Simple Risk Model in 30 Seconds

The Simple Risk Model is based on 3 assumptions:

  1. The fundamental principles of risk are commonly accepted: Risk is a function of the potential cost of a harmful or negative event and the probability that the event will occur. Cost is based on the average expected losses and related expenses over a stated period (usually one year). Probability is a function of the vulnerabilities (defects in existing controls) and the threats (people or external events that could act on these vulnerabilities).
  2. There is a lack of objective data: Due to the scarcity of reliable historical data and the constantly changing nature of technology and the business environment, it is exceedingly difficult to derive accurate quantitative results in the various operational risk disciplines (information security, business continuity planning, technology, back office operations, etc.). Currently, there is no simple, objective and comprehensive methodology for assessing operational risk.
  3. We need a risk model that compensates for the lack of data: The Simple Risk Model addresses these challenges by adding a level of granularity to the risk principles to compensate for the lack of historical data and adding a repeatable and quantifiable methodology to compensate for the changing business and technology environments.

The Simple Risk Model is not an independent approach to operational risk assessment. It is a compilation of the principles from several of the methodologies currently in use in the community. The Model is designed to address the weaknesses in these methodologies and distill their principles down to a more manageable, logical and objective approach to risk.

For further information on the Simple Risk Model, see:

  • Introduction to the Simple Risk Model (10 minute on-line presentation)
  • The Introduction to Risk section of this web site
  • Start at the Home page of this site and go through the pages sequentially (see the Previous/Next buttons at the bottom of each page)
  • Review the various Tools for the Simple Risk Model, including a prototype of an automated Excel spreadsheet that uses the methodology to achieve a graphic, quantifiable assessment.