Posts - Integrating the
Model in the Real

1/13/09: Audit & Risk - Seeing the Forest from the Trees

9/4/08: Security ROI

6/28/08: Boise: A
Terrorist Target?

5/10/01: FFIEC Business
Continuity Planning

4/3/08: SOX 404 Audits

Allocation of Resources

The commonly accepted rationalization for risk assessments is to reduce losses. However, the actual driver for most risk assessments is limited resources. If our resources (people, processes and technology) were limitless, we could cover all the bases in risk and there would be no need for assessments and prioritization. The reality is that corporate budgets are always under constraint and the efficient and effective allocation of limited resources is critical to a business' success. Accordingly, the risk assessment process must include the proper allocation of resources as one of its primary goals.

The risk grid provides a good example of the issues associated with resource allocation. Low Risks (boxes 1 - 3) require minimal resources, since there is little or no return on investment (ROI) in controls - the losses are low enough that it is not worth devoting significant resources (i.e. expenses) to mitigating them. On the other extreme, High Risks (boxes 7 - 9) require most of the resources, since the Probability and expected Costs are significant. The three Medium Risk boxes ( boxes 4 - 6) present the greatest challenge in deciding on the proper allocation of resources. Box 5 should be addressed in any risk mitigation program. The combined potential cost and likelihood of occurrence, while not "High", are still significant enough that they should be addressed. It is arguable that the risks in box 6 only require minimal control resources. While the probability is "High" in box 6, the associated costs are "Low". However, frequency should also be factored into the decision process (see ALE). If a "High" probability is equivalent to frequent occurrences over time, the "Low" losses for individual events can add up until they become "High". If this is the case, box 6 may best be treated as a candidate for process improvement to find a way to reduce the frequency of occurrence.
Risk Grid
Box 4 is the one that keeps risk managers up at night. While the Probability of loss is low, the dollar amounts involved are significant. These are the "Long Tail" events that are difficult to predict, but are capable of causing the type of damages that can drive a company out of business. The chart to the right represents the probability and losses for an event. Based on the chart, the business would likely assign a Financial Exposure or a likely loss of $400,000, based on averaging the losses. The problem is that there is a possibility, while remote, that the losses could exceed $1 million. When allocating control resources should the business base it's assumptions on a $400,000 or a $1 million risk? Conventional thinking says to stick with the standard deviations and $400,000, but your gut likely won't let you forget about the tail. Risk Tail

My advice:

  1. Focus the majority of your resources on risks that fall in boxes 5 and 7 - 9.
  2. Make sure you have considered ways to limit the frequency of losses in box 6.
  3. Minimize any resources on boxes 1 - 3.
  4. When you are done, consider the box 4 risks. Typically, if you adequately addressed the other boxes, you likely implemented controls that will indirectly mitigate some of the the potential for extreme events. Running scenarios on box 4 risks is also a productive exercise to test the scope of your existing controls and to assist management in identifying long term strategies to reduce risk.