We’ve already done the hard part, as risk is simply derived from LEF and PLM. The question is whether to articulate risk qualitatively using a matrix like the one below, or articulate risk as LEF, PLM, and worst-case. For this exercise, we’ll do both.

Assuming that the matrix below has been ‘approved’ by the leadership of our fictional bank, we can report that the risk associated with this threat community is Medium, based upon a low LEF (between 0.1 and 1 times per year) and a moderate PLM (between $10K and $100K). Furthermore, we can communicate to our decision-makers that worst-case loss could be severe, but that the probability of a worst-case outcome is very low.

In a real analysis, it’s likely that we would evaluate and report on more than one threat community.

A word of caution: Although the risk associated with any single exposure may be relatively low, that same exposure existing in many instances across an organization may represent a higher aggregate risk. Under some conditions, the aggregate risk may increase geometrically rather than linearly. Furthermore, low-risk issues, of the wrong types and in the wrong combinations, may create an environment where a single event can cascade into a catastrophic outcome – an avalanche effect. It’s important to keep these considerations in mind when evaluating risk and communicating the outcome to decision-makers. Subsequent FAIR documentation and training will cover these issues in detail.
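The two steps above, deriving a qualitative rating from an LEF band and a PLM band via an approved matrix, and then checking what happens when the same exposure is repeated across many instances, as an added worked example that is not part of the FAIR article. The band boundaries and every cell of the matrix are constructed for illustration (the article's own matrix is not reproduced here), so only the Low LEF and Moderate PLM ranges quoted in the text are taken from the page; the Poisson treatment of aggregate event probability is likewise an assumption of this example, not a FAIR prescription:

```python
import math

# Added example (not the FAIR article's own code): map Loss Event Frequency (LEF)
# and Probable Loss Magnitude (PLM) onto a qualitative rating via a matrix, then
# show how an exposure repeated across many instances aggregates.
# All band boundaries and matrix cells are CONSTRUCTED for illustration; a real
# analysis uses the matrix approved by the organization's leadership.

# LEF bands in loss events per year: (label, lower bound inclusive, upper bound exclusive)
LEF_BANDS = [
    ("Very Low", 0.0, 0.1),
    ("Low", 0.1, 1.0),          # the article's "between 0.1 and 1 times per year"
    ("Moderate", 1.0, 10.0),
    ("High", 10.0, 100.0),
    ("Very High", 100.0, math.inf),
]

# PLM bands in dollars per loss event
PLM_BANDS = [
    ("Very Low", 0, 1_000),
    ("Low", 1_000, 10_000),
    ("Moderate", 10_000, 100_000),   # the article's "between $10K and $100K"
    ("High", 100_000, 1_000_000),
    ("Very High", 1_000_000, math.inf),
]

# Constructed risk matrix: rows are LEF bands, columns are PLM bands in the order above.
RISK_MATRIX = {
    "Very Low":  ["Low",    "Low",    "Low",    "Medium", "Medium"],
    "Low":       ["Low",    "Low",    "Medium", "Medium", "High"],
    "Moderate":  ["Low",    "Medium", "Medium", "High",   "High"],
    "High":      ["Medium", "Medium", "High",   "High",   "Critical"],
    "Very High": ["Medium", "High",   "High",   "Critical", "Critical"],
}


def band(value, bands):
    """Return the label of the band whose [lower, upper) range contains value."""
    if value < 0:
        raise ValueError("LEF and PLM cannot be negative")
    for label, lo, hi in bands:
        if lo <= value < hi:
            return label
    raise ValueError(f"no band covers {value}")  # unreachable with an inf-capped table


def qualitative_risk(lef, plm):
    """Look up the qualitative rating for an LEF/PLM pair; returns (lef_band, plm_band, rating)."""
    lef_label = band(lef, LEF_BANDS)
    plm_label = band(plm, PLM_BANDS)
    col = [label for label, _, _ in PLM_BANDS].index(plm_label)
    return lef_label, plm_label, RISK_MATRIX[lef_label][col]


def aggregate_lef(lef_per_instance, instances):
    """Linear aggregation: expected loss events per year across all instances."""
    return lef_per_instance * instances


def probability_of_at_least_one(lef_per_instance, instances):
    """Probability of at least one loss event in a year, treating events as
    independent Poisson arrivals (an assumption of this example)."""
    return 1.0 - math.exp(-aggregate_lef(lef_per_instance, instances))


def risk_report(lef, plm, worst_case_loss, instances=1):
    """Assemble what the article says to communicate: the qualitative rating,
    the underlying LEF and PLM, the worst-case magnitude, and the aggregate view."""
    lef_label, plm_label, rating = qualitative_risk(lef, plm)
    agg = aggregate_lef(lef, instances)
    _, _, agg_rating = qualitative_risk(agg, plm)
    return {
        "lef_band": lef_label,
        "plm_band": plm_label,
        "rating": rating,
        "worst_case_loss": worst_case_loss,
        "instances": instances,
        "aggregate_lef": agg,
        "aggregate_rating": agg_rating,
        "p_any_event_per_year": probability_of_at_least_one(lef, instances),
    }


if __name__ == "__main__":
    # Constructed inputs: LEF of 0.5/year, PLM of $40K, worst case $2M,
    # first for one exposure, then for the same exposure on 200 systems.
    print(risk_report(0.5, 40_000, 2_000_000))
    print(risk_report(0.5, 40_000, 2_000_000, instances=200))
```

With the constructed matrix, a single exposure at LEF 0.5 and PLM $40K rates Medium, exactly the Low-by-Moderate cell the article describes; the same exposure on 200 systems aggregates to an LEF of 100 and rates High, which is the linear form of the aggregation caveat above (the geometric and cascading cases the article mentions need a dependency model this example does not attempt).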
