Risk Quantification in Compliance

Risk management helps organizations to comply with applicable laws, regulations, and operational standards, and to approach “continuous compliance” as much as possible. To manage compliance risk, however, the first step is a risk assessment that quantifies the risk you face. So how does a company do that accurately and efficiently? 

To answer that question, we first need to understand the two types of risk: quantitative and qualitative.

Qualitative Risk 

Qualitative risks are uncertain events that could have a range of possible outcomes, from harmless to severe. For example, a business might describe the risk of a major IT system failure in terms of potential likelihood (remote, unlikely, possible, almost certain) and its potential harm (none, mild, medium, severe). A qualitative risk assessment would map those factors along an x- and y-axis, so that managers can prioritize those risks with high likelihood and high severity first. 

This type of risk analysis is based on experience and subjectivity rather than quantitative measures. It is an excellent way to include executives not steeped in formal risk management practices.

Quantitative Risk 

Quantitative risks have a numerical value assigned using algorithms and actuarial data. For example, when assessing the chance of severe weather disrupting a data center, managers can consult historical weather records to gauge the likelihood of a hurricane or tornado in specific locations. Another example: when estimating the potential financial losses of an IT system outage, the company can review financial records to model lost revenue per hour or day.

While quantitative risk analysis determines a numerical value, and that’s helpful; qualitative analysis is often required to determine the full impact of business risk.

The Difference Between Risk Quantification and Risk Management

Risk quantification is a crucial part of the larger risk management process. Once you evaluate and quantify the organization’s exposure to risk, senior executives will be better prepared to mitigate those risks before they can cause damage. So risk identification, followed by risk quantification, is an essential first step in the risk management lifecycle.

Risk Evaluation Criteria

Risks can be quantified with the PERT equation: Risk = Event x Probability x Loss. This model, however, can still leave uncertainty in the final answer because the calculations are typically based on historical corporate data. If the data isn’t complete and accurate, the risk profile may be inaccurate, too. 

A better approach is a continuous risk management process to mitigate (and even prevent) risks that could inflict the most significant harm to the business. 

This involves:

• Identifying all significant risks 
• Determining the potential risk severity and the chances of the risks happening 
• Prioritizing risks by importance 
• Developing risk mitigation strategies to address the largest number of risks with the most efficient use of available resources 
• Implementing cost-effective risk management processes

Identifying risks and their associated severity can be difficult. How can you tell which risk events should be the highest priority? How many financial resources should be allocated to each risk? This often requires input and consideration from your project team to sort out risk priorities. That is, you need a qualitative risk assessment.

Next question: How should risk managers define and measure “impact”? Usually executives answer that question in financial terms and legal liability — but that’s not always the case, and the answer can depend on several variables. Once risk managers have a solution, they can use statistical models to assign a numerical value to the risk, and resources to manage it can be allocated accordingly.

This can be a complex process. Many risk management professionals use what’s known as a Monte Carlo analysis to support their quantification process. Of course, the Monte Carlo method is not the only way to quantify risk; alternative cyber risk quantification methods are available, such as the ISO 27002 and NIST SP 800-53 standards for quantifying cybersecurity risk. Most risk quantification methodologies, however, such as the FAIR (Factor Analysis of Information Risk) framework, would typically use Monte Carlo simulations, so it helps to understand how to employ the Monte Carlo simulation to your benefit.

Monte Carlo Analysis

Mathematician Stanislaw Ulam created Monte Carlo analysis in the 1940s to give decision-makers a method to handle the uncertainty involved in risk analysis. If executed accurately, a Monte Carlo simulation can provide a high confidence level for resource allocation to mitigate individual risks.

The Steps of Monte Carlo Simulations 

Step 1: Awareness

This involves informing business leaders, security teams, stakeholders, vendors, and other relevant parties of the simulation and the risk management process. (Including a risk management professional or CISOs in the business decision-making process is also wise.)

Step 2: Risk management process

The risk management lifecycle involves planning, identifying, assessing, scoring, prioritizing, analyzing, treating, and monitoring risks. All the risk parameters should be kept in a risk register, a record of information about identified risks.

The monetary value of any potential harm, such as cyber attacks and other associated cyber threats (say, a data breach), should be estimated and recorded as part of the risk assessment. This may include a range of values depending on the severity of potential outcomes. Any risk with a variable outcome should consist of a best, worst, and most probable value. 

Step 3: Initial estimates

Next in a Monte Carlo simulation is to add cost estimates to address the best, worst, and most probable outcomes (otherwise known as three-point estimates).  

Step 4: Determine correlations 

Now determine the correlations between cost estimates and possible outcomes. Correlations are typically measured within a range from 0 to 1. Positive correlations indicate that as cost increases, so does risk. Negative correlations indicate that as either the cost or the risk increases, the other value decreases. 

Step 5: Mitigation model

Monte Carlo simulation models should represent the value at risk (“How much will we lose if this happens?”) and the cost to mitigate the risk. A baseline simulation will indicate the cost factor for best, worst, and most probable risk scenarios and the correlations between cost and risk factors. 

A “pre-mitigated” model (one without any mitigation whatsoever) will include risk events and the full financial impact. This helps decision-makers allocate the appropriate budget toward the necessary risk reduction and mitigation methods with the appropriate information security controls. A post-mitigated model will include risk events and all risk treatments applied.

Step 6: Run Monte Carlo simulations

Monte Carlo simulation software will typically run 1,000 iterations to determine what your risk management project requires. When determining contingency, 80 percent of the total project value will be used to determine the final total project cost. The software will allow you to configure your charts to reflect the appropriate amounts.

Step 7: Produce and communicate results

Once the Monte Carlo simulation is complete, it’s essential to perform a risk analysis of the differences between the baseline Monte Carlo simulation and the post-mitigation outputs, to understand the true impact of your risk management protocols and whether they’re sufficient to assure compliance and remediation.

Preparing for a Monte Carlo Simulation

As you might have already concluded by now, running a Monte Carlo analysis is neither easy nor simple, especially for something as complicated as compliance risk. It requires sophisticated use of software, and there are plenty of vendors who offer Monte Carlo tools. 

When preparing for a Monte Carlo simulation, a risk assessment, or even maintaining your compliance risk overall, it’s important to be ready with thoroughly documented information. Attempting to manage your compliance data manually via spreadsheets is not sustainable for large organizations in the long term. An automation-based comprehensive GRC solution is best suited to prepare for enterprise risk scenarios with a data-driven approach.

The RiskOptic ROAR platform provides user-friendly dashboards that show you which risks need mitigating and how to do it, track workflows, collect and store the documents you’ll need at audit time, and more. 

Schedule a demo to learn more about how RiskOptics can help you prepare for a Monte Carlo simulation.