I'd like to ask our panelists, including yourself, I hope, Alberto, to join us. If you do have access to video, that would be great; it helps connect with our audience. If not, then we'll just come to you on audio. So we have a panel of everyone who's spoken in the second half here, which is great stuff. I'm going to kick off. We've got a number of questions here. I'm going to kick off with one which I think may be aimed at you to start with, Joel, if I may, since it came in while you were talking. The question is: by introducing heuristics, does this not make it a qualitative rather than a quantitative model of risk assessment? If so, how will the subjectivity impact security metrics and organizational security?

I guess I would need to understand, before approaching that, where heuristics was introduced.

That may actually... I may have misspoken. That may actually have been Mike and Bob's presentation then.

OK, I believe so. The introduction of heuristics. Unless everyone is denying introducing heuristics to the mix, but I guess it came from somewhere.

That might have been in reference, Joel, to the risk matrices in your presentation.

Right. OK, so in that regard, I would say what I was trying to do is take something that had been derived using heuristics, the matrix itself, and from it derive something that could then be used to apply the results of an Open FAIR analysis against it. So if it was interpreted that I was introducing heuristics as a suggestion, I would certainly want to correct that and make sure that what I was talking about was the fact that a lot of those risk matrices that are in wide use from risk management organizations are often developed using those kinds of methods and approaches. What I was trying to introduce is a way to approach those to extract a range from them that could then be used consistently when reporting the ALE numbers.
But it was certainly not my intent to suggest introducing heuristics into that process.

Right, OK, fair enough. Thank you. OK, let's move on. This one is open to anyone, but certainly those who've been using Open FAIR inside organizations in their practice: any suggestions for how to introduce or make the case for the introduction of Open FAIR in my organization? How might you go about getting your organization to consider using something that they're not currently using, like this, for such an important topic?

I'll take a swing at this to start off the conversation. Steve, thank you. What I've seen done successfully, and participated in, is simply taking the output of a quantitative model, specifically something like a loss exceedance curve, and showing it to a would-be champion. In one case it was the VP of Enterprise Risk, who had been searching for a better approach to assessing risk and drives to understanding decision making under uncertainty, and really, very simply, to apply dollars to risk. Those are his terms. As he saw FAIR and saw FAIR used, his comment to the team was, "We finally have a way to assign dollars to risk," which in a healthcare environment was the exception to the rule. So that is one approach or one tactic you could use: show them this is what we can get from FAIR and probabilistic modeling in general, and let that speak for itself. And if I could just add a little bit more: definitely look for a champion, look for an executive-level champion that's going to help you carry that flag, because especially if you're an analyst or someone six or seven layers deep in an org chart, that's an uphill battle.

Right. That's good advice.
If I may take one step further, once you've done that and shown them that you can do it in dollars, the approach I've taken in several different organizations is specifically around allocation of resources. The idea is, if you show them that loss exceedance curve and you say, listen, if you treat this as an $80 million risk, just to use a number, that is a possibility, but it may in fact be in the 99th percentile. So while talking in terms of "it's possible this could be an $80 million risk" is true, when you show them the rest of the loss exceedance curve and say, you know, most likely 95 percent of the values are going to be $10 million or less, the difference in that is how I've approached quickly showing them a return on investment from the investment of doing the quantitative risk analysis. The return on your investment is: if you treat this as an $80 million risk and then apply resources as if it were an $80 million risk, versus treating it as a $10 million risk, the difference in the amount of resources you're going to allocate is a quick way to show it. So that first showing of how it can be communicated in dollars, and then to me the next step is quickly showing them the return on investment from doing the analysis work and stopping treating things as, if you're doing 10,000 Monte Carlo simulations, the one-out-of-10,000 result versus where 95 percent of the results end up.

Okay, thank you, Joel. Bob, did you have something to add?

Yeah, I was just going to add to the two comments that if we're talking about a financial institution, let's say a bank, Open FAIR fits perfectly into the framework, because number one, you have to quantify the risk in terms of some percentile, let's say the 99th percentile. As Mike and I showed, you also have to use the average amount of loss and subtract one from the other. That's the capital number, as we described.
And it's necessary that those numbers be calculated because we're calculating this for the other risks, the market risk and the credit risk. So it fits perfectly into the banking framework. It's something that the regulators would accept as a model, as long as the model is made transparent, and the model is made transparent in terms of the assumptions built in, if you're talking about running a certain number of Monte Carlo simulations. It also has certain nice features to it, which is not only looking at the 99th percentile or some percentile; you also can calculate the risk in the tail. And that calculation of the risk in the tail, or the expected risk in the tail, is the way the regulatory apparatus in banking is going. So it has all the nice features that you would otherwise want, and it does integrate well with the other types of risks. I would add, somebody mentioned that it also impacts risks like strategic risk and reputational risk and so on. So it also allows, once you calculate the operational risk, of which cyber is a part, to project that risk into other risks using the quantitative framework, which fits well. So I'll stop there. It just works well is the point.

Great, thank you both.

And I think I'll add one more point to it. I think the question was how to introduce quantitative analysis, and I think it gets down to how the organization makes decisions. There are different decision modes and models that senior executives and boards use. One of them is centered around command, control and compliance, where you have something like checklists and policies and procedures to follow, and you want to audit against those. Another kind of decision-making framework is around quantitative economic analysis, which requires different data collected than command, control and compliance.
So this starts out by analyzing or looking at how the organization makes decisions, or how the organization aspires to make decisions, and then telling and influencing the senior leaders there that your organization has to produce the right kind of information to support the decision style that you've committed to. I think if you start there, you have a solid foundation for harmonizing how the organization produces knowledge or information with the way the organization wants to consume it in making business decisions.

Right, thank you, Mike.

Just to complement, in terms of experience: we are using a kind of agile technique, not to introduce everything at the same time but really to do sprints, which can be one-week or two-week sprints, and they have a kind of backlog of different risk scenarios. Using this big list of risk scenarios identified, we can select the scenarios that are most relevant and so begin doing a kind of life cycle of risk management, or a feature of the scenarios. So we can have a big panel with this backlog of scenarios, and each of the scenarios has different kinds of moments in terms of the steps of the risk managers. I think this agile approach can help to introduce something new, because we are with the airplane flying and we have to make these changes in the middle of the processes that already exist in the organizations.

Right, absolutely. No, that's very true. Great. Okay, thank you. I think we've got that one done. Bob, you referred to this question in your answer, but I think we should address it specifically. The question is: in the example that Bob and Mike were talking about, cyber risk is taken as being applied to operational risk, but it has other dimensions, like long-term strategy. Can you comment on the use of Open FAIR for things like long-term strategy or other dimensions other than operational risk?

Maybe I'll try to give a quick answer to that, Steve.
I'll give you the case of that RAROC example; risk-adjusted return on capital is a very important calculation. It's not an academic discussion. We would use that RAROC to make a decision to enter a business or reject a business, or that kind of thing. So you can imagine a business where you're very vulnerable and the cyber risk is large. In that case, if you reject that business, then you are rejecting a strategic approach that you may otherwise want to take. And those strategic approaches are reviewed on a regular basis. So you might think of it at both a tactical level and a strategic level, and it links very nicely. You fail the risk-adjusted return on capital calculation, you just don't penetrate that business. And these are both a priori discussions, before you enter a business, and then ex post: how is the business performing? So the link is nicely aligned.

Okay, thank you. Anyone else got a comment on use other than for operational risk?

Only that, as Bob and I have worked together, what you see more and more is that risk is risk. Different specialties analyze it a little bit differently, under different assumptions and maybe using different models, but the fundamental concepts behind it tend to stay the same. And that lets FAIR be used in these different contexts with relatively few modifications.

Right. Okay, thank you. All right. Since this is actually about what's in the standard, I might come to you with this one initially, John. John Linford. Why is it that Open FAIR differs in its definition of risk from ISO 31000, which allows for a positive deviation from what is expected?

I'll take the first cut at that. Really, what we see with Open FAIR when we're talking about risk is, in the definition, the probable frequency and probable magnitude of loss. So to try to have it also talk about potential benefit, with that being the definition, is maybe a little bit weird.
We've done some thought experiments before, trying to adapt the risk tree to look at it from the opportunity side, so rather than a loss event frequency, it was some sort of benefit frequency. Nothing really ever came of that, just due to differences in opinions and approach and assumptions about how it might be used. But really the point is that if you're going to be using this for risk analysis, you want to be talking about it from the same context. So if you're always looking at it from loss, not loss or benefit, then when you use the word risk, you know exactly what conversation you're having.

Okay, thank you.

Just to complement, because we are having in ISO internally a big discussion about this, because some committees, like quality, changed the definition of ISO 31000 a little, using just "the effect of uncertainty" rather than "the effect of uncertainty on objectives." So they cut "on objectives," but we can think about the objects, which can be everything: not just a strategic objective, but also, for instance, in the case of security, confidentiality, integrity and availability. And so we have this opposition between risk and opportunity, but theoretically we prefer to consider risk at the top, and we can have threats and opportunities, because if we apply Open FAIR with, instead of a loss event, a benefit event, for instance, then instead of reducing the risk, in some situations you'll have to increase the risk because you want to increase the benefits. What is interesting is that Open FAIR applies perfectly in this situation too.

Great. Good to hear. Okay, thank you. Moving along, I think this one is probably a good place for you to start, Joel, if we can. What advice would you give to a risk analyst in an organization that implements controls based on compliance rather than measurable risk reduction?

In a couple of frameworks, I do know that the decision to do something is often predicated on a risk analysis having been performed.
So this is where, depending on the thing you're complying with, it will be very important to understand if it is literally telling you that you must do these things exactly as stated, or if it's telling you here are some things to do based on a risk analysis, because over the course of my career I have seen compliance organizations fail to read the fine print, so to say, and they just basically take the laundry list of controls and go do them in order. And in fact, upon closer reading, it's based upon a risk analysis or risk assessment, however they phrase it in that particular framework: here are some things to do. So really the first place I'd start is know the thing you're complying with, and know it well. Don't just automatically gravitate to the laundry list of controls, because it's easier to just run down the list of 25 things to do than it is to do a mature risk analysis to be able to make the case of "we're not going to do this thing, and here's our risk analysis that shows why it's a perfectly reasonable risk to accept." It's a little harder. Doing good, mature risk analysis as part of risk management is frankly harder to do than just chasing a laundry list of controls. So my first piece of advice, based on how I understood the question, was just: if your list is predicated upon a risk analysis, implement Open FAIR and actually take that approach before going off and just doing the things that the framework says. In some cases it may be a law where risk analysis is a moot point, you must do these things, but it's probably not going to be all of those things that you have to do, if you can again reasonably show why you didn't. It typically becomes a problem when a company isn't doing something and there's no risk analysis behind it, there's no reason behind why they didn't do it, where a risk analysis can show you that path of "we chose to accept that risk, and here's the analysis that led us to that conclusion."

Oh, that makes sense.
I don't know of any compliance framework that would expect you to go and lose money on it. If you're showing there's really no risk here, well, we don't care, you have to do those things anyway. I mean, they may be out there; I haven't read them all, but the ones I've read have all been based on risk analysis.

Thank you.

Steve, if I might add, just to complement what was just said: in a financial institution, compliance might be that I have to have a minimum amount of regulatory capital to operate in a certain business. So I have to check, am I complying with that regulation? However, what I'm really trying to do is optimize my risk and return relationships. So I have certain programs; I can use Open FAIR to let me know that I am optimizing my risk-return relationships subject to the fact that I meet certain compliance constraints, like having a minimum amount of regulatory capital. So they work together nicely, but they're separate.

Okay, thank you. Anyone else with a comment? Otherwise, we'll move on. Okay, well, we talked about the difference in the definition of risk from the ISO 31000 standard. A question about another framework: how does Open FAIR align with or differ from the NIST Cybersecurity Framework? Anyone want to tackle that one?

I'll start, Steve, if you like.

Thank you, Mike.

The NIST Cybersecurity Framework describes the categorization and some other things about technology and controls, and a little bit about process in terms of identifying and inventorying assets and such things. And it calls for you to do a risk analysis, and it allows you, or asks you, or suggests that you make risk-based decisions, but it is silent on how you do that. And so FAIR and risk analysis give some meat to the requirement, or suggestion, or guidance that the NIST CSF gives that says make risk-based decisions. But the more important point is that the two are separate, and they're positioned this way.
The board's obligation is effective risk management and risk governance. The means to that end are your security controls, which allow you to govern risk to some kind of envelope that management is comfortable with. So security, and the NIST CSF, is the means to the end of effective risk management.

Okay, that sounds good, Mike. Thank you.

Yeah, just to complement you: I think that we can have this kind of categorization, because some kinds of controls can affect specific factors of Open FAIR, and so they can reduce the frequency or the magnitude, depending on which of the controls. And in general, not only NIST CSF but also CIS and ISO and the other standards are more focused on implementing the controls, and of course one of the best practices, or a control, is to do a risk analysis to take decisions, et cetera, but really they are not specific about how to do it. So it is more the what, and then the how. And I think that in the case of a qualitative or quantitative approach, we can have a big tool to really support the decision makers in selecting which of the controls of NIST, or whatever framework we select, have the better relationship in terms of risk and return.

Okay, thank you. Okay, so the next one. I know that you tackled this in the chat a bit, but I think it's an interesting example; I'd like to just go there again. "I recently experienced a healthcare cyber outage from the patient perspective. A large healthcare provider in Southern California was massively impacted by ransomware such that their X-ray systems and scheduling systems were inoperative for three weeks." Do you see... it's a multi-part question. Do you see risk management being taken more seriously in healthcare? Do you see Open FAIR being adopted more, and are healthcare organizations really using a risk-based approach?

Yeah, that's a great question. I'll tackle this one part at a time.
Various parts of risk management have been mature in healthcare for a long time, especially on the clinical side. So there are departments, there are teams, that do regular reviews of issues and near misses and all of those kinds of patient-safety events, and they're really good at it. So they've gone pretty far down that path. In other functions and other silos, departments of hospitals specifically, which is where my expertise is, it's a lot more fragmented, and in some cases it's a lot less mature. Finance, for instance: they're building pro formas that aren't probabilistic; they're not looking at risk quantitatively or probabilistically. IT is a mixed bag. We have seen a kind of growing surge of interest in and adoption of Open FAIR by IT departments and other operational areas. Healthcare, anecdotally, has always been five to ten years behind other industries in terms of adoption of process, methodology and technology, and I think the same holds true with Open FAIR. But again, there is definitely growing interest, and there are some leading organizations, in the US at least, that have adopted FAIR and Open FAIR and are really a center of excellence, if you will.

Right, right, thank you. Anyone else, any comments on the approach in healthcare? If not, then let me move to the financial institutions. Bob and Mike obviously talked about those specifically. How commonly do you see Open FAIR being used in financial institutions, and do you expect that to increase?

Why don't you start, Mike, and I'll add a few words.

So I think, from my own personal experience, the best answer I can give is I don't know. I do know that some financial institutions have used Open FAIR, and there are big banks that have used it. I didn't work personally with them; I just know of others who have.
The impression I have from that is that they were driven by their IT organizations and not the risk group within the bank that is responsible for things like compliance and the things that Bob and I talked about in our presentation and in our paper. So I know it's being done, maybe to make local decisions in bank security organizations to justify certain security control expenditures and the like. I don't know how it's going to move beyond that, and that's what Bob and I spent the last year really discussing and hashing out: how that could happen. And Bob, maybe you'd amplify on that.

Yeah, let me just try to give some color here. I was a chief risk officer and ran the treasury function at a couple of tier-one banks. A lot of the risk management that takes place in those financial institutions is based on tools like Monte Carlo simulation. We use Monte Carlo simulation to measure market risk, we use it to measure credit risk, and so on. So the fact that FAIR is based on a Monte Carlo simulation approach and has the same sort of output statistics is a very valuable feature for integrating with the other pieces that we would otherwise use. I, as a chief risk officer, was not familiar with Open FAIR until I met Mike, and Mike and I started having conversations about it, and then through those conversations realized the applicability to what would take place in a financial institution, a bank, an insurance company and so on. So I think it holds a lot of promise in terms of how it might be rolled out, and some of the vocabulary associated with it has to be harmonized with some of the bank vocabulary. I can't answer directly the question of how it is being used across the banking community, but I can tell you I'm a co-founder of a risk organization called PRMIA, the Professional Risk Managers' International Association.
And from the kinds of tools that PRMIA talks about, and what I'm learning and now participating in with the paper, you can see how it could be rolled out in a very nicely integrated way if it was exposed to the chief risk officer community. So maybe that's a long way of saying: not clear what the direct answer is, but we can see the promise, given what we're talking about today. I hope that works for you, Steve.

It does, thank you, Bob. It does, very much so. Okay, we're nearly out of time, and I just want to take one question that cycles us back nicely to what we were talking about before these sessions, which was Zero Trust. Do you see any benefit from using Open FAIR for implementing Zero Trust? And since you've been common to both, John Linford, I'm going to aim this at you first.

It's perfect. Yeah, it's definitely an interesting point, because Zero Trust and Open FAIR are sort of the two big streams in the Security Forum, and there's no reason they don't play nicely. Open FAIR is that risk analysis standard, methodology, framework that can help you make those decisions in implementing Zero Trust. If you don't know how, or don't have a consistent way, to manage and measure risk in your organization, it's going to be really hard to figure out what data are the priority to try to secure. What assets do I secure first? Where do I put these secured zones, and what sort of controls do I put around them to manage my risk as effectively as possible while still allowing my business to make decisions and act quickly and stay relevant in the market? Especially as we see an emphasis on automation and that kind of thing, and as we're seeing more and more Open FAIR tools come around in addition to the free one that The Open Group offers, there's a lot of promise for tie-in around getting real-time risk values using Open FAIR to help you make those decisions in real time, which is really cool.

Great, thank you. Any other comments on use of Open FAIR for Zero Trust? If not...
I think John said it well.

John said it very well, yeah.

Okay. Bob, did you have something? I can't hear you if you're speaking.

No, except, I know we're coming to a close, but I have to say I've learned a lot from participating in The Open Group process, and I've learned a lot just listening to my colleagues on the panel today. So it's a pleasure to participate.

Oh, it's great to hear, and we're glad to have you. And a couple of quotes I want to share that one of the attendees put in the chat earlier: "Open FAIR is a powerful weapon in the cyber risk war, and I loved the course I did," and "Open FAIR is perfect to quantify your HVA and your data tokens." So nice comments and endorsements of Open FAIR. We're going to leave it there, gentlemen. I very much appreciate your participation and hope that the attendees have learned something too, and I'm sure they have, from this session. So thank each and every one of you for participating today, and thank you all for the questions, folks. So thank you, our panelists. Wonderful job, thank you.

Thank you.

So hang on in there, folks. We are done with that particular session, but before you disappear, I do want to close up the event today, and I'd like to thank again our sponsors: Bizzdesign, LeanIX, Mega, the Association of Enterprise Architects and Van Haren Publishing. So thank you again to those organizations. We've had a full day today, a very busy day, and we're back tomorrow with a focus on digital standards. Before we leave today, though, I do want to introduce something that we're quite excited about at The Open Group, and which actually includes some of the things we've been talking about today as well, and that is the Architects Toolkit. Those of you who have visited our website recently will hopefully have come across the Architects Toolkit. I just want to give a bit of an introduction about what that's all about. We have many great standards at The Open Group and many useful tools for folks.
But one of the ways in which they are more useful is if they actually work together and we can see the synergies between them. That's really the concept behind the Architects Toolkit: let's bring these various things together so that you have the right tool for the right job as you're doing your work, whether that's in connection with digital transformation activities or something else. So we've done some work, and we'll continue to do some work, on pulling these together and showing you all how they work together and how useful they can be when applied together. We've got a series that is going to start after this introduction. August the 3rd will be the first of the sessions on the Toolkit, and we're calling it Toolkit Tuesday. So every other Tuesday, for quite some time, we're going to run some short broadcasts, effectively, on the topic of the Toolkit. It's going to be quite a long series, and there'll be some interviews over the course of the series, some presentations, some interactive activities. So there's going to be a lot in there. Please look out for Toolkit Tuesdays and the Architects Toolkit. As we play out today, we will leave the chat running for you to connect with each other and give us any feedback you want to give. And we've got an introductory video, which unfortunately for you all has me talking, but it'll introduce the Architects Toolkit and what we're going to do with our Toolkit Tuesdays, and we're really quite excited about it. There's going to be some great stuff, so look out for it, and we hope to have you back watching those. And lastly, I'll just conclude by thanking you all for your attendance, and we're back tomorrow, as I say, for those of you who can join. We'd love to have you, and I hope you've got a lot out of today, and, as I say, let's have some feedback in the chat if you can. And without further ado, we'll introduce the Architects Toolkit.
Wherever you are in the world, thank you for joining. Be safe.