When analysts disagree in a FAIR risk analysis, begin by examining the assumptions behind each analysis.

Balancing Disagreement: The Simple Technique That Keeps FAIR Analyses Honest

If you’ve ever watched two analysts argue about a risk result, you know it can feel like a tug-of-war between numbers and gut sense. One says the risk is higher because of a big data pull; another points to different assumptions about how likely a loss would be. Here’s the core idea that often sits behind a quiet, shared breakthrough: when people disagree, look at the assumptions they’re using. Specifically, determine if any assumptions have varied between the analyses. It sounds straightforward, but it’s a powerful way to get to a fair, defensible conclusion.

Why assumptions matter in risk work

FAIR (Factor Analysis of Information Risk) helps us translate information risk into something we can measure and talk about. The framework isn’t a single formula; it’s a lens you apply to data, events, and losses. Because it relies on models, numbers aren’t just about data; they’re shaped by what you assume.

Think about a simple example: two analysts are estimating the probability that a cybersecurity incident will cause a financial loss. If Analyst A assumes a 20% chance of a certain control failing, while Analyst B assumes only 5%, their loss estimates will diverge even if both used the same dataset. The core difference isn’t “who’s right” so much as “which assumptions did you bake into the model, and how did those choices influence the outcome?”

In practice, assumptions show up everywhere: in the data you trust, in how you define loss, in the time horizon you’re looking at, and in how you model threat frequency versus impact. Aligning or at least explicitly stating those assumptions can turn a frustrating disagreement into a constructive discussion.

The technique that helps when results clash

Here’s the practical method to apply when analysts aren’t seeing eye to eye:

• Step 1: Gather the two analyses side by side. Don’t hide in the details. Put the numbers, the inputs, and the model structure on the table.

• Step 2: List every assumption. Some are obvious (e.g., this dataset represents a typical environment); others are subtle (e.g., a certain loss magnitude distribution is assumed to be normal). Don’t rush this step—consistency is the goal.

• Step 3: Compare the assumption set. Look for anything that differs between the analyses. A single assumption can tilt results more than you’d expect.

• Step 4: Focus on the big levers. Identify which varying assumptions most influence the outcome. You’ll often find that a handful of assumptions carry the weight.

• Step 5: Discuss implications. For each divergent assumption, talk through why it was chosen and what uncertainty it introduces. This isn’t about winning the argument; it’s about clarifying the basis for each conclusion.

• Step 6: Decide how to move forward. Do you reconcile the assumptions, perhaps by standardizing a shared baseline? Or do you document the rationale behind each stance and present both results with clear caveats? Either path increases trust.

• Step 7: Embed the clarifications. Update models, data sources, or documentation so future analyses don’t stumble on the same fractures.

Why this approach works better than other reflexes

• It targets roots, not symptoms. Checking assumptions gets to the core reason two analyses disagree, rather than superficial checks like “we added more data” or “we changed the order of steps.”

• It builds a shared language. When everyone can point to a concrete assumption, the conversation becomes about perceptions and evidence, not personalities.

• It manages uncertainty gracefully. Recognizing where assumptions diverge helps you quantify or at least bound the uncertainty your results carry.

A practical, real-world rhythm you can borrow

Imagine you’re evaluating a vendor risk scenario. Analyst A uses a wider loss distribution because they expect higher impact from a data breach involving personal records. Analyst B uses a narrower distribution, grounded in recent incident data that shows faster containment and lower average loss per event. The disagreement isn’t about the numbers themselves so much as the loss magnitude assumption and the containment effectiveness assumption.

How to handle that gracefully?

• Map the inputs. Create a simple matrix that lists each assumption on one axis and the two analyses on the other. It’s a plain, almost tactile tool that makes differences visible at a glance.

• Challenge the defaults. If one side assumes a distribution shape (like normal) and the other uses a different shape (like lognormal), ask why. Does the data support that choice? How sensitive is the outcome to the shape?

• Run quick sensitivity checks. Even if you can’t rebuild every model, you can test how results shift when you nudge a key assumption. If a small change in a critical assumption swings results a lot, that’s the signal worth attention.

• Document the rationale. A short note next to each assumption—why it’s there and why it might be questionable—keeps conversations focused for next time.

A few tangents that fit here

While you’re chasing the core idea, you’ll likely wander into related topics that really matter in information risk work:

• Data provenance and trust. Good assumptions depend on clean, traceable data. If you can’t prove where a data point came from or how it was processed, you’ll carry that doubt into every result.

• Model complexity versus clarity. There’s a temptation to layer on fancy calculations, but complexity can obscure why a result looks a certain way. When disagreements pop up, simpler, transparent assumptions often win the day.

• Time horizons matter. A risk assessment anchored to a 12-month window isn’t the same as a 3-year view. Different horizons change loss magnitude and frequency assumptions, and that’s a common source of conflict.

• Stakeholder perspectives. Security teams, IT operations, and executives all weigh risk differently. Making assumptions explicit helps bridge those gaps and aligns the conversation with business priorities.

What not to overlook

• Cognitive biases can creep in. People tend to cling to what they believe works in their own environment. A neutral, structured comparison helps guard against bias.

• Hidden dependencies can skew results. Sometimes two analyses share a data source or a modeling step but treat it differently. Don’t assume independence—check those links.

• Documentation isn’t optional. When the team moves on, someone will ask, “Why did we choose that assumption?” Clear notes prevent misinterpretations later.

Bringing it all together: trust, clarity, and better decisions

When analysts disagree about results, the honest path isn’t to pick a side or to bury the disagreement under more data. It’s to pull back and examine the shared engine that runs the analyses—the assumptions. By identifying, comparing, and debating the assumptions that underlie each result, you can uncover why outcomes diverge and decide how to proceed with transparency.

This approach doesn’t just tidy up a single disagreement. It improves the whole decision-making process. Stakeholders gain confidence because the team can point to specific, justified choices rather than vague disagreements. In information risk work, trust isn’t a nice-to-have; it’s part of the output. And trust grows when everyone can see how conclusions were built—from the ground up.

A few quick tips to remember

• Start with the obvious, then move to the subtle. Don’t miss the big, impact-heavy assumptions.

• Use a simple side-by-side comparison. A small matrix can reveal more than a page of notes.

• Don’t fear disagreement. It’s often a sign that you’re digging in a productive, thoughtful way.

• Keep the focus on business relevance. Every assumption should connect to real-world consequences and governance needs.

• Document and share. Clear write-ups help everyone stay aligned as projects evolve.

Final thought

Disagreement isn’t a roadblock; it’s a signal. When analysts pause to map and compare their assumptions, they turn a clash into a collaborative moment. The result isn’t just a number—it’s a clearer picture of risk, built on transparent reasoning and shared understanding. And isn’t that what good risk analysis is really all about?

If you’ve encountered a disagreement in your own work, consider starting with the assumptions. Ask, “What did we assume here, and could that differ from what someone else assumed?” You might be surprised how quickly a path to common ground emerges. And once you land there, you’ll feel the difference in every subsequent analysis—more trustworthy, more actionable, and frankly, more human.