
Risk Quantification

Also known as:
  • Quantitative Risk Analysis
  • Cyber Risk Quantification

The practice of expressing cyber risk as expected annual loss in monetary terms rather than ordinal labels, enabling direct comparison between risk exposure, control investment, and insurance.

Written by Askara Solutions editorial team · Updated

Risk quantification is what separates a risk conversation from a risk guess. Most organisations that run a risk assessment produce a register scored in colours or numbers on a five-point scale. Those outputs look like data but resist the questions that matter: how much should we spend on this control, is this risk above or below our insurance deductible, does patching this system this quarter beat hiring an extra analyst?

The quantitative answer runs through financial loss. Loss event frequency captures how often a given scenario is expected to produce a loss in a given year. Loss magnitude captures how much that loss costs when it lands, broken down into primary losses (direct costs: investigation, remediation, notification) and secondary losses (regulatory fines, reputational damage, lost revenue). Combining frequency and magnitude distributions, typically via Monte Carlo simulation, produces an expected annual loss range that can sit alongside other business numbers in a budget conversation.

FAIR is the methodology that made this tractable for mid-market organisations. Its decomposition tree, three-point estimation approach, and explicit treatment of control effectiveness as a factor in loss frequency are the building blocks the Risk Investigation Agent uses to produce quantified risk outputs that a board, an insurer, or an auditor can follow end to end.
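The following is an added example (not code from the page or from Askara Solutions) showing how the pieces described above fit together: three-point (min, most likely, max) estimates for loss event frequency and for primary and secondary loss magnitude, a Monte Carlo simulation over many hypothetical years, and a comparison of the resulting expected annual loss against a control's cost and an insurance deductible. The scenario numbers, the PERT-distribution choice for the three-point estimates, the Poisson model for event counts, and the assumption that a control acts as a straight percentage reduction in loss event frequency are all illustrative assumptions, not values or methods taken from the page.

```python
import math
import random


def pert_sample(rng, low, mode, high):
    """Draw one value from a PERT distribution built from a three-point
    (min, most likely, max) estimate. PERT is an assumption here; it is a
    common way to turn calibrated three-point estimates into a distribution."""
    if not low <= mode <= high:
        raise ValueError("need low <= mode <= high")
    if low == high:
        return float(low)
    a = 1 + 4 * (mode - low) / (high - low)
    b = 1 + 4 * (high - mode) / (high - low)
    return low + (high - low) * rng.betavariate(a, b)


def pert_mean(low, mode, high):
    """Closed-form mean of the PERT distribution, used as a cross-check."""
    return (low + 4 * mode + high) / 6


def poisson_sample(rng, lam):
    """Number of loss events in one simulated year for annual rate lam (Knuth's method)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


# Constructed scenario: a single loss scenario with illustrative numbers.
# Each tuple is (min, most likely, max); money is in a single currency unit.
SCENARIO = {
    "lef": (0.1, 0.3, 1.0),                    # loss events per year
    "primary": (20_000, 60_000, 250_000),      # investigation, remediation, notification
    "p_secondary": 0.4,                        # chance an event also causes secondary loss
    "secondary": (50_000, 150_000, 800_000),   # fines, reputational damage, lost revenue
}


def analytic_ale(scenario):
    """Expected annual loss from the PERT means alone (no simulation), for sanity checks."""
    per_event = pert_mean(*scenario["primary"]) + scenario["p_secondary"] * pert_mean(*scenario["secondary"])
    return pert_mean(*scenario["lef"]) * per_event


def simulate_annual_loss(scenario, iterations=20_000, seed=7, control_effectiveness=0.0):
    """Monte Carlo: returns one total loss figure per simulated year.
    control_effectiveness is the assumed fraction by which a control cuts loss
    event frequency (0.0 = no control, 0.5 = halves the expected rate)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        rate = pert_sample(rng, *scenario["lef"]) * (1.0 - control_effectiveness)
        total = 0.0
        for _ in range(poisson_sample(rng, rate)):
            total += pert_sample(rng, *scenario["primary"])
            if rng.random() < scenario["p_secondary"]:
                total += pert_sample(rng, *scenario["secondary"])
        losses.append(total)
    return losses


def summarise(losses, deductible):
    """Expected annual loss, tail percentiles, and the chance a year's loss exceeds the deductible."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(q):
        return ordered[min(n - 1, int(q * (n - 1)))]

    return {
        "expected_annual_loss": sum(ordered) / n,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "p_exceeds_deductible": sum(1 for x in ordered if x > deductible) / n,
    }


def compare_control(scenario, control_cost, control_effectiveness, deductible, iterations=20_000, seed=7):
    """Put the control decision in money: expected loss avoided per year versus what the control costs."""
    base = summarise(simulate_annual_loss(scenario, iterations, seed), deductible)
    ctl = summarise(simulate_annual_loss(scenario, iterations, seed, control_effectiveness), deductible)
    benefit = base["expected_annual_loss"] - ctl["expected_annual_loss"]
    return {"baseline": base, "with_control": ctl, "annual_benefit": benefit, "net_benefit": benefit - control_cost}


if __name__ == "__main__":
    result = compare_control(SCENARIO, control_cost=25_000, control_effectiveness=0.5, deductible=100_000)
    for label in ("baseline", "with_control"):
        s = result[label]
        print(f"{label:13s} EAL={s['expected_annual_loss']:>10,.0f}  p90={s['p90']:>10,.0f}  "
              f"p95={s['p95']:>10,.0f}  P(loss>deductible)={s['p_exceeds_deductible']:.2%}")
    print(f"control benefit/yr={result['annual_benefit']:,.0f}  net of cost={result['net_benefit']:,.0f}")
```

Two things worth noticing when running it: the median annual loss is often zero because most simulated years contain no event, so the expected annual loss and the p90/p95 tail are the figures that carry the decision, not the median; and the simulated expected annual loss should land close to `analytic_ale`, which is a cheap check that the sampler and the estimates are consistent before the numbers go into a budget conversation.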
