LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

What does a FAIR-style risk report for a real organisation look like, and what does it answer?

A one-page card per risk: scenario description, owner, value-at-risk in CHF (distribution, not point), affected business unit, mitigation status, and the strategy chosen.

The Swisscom case study (published in ISACA Journal 2020 about a "Customer Portal Data Breach" scenario) shows the format:

Top of report — quantitative results:

  • Distribution of Losses histogram (e.g. min CHF 38k, most-likely CHF 195k, 90th percentile CHF 549k, max CHF 904k)
  • Annualised Loss Exceedance curve
  • Per-event Primary and Secondary loss breakdowns
  • Vulnerability %

Bottom — narrative + treatment:

  • Risk scenario description (e.g. "data breach due to weak authentication — potential DSG/FMG violation")
  • Risk Owner (Product Owner) and Security Responsible (Security Officer)
  • Status of mitigations (Monitoring, throttling, identity management)
  • Risk mitigation strategy chosen (Avoid / Reduce / Transfer / Accept)
  • Bar chart: Current Risk vs Residual Risk after IT investment (e.g. CHF 800k → CHF 320k via CHF 120k investment = CHF 480k average risk reduction)

Why this format: it answers the executive's only question — "how much CHF will this cost us, and how much does the proposed control buy us?" — in one page.

From Quiz: ISF / Risk Management | Updated: May 31, 2026