1/13/09: Audit & Risk - Seeing the Forest from the Trees

9/4/08: Security ROI

4/3/08: SOX 404 Audits

Pressed for time? Here are two quick introductions to the Simple Risk Model.

Introduction to the Simple Risk Model (10-minute on-line presentation)

Risk = Cost x Probability

Risk is a function of the potential cost of a harmful or negative event and the probability that the event will occur. Risk is that simple, until you try to apply the function in the real world, especially in the area of Operational Risk (information security, business continuity planning, technology management, back office operations, etc.). Currently, there are few, if any, comprehensive, objective and simple-to-use risk assessment methodologies available to the operational risk practitioner. The Simple Risk Model described on this site is an attempt to provide a prototype of such a methodology. Even if you are using another risk methodology in your business, such as OCTAVE, ISO/IEC 27001, or COSO, the Simple Risk Model will help you make sense of the process and the results.
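The following is an added example, not code from the Simple Risk Model site: a minimal risk register that applies Risk = Cost x Probability to a handful of constructed scenarios and ranks them for prioritization. The scenario names and figures are hypothetical, and the helper names (`Scenario`, `risk`, `prioritize`) are this example's own.

```python
"""Added example: apply Risk = Cost x Probability to a small register of
constructed operational-risk scenarios and rank them by expected loss."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    cost: float         # potential loss if the event occurs (one currency for all rows)
    probability: float  # chance the event occurs within the assessment period, 0..1

    def __post_init__(self):
        # Reject inputs the formula cannot sensibly use.
        if self.cost < 0:
            raise ValueError(f"{self.name}: cost must be non-negative")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must lie in [0, 1]")


def risk(s: Scenario) -> float:
    """Risk = Cost x Probability: the expected loss over the assessment period."""
    return s.cost * s.probability


def prioritize(scenarios):
    """Return (name, risk) pairs ordered from highest to lowest expected loss."""
    scored = [(s.name, risk(s)) for s in scenarios]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample register (hypothetical figures, one-year horizon).
SAMPLE = [
    Scenario("Ransomware outage of order system", cost=2_000_000, probability=0.05),
    Scenario("Laptop with customer data lost", cost=150_000, probability=0.40),
    Scenario("Data-center flood", cost=10_000_000, probability=0.002),
    Scenario("Phishing leads to wire fraud", cost=250_000, probability=0.15),
]

if __name__ == "__main__":
    for name, expected_loss in prioritize(SAMPLE):
        print(f"{expected_loss:>12,.0f}  {name}")
```

Run as a script, the register prints the ransomware scenario first (100,000) and the data-center flood last (20,000), even though the flood has by far the largest potential cost. That is the kind of result the paragraph above alludes to: the product is easy to compute, but applying it well means deciding whether a ranking by expected loss alone is the right basis for prioritizing a rare, catastrophic event.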

Along with the standard site map, tab and search functionality, this site also uses a sequential organization for most of its pages: just hit "Next" at the bottom of each page. You can also jump ahead to one of the three primary sections:

  1. Introduction to Risk - Risk 101 - A discussion of the fundamental principles and components of operational risk.
  2. Simple Risk Model - An introduction to the Simple Risk Model and how it addresses deficiencies in existing approaches to assessing operational risk.
  3. Operational Risk Framework - This site also provides a simplified Framework (based on Assess, Control, Monitor and Respond) to guide the risk manager through the process of identifying and prioritizing risk, implementing effective controls, monitoring the operating environment to identify control deficiencies and responding to those deficiencies.