About This Site

This site is devoted to the development of an objective, intuitive approach to assessing operational risk based on the Simple Risk Model. The approach is derived from commonly accepted methodologies, with an emphasis on ease of use - an assessment approach that information security, business continuity planning and other op risk officers can deploy with minimal training and resources. The Simple Risk Model also emphasizes the utilization of tools that facilitate the assessment process and the communication of risk to management.

I have spent 31 years working in financial services as a corporate attorney, back office manager, CIO, information security officer, business continuity coordinator, and operational risk specialist. In 2001 I was a department head in the information security office of a major global financial institution and responsible for the corporation's information security policy. At one of our periodic meetings of the senior information security officers, one of them asked what appeared to be a reasonably simple question about how the policy treated inherent and residual risk. I thought we could dispense with the question in a matter of seconds, but after 45 minutes of heated debate I realized that I was clueless about risk. Worse, the policy I had helped write failed to provide an objective, consistent and reliable means of identifying risk and determining the optimum allocation of controls.

This rude awakening started me on a long journey. I first tried to find an industry standard for information security risk assessment. While I found several risk models, I could find little agreement within the community as to how risk should be approached. With no industry standard, I tried to adapt the best parts of the various frameworks and blend them into one consistent approach. That led to my next "epiphany": while most of the risk frameworks focused on a specific discipline such as information security or business continuity, they were actually addressing the same issue - operational risk. This realization opened up new possibilities for leveraging these various disciplines and creating a more efficient overarching approach.

Another challenge was that the available risk frameworks tended to focus on only one of the risk components (impact, threats and vulnerabilities) instead of bringing these components together into one overall process. How do you bring together the elements of the core processes of a business, control deficiencies and potential "bad guys" into one overall model? How do you effectively assess and measure the risk of hackers exploiting a weakness in a firewall so they can surf HR's executive compensation database? It is not that difficult to assess any one of the individual components in this scenario, but how do you integrate the components into one overall assessment of the risk profile?

The final challenge was communication. Even if I were able to address these hurdles, the result would be of little value if risk officers in the field could not easily perform the assessments and communicate the results to management. We need a way to take the extremely complex components of risk and present them in a way that is "easy" to understand and implement, something equivalent to a financial statement. And that was the birth of the Simple Risk Model.

At this point I am in no position to claim that the Model is complete or the basis for an industry standard. I do hope it provides a guide for how we can ultimately develop such a standard.

Suggestions? Comments? mailto:bsewall@bsewall.com