The RiskLens platform and the FAIR model can be equally applied to information security risk – say the release of sensitive materials in a data breach – and operational risk – say the release of hazardous materials due to equipment failure. Likelihood of loss events happening, remediation costs, fines and judgments – the types of data and forms of analysis are essentially the same in the digital or physical worlds. In this case study, RiskLens consultant Christina Dulovich tells how a utility company saw its way clear to the most cost-effective solution to the risk at an aging power plant.
A utility company with over $20B in total assets needed to understand their risk exposure related to a structure failure that would potentially leak hazardous material from an older plant into the surrounding environment. This utility company, like many others, has to put safety first and ensure that their processes are functioning properly.
Executive management was faced with the challenge of deciding the best option between the following:
These different options all have vastly different costs, effort to implement, and benefits.
The organization’s conventional, qualitative approach to risk rankings could not meaningfully enable decision making by executive management. In order to answer these questions, the organization needed to start communicating risk using the method best understood by business stakeholders: dollars and cents.
The RiskLens platform combines an intuitive workflow process for scoping and data collection with a sophisticated analytics engine based on Factor Analysis of Information Risk (FAIR), the industry standard for risk quantification.
We began by focusing our analysis on the amount of risk associated with a leak at the plant large enough for the material to escape into the environment. The analysts used the simple scoping capability within RiskLens to rapidly determine which data points were necessary for the analysis, effectively reducing their workload by removing research into data that did not ultimately support quantifying risk.
The analysis collected data through structured workshop questions on key risk and control factors including specifics about the containers holding the material, layout of the plant, existence of monitoring tools (both human and electronic), likely amount of material to physically escape the plant, and resources required to respond to the leak. The analysis also took into account fines that could be imposed by regulators.
Inevitably, the estimates used to calculate risk carry a degree of uncertainty, because they are forward-looking estimates of the frequency and magnitude of future events. To account for this uncertainty, all inputs into the RiskLens platform are made in the form of distributions with ranges that are accurate with a useful degree of precision.
Over the course of a three-day period, the organization was able to efficiently produce both high level reporting and detailed results describing, in financial terms, the effect of a leak of hazardous material from the plant.
Figures 1 & 2 illustrate the loss exposure materialized across several categories that incorporate incident response efforts, regulatory fines, costs of replacement of natural resources, and response efforts to the environment and persons affected by the leakage. The tabular data communicated the varying ranges of probable outcomes.
The powerful versioning capability of the RiskLens platform allows analyses of probable future states to be rapidly performed. In this scenario, the analysts leveraged the versioning capability to make several “what if” adjustments to the analysis of the current state to model future state risk in the event that either an entire plant upgrade or installation of a reactive sealant control were completed.
These comparisons were used to generate cost-benefit analysis reports that provided the organization with tangible data to make a decision on the type of control to implement. The results were telling – one type of investment clearly outweighed the other in terms of cost vs benefit.
Figure 3 compares the loss exposure for the current state environment and either of the two controls against each investment cost. Current state loss exposure (average) was $11.4M should the leak occur – with a 2% chance of the leak occurring in a given year.
Restructuring the plant with upgraded equipment did not decrease the magnitude of the event, but did decrease the likelihood of the leak occurring in a given year to 0.5%, driven primarily by the state-of-the-art equipment being less vulnerable to leaks, thereby reducing the frequency of the loss event. This option requires a large investment – with a price tag of roughly $10M.
The more significant impact was the $7.5M per-event risk reduction from installing the physical sealant, which was driven primarily by the reduction in the magnitude of the event if it were to occur. Installing the sealant reduced the volume of oil that could escape the plant, decreasing the costs related to clean-up, restoration, fines and judgments, response, etc. This option additionally has a much smaller investment cost in comparison to upgrading the entire plant – with roughly a $1K price tag.
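To show how the cost-benefit comparison above follows from the FAIR factors, here is an added illustration (not RiskLens code) that computes annualized loss exposure, risk reduction and payback for the three states using the point estimates quoted in the case study, and then samples the current state from constructed (min, most likely, max) ranges to show how distribution inputs express uncertainty. The ranges, the Bernoulli treatment of a rare event and the function names are my assumptions.

```python
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    lef: float        # loss event frequency: probability of a leak in a given year
    magnitude: float  # average loss magnitude per leak, in dollars
    cost: float       # one-time investment cost of the option, in dollars


def annualized_loss(s: Scenario) -> float:
    """FAIR annualized loss exposure = loss event frequency x loss magnitude."""
    return s.lef * s.magnitude


def annual_risk_reduction(current: Scenario, option: Scenario) -> float:
    """Annualized exposure removed by choosing `option` over `current`."""
    return annualized_loss(current) - annualized_loss(option)


def payback_years(current: Scenario, option: Scenario) -> float:
    """Years of risk reduction needed to recover the option's investment."""
    reduction = annual_risk_reduction(current, option)
    return float("inf") if reduction <= 0 else option.cost / reduction


def simulate_annual_loss(lef_range, mag_range, trials=100_000, seed=7):
    """Monte Carlo over (min, most likely, max) triangular ranges. A leak is
    rare (well under one per year), so one Bernoulli draw per simulated year
    is adequate. Returns (mean annual loss, fraction of years with a leak)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = rng.triangular(lef_range[0], lef_range[2], lef_range[1])
        mag = rng.triangular(mag_range[0], mag_range[2], mag_range[1])
        losses.append(mag if rng.random() < lef else 0.0)
    return sum(losses) / trials, sum(1 for x in losses if x > 0) / trials


# Point estimates from the case study: 2%/yr at $11.4M average; the upgrade
# cuts frequency to 0.5% for ~$10M; the sealant cuts magnitude by $7.5M for ~$1K.
CURRENT = Scenario("current state", 0.02, 11_400_000, 0)
UPGRADE = Scenario("plant upgrade", 0.005, 11_400_000, 10_000_000)
SEALANT = Scenario("reactive sealant", 0.02, 11_400_000 - 7_500_000, 1_000)

if __name__ == "__main__":
    for opt in (UPGRADE, SEALANT):
        print(f"{opt.name}: ALE ${annualized_loss(opt):,.0f}/yr, reduction "
              f"${annual_risk_reduction(CURRENT, opt):,.0f}/yr, payback "
              f"{payback_years(CURRENT, opt):,.1f} years")
    # Constructed symmetric ranges so the triangular means equal the point values.
    mean, frac = simulate_annual_loss((0.01, 0.02, 0.03), (8.0e6, 11.4e6, 14.8e6))
    print(f"current state: simulated mean ${mean:,.0f}/yr, leak in {frac:.1%} of years")
```

Note that the upgrade removes more annualized exposure than the sealant, yet its payback runs to decades while the sealant pays for itself within the first year, which is the cost-versus-benefit gap Figure 3 makes visible.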
Through the use of the RiskLens platform, for the first time, the analyst team could report cost-benefit results to executive management that were actionable, using the financial language that decision-makers expect.