Reviewing original assumptions helps analysts reach better agreement when analyses disagree

Title: When Two FAIR Analyses Don’t Agree: Start with the Assumptions

Let’s set the scene. You and a colleague look at the same information risk problem, but your numbers don’t line up. One result is higher; another sits a bit lower. It’s not that someone made a math error, necessarily. More often, the starting points—the assumptions—are different. And in the world of FAIR (Factor Analysis of Information Risk), those starting points matter as much as the data itself.

Here’s the thing: the quickest way to get better agreement is to conduct a review of the original assumptions made. Yes, that sounds almost too simple. But it’s the hinge for turning divergent outputs into a coherent storyline that leaders can trust. When you revisit the assumptions, you’re doing two things at once: you’re checking the foundation for consistency, and you’re inviting your teammates to align on what really matters in your organization’s context.

Why disagreements pop up in FAIR analyses

FAIR is powerful because it forces you to separate the likelihood of a loss event from the potential impact. But that division also opens doors for different interpretations. A few common culprits:

• Data quality and sources: One team uses vendor-provided incident data, another leans on internal events. They arrive at different frequency and impact estimates because the inputs don’t share a common pedigree.

• Scope and boundaries: Is the focus on a single system, a department, or the entire enterprise? A slippery boundary can tilt results in surprising ways.

• Assumptions about controls: How effective are current safeguards? If one group assumes controls are perfectly working and another assumes partial effectiveness, the risk numbers will diverge.

• Time horizons: Short-term data versus long-term trends can change the probability and magnitude of loss, especially in fast-moving environments.

• Taxonomy and terminology: Misunderstandings about what counts as a loss event or what constitutes an exposure can lead to misaligned results.

In practice, the most stubborn gaps aren’t about math; they’re about meaning. Two people can crunch the same numbers but interpret them through different lenses. That’s why the big move is to pause, compare, and align at the level of assumptions.

Why the assumption review is so effective

Revisiting assumptions is like putting a map on the table and saying, “Let’s agree on the landmarks before we walk this route.” It helps in several ways:

• It surfaces hidden disagreements early. If one team assumed a control was fully effective while another assumed partial effectiveness, you’ve got a clear conversational trigger.

• It creates a shared language. By documenting what you believe about data quality, scope, and control performance, you knit your team closer together.

• It improves transparency. Stakeholders can see exactly where numbers came from and why they differ. That trust matters when risk decisions hang in the balance.

• It directs you to the real root causes of variation. Often, the reason isn’t the math at all—it's the assumptions you baked into the model.

How to conduct the review (a practical way forward)

Think of the review as a collaborative, structured conversation. Here’s a simple, repeatable approach you can try:

1. Gather the two analyses side by side. Put them in plain language. Don’t jump to conclusions yet; just list what each analysis assumes about: the data sources, the time frame, the scope, the control effectiveness, the loss magnitude, and the treatment of uncertainty.

2. Identify the touchpoints. Where do the analyses rely on the same pieces of information, and where do they rely on different ones? Call out any assumptions that live near the same topic but diverge in meaning (for example, “control is fully effective” vs. “control reduces risk by 60–80% under certain conditions”).

3. Document the baseline assumptions. Create a simple one-page sheet for each side that captures the key starting points. Use plain terms, not jargon. This is about clarity, not clever phrasing.

4. Compare and discuss. A focused discussion helps you decide: are the differences material to the final risk figure? Are they about methodology, or just about interpretation? If a difference is material, you’ve found your culprit.

5. Decide on a path forward. You have options:

• Reconcile by adjusting assumptions to a common standard and re-running the analysis.

• Keep the two analyses but clearly annotate where the assumptions diverge and what that means for the results.

• Use sensitivity analysis to show how changes in a few key assumptions shift outcomes.

6. Document the rationale. Capture what you agreed on and why. This isn’t a paper for a committee; it’s a practical record that keeps everyone on the same page going forward.

A gentle digression about collaboration

Assumption reviews aren’t algebra tests; they’re conversations. It helps to bring in a third party or a neutral facilitator who can ask clarifying questions without attaching blame. And yes, that means you might discover that someone’s data source is more optimistic or that a process owner uses a different risk appetite. Embrace those discoveries. They’re the breadcrumbs that lead to better, more defendable risk stories.

What to do when differences persist

Sometimes, even after a thorough review, numbers still look different. That’s okay. Here are pragmatic steps:

• Run a sensitivity analysis. Show how much each key assumption moves the needle. If a single assumption drives most of the difference, you’ve pinpointed where to focus your governance.

• Seek external benchmarks. Where appropriate, bring in independent data or industry benchmarks to test assumptions in a non-biased way.

• Establish a standard vocabulary. Create agreed definitions for terms like “loss event,” “exposure,” and “control effectiveness.” A shared glossary reduces future misinterpretations.

• Keep an auditable trail. Record what changed, who approved it, and when. Traceability matters when decisions rest on those numbers.

Tiny habits that pay off big

• Start with the least risky, most impactful assumptions first. Tackle those that most influence the final risk figure.

• Use plain language first. If you can’t explain an assumption in a sentence or two, it probably needs rework.

• Favor transparency over secrecy. If a data source isn’t ideal, say so. Explain how you compensated for its limitations.

• Balance rigor with pragmatism. You don’t need perfect data to make informed decisions, but you do need clear, justifiable assumptions.

The big picture: why this matters for risk management

When teams agree on the assumptions, the risk story becomes a shared narrative. That matters because decisions—from where to invest in new controls to how to prioritize incident response—live in the conversations that follow. A clear, well-supported set of assumptions makes your risk picture more credible to business leaders, auditors, and technology teams alike. It also reduces the “you said this, I heard that” moments that erode trust.

A thought to carry forward

In information risk work, numbers don’t speak for themselves. People do. The assumptions behind those numbers are the quiet influencers, shaping how risk is understood and acted upon. By making a habit of reviewing the original assumptions, you equip your team to move from disagreement to alignment with purpose.

If you find yourself staring at two different outputs, pause. Gather the maps, compare the landmarks, and agree on what truly matters at the starting line. Then re-chart the path together. You’ll not only get closer to a consensus, you’ll also build a stronger foundation for how your organization sees, talks about, and acts on risk.

A final nudge

Let me explain one more thing: the quality of your risk decisions hinges on clear assumptions, transparent methods, and collaborative spirit. When you take the time to align those elements, you don’t just resolve a disagreement—you Sharpen the entire risk conversation. And that makes the whole organization a little more resilient, a little more confident, and a lot more prepared for whatever comes next.