Annualized Loss Expectancy

As used in the Simple Risk Model, the term "Cost" is based on the Annualized Loss Expectancy (ALE): the estimated loss a process will incur in a single event (Single Loss Expectancy, or SLE) multiplied by the estimated number of times such an event will occur in a year (Annual Rate of Occurrence, or ARO). For example, a company may maintain an accounts payable process in which, every month, there is at least one instance of an employee mistakenly entering a higher amount to be paid to a vendor, and the business is unable to recover the overpayment from the vendor. If the average overpayment is $1,000 (SLE) and the error occurs once a month (ARO), the Annualized Loss Expectancy is $12,000, or $1,000 x 12. Similarly, if on average once every five years an employee defrauds the company by issuing bogus checks through the accounts payable system, and the company can expect to lose $100,000 in such an event, the Annualized Loss Expectancy is $20,000 ($100,000 x .2).


As we will see on the following page on security ROI, it is difficult to predict accurately the amount of loss from a single event or to estimate the frequency of such events. The other problem is that, for the purposes of determining operational risk, these estimates must assume that there are no controls over the Core Process, or that all existing controls for the process have failed. Most managers have difficulty with the concept that they must ignore controls when determining the Cost, or financial exposure. However, that assumption is required by the standard equation:

Risk = Cost x (Vulnerabilities x Threats)

Controls are addressed as part of the Vulnerabilities portion of the equation. If we allow controls to creep into the Cost determination, the Controls will, in effect, be counted twice.
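The ALE calculation and the double-counting problem described above, worked through as an added example (this code is not from the original page; the threat and control-effectiveness figures are constructed, and treating "Threats" and "Vulnerabilities" as factors between 0 and 1 is an assumption of the example, not something the page specifies):

```python
"""Annualized Loss Expectancy and the Simple Risk Model equation
Risk = Cost x (Vulnerabilities x Threats), worked as code.

Cost is the ALE computed with NO controls in place; controls enter the
equation only through the Vulnerabilities factor, so they count once.
"""
from dataclasses import dataclass


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro


@dataclass
class Scenario:
    name: str
    sle: float             # loss per event, estimated as if no controls existed
    aro: float             # events per year, estimated as if no controls existed
    threat: float          # assumed likelihood a threat acts on the process (0..1)
    control_effect: float  # assumed fraction of events existing controls stop (0..1)


def residual_vulnerability(control_effect: float) -> float:
    """Vulnerability factor after controls; 1.0 means no effective controls."""
    return 1.0 - control_effect


def risk(s: Scenario) -> float:
    """Correct form: Cost is the uncontrolled ALE, controls live in Vulnerabilities."""
    cost = annualized_loss_expectancy(s.sle, s.aro)
    return cost * (residual_vulnerability(s.control_effect) * s.threat)


def risk_double_counted(s: Scenario) -> float:
    """The mistake the text warns against: controls reduce Cost AND Vulnerabilities."""
    reduced_cost = annualized_loss_expectancy(s.sle, s.aro) * residual_vulnerability(s.control_effect)
    return reduced_cost * (residual_vulnerability(s.control_effect) * s.threat)


# Constructed scenarios mirroring the page's two accounts payable examples.
OVERPAYMENT = Scenario("vendor overpayment", sle=1_000, aro=12, threat=1.0, control_effect=0.5)
BOGUS_CHECKS = Scenario("bogus checks", sle=100_000, aro=0.2, threat=1.0, control_effect=0.5)

if __name__ == "__main__":
    for s in (OVERPAYMENT, BOGUS_CHECKS):
        print(f"{s.name}: ALE=${annualized_loss_expectancy(s.sle, s.aro):,.0f} "
              f"risk=${risk(s):,.0f} double-counted=${risk_double_counted(s):,.0f}")
```

With a control that stops half of the events, the double-counted figure understates risk by a further factor of two, which is exactly the distortion the Simple Risk Model avoids by keeping controls out of Cost.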