5 questions the board wants answered during risk assessments

NATIONAL HARBOR, Md. — The current iteration of risk evaluation heat maps are akin to slow-to-pixelate Doppler radars. They don't do cyber risk evaluation justice, nor do they convey impact in a thoughtful manner for a board of directors.

The heat map, divided by green, yellow and red, is a near-elementary tool for color coding risk.

"I've seen heat maps since the '90s … and I still don't know what to make of them," James Lam, head of risk committee and board of directors member for E*Trade, while speaking at the FAIR Conference in National Harbor, Maryland Wednesday.

Looking at a heat map, the board is left to question the placement of risk.

"Heat maps are one of the worst things that happened to risk assessment," said Lam. "If I look at something in yellow, should I want it in the green? … or do I want to get closer to orange or red if I can get a return on the risk?"

With a less-than-reliable visual display of potential risk, assigning a dollar value — let alone an action — to a risk is impossible for the board. The board of directors wants risk articulated in terms of trade offs and return on investment.

"These charts are designed to make us uncomfortable" and to give decision makers confidence into what "risks we're enjoying," said Chris Inglis, member of the board of directors for FedEx, while speaking at the event.

Traditional risk heat map

Wikimedia Commons

The board likely sits in about six sessions a year on risk and the lack of exposure creeps into areas that make the board uncomfortable, said Inglis. If someone asks for $5 million for multifactor authentication, the board won't know how to respond.

What the board wants

Traditional color-coded risk assessments fail to quantify risk in a manner boards are prepared to understand. Additionally, all labels on a heat map constitute risk, whether it's in the green or the red section, according to Inglis. The only true non-risk labels are the ones left off the heat map entirely.

Inglis wants his risk assessment team and cyber defense to be able to answer five questions during a pitch:

Are you defending the business or a component of the business, like digital infrastructure?
Are the people authorized to take risk the ones who mitigate the risk?
Has the security organization done everything defensible?
How are they defending the business?
Have you used all the instruments of power at your disposal?

The board doesn't know what to do with traditional heat maps because they fail to use enough precision in locking down solutions, said Inglis. There's also the chance that when risk is defined by different contexts — either cyber or digital business — they miss the overlap.

"Can you imagine a CEO coming in saying 'our sales was green and our expenses were yellow so profitability was orange,'" said Lam. While he understands the difficulty of assessing risk, the same argument was true for cyber. Heat maps do not justly service governance and oversight, he said.

Having a methodology behind risk assessment, like factor analysis of information risk (FAIR) provides consistency in evaluation and quantification. From there, a risk team can use data to make scenarios and assumptions.

Then the team can tie the context of the risk appetite back to a place the board can understand:

How do we tie that to whether we should go to the cloud?
How will it impact insurance?
Do we need to add more controls? And so on.

Models like FAIR are not meant to be used as scripts, they are a building block, meant to aid "people who aren't cynical, but meant to be skeptical," said Inglis, referring to the board of directors. It's a "breath-taking moment" when someone from IT can say they read the business plan during a board pitch.