for IT and cybersecurity management and governance. COBIT 5 and COBIT 2019 are the most recent updates.
COSO ERM Framework
The COSO ERM framework (The Committee of Sponsoring Organizations Enterprise Risk Management-Integrated Framework) is another commonly used framework for identifying and managing enterprise risks. Launched in 2004 and most recently updated in 2017, the framework is designed to help organizations manage risk while driving performance.
Challenges and limitations of risk quantification
Data limitations
One of the obvious challenges facing risk leaders who want to engage in risk quantification is that the method relies heavily on having the right data available. Getting started with risk quantification means taking stock of the data sources you have at your disposal and figuring out which data you still need to obtain to be able to quantify all of your organization’s risk. No data, no quantification.
Fortunately, most organizations have implemented some form of digital transformation, and data is more readily accessible than ever before. Talk to your risk owners and other departmental stakeholders to learn where your organization’s risk data exists, then use a modern GRC platform to centralize it all. Some GRC platforms, like LogicGate Risk Cloud, include dedicated risk quantification features.
Analysis paralysis
When you have a technique as powerful as risk quantification at your disposal, the tendency is to go big and quantify each and every single risk your organization faces right out of the gate. Taking this approach runs the risk that you’ll get bogged down or overwhelmed and end up taking too long to produce meaningful analyses.
That’s why it’s better to pick a few of the risks that you think are the most important to your organization and quantify those first. Then, once you’ve got the hang of things, you can scale up and move down the rest of your risk register. As you go, you may discover risks that your qualitative methods flagged as more or less severe then they truly are!
Expecting too much
As powerful as risk quantification is, it’s never going to give you a 100% perfect assessment of the financial impact of your risks. It provides an estimate of the potential impact of a risk event, and it’s best used in conjunction with other risk assessment and management methods to ensure you’re optimizing where your risk response and mitigation resources are spent.
Failing to continuously update your quantitative risk assessments
Since risks are always emerging and evolving, your risk quantification results will quickly become outdated. It’s important to make sure you establish a regular cadence to conduct additional quantitative risk assessments and make sure your projections are as fresh as possible.
Ask the right questions to get the right answers
Risk quantification is a journey, not a sprint. To get the results your organization wants, you need to have the proper commitment and mindset. A great place to start this journey is to make sure the right questions get answered. Here are five questions to consider when thinking about your organization’s quantitative risk analysis: see a complete list of questions here.
- Which objectives could fail due to current risks and what is the financial impact on the organization?
- What does the board require from you to validate that you are making the right decisions?
- What financial impact does risk have on products and services?
- Does your organization monitor key risk indicators across critical objectives, projects, and processes?
- Is your organization optimally measuring and modeling risk in a quantifiable manner?
More risk quantification resources
Speaking of tips, I’ve pulled together some of my favorite resources so you can easily access them in one spot:
- Use a familiar language everyone understands. GRC & Me Podcast: How to Effectively Communicate Risk Stories
- Get rid of subjective assumptions and replace them with ROI-based objectivity. Blog Post: Putting $$$ to It: Can You Quantify Your Risk?
- Reduces risk by broadening the gaze to all organizational risks, not just cyber. GRC & Me Podcast: Reduce Uncertainty Around Risk with Quantification
- Having a united model and toolset leads to greater ROI efficiency and risk investments through uniform definitions and formulas to calculate risk and develop risk strategies. GRC & Me Podcast: The Secret Sauce for a Successful GRC Implementation
Using modern GRC technology to quantify risk
Getting a quantitative view of your risk landscape and being able to communicate it in financial impact terms is a game changer for any risk management strategy. As you get better and better at leveraging these methods, you’ll find that you have an easier time getting buy-in for your programs and that your team is more on top of risk than ever.
Modern GRC programs like LogicGate Risk Cloud can help you get started with risk quantification and make sure that your risk quantification programs are successful. Click here to schedule a custom demo.