
Risk Components

As previously discussed, risk is a function of Impact and Likelihood: the importance to the business of the process or asset, and the probability that a negative event or loss will occur. Likelihood can be broken down further into Vulnerabilities and Threats. Vulnerability refers to the level of defects in the control environment (how well the controls reduce the risk that a loss will occur), while Threats are the people who, intentionally or unintentionally, could exploit those defects. As the number or severity of control weaknesses increases, along with the threats from individuals who could exploit those weaknesses, the Likelihood increases. Put simply, Risk = Impact + Threat + Vulnerability.

Figure: Risk Model

It is important to note that a business has real control over only one of the elements in the equation - Vulnerability. The Impact, or importance, of a process to a business does not change frequently from the standpoint of operational risk. For example, a financial institution may have a mortgage unit. Over time the institution may decide to increase or decrease the amount of home loans it makes to "sub-prime" borrowers, that is, borrowers with poor credit histories. From the credit risk perspective, the institution can change the Impact of the home loan process by changing its lending policies: by reducing or expanding the number and type of customers to which it will lend, it directly affects the potential for losses from defaults and for future income. But what about the Impact to the institution if the personal data on its borrowers is stolen? It is unlikely that the institution can meaningfully reduce this Impact by changing its lending policies in response to this risk. The risk may change slightly based on the number of customers (the fewer customers, the less data is available to be stolen). It may also change based on the types of customer data the institution decides to store in its mortgage lending systems, but it is virtually impossible to eliminate all sensitive personally identifiable information on customers. Hence, the Impact from a data loss or breach of Confidentiality for this data will stay relatively constant. In addition, businesses usually have little control over the Threats (the pool of people who could cause harm) to this data. A company needs employees to process the loan applications, and these employees, inadvertently or intentionally, may expose sensitive customer data to outsiders. Nor can a company control the number or sophistication of hackers, identity thieves and other criminals who may want access to this data.

If you cannot meaningfully change the Impact or Threats to a process, what is left? Controls, or Vulnerabilities. This is the one area where a business can have a direct influence on the level of risk. For example, the database used to process the mortgage applications referred to above may be backed up each night and the backup tape sent offsite for safekeeping. One of the vulnerabilities in this backup process is that the tape may be lost in transit to the offsite storage facility. The level of risk from this Vulnerability can be reduced using several controls, from lock boxes, to armed guards, to encryption of the tapes. The type and effectiveness of these controls will directly affect the level of ultimate risk.

This is why controls are so important - they are the only effective tool a business has to reduce operational risk. As a further illustration, consider the distinction between Inherent and Residual Risk
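As an added worked example (not code from the original post), here is the backup-tape scenario from above scored with the post's own components, showing the Inherent score (no controls) next to the Residual score (controls applied) and which component actually moved. The 1-to-5 rating scale, the effectiveness percentages for the lock box, armed guard and encryption controls, and the assumption that controls reduce Vulnerability multiplicatively are all illustrative choices made here; the post supplies none of these figures.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed scoring scale for this example: each component is rated 1 (low) to 5 (high).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Control:
    """A control applied to a Vulnerability.

    `effectiveness` is the assumed fraction of the remaining Vulnerability the
    control removes (0.0 = no effect, 1.0 = eliminates it). The post gives no
    such figures; these are illustrative.
    """
    name: str
    effectiveness: float

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"effectiveness for {self.name} must be in [0, 1]")


@dataclass
class Scenario:
    """One loss scenario scored with the post's components."""
    name: str
    impact: int          # importance of the process/asset to the business
    threat: int          # people who could exploit the defects
    vulnerability: int   # defects in the control environment before any controls
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for label, value in (("impact", self.impact), ("threat", self.threat),
                             ("vulnerability", self.vulnerability)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{label} must be between {SCALE_MIN} and {SCALE_MAX}")


def residual_vulnerability(scenario: Scenario) -> float:
    """Vulnerability left after each control removes its share of what remains.

    Controls compound multiplicatively (an assumption of this example), so two
    weak controls never add up to more than 100% and their order does not matter.
    """
    remaining = float(scenario.vulnerability)
    for control in scenario.controls:
        remaining *= 1.0 - control.effectiveness
    return remaining


def inherent_risk(scenario: Scenario) -> float:
    """Risk with no controls applied, using the post's Risk = Impact + Threat + Vulnerability."""
    return scenario.impact + scenario.threat + scenario.vulnerability


def residual_risk(scenario: Scenario) -> float:
    """Risk after controls: Impact and Threat are unchanged, only Vulnerability moves."""
    return scenario.impact + scenario.threat + residual_vulnerability(scenario)


def risk_breakdown(scenario: Scenario) -> Dict[str, float]:
    """Side-by-side view showing which component the controls actually changed."""
    return {
        "impact": scenario.impact,
        "threat": scenario.threat,
        "inherent_vulnerability": scenario.vulnerability,
        "residual_vulnerability": round(residual_vulnerability(scenario), 2),
        "inherent_risk": inherent_risk(scenario),
        "residual_risk": round(residual_risk(scenario), 2),
        "risk_floor": scenario.impact + scenario.threat,  # what no control can remove
    }


# Constructed sample: the offsite backup tape from the post. The ratings and
# control effectiveness values are assumptions for illustration.
BACKUP_TAPE = Scenario(
    name="mortgage database backup tape lost in transit",
    impact=5,         # borrower PII: Impact stays high whatever the lending policy says
    threat=4,         # couriers, insiders, thieves: not under the business's control
    vulnerability=5,  # unencrypted tape, no chain of custody
    controls=[
        Control("locked transport box", 0.3),
        Control("armed courier", 0.3),
        Control("tape encryption", 0.8),
    ],
)

if __name__ == "__main__":
    for key, value in risk_breakdown(BACKUP_TAPE).items():
        print(f"{key:>22}: {value}")
```

Two things the breakdown makes visible that the prose only states: the `impact` and `threat` entries are identical in the inherent and residual columns because no control touches them, and, because the post's formula is additive, the `risk_floor` of Impact + Threat remains even when Vulnerability is driven to zero. A risk register built on this model should therefore treat a high floor as a signal to reconsider the process itself (what data is collected and kept), since no amount of control spending will score it below that line.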