Conclusions

Our profession has recognized all along that perfect security isn’t possible, nor would it be practical if it were possible. Our fundamental purpose as professionals is to help our employers manage the frequency and magnitude of loss. Unfortunately, the methods and concepts many of us have followed for years don’t reflect the true nature of risk, and have limited our ability to be effective. We haven’t been able to credibly answer some very basic questions:

  • How much risk management is enough?
  • How much risk do we have?
  • How much less risk will we have if we employ solution X, Y, or Z?

Each of these questions implies an ability to measure risk. Yet without a solid understanding of fundamental risk concepts and factors, we can’t begin to credibly measure it. FAIR seeks to provide the necessary foundation through its taxonomy, definitions, and analysis methods.

As I’ve incubated and applied these concepts and processes to real-world risk scenarios where I work, and as I’ve begun to train others within my organization, the results have been significant:

  • Much more consistent, higher quality analyses
  • A greater feeling of confidence by those performing the analyses
  • A greater feeling of confidence by decision-makers
  • A significantly improved ability to cost-effectively manage risk

Of those who have been introduced to FAIR and have had a chance to see it used, most are very enthusiastic in their support. It’s natural, though, for people to accept change at different speeds. Some of us hold our beliefs very firmly, and it can be difficult and uncomfortable to adopt a new approach. Ultimately, not everyone is going to agree with the principles or methods that underlie FAIR. A few have called it nonsense. Others appear to feel threatened by it.

Their concerns tend to revolve around one or more of the following issues:

  • The absence of hard data. There’s no question that an abundance of good data would be useful. Unfortunately, that’s not our current reality. Consequently, we need to find another way to approach the problem, and FAIR is one solution.
  • The lack of precision. Here again, precision is nice when it’s achievable, but it’s not realistic within this problem space. Reality is just too complex. Consider the following illustrations:

[Illustration: two shooting targets. The target on the left shows a tight shot grouping that is off-center; the target on the right shows a wider shot grouping centered on the bull’s-eye.]

The target on the left has a relatively precise shot pattern, but the placement isn’t accurate. The target on the right has a less precise shot pattern, but the placement reflects far better accuracy. Many of the assessment methods and best practices used today provide a relatively high degree of precision, but only address control state. Unfortunately, control state often doesn’t accurately reflect risk. FAIR represents an attempt to gain far better accuracy, while recognizing that the fundamental nature of the problem doesn’t allow for a high degree of precision. My experience has been that decision makers strongly prefer accuracy.

  • It takes some of the mystery out of the profession. The fact is, there are those who prefer to be artists – in some cases because an artist can never be judged as “wrong.”
  • FAIR analysis appears to be hard work. The good news is that it gets easier with practice. After a while, our quick, “intuitively guided” risk judgments become much higher quality because of our deeper understanding. We’re better calibrated. It’s also worth noting that even simple prototype FAIR software applications make complex analyses significantly easier.
  • FAIR appears complicated. There’s no question that most of us like simple solutions when we can find them. In fact, simple solutions are more effective than complex solutions in many cases. Fortunately, we can choose to use the framework at whatever level of abstraction suits our needs. The advantage comes from knowing more about factors that exist at lower levels of abstraction, which enables us to make better judgments at higher levels of abstraction.
  • Some people just don’t like change – particularly change as profound as this represents.

It isn’t surprising that some people react negatively, because FAIR represents a disruptive influence within our profession. My only request of those who offer criticism is that they also offer rational reasons and alternatives. In fact, I encourage hard questions and constructive criticism because:

  • Weaknesses in the framework can be identified and corrected, or
  • The framework may provide an answer to the question or criticism, which strengthens its credibility

Where to go from here

This document barely scratches the surface of development and research spanning four years. More comprehensive documentation, prototype tools, and risk analysis training materials are being developed so that the framework can be applied against the complex real-world issues we face every day. Future documentation will cover the following topics:

  • A much deeper dive into controls, threat communities, and loss
  • Data capture and analysis
  • Complex scenario modeling
  • Broad-spectrum threat analysis
  • Fragility and instability concepts
  • Aggregate risk
  • Error, failure, and acts of God
  • Evaluating risk at the organizational level
  • Integrating FAIR concepts into an organizational risk management program
  • Using FAIR concepts to evaluate other types of risk (e.g., market risk, investment risk, legal risk, etc.)

Your feedback, questions, and insights are most welcome, and I will respond in as timely a manner as workload permits. Please submit e-mails to:

jonesj1{at}riskmanagementinsight-dot-com

Please include “FAIR” in the subject line.

“…and the end of all of our exploring will be to arrive where we started and know the place for the first time.”
- T.S. Eliot
