The fundamental principles of risk are commonly accepted:
Risk is a function of the potential cost of a harmful or negative event and the probability that the event will occur. Cost is based on the average expected losses and related expenses over a stated period (usually one year). Probability is a function of the vulnerabilities (defects in existing controls) and the threats (people or external events that could act on these vulnerabilities).
There is a lack of objective data: Due to the scarcity of reliable historical data and the constantly changing nature of technology and the business environment, it is exceedingly difficult to derive accurate quantitative results in the various operational risk disciplines (information security, business continuity planning, technology, back office operations, etc.). Currently, there is no simple, objective and comprehensive methodology for assessing operational risk.
We need a risk model that compensates for the lack of data: The Simple Risk Model addresses these challenges by adding a level of granularity to the risk principles to compensate for the lack of historical data and adding a repeatable and quantifiable methodology to compensate for the changing business and technology environments.
The Simple Risk Model is not an independent approach to operational risk assessment. It is a compilation of the principles from several of the methodologies currently in use in the community. The Model is designed to address the weaknesses in these methodologies and distill their principles down to a more manageable, logical and objective approach to risk.
For further information on the Simple Risk Model, see: