For the purposes of the Operational Risk Assessment process, "Financial Exposure" is the monetary estimate assigned to the assumed losses and expenses arising from an event. Because little historical data is usually available to determine Financial Exposure precisely, the Simple Risk Model adds two components, Type and Scope, to guide management through this portion of the assessment and to provide a more comprehensive, recorded justification for the figure that is chosen.
A harmful event will likely impact one or more of the following three elements ("Scope"):
- Confidentiality - The ability to control or restrict access to sensitive information so that only authorized individuals can view it. What would the loss be if we were unable to limit or control access to sensitive data, or if there were a loss of privacy?
- Integrity - The ability to assure the accuracy and reliability of data. What would the loss be if we could not ensure that information is accurate and correct and has not been subtly changed or tampered with by an unauthorized party?
- Availability - The availability of information and systems when required by the business or its customers. Would we suffer a loss if our systems and processes were not accessible to customers and the business? Availability requirements are expressed through the organization's Recovery Time Objectives and Recovery Point Objectives (RTOs and RPOs): the RTO is the maximum length of time a system or process can be unavailable before a significant loss occurs, and the RPO is the maximum amount of data, measured as a span of time, that the organization can afford to lose and recreate.
If there is a loss of Confidentiality, Integrity or Availability ("CIA"), the loss will likely evidence itself in one or more of the following areas within the organization ("Type"):
- Franchise – Loss of reputation or market share, or negative publicity.
- Customer – Disruption of service, disclosure of confidential information, or loss of customer accounts.
- Legal/Regulatory – Restrictions on business practices, fines, criminal prosecution, or high-profile litigation with significant damages.
- Contracts – Failure to comply with contractual provisions, resulting in the payment of damages.
- Financial – Loss of income, assets, or opportunity, or restatement of accounts.
Once these factors have been considered, management should be able to produce a rough estimate of the potential impact to the business if the process suffers a failure or security event. The assessed impact can only ever be an estimate. Even so, management will at least have weighed the relevant factors and recorded its reasoning, and that record is valuable in itself. Participants in the assessment may disagree with the result, but it will be clear how the result was reached and, where there is significant disagreement, the structure of the assessment process provides a vehicle through which those disagreements can be discussed and resolved.
For an example of how these factors can be applied to a risk assessment, see the Proof-of-Concept spreadsheet.