FAIR-CAM addresses the question FAIR itself does not directly answer: if you invest in a specific control, by how much does the risk go down? Base FAIR gives you a loss expectancy range for a scenario. FAIR-CAM adds the controls layer, mapping each control's strength and coverage to adjustments in the loss event frequency factor, so the model can express the risk delta between a current state and a proposed control investment.
Mechanically, FAIR-CAM breaks each control down into two dimensions: effectiveness and coverage. Effectiveness captures how well the control performs its function when invoked. Coverage captures how consistently it applies across the relevant attack surface. Both dimensions feed into the probability that a threat event produces a loss event. When a control improves, the loss event frequency goes down; when coverage is partial, the risk reduction is proportionally smaller. This makes it possible to model the difference between, say, deploying MFA for all users versus for privileged accounts only.
For organisations that have already built out a FAIR risk register, FAIR-CAM is the mechanism that makes the register useful for procurement and investment decisions rather than just for reporting. It answers the question a CFO or a board risk committee will eventually ask: we have a hundred thousand euros to spend on security this year, which control investment reduces our exposure the most? The Risk Investigation Agent uses FAIR-CAM as the analytic layer that connects control proposals to quantified risk outcomes.
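
The MFA comparison above, worked through as an added example (not taken from the FAIR-CAM standard or from the Risk Investigation Agent). It assumes a simplified model in which a control lowers the probability that a threat event becomes a loss event by effectiveness × coverage. Segment names, frequencies, loss figures and costs are constructed, and point estimates stand in for the ranges a FAIR analysis would use.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:            # one slice of the attack surface (all values constructed)
    name: str
    tef: float            # threat event frequency, events per year
    susceptibility: float # P(threat event becomes loss event) with no control
    loss: float           # loss magnitude per loss event, in euros

@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # P(control stops the event when invoked)
    coverage: dict        # segment name -> fraction of that segment covered
    annual_cost: float

def annual_loss(segments, control=None):
    """Expected yearly loss; assumed model: reduction = effectiveness * coverage."""
    total = 0.0
    for seg in segments:
        p = seg.susceptibility
        if control is not None:
            cov = control.coverage.get(seg.name, 0.0)  # uncovered segment: no benefit
            if not (0.0 <= cov <= 1.0 and 0.0 <= control.effectiveness <= 1.0):
                raise ValueError("effectiveness and coverage must be in [0, 1]")
            p *= 1.0 - control.effectiveness * cov
        total += seg.tef * p * seg.loss
    return total

def risk_delta(segments, control):
    """Risk reduction between the current state and the proposed control."""
    return annual_loss(segments) - annual_loss(segments, control)

def rank_by_reduction_per_euro(segments, controls):
    """Order control proposals by euros of risk removed per euro spent."""
    return sorted(controls, key=lambda c: risk_delta(segments, c) / c.annual_cost,
                  reverse=True)

SEGMENTS = [Segment("privileged", 4, 0.25, 200_000),
            Segment("standard", 40, 0.10, 10_000)]
MFA_ALL = Control("MFA, all users", 0.9, {"privileged": 1.0, "standard": 1.0}, 50_000)
MFA_PRIV = Control("MFA, privileged only", 0.9, {"privileged": 1.0}, 8_000)

if __name__ == "__main__":
    print(f"baseline: {annual_loss(SEGMENTS):,.0f} EUR/yr")
    for c in rank_by_reduction_per_euro(SEGMENTS, [MFA_ALL, MFA_PRIV]):
        d = risk_delta(SEGMENTS, c)
        print(f"{c.name}: delta {d:,.0f} EUR/yr, {d / c.annual_cost:.2f} per EUR spent")
```

With these constructed inputs, full deployment removes more risk in absolute terms, while the privileged-only deployment removes more per euro spent; different inputs can reverse either ordering.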



