Risk Measurement
Getting Down to Business
In a business context, risk is "exposure to the chance of loss".

Key words are exposure, chance and loss.

So, if you jump out of a high-flying airplane without a parachute, there is no risk: you
are going to die. No chance is involved; death is a 100% certainty.
Risk has three component parts:
  there must be a threat (that's the exposure)
  there has to be a chance that the threat actually will occur
  there has to be something to lose (that's the loss)
Professional Engagements
Financial Services
Developed implementation specifications for Service Provider
(third party) Risk Assessment. This was especially interesting:
dividing the providers into the various services they deliver, the
services into the various providers delivering them, and then mapping
both onto the bank's business hierarchy. Business units responded to a
survey, as did the service providers, and the responses were
quantitatively measured. This provided a view of third party
concentration, the duplication of services and the risk measures
associated with each service, each provider and each business unit.
Aggregation up the business hierarchy followed directly.
Developed specifications for Application Software Risk
Assessment. Application owners responded to a survey, SMEs from
Info Security, DBMS, audit, BCP, etc. gave their opinions, and the
responses and SME opinions were quantified. Application risk was
determined as a relative numeric value, and aggregation to the
business units utilizing the Application followed.
Provided a risk measurement algorithm for the business and process
hierarchy. In this model, the business and process hierarchies are
defined as:

(diagram of the business and process hierarchies not reproduced in this text)

The RCSA (Risk and Control Self-Assessment) was performed at the
Functional Process Level, inheriting risk measures downward toward the
Resources. Likelihoods of events (process/people failures) are assessed
at the Resource level. Inheritance is captured through a process we
named "aggregation in context", meaning that each risk measure is
tracked both as a quantity and as to its origin. Measures from
identical origins are not summed; their maximum contribution is taken,
so a resource that serves several processes is not counted once per
process on the way up the hierarchy.
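The roll-up described above, as an added illustration rather than code from the engagement: a small hierarchy of business unit, functional processes and resources, where every measure carries its origin and a shared resource is kept at its maximum contribution instead of being summed once per path. The dependence weights on the edges, the node names and the scores are constructed assumptions for the example; the origin-blind roll-up is included only to show the double counting that aggregation in context avoids.

```python
"""Aggregation in context: roll risk measures up a business/process hierarchy
while tracking each measure's origin, so a shared resource is counted once
(at its maximum contribution) instead of once per path it reaches the top by.
Added illustration; not the engagement's code. Names, weights and scores
are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Node:
    """A business unit, functional process or resource in the hierarchy."""
    name: str
    # Measures that originate here, keyed by origin id. Resources carry the
    # likelihood-driven measures; a process could carry its RCSA finding.
    own_measures: Dict[str, float] = field(default_factory=dict)
    # (child, dependence weight): how strongly this node relies on the child.
    # The weight is an assumption of this example, used to scale inherited values.
    children: List[Tuple["Node", float]] = field(default_factory=list)


def aggregate_in_context(node: Node) -> Dict[str, float]:
    """Return origin -> contribution at `node`.

    Each child's measures are scaled by the dependence weight and merged.
    When the same origin arrives by several paths (a shared resource),
    its maximum contribution is kept rather than the sum.
    """
    context: Dict[str, float] = dict(node.own_measures)
    for child, weight in node.children:
        for origin, value in aggregate_in_context(child).items():
            scaled = value * weight
            context[origin] = max(context.get(origin, 0.0), scaled)
    return context


def risk_score(node: Node) -> float:
    """Total risk at `node`: sum over distinct origins of their max contribution."""
    return sum(aggregate_in_context(node).values())


def naive_sum(node: Node) -> float:
    """Origin-blind roll-up, for comparison: shared resources are double counted."""
    total = sum(node.own_measures.values())
    for child, weight in node.children:
        total += weight * naive_sum(child)
    return total


def build_sample() -> Node:
    """Constructed hierarchy: one unit, two processes, one DB server shared by both."""
    core_db = Node("core-db-server", {"core-db-server": 8.0})
    payroll = Node("payroll", children=[
        (core_db, 1.0),                                            # fully dependent
        (Node("payroll-staff", {"payroll-staff": 3.0}), 1.0),
    ])
    billing = Node("billing", children=[
        (core_db, 0.5),                                            # partly dependent
        (Node("billing-app", {"billing-app": 5.0}), 1.0),
    ])
    return Node("operations", children=[(payroll, 1.0), (billing, 1.0)])


if __name__ == "__main__":
    ops = build_sample()
    for origin, value in sorted(aggregate_in_context(ops).items()):
        print(f"{origin:16s} {value:5.1f}")
    print("in-context score:", risk_score(ops))   # 16.0: core-db counted once, at 8.0
    print("naive sum       :", naive_sum(ops))    # 20.0: core-db counted at 8.0 and 4.0
```

At the process level the two views agree (payroll 11.0, billing 9.0); the difference appears only where the paths merge, which is exactly where an origin-blind sum starts overstating the unit's exposure.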
Manufacturing
A microchip manufacturer had encountered a situation where
an industrial accident caused a plant shutdown for several
weeks. Although other facilities owned by this manufacturer could
have taken over the bulk of the orders, there was no mechanism
for inserting the waiting orders into the operational facilities.

The manufacturer asked for a risk analysis of catastrophic events
that could disable or impede any of their worldwide facilities. The
analysis used Extreme Value Theory, applied to a series of
vulnerabilities: weather, political environment, labor, procedures,
facilities, infrastructure, etc. The analysis was coupled with a
Business Continuity Plan, also described on this website.
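The page names Extreme Value Theory without showing it, so here is an added illustration of the block-maxima form of the technique; it is not the engagement's model. It assumes one observation per facility per year (that year's worst outage, in days), a Gumbel distribution for those annual maxima, and a method-of-moments fit so no external libraries are needed. The two plant histories are constructed, and chosen so that the plant with the lower average downtime carries the larger 1-in-50-year tail, which is the point an average-based analysis would miss.

```python
"""Block-maxima extreme value analysis of facility downtime.

Added illustration of the Extreme Value Theory the page names; it is not the
engagement's model. Assumptions: one observation per facility per year (the
worst outage that year, in days), a Gumbel distribution for the annual maxima,
and a method-of-moments fit. Plant histories below are constructed."""
import math
from typing import Dict, List, Tuple

EULER_GAMMA = 0.5772156649015329  # mean of the standard Gumbel distribution


def fit_gumbel(block_maxima: List[float]) -> Tuple[float, float]:
    """Fit a Gumbel distribution to block maxima; returns (location mu, scale beta).

    Method of moments: beta = sqrt(6) * s / pi and mu = mean - gamma * beta,
    where s is the sample standard deviation of the maxima.
    """
    n = len(block_maxima)
    if n < 2:
        raise ValueError("need at least two block maxima")
    mean = sum(block_maxima) / n
    var = sum((x - mean) ** 2 for x in block_maxima) / (n - 1)
    beta = math.sqrt(6.0 * var) / math.pi
    mu = mean - EULER_GAMMA * beta
    return mu, beta


def return_level(mu: float, beta: float, years: float) -> float:
    """Downtime (days) exceeded on average once every `years` years."""
    if years <= 1.0:
        raise ValueError("return period must be longer than one block")
    non_exceedance = 1.0 - 1.0 / years
    return mu - beta * math.log(-math.log(non_exceedance))


def exceedance_probability(mu: float, beta: float, level: float) -> float:
    """Probability that a single year's worst outage exceeds `level` days."""
    return 1.0 - math.exp(-math.exp(-(level - mu) / beta))


def rank_facilities(histories: Dict[str, List[float]],
                    years: float) -> List[Tuple[str, float]]:
    """Rank facilities by their `years`-year return level, worst first."""
    levels = []
    for name, maxima in histories.items():
        mu, beta = fit_gumbel(maxima)
        levels.append((name, return_level(mu, beta, years)))
    return sorted(levels, key=lambda item: item[1], reverse=True)


# Constructed sample: annual worst weather outage, in days, for two plants.
# Plant B looks calmer on average but has one very bad year in its record.
SAMPLE_HISTORIES: Dict[str, List[float]] = {
    "plant-A": [2.0, 4.0, 6.0, 8.0, 10.0],
    "plant-B": [1.0, 1.0, 1.0, 1.0, 11.0],
}

if __name__ == "__main__":
    for name, maxima in SAMPLE_HISTORIES.items():
        mu, beta = fit_gumbel(maxima)
        print(f"{name}: mean {sum(maxima) / len(maxima):.1f} d, "
              f"1-in-50-year outage {return_level(mu, beta, 50):.1f} d")
    print("worst first:", rank_facilities(SAMPLE_HISTORIES, 50))
```

With five years of data per plant the fitted tail is only as good as the record behind it, which is why such an analysis is normally fed with the longest history available and with the other vulnerability classes the page lists treated as separate series rather than folded into one.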
Clients
Major bank (the three Financial Services engagements above)
Microchip manufacturer (the Manufacturing engagement above)