Operational Risk is defined as, "[T]he risk of loss resulting from inadequate or failed internal processes, people and systems or from external events." Within the Simple Risk Model, External Events or "Acts of God" are treated as Threats: agents of potential harm to the organization.
External Events are synonymous with natural disasters and the other similar emergencies that confront organizations on a daily basis - the realm of Business Continuity Planning (BCP).
External Events are prioritized on the basis of Type (hurricane, earthquake, fire, etc.), Frequency (how often the External Event will occur over a period of time), Duration (if the Event occurs, how long the associated processes will be unavailable) and Loss (in addition to the Financial Exposure assessed under Cost, the expected expenses related to loss of buildings or equipment, the cost of renting alternate facilities, etc.).
Examples of External Events ("Type") that should be considered as part of the Business Continuity Planning risk assessment process are:
- Hurricanes (consider the various categories on the Saffir-Simpson Scale)
- Earthquakes (consider the range of magnitudes on the Richter Scale)
- Flooding (consider various sources for the flooding - from a storm, to sewage backup, to ruptured water mains, to an accidental discharge of the fire suppression system)
- Fire (fire within the building that damages property and fire in nearby locations that disrupts access to the building)
- Disease (consider threat of pandemics)
- Disruption of utilities (lack of electricity, phone, network, water for drinking or fire suppression, sewage, transportation and other utility services). Consider local regulations that require closing buildings if utilities such as water and sewage are not available. Also consider the implications if the building is functioning but access to it is denied due to a transportation disruption, hazardous material spill, martial law, etc.
- Environmental hazards (chemical spills, pollution of air or water, etc.)
- Civil disruption (war, rioting, revolution, protests, vandalism, terrorism, etc.)
The Types of External Events should be prioritized based on:
- Frequency of occurrence. For example, what is the frequency of hurricanes in your area? If the frequency is greater than "extremely remote", what is the probability for each of the categories on the Saffir-Simpson Scale (what is the probability that within the next x years the building will be exposed to a Category 4 hurricane)?
- Duration of the outage measured as the period during which business processes will be unavailable due to an Event. Availability is measured as a function of time (how long could the process be unavailable to the business before the outage would cause a significant loss). For example, if the business concluded that there was a reasonable possibility that a Category 4 hurricane could impact the building, the following factors would need to be addressed:
- What type of damage would occur? This question should take into account existing physical controls such as the ability of the windows, exterior walls and roof to withstand winds of 131 to 155 mph, the potential for storm surge damage, the status of the local infrastructure (will the building have power, communications and water, will the roads be open, will public transportation be available, etc.).
- Based on this damage, how long would the process be unavailable to the business? If it were determined that the building in which the process is performed would be a total loss, how long would it take to rebuild the office or find another suitable building to resume business? If the building were intact but all the windows would need to be replaced, how long would that process take (considering that suitable window material would likely be in short supply)? Note that at this point in the assessment process you should not take into account any mitigating controls available through the business continuity plan. The value of a business continuity plan in mitigating risk is addressed as part of the Control assessment. For example, the BCP may have a provision to move the operations to a backup site in another state. The Duration of an outage from a Category 4 hurricane should be determined within the context of the Threat assessment without factoring in the BCP. Then, as part of the Control assessment stage, the BCP should be evaluated on how effectively it addresses this specific type of External Event.
- Loss to capital assets (damage to buildings, technology, furniture, etc.) and business resumption expenses. While the primary focus in assessing External Events is on the lack of availability of critical business processes, some External Events can also cause significant damage to capital assets that are not directly related to the performance of a process. For example, a Category 4 hurricane could force the business to suspend processing for at least a month while it scrambles to repair damage to the building or find an alternate location. Aside from the process-related losses, such as loss of sales and reputation, the business would also incur significant expenses related to repairing or replacing the building or increased rental costs at the alternate location. Alternatively, the business might conclude that the building could adequately withstand a Category 4 hurricane and would not require significant repair costs. However, such a hurricane could still cause significant damage to the local infrastructure (no power or communications, or employees unable to travel to the office). In this case there would still be significant process-related losses, but minimal losses associated with capital assets. Since process-related losses are already identified as part of the Cost stage of the risk assessment process, capital asset losses and business resumption expenses must be factored in separately. See the
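The prioritization above is a two-stage calculation: a Threat stage that scores each External Event on Frequency, Duration and Loss with no credit for the BCP, followed by a Control stage that applies the BCP to the outage Duration only. The following is an added worked example, not code from the original article, that carries both stages through on a small constructed register of Events. All figures (annual probabilities, outage days, capital losses, the per-day process loss from the Cost stage, the BCP recovery time and the "extremely remote" cut-off) are assumed values chosen to illustrate the model; the two Category 4 hurricane rows correspond to the "building destroyed" and "building intact, infrastructure down" cases discussed above.

```python
"""Worked prioritization of External Events in the Simple Risk Model.

Added example (not from the original article). Every figure below is a
constructed illustration: the Type/Frequency/Duration/Loss attributes, the
daily process loss from the Cost stage, the "extremely remote" cut-off and
the BCP recovery time are all assumed inputs. The threat stage deliberately
ignores the BCP; the control stage applies it afterwards.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ExternalEvent:
    event_type: str            # Type, e.g. "Hurricane"
    category: str              # scale value or scenario, e.g. "Cat 4, building destroyed"
    annual_probability: float  # Frequency: chance the building is exposed in a given year
    duration_days: int         # Duration of the outage with NO BCP mitigation applied
    capital_loss: float        # Loss: damage to buildings, technology, furniture
    resumption_expense: float  # Loss: rent for alternate facilities, rebuild, etc.


# Below this annual probability an Event is treated as "extremely remote"
# and not scored further (assumed threshold).
EXTREMELY_REMOTE = 1e-4


def threat_stage_loss(ev: ExternalEvent, daily_process_loss: float) -> float:
    """Expected annual loss before any BCP control is credited.

    Process-related losses (lost sales, reputation) come from the Cost stage
    as a per-day figure; capital asset losses and resumption expenses are
    added separately so they are neither omitted nor double counted.
    """
    if ev.annual_probability < EXTREMELY_REMOTE:
        return 0.0
    outage_loss = ev.duration_days * daily_process_loss
    return ev.annual_probability * (outage_loss + ev.capital_loss + ev.resumption_expense)


def control_stage_loss(ev: ExternalEvent, daily_process_loss: float,
                       bcp_recovery_days: dict[str, int]) -> float:
    """Expected annual loss after the BCP is evaluated for this Event type.

    The BCP (e.g. moving operations to a backup site in another state) caps
    the process outage at its recovery time, but does nothing for capital
    asset losses or resumption expenses, which are carried in full.
    """
    if ev.annual_probability < EXTREMELY_REMOTE:
        return 0.0
    recovery = bcp_recovery_days.get(ev.event_type, ev.duration_days)
    effective_days = min(ev.duration_days, recovery)
    outage_loss = effective_days * daily_process_loss
    return ev.annual_probability * (outage_loss + ev.capital_loss + ev.resumption_expense)


def prioritize(events: list[ExternalEvent], daily_process_loss: float,
               bcp_recovery_days: dict[str, int]) -> list[tuple[ExternalEvent, float, float]]:
    """Return (event, threat-stage loss, residual loss) ranked by residual loss."""
    rows = [(ev,
             threat_stage_loss(ev, daily_process_loss),
             control_stage_loss(ev, daily_process_loss, bcp_recovery_days))
            for ev in events]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# Constructed sample register (assumed figures, not data from the article).
SAMPLE_EVENTS = [
    # Cat 4 hurricane, building a total loss: long outage plus heavy capital loss
    ExternalEvent("Hurricane", "Cat 4, building destroyed", 0.02, 180, 5_000_000, 600_000),
    # Cat 4 hurricane, building intact but local infrastructure down: process loss only
    ExternalEvent("Hurricane", "Cat 4, infrastructure outage", 0.05, 30, 0, 50_000),
    ExternalEvent("Flooding", "Fire suppression discharge", 0.10, 5, 150_000, 20_000),
    # Below the EXTREMELY_REMOTE cut-off, so scored as zero
    ExternalEvent("Earthquake", "Richter 7+", 0.00005, 365, 8_000_000, 900_000),
]
DAILY_PROCESS_LOSS = 40_000.0          # per-day figure from the Cost stage (assumed)
BCP_RECOVERY_DAYS = {"Hurricane": 3}   # backup site in another state (assumed); no plan for flooding


if __name__ == "__main__":
    for ev, before, after in prioritize(SAMPLE_EVENTS, DAILY_PROCESS_LOSS, BCP_RECOVERY_DAYS):
        print(f"{ev.event_type:11} {ev.category:30} threat={before:>12,.0f} residual={after:>12,.0f}")
```

Two points the numbers make visible: the "building destroyed" hurricane keeps most of its expected loss even after the BCP is applied, because the BCP shortens the outage but cannot recover the capital assets, while the "infrastructure outage" hurricane drops sharply because nearly all of its loss was process-related. The flooding scenario, which has no BCP provision in the assumed plan, ranks second after controls are applied even though it ranked third before them, which is exactly the kind of re-ordering the separate Control stage is meant to surface.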
One further note - The Simple Risk Model treats "People" as a separate risk category from "External Events". However, there are instances of overlap. An employee can disrupt a business by maliciously pulling the main circuit breaker for the office, forcing the shutdown of computer and communication systems. The same result can be achieved if an employee of the local utility company mistakenly misconnects the main electrical feeds to the building and causes a power outage. The first Threat falls under "People", because it is an act specifically directed at the organization. The second Threat is an "External Event", because the act was neither directed specifically at the organization nor performed by an employee or other person under the direct control of the organization.
This completes the detailed discussion of the Simple Risk Model.