The folks over at the FAIR Institute were nice enough to interview me recently and turn it into a series of blog posts. Part 1 is up right now and sets the stage for how to assess quality in your Cyber Risk assessments.
Risk management is all about making forward-looking statements about things that may or may not come to pass. This is also known as forecasting. Read more about this in my latest @ISACA column.
I’m pleased to announce that I have been asked to present at the Cyber Risk North America conference on 15-16 March in NY. Its offered in conjunction with OpRisk North America where I presented last year.
I will be presenting on the theme of assessing quality using Risk Forecast Accuracy (a topic that was the subject of our article in the February ISSA Journal). Come for a great session on the practical approach of creating and measuring the accuracy of the rating tables for your organization. I’m scheduled to speak on the second day at the 11:40AM session.
In this month’s ISSA Journal, my colleagues and I wrote about Risk Forecast Accuracy. This is a practice that all mature risk functions should pursue and we offer an approach that is relatively straightforward and practical in its application.
If we accept that risk is a statement about the future, then its important to also measure how well we did at forecasting these bad things. Its a job that requires staying up to date on what is happening in the industry and to what extent it will apply to your specific organization. It provides not only a good measure of how well you did, but also a foundation upon which you can base what your risk should be going forward.
Risk work is never complete; continuous improvement should be our goal. Embrace being incomplete.