Simple Risk Model – Overview

The following is a summary of the individual components of the Simple Risk Model. A detailed
explanation of the Simplified Operational Risk Assessment Model (“Simple Risk Model”) is available at
www.simpleriskmodel.com. An automated version of the Model is available as an Excel spreadsheet.
"Risk" is the possibility that something of value will suffer harm or loss. The amount of risk can be
determined by estimating the Likelihood that a harmful event will occur and the Impact or loss that
would result from the event. Once the amount of Risk is established, the organization can then decide
whether existing Controls are adequate.
Likelihood and Impact, as they are applied within Operational Risk, can be broken down as follows:
1) Cost – The amount of potential losses that a business could suffer from a negative or harmful
event (sometimes referred to as Impact or Criticality). The simplest and most effective way of
measuring Cost is to identify the potential monetary loss or Financial Exposure to the
organization. The assumption is that the greater the potential losses, the greater the importance,
criticality or impact of the process.
a) Financial Exposure is the estimated loss from a single event (Amount) multiplied by
the assumed Frequency with which the event may occur during a one year period, i.e. the
Annualized Loss Expectancy or “ALE” (ALE = Amount × Frequency).
V. 2.01
b) Since there is little historical operational risk data available that can be used to make accurate
Financial Exposure estimates, the Simple Risk Model adds two other components to the Cost
assessment process to guide management through the potential areas that could suffer harm.
i) Scope - A harmful event within an organization will likely affect one or more of the
following three elements:
(1) Confidentiality – The ability to control or restrict access to sensitive information so
that only authorized individuals can view the data.
(2) Integrity – The ability to assure the accuracy and reliability of data and that the data
has not been subtly changed or tampered with by an unauthorized party.
(3) Availability – The data and systems are available for use when needed by the
organization or its customers.
ii) Type – If there is a loss of Confidentiality, Integrity or Availability (“CIA”), it will likely be
evidenced by a loss in one or more of the following areas:
(1) Franchise – Loss of reputation or market share or negative publicity
(2) Customer – Disruption of service, disclosure of confidential information, or loss of
customer accounts
(3) Legal/Regulatory – Restrictions on business practices, fines, or criminal prosecution;
high-profile litigation with significant damages
(4) Contracts – Failure to comply with contractual provisions resulting in the payment of
damages and related expenses.
(5) Financial – Loss of income, assets, opportunity, or restatement of accounts
2) Probability (Likelihood) – The possibility that a harmful event will occur. Likelihood is a
function of the Vulnerabilities in an organization’s systems and processes and the presence
of Threats that can exploit those Vulnerabilities.
a) Vulnerabilities – Defects in, or the absence of, Controls that create the potential for harm
to an organization. Vulnerabilities are a function of the status of the existing Controls, the
difficulty of exploiting defects in those Controls (“Limitations”), the extent of the harm if a
Control fails (“Scope”) and whether the organization is able to insure or otherwise assign
the risk of harm from a failed Control (“Assignment/Insurance”). The Simple Risk Model
uses several subcomponents of Vulnerabilities to assist in the assessment process and add
granularity.
i) Controls – Controls are the primary tools available to the organization to mitigate the level
of Risk. There are essentially three types of Controls:
(1) Preventive - These are controls that prevent the loss or harm from occurring. For
example, a control that enforces segregation of responsibilities (one person can submit a
payment request, but a second person must authorize it), minimizes the chance an
employee can issue fraudulent payments.
(2) Detective - These controls monitor activity to identify instances where practices or
procedures were not followed. For example, a business might reconcile the general
ledger or review payment request audit logs to identify fraudulent payments.
(3) Corrective - Corrective controls restore the system or process back to the state prior to
a harmful event. For example, a business may implement a partial restoration of a
database from backup tapes after evidence is found that someone has improperly
altered the payment data.
ii) Effectiveness and Efficiency – The value of a Control is directly dependent on its
effectiveness and efficiency:
(1) Effective - Effectiveness measures whether the Control provides an acceptable level of
risk mitigation to the organization.
(2) Efficient - Efficiency measures the cost of maintaining the Control compared to the
potential loss if the Control were to fail.
iii) Scope – In order to measure the effect from a Control failure, you need to correlate the
Scope of the Control (does the Control mitigate the Risk from the loss of Confidentiality,
Integrity or Availability) with the Impact of the process (how important is a loss of
Confidentiality, Integrity or Availability to the process).
iv) Limitations – The value of a Control, especially with respect to technology controls, is also
affected by the resources required to exploit any defects and the level of privilege achieved
if the exploit is successful:
(1) Complexity - How difficult is it to exploit the Control? In effect, the greater the
complexity involved in breaking the Control, the less likely the Control will be exploited.
(2) Access - What level of access to the Control is required for an exploit to be successful?
Is the Control freely accessible on the Internet or is the Control protected within a
guarded data center? How many people (potential Threats) could reach the Control
with the resources reasonably available to them?
(3) Privilege - Assuming the Threat can overcome the challenges of Complexity and
Access, what level of Privilege will the Threat achieve?
v) Assignment/Insurance – Can the risk of harm be assigned to another person or
business, or can the organization obtain insurance to cover the potential losses?
b) Threats - A Threat is a person or natural event that can exploit a defect in a Control. A Threat
is the actor in the Risk equation, the person or thing that causes the loss: the Threat agent.
Since it is difficult to assess or predict the actions of people or acts of God (i.e. external
events), the Simple Risk Model breaks these agents down into smaller components to assist
in analysis.
i) People can act intentionally or unintentionally (i.e. commit an error) to cause harm:
(1) Unintentional Acts or Errors – The risk that an employee, vendor, etc.
unintentionally fails to follow an established process or control.
(2) Intentional Acts – The risk from intentional acts to cause harm is dependent on the
Source or type of person and their Capability to cause harm
(a) Source – Note that the following people and entities have varying motivations,
experience and resources
(i) Employee
(ii) Hacker
(iii) Criminal
(iv) Protestor
(v) Terrorist
(vi) Government
(b) Capability – The capability of a person or entity to cause harm is dependent on the
following factors:
(i) Motivation
(ii) Experience
(iii) Resources
(iv) Prevalence
ii) Natural or External Events - Natural disasters and other emergencies that confront the
organization (the realm of Business Continuity Planning or BCP).
(1) Types of External Events include:
(a) Hurricanes (consider the various categories on the Saffir-Simpson Scale)
(b) Earthquakes (consider the possible magnitude categories on the Richter Scale)
(c) Tornadoes
(d) Lightning
(e) Snow
(f) Flooding (consider various sources for the flooding from a storm, to sewage backup,
to ruptured water mains, to an accidental discharge of the fire suppression system)
(g) Fire (fire within the building that damages property and fire in nearby locations that
disrupts access to the building)
(h) Disease (consider threat of pandemics)
(i) Disruption of utilities (lack of electricity, phone, network, water for drinking or fire
suppression, sewage, transportation and other utility services)
(j) Environmental hazards (chemical spills, pollution of air or water, etc.)
(k) Civil disruption (war, rioting, revolution, protests, vandalism, terrorism, etc.)
(2) The risk of a threat from an External Event is prioritized based on the following three
factors:
(a) Frequency of occurrence. How frequently does the Type of External Event occur
at the location?
(b) Duration of the outage. If the External Event were to occur, how long would the
applicable process be unavailable to the business?
(c) Loss to Capital Assets. In addition to the potential losses to the business from the
process being unavailable, what additional expenses would be incurred due to
damage to buildings, technology, etc. and the cost of invoking the business
continuity plan?
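The quantitative parts of the outline above (Financial Exposure as Amount × Frequency under 1.a, the Efficiency test for a Control under 2.a.ii, and the three external-event factors under 2.b.ii) fit in a few lines of arithmetic. The following is an added worked example in Python; it is not the Simple Risk Model spreadsheet or any code from simpleriskmodel.com, and every dollar figure, frequency and control name in it is constructed for illustration. It also generalizes slightly beyond the text: the external-event factors are folded into the same ALE form by treating outage loss plus capital-asset loss as the per-event Amount, and a Control is judged Efficient when the annual loss it avoids exceeds its annual cost (the document states the comparison but not the inequality, so that threshold is an assumption).

```python
"""Worked Simple Risk Model arithmetic (added example, not the model's own tooling).

All Amounts, Frequencies and costs below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One harmful event in the risk register."""
    name: str
    amount: float      # estimated loss from a single event ("Amount")
    frequency: float   # assumed occurrences per year ("Frequency")

    def ale(self) -> float:
        """Financial Exposure / Annualized Loss Expectancy = Amount x Frequency."""
        return self.amount * self.frequency


@dataclass(frozen=True)
class Control:
    """A candidate Control and the Frequency assumed to remain once it is in place.

    Assumption: a Preventive Control is modelled as lowering Frequency; a
    Corrective Control would more naturally lower Amount, but the arithmetic
    is identical.
    """
    name: str
    annual_cost: float
    residual_frequency: float


def control_net_benefit(risk: Risk, control: Control) -> float:
    """Efficiency: annual loss avoided by the Control minus its annual cost."""
    residual = Risk(risk.name, risk.amount, control.residual_frequency)
    return risk.ale() - residual.ale() - control.annual_cost


def control_is_efficient(risk: Risk, control: Control) -> bool:
    """Assumed threshold: the Control pays for itself within the year."""
    return control_net_benefit(risk, control) > 0.0


def external_event_ale(frequency_per_year: float, outage_hours: float,
                       loss_per_hour: float, capital_loss: float) -> float:
    """External-event factors (Frequency, Duration, Loss to Capital Assets) in ALE form.

    Per-event Amount = outage loss (Duration x hourly loss) + capital-asset loss.
    """
    return frequency_per_year * (outage_hours * loss_per_hour + capital_loss)


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Order the register by Financial Exposure, largest first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample register (not real loss data).
FRAUD = Risk("fraudulent payment", amount=50_000.0, frequency=0.5)
RANSOMWARE = Risk("ransomware outage", amount=200_000.0, frequency=0.1)
LAPTOP = Risk("lost laptop with customer data", amount=5_000.0, frequency=3.0)
REGISTER = [LAPTOP, RANSOMWARE, FRAUD]

# Two Preventive Controls for the fraud risk: dual authorization of payment
# requests (the segregation-of-duties example from the outline) versus a
# deliberately over-priced alternative, to show the Efficiency test rejecting one.
DUAL_AUTH = Control("second-person payment authorization", annual_cost=8_000.0,
                    residual_frequency=0.05)
GOLD_PLATED = Control("outsourced payment review service", annual_cost=30_000.0,
                      residual_frequency=0.05)


if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.name:35s} ALE = {r.ale():>10,.0f}")
    for c in (DUAL_AUTH, GOLD_PLATED):
        print(f"{c.name:35s} net benefit = {control_net_benefit(FRAUD, c):>10,.0f}"
              f"  efficient={control_is_efficient(FRAUD, c)}")
    print(f"flooding (0.1/yr, 48h outage, $2,000/h, $150,000 capital) ALE = "
          f"{external_event_ale(0.1, 48, 2_000.0, 150_000.0):,.0f}")
```

Run as a script it prints the register ranked by ALE, the net benefit of each Control against the fraud risk, and the annualized exposure from the flooding scenario. The point worth noticing is that both Controls reduce the fraud ALE by the same amount; only the cheaper one passes the Efficiency test, which is exactly the comparison 2.a.ii.(2) asks for.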