Risk as Cost & Probability

We need to start with an understanding of what "risk" means.

"Risk" is the possibility that something of value will suffer harm or loss.

The definition has two components - the possibility that a harmful event will occur and the amount of loss that will result if it does. For example, if you find yourself driving your car in thick fog, there is a risk that you could hit a tree (the harmful event) and damage your car (the loss). The amount of risk in this situation can be determined by estimating the likelihood that you will hit a tree and the amount it would cost you to repair your car.

Weighing these two factors (expressed as Probability and Cost in the image) can be a complex task. If you put a million dollars in a bank vault but leave the vault door and the bank door wide open, turn off the video cameras and send all the employees, including the security guards, home for the weekend, there is almost a 100% Probability that when you arrive at the bank on Monday the Cost will be the loss of one million dollars. What would the Probability be if you had left the video cameras on over the weekend? What if you just locked the front door but left the vault door wide open? What if you locked all the doors, turned on the detection equipment and had security guards periodically inspect the premises? Would the Probability be zero? No.


No control is perfect. Guards can be bribed. Locks can be broken. There will always be a possibility, no matter how remote, that someone will find a way to steal the money. Unless you decide to shut down the bank and get out of the business, there will always be a risk that a crook will find a way to subvert the controls. What do you do then if you are the bank manager? You basically have four choices:

  1. Acceptance: You can set the locks, turn on the monitoring equipment, hire a security guard and accept these precautions as adequate to reasonably reduce the chance of a robbery. Whatever risk remains is consciously retained.
  2. Mitigation: You can take additional steps to reduce the risk, such as reinforcing the walls of the safe, requiring every person who enters the bank to use some form of biometric authentication like a fingerprint or retinal scan, or installing a monitor that detects motion inside the safe. The goal is to lower the probability, the loss, or both, until the risk reaches an acceptable level.
  3. Assignment: You can assign or transfer the risk to another party, such as by taking out insurance that covers losses from a robbery, or by hiring a security company to monitor the premises under a contract in which the company agrees to cover any losses. Note that this transfers the financial loss, not the robbery itself; the event can still happen.
  4. Avoidance: You can empty all cash out of the vault at the end of the day and move it to a more secure location. If the risk is still not acceptable, the only recourse may be to close the bank.

The important point is that you cannot make a reasonable choice among these four options unless you understand the underlying risk - the probability that you will suffer harm and the potential loss that would result. Once you know the level of risk, you can perform a cost/benefit analysis to determine which option is most practical. Each option carries its own cost (guards, reinforced walls, insurance premiums, armored transport) and leaves some residual risk, so the comparison is between the cost of the controls plus the expected loss that remains, not the cost of the controls alone. The options are also not mutually exclusive: a bank will usually mitigate what it can, insure part of the rest and accept what is left.
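The cost/benefit comparison described above, carried through for the bank-vault scenario as an added example (this code and all of its figures are constructed for illustration; nothing here comes from the original page). Each treatment is described by what it costs per year, the residual probability of a robbery and the loss the bank still bears if one happens; the expected loss is Probability x Cost in the page's sense, and the total cost of an option is its control cost plus that expected loss. A second function applies a risk appetite (the "acceptable level" the Mitigation option refers to) before picking the cheapest option, which can change the answer.

```python
"""Cost/benefit comparison of the four risk treatments (added example).

All dollar amounts and probabilities below are constructed assumptions
chosen to illustrate the method, not figures from the page.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Treatment:
    name: str
    control_cost: float   # what the option costs per year (guards, premiums, transport)
    probability: float    # residual annual probability that the harmful event occurs
    loss_if_hit: float    # loss the bank still bears when it occurs (after insurance etc.)

    def expected_loss(self) -> float:
        """Risk in the page's sense: Probability x Cost."""
        return self.probability * self.loss_if_hit

    def total_cost(self) -> float:
        """What the option really costs on average: controls plus residual risk."""
        return self.control_cost + self.expected_loss()


VAULT = 1_000_000.0  # cash at risk, from the page's example

# Constructed figures (assumptions). Index 0 is the "doors open, cameras off"
# baseline from the page; the other four map onto the four choices.
OPTIONS: List[Treatment] = [
    Treatment("none: doors open, cameras off, no staff", 0.0, 1.0, VAULT),
    Treatment("acceptance: locks, cameras, one guard", 60_000.0, 0.02, VAULT),
    Treatment("mitigation: + reinforced safe, biometrics, motion sensor", 110_000.0, 0.005, VAULT),
    # Insurance on top of the baseline controls: the bank keeps a 100k deductible,
    # but the probability of a robbery is unchanged (assignment moves the loss, not the event).
    Treatment("assignment: baseline controls + insurance, 100k deductible", 90_000.0, 0.02, 100_000.0),
    # Cash moved off-site nightly: only the daytime float is exposed.
    Treatment("avoidance: cash moved off-site nightly", 90_000.0, 0.001, 200_000.0),
]


def cheapest(options: Iterable[Treatment]) -> Treatment:
    """Pure cost/benefit: the option with the lowest controls + expected loss."""
    return min(options, key=lambda t: t.total_cost())


def cheapest_within_appetite(options: Iterable[Treatment],
                             max_expected_loss: float) -> Optional[Treatment]:
    """Cost/benefit after discarding options whose residual risk exceeds the
    level the bank is willing to accept. Returns None if nothing qualifies,
    which is the page's "close the bank" case."""
    acceptable = [t for t in options if t.expected_loss() <= max_expected_loss]
    return cheapest(acceptable) if acceptable else None


if __name__ == "__main__":
    for t in OPTIONS:
        print(f"{t.name:<60} controls={t.control_cost:>10,.0f} "
              f"expected_loss={t.expected_loss():>12,.0f} total={t.total_cost():>12,.0f}")
    print("cheapest overall:          ", cheapest(OPTIONS).name)
    print("cheapest with EL <= 10,000:", cheapest_within_appetite(OPTIONS, 10_000).name)
    print("cheapest with EL <= 100:   ", cheapest_within_appetite(OPTIONS, 100))
```

With these assumed figures, plain cost/benefit picks Acceptance (60,000 in controls plus 20,000 expected loss), but once the bank says it will not carry more than 10,000 a year in expected loss, Acceptance drops out and Avoidance wins; set the appetite below every option's residual risk and the function returns None, the point at which the page's "only recourse may be to close the bank" applies. The figures are the part you have to get right in practice; the arithmetic is the easy part.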