
Introduction to Risk

We are constantly presented with risk decisions in our daily routines. Do I have enough time to drive through that yellow light at the intersection? Have I saved enough for my retirement? Do I need life insurance? Do I really want to take up skydiving? How safe are the worn tires on my car? If I drop a piece of candy on the floor, does the Five Second Rule apply? Who should I bet on to win the Super Bowl? What is the risk if I use the wireless connection on my laptop to log on to the Internet at the local coffee shop? Will I still get to work on time if I sleep in an extra half hour?

By the mere fact that you are alive and able to read this page, you have been successful (up to this point) at handling the risks that life has thrown at you. But does this make you an expert on risk, especially in the business environment? No. Risk in our personal lives does not directly equate to the risk decisions required in Operational Risk (Information Security, Continuity of Business, etc.). A higher level of discipline, training and experience is required, especially in an environment of constantly changing technology and business practices.

Let's start with the primary components of risk:

  • Risk is the possibility that something of value will suffer harm or loss. The definition includes two components:
    • Probability that a harmful event will occur
      • Probability is the likelihood that an organization will suffer harm from the failure of a person, process or system or from an external event.
      • Probability is a function of
    • The amount of loss or Cost that will result from the event.
      • Cost (also referred to as Impact, Financial Exposure, Criticality or Importance) is the amount of losses an organization would potentially suffer from a negative or harmful event.
      • As used in the Simple Risk Model, the calculation of Cost is based on the Annualized Loss Expectancy (ALE): the estimated loss that a process will incur in a single event (the Single Loss Expectancy, SLE) multiplied by the estimated number of times such an event will occur in a year (the Annualized Rate of Occurrence, ARO), so that ALE = SLE × ARO.
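The ALE calculation above, carried out over a small risk register, as an added worked example that is not part of the original page. The scenario names, dollar figures and the control in it are constructed for the illustration, not real data, and the ranking, the single-event outlier check and the control comparison go beyond the bare definition in the text.

```python
"""Worked example of the Cost term in the Simple Risk Model (ALE = SLE x ARO).

Added illustration, not code from the original page. Every scenario and
dollar figure below is constructed for the example, not real data.
"""
from dataclasses import dataclass


def aro_from_interval(years_between_events: float) -> float:
    """Annualized Rate of Occurrence for an event expected once every N years."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # Single Loss Expectancy: loss from one occurrence (the page's "Cost" of a single event)
    aro: float  # Annualized Rate of Occurrence: expected events per year (the page's "Probability" term)

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year from this scenario."""
        return self.sle * self.aro


# Constructed risk register with hypothetical figures.
REGISTER = [
    Scenario("Phishing-driven credential theft", sle=20_000, aro=6.0),
    Scenario("Lost or stolen laptop with customer data", sle=50_000, aro=2.0),
    Scenario("Data center fire", sle=4_000_000, aro=aro_from_interval(50)),
    Scenario("Session hijack on coffee-shop Wi-Fi", sle=5_000, aro=4.0),
]


def rank_by_ale(scenarios):
    """Highest expected annual loss first (stable sort, so ties keep register order)."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)


def catastrophic_outliers(scenarios, single_event_threshold):
    """Scenarios whose loss from one event alone would be intolerable.

    ALE averages a rare catastrophe down to a modest annual figure, so a
    ranking by ALE alone can bury the one event the business cannot survive.
    """
    return [s for s in scenarios if s.sle >= single_event_threshold]


def control_is_worthwhile(scenario, annual_control_cost, sle_after, aro_after):
    """True if the ALE reduction a control buys exceeds its annual cost."""
    ale_after = sle_after * aro_after
    return (scenario.ale - ale_after) > annual_control_cost


if __name__ == "__main__":
    for s in rank_by_ale(REGISTER):
        print(f"{s.name:42s} SLE ${s.sle:>12,.0f}  ARO {s.aro:5.2f}  ALE ${s.ale:>10,.0f}")
    for s in catastrophic_outliers(REGISTER, single_event_threshold=1_000_000):
        print(f"single-event outlier: {s.name} (SLE ${s.sle:,.0f})")
    laptop = REGISTER[1]
    # Hypothetical control: full-disk encryption on laptops removes the breach cost,
    # leaving only hardware replacement, at an assumed $30,000 per year.
    print("encrypt laptops:", control_is_worthwhile(laptop, 30_000, sle_after=2_000, aro_after=2.0))
```

Two things the printout makes visible that the formula alone does not: the data center fire ranks below laptop theft by ALE ($80,000 versus $100,000 per year) even though it is the only scenario the business could not absorb in a single event, and the ARO term is itself a probability estimate, so ALE already carries the Probability component that the model lists separately.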

It looks simple enough until you have to apply these principles in the business environment -