Proving the need for GRC improvements
Joe Wilson
Constructing an ROI business case for GRC is tough, but it can get you budget.
What follows is an approach to calculating Annualized Loss Expectancy. While a bit of a scare tactic (FUD: fear, uncertainty and doubt), it is a legitimate approach. It can help with senior management if presented in terms of protecting profitability.
Annualized Loss Expectancy (ALE) is the monetary loss expected for an asset due to a risk during one year. ALE is the Annualized Rate of Occurrence (ARO) times the Single Loss Expectancy (SLE):
Annualized Loss Expectancy (ALE) = Annualized Rate of Occurrence (ARO) x Single Loss Expectancy (SLE)
Use Annualized Loss Expectancy in a cost-benefit analysis. If a risk’s ALE is $5,000, it is not worth spending $10,000/year to eliminate it. If your ALE is $25,000 then a $15,000 preventive measure is compelling.
Please remember when using the ALE that when the Annualized Rate of Occurrence is on the order of one loss per year, there can be considerable variance in the actual loss. For example, suppose the ARO is 0.5 and the SLE is $10,000. The Annualized Loss Expectancy is then $5,000, a figure you may be comfortable with. Using the Poisson distribution we can calculate the probability of a specific number of losses occurring in a given year:
[Table: Number of Losses versus probability for a year, Poisson distribution with mean 0.5]
The table shows the probability of a loss of $20,000 (two occurrences) is 0.0758, and the probability of losses being >$30,000 is approximately 0.0144. Depending upon our risk tolerance and our organization’s ability to withstand higher value losses, we may consider that a measure which costs $10,000 per year to implement is worthwhile, even though it costs more than the expected losses due to the threat.
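The Poisson calculation behind the table, as an added example that is not part of the original post. It takes the post's ARO of 0.5 and SLE of $10,000, reproduces the per-count probabilities, and adds a tail check (probability that the year's total loss reaches a given threshold) plus a decision rule combining ALE with a tolerance for that tail. The threshold and tolerance values are constructed for illustration; the post's "approximately 0.0144" corresponds to three or more occurrences, which is what the tail function computes for a $30,000 threshold.

```python
from math import ceil, exp, factorial

# Inputs taken from the post's worked example
ARO = 0.5          # expected loss events per year
SLE = 10_000       # dollars lost per event


def poisson_pmf(k: int, mean: float) -> float:
    """Probability of exactly k events in a year when the expected count is `mean`."""
    return exp(-mean) * mean ** k / factorial(k)


def loss_table(aro: float, sle: float, max_events: int = 5) -> list[tuple[int, float, float]]:
    """Rows of (number of losses, total dollar loss, probability), like the post's table."""
    return [(k, k * sle, poisson_pmf(k, aro)) for k in range(max_events + 1)]


def prob_loss_at_least(aro: float, sle: float, threshold: float) -> float:
    """Probability that the year's total loss is at least `threshold` dollars.

    With one SLE per event, reaching the threshold needs ceil(threshold / sle)
    events; the tail is 1 minus the probability of fewer events than that.
    """
    events_needed = ceil(threshold / sle)
    return 1.0 - sum(poisson_pmf(k, aro) for k in range(events_needed))


def control_justified(aro: float, sle: float, control_cost: float,
                      tail_threshold: float, tail_tolerance: float) -> bool:
    """Decision rule: fund the control if it costs no more than the ALE, or if the
    chance of a loss at or above `tail_threshold` exceeds what we will tolerate.

    `tail_threshold` and `tail_tolerance` are risk-appetite inputs the assessor
    chooses; the values used in __main__ below are constructed for illustration.
    """
    ale = aro * sle
    tail = prob_loss_at_least(aro, sle, tail_threshold)
    return control_cost <= ale or tail > tail_tolerance


if __name__ == "__main__":
    for k, loss, p in loss_table(ARO, SLE):
        print(f"{k} losses  ${loss:>8,.0f}  p = {p:.4f}")
    print(f"P(loss >= $30,000) = {prob_loss_at_least(ARO, SLE, 30_000):.4f}")
    # Constructed appetite: we will not accept more than a 1% chance of losing $30,000+
    print("Fund $10,000/yr control:",
          control_justified(ARO, SLE, 10_000, 30_000, 0.01))
```

On the post's numbers the $10,000 control fails the pure ALE test ($5,000) but passes the tail test, which is exactly the judgement the paragraph above describes.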
Annualized Rate of Occurrence (Definition)
The probability that a risk will occur in a particular year.
For example, if insurance data suggests that a serious fire is likely to occur once in 25 years, then the annualized rate of occurrence is 1/25 = 0.04. If the likelihood is once in 3 years then the ARO moves up to 0.333 which dramatically changes the calculus.
Single Loss Expectancy (Definition)
Single Loss Expectancy (SLE) is the monetary value expected from a single occurrence of a risk on an asset.
Single loss expectancy is expressed as:
Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)
Exposure Factor is the impact of the risk on the asset, expressed as the percentage of the asset lost. For example, if the asset value is reduced by two thirds, the Exposure Factor is 0.67; if the asset is completely lost, the Exposure Factor is 1.0.
The result is a monetary value. Exposure Factor is the subjective, potential percentage of loss to a specific asset if a specific threat is realized. This is a value that the person assessing risk must define.
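The SLE, ARO and ALE formulas chained into a cost-benefit comparison, as an added example that is not part of the original post. It uses the post's fire scenario (one serious fire in 25 years) and its 0.67 exposure factor; the $1,000,000 asset value, the post-control exposure factor of 0.10 and the $15,000 annual control cost are constructed inputs for illustration, not figures from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk against one asset, in the post's terms."""
    asset_value: float          # AV, dollars
    exposure_factor: float      # EF, fraction of AV lost per occurrence (0..1)
    years_between_events: float # recurrence interval, e.g. 25 for "once in 25 years"


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. The exposure factor is a fraction, so reject values outside 0..1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(years_between_events: float) -> float:
    """ARO = 1 / recurrence interval in years (once in 25 years -> 0.04)."""
    if years_between_events <= 0:
        raise ValueError("recurrence interval must be positive")
    return 1.0 / years_between_events


def annualized_loss_expectancy(scenario: Scenario) -> float:
    """ALE = ARO x SLE for the scenario."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    aro = annualized_rate_of_occurrence(scenario.years_between_events)
    return aro * sle


def net_annual_benefit(before: Scenario, after: Scenario, control_cost_per_year: float) -> float:
    """Loss avoided per year by a control, minus what the control costs per year.

    A positive result is the number to put in front of management: the control
    protects more profit than it consumes.
    """
    return (annualized_loss_expectancy(before) - annualized_loss_expectancy(after)) - control_cost_per_year


if __name__ == "__main__":
    # Constructed example: a serious fire once in 25 years, destroying two thirds of a
    # $1,000,000 asset; a $15,000/yr control cuts the exposure factor to 0.10.
    fire = Scenario(asset_value=1_000_000, exposure_factor=0.67, years_between_events=25)
    fire_with_control = Scenario(asset_value=1_000_000, exposure_factor=0.10, years_between_events=25)
    print(f"ALE before control: ${annualized_loss_expectancy(fire):,.0f}")
    print(f"ALE after control:  ${annualized_loss_expectancy(fire_with_control):,.0f}")
    print(f"Net annual benefit: ${net_annual_benefit(fire, fire_with_control, 15_000):,.0f}")
    # Shortening the recurrence interval to 3 years, as the post notes, changes the calculus
    fire_frequent = Scenario(asset_value=1_000_000, exposure_factor=0.67, years_between_events=3)
    print(f"ALE at once in 3 years: ${annualized_loss_expectancy(fire_frequent):,.0f}")
```

The exposure-factor check matters in practice: an assessor who types 67 instead of 0.67 would otherwise produce an SLE sixty-seven times the asset's value and an ALE that no one would believe.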
Next time we will address how to acquire believable data for ALE.