DISASTER RECOVERY JOURNAL (www.drj.com)
RISK ASSESSMENT
Understanding and Communicating Risk Assessment
By HENRY KALT
You have spent dozens of hours with your team listing the events that might cause a disaster
or financial ruin at your company. You have identified the possible
impacts through a business impact analysis. The result is thorough and detailed:
you have lots of valuable information.
But what does it all mean? And how do you present all this great information
to senior management? How do you present risk in a way that
retains your credibility (i.e. so that you are not perceived as crying out, “The
sky is falling”)?
The purpose of this article is to describe a method of organizing
your information in an easy-to-understand format that goes to the heart
of the matter. We begin by applying the model to operational risk,
then expand the model to encompass two other types of risk:
competitive and financial.
Impact and Probability
The two key variables of risk assessment are impact and probability.
Once a specific threat has been identified, say a power outage, what
are the impact and probability of this event?
The question is always relative to your particular institution, since
probability and impact will vary according to your location and your
operations. For example, in some parts of the world, a power outage
is a common occurrence; whereas in others, it is infrequent. For some
businesses, even a momentary power outage can mean disaster, whereas
for others, a few days are not a problem. The ultimate impact –
that is, the dollars lost – is relative to the size of your organization.
Ultimately, risk can be understood to fall into one of four possible
quadrants: 1) low probability – low impact; 2) high probability
– low impact; 3) low probability – high impact; and 4) high
probability – high impact.
Graphing these quadrants helps to visualize the possible effect of a
risk. The scales, though, are relative to your institution. Depending
upon your situation, you may wish to size the quadrants or scales differently
(see Figure 1).

Quantifying your risk is the first step. You must first determine the
probability of an event, such as a power outage, based upon past history.
If you have not been tracking this information, this may prove difficult,
and you may have to contact your local utility company. You can calculate
the probability of major weather events using the information that can
be found on the FEMA Web site (www.fema.org).
Each probability has to be within some delimited time period that is
reasonable. Just about anything can happen if you give it enough time!
A rule of thumb is between one and five years. But it depends on the
particular risk.
In the geographical area of my company, there have been five hurricanes
that have been direct strikes in the last century. The last one was
in 1986. As we get further from that date, the probability gets higher.
Hence in my risk assessment of hurricanes for my company, I adjusted
the time frame accordingly.
The second aspect of quantifying risk is determining impact. If you
have done a business impact assessment, you already have good information
to work from. On the other hand, some risks may not impact your entire
business, or they may impact intangible aspects of your business. However,
if you have had any crises, you will have something to work from for
assessing impact.
You can adjust the impact scale to reflect your company’s risk
tolerance. By setting the high end of the scale to a relatively low
figure in terms of the potential impact of an event, you express what
you believe the company can absorb in terms of loss, rather than the
actual revenue loss that would accompany a disaster.
Thus, probability represents an absolute scale of potential empirical
events while the impact scale is relative to the risk tolerance of the
management, or the ability of a company to absorb a loss.
Mapping Risk: The Quadrants and Their Options
Any threat can be mapped into this risk assessment tool. Once a threat
is identified and mapped, you have assessed the risk. The next question
is: having assessed the risk, what does this mean for your company?
For the most part, businesses will ignore the low probability –
low impact quadrant. The remaining three quadrants fall out into predictable
categories.
High Probability – Low Impact: These are the types of things,
somewhat like losing a light bulb, that are predictable – almost
standard. You know they are going to happen and, as such, procedures
for dealing with them should be documented. Since there is little impact,
the only worry is that the failure might, over time, have a cascade
effect elsewhere.
High Probability – High Impact: These are events that you
truly ought to mitigate, for example, the loss of a CPU or critical
disk drive. The drive should be mirrored and the CPU should be a part
of a cluster. Or, if you live in Tampa, Fla., where there is a very
high incidence of lightning, you will want to have lightning protection.
It should be noted that, if a company’s risk tolerance were low,
more threats would fall into this risk profile.
Low Probability – High Impact: These are the events for which
you plan and test. They aren’t too likely to happen, but you need
to be ready because of the potential impact.
Mapping Risk: Additional Types
So far, we have merely focused upon mapping basic operational risk types.
These are essentially events that derive from nature or the day-to-day
operations of a data center. However, this model and its methodology
can be easily adapted to additional types of risk. We start with competitive
risk.
As with operational risk, businesses will ignore the low probability
– low impact quadrant for competitive risk. The remaining three
quadrants fall out into predictable categories.
High Probability – Low Impact: These are the types of competitive
risk that are predictable – almost standard. Competitors will
continue to improve their products; competitors will try to undercut
your products and services based upon price. As such, events or possible
events with this risk profile should be dealt with through the continuous
improvement of products/prices and services.
High Probability – High Impact: Competitors will come out with
new products and services. As such, companies must meet such threats
with their own new products and services, or have a strategy for doing so.
If a company is very large and the products in that market are simple,
it can wait for others to develop products and then simply imitate.
For example, Coca-Cola recently came out with a new product, lemon-flavored
Diet Coke. Within a matter of months Pepsi came out with the
same thing.
Low Probability – High Impact: These are the events for which
we must have strategic plans – disruptive technologies or hostile
take-overs. They aren’t too likely to happen, but you need to
be ready because of the potential impact.
Another type of risk is financial. As
with operational risk, businesses will ignore the low probability –
low impact quadrant for financial risk. The remaining three quadrants
fall out into predictable categories of risk management instruments.
High Probability – Low Impact: These are the types of financial
risk that are predictable. There are economic cycles and companies need
reserves to weather these cycles. They may be relative to the specific
type of market in which you have products or services, or they may be
global. But, there are always economic downturns. As such, events with
this risk profile should be dealt with through reserves or a “rainy
day” fund.
High Probability – High Impact: These are investment risks that
have a high rate of return but also engender high risk. Hence, one should
have re-insurance or re-insurance-like instruments for such risk. Citigroup
sold a re-insurance device to mitigate the risk of investing in Enron.
These were bonds that paid a rate of return less than the investment
return of Citigroup’s investment in Enron. As long as Enron was
solvent, the bonds paid off, but when it collapsed the bonds stopped
paying. This mitigated Citigroup’s risk in its Enron investment.
Re-insurance is another device for mitigating such risks when a company
sells life insurance, for example. It should be noted that, if a company’s
risk tolerance were low, more threats would fall into this risk profile.
Low Probability – High Impact: These are the events for which
you have insurance, such as business interruption insurance, or re-insurance
if your product is insurance. Poor actuarial experience is unlikely,
but you need to be ready because of the potential impact.
Mapping Risk: Assigning Control Categories to Each Quadrant
Another advantage of presenting risk in this quadrant format is that
it lends itself to a simple categorization of controls (see Figure 2).

High Probability – Low Impact: Risks that fall into this quadrant
will have to be dealt with frequently and therefore should be a part
of normal operations. Such threats should not impact daily operations
– daily operations should anticipate and react to these events
as a part of their normal jobs.
High Probability – High Impact: Unquestionably any threat that
falls into this category should be mitigated. This may mean additional
hardware or software, changes in back-up strategies or other tactical
implementations. This is where your budget dollars should be spent.
Low Probability – High Impact: These are risks that, while not
likely, would have a severe impact. This is exception processing. These
are risks your organization should be prepared for through planning.
Since they are unlikely, you may not want to necessarily mitigate through
extensive physical controls – such as an additional “mirrored”
data center. The cost simply does not justify the perceived benefit
since the probability is low.
Low Probability – Low Impact: Don’t worry about it! And
don’t bother listing such risks either since you will be wasting
the time of your superiors.
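As an added example (not code from the article or its author), the following Python risk register applies the method from the Impact and Probability section and the control categories from the section above: each threat gets a probability over a stated time horizon, an impact judged relative to the loss management can absorb, a quadrant, and the matching control category, with low probability – low impact threats left off the list. The conversion of historical event counts to a horizon probability (a Poisson model), the cutoffs, and the sample threats are assumptions of this example.

```python
from dataclasses import dataclass
from math import exp
# Control category the article assigns to each (probability, impact) quadrant.
CONTROLS = {
    ("low", "low"): "ignore and do not list",
    ("high", "low"): "normal operations with documented procedures",
    ("high", "high"): "mitigate with hardware, software or backup changes",
    ("low", "high"): "plan and test as exception processing",
}

@dataclass
class Threat:
    name: str
    events: int           # occurrences seen in the history window
    history_years: float  # length of that history window
    loss_usd: float       # estimated loss if the event occurs once

def probability(t: Threat, horizon_years: float) -> float:
    """Chance of at least one occurrence within the assessment horizon, assuming
    events arrive at the historical rate (a Poisson model; this example's assumption)."""
    rate = t.events / t.history_years
    return 1.0 - exp(-rate * horizon_years)

def assess(t: Threat, horizon_years: float, prob_cutoff: float, tolerance_usd: float):
    """Return (probability, quadrant, control) for one threat."""
    p = probability(t, horizon_years)
    prob_band = "high" if p >= prob_cutoff else "low"
    # Impact is relative: the high end of the scale is the loss management can absorb.
    impact_band = "high" if t.loss_usd >= tolerance_usd else "low"
    return p, (prob_band, impact_band), CONTROLS[(prob_band, impact_band)]

def build_register(threats, horizon_years=1.0, prob_cutoff=0.5, tolerance_usd=250_000):
    """Register for management; low/low threats are dropped, as the article advises."""
    register = []
    for t in threats:
        p, quadrant, control = assess(t, horizon_years, prob_cutoff, tolerance_usd)
        if quadrant == ("low", "low"):
            continue
        register.append({"threat": t.name, "probability": round(p, 3), "control": control,
                         "quadrant": f"{quadrant[0]} probability / {quadrant[1]} impact"})
    return register

# Constructed sample threats, not data from the article.
SAMPLE = [
    Threat("power flicker", events=12, history_years=2, loss_usd=5_000),
    Threat("critical disk failure", events=3, history_years=2, loss_usd=400_000),
    Threat("hurricane direct strike", events=5, history_years=100, loss_usd=3_000_000),
    Threat("break-room coffee machine outage", events=1, history_years=5, loss_usd=200),
]
```

With a five-year horizon (the upper end of the article's rule of thumb) the hurricane probability rises to about 0.22, which is why the chosen time period has to be stated alongside each probability.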
Summary
There are a number of key variables that will be determined by the specific
location, economics, psychology and business context of an institution
with respect to a risk assessment of the potential threats to that institution.
Working through the risk assessment process in a systematic manner will
not only reveal risks but suggest ways of managing those risks as well.
Henry Kalt is the director of business continuity and disaster recovery
for Oxford Health Plans, Inc. He has published articles in a variety of
areas including hermeneutics and psychoneuroimmunology. He can be reached
at hkalt@oxhp.com.
©Copyright 2003 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of System Support Inc. is prohibited.