Can RiskLens risk quantification with FAIR™ (Factor Analysis of Information Risk) analyze operational risk as well as cyber and technology risk? That was the challenge posed to us by a multinational company recently. They asked us to show them their probable risk and make some recommendations on reducing loss exposure at their facilities from:
- Carrier strike
- Power outage
- Employee error
Rob Eslinger is a Risk Transformation Advisor for RiskLens
That list of perils may seem like a totally unrelated run of bad luck, but with the RiskLens/FAIR methodology they can all be analyzed as loss-event scenarios with a quantifiable frequency of occurrence and magnitude of financial impact, based on data from the organization’s records or industry data curated by RiskLens.
Setting Up the Risk Analysis
We always start by scoping our scenarios to focus the analysis work tightly, and in this case we focused on one facility as a proxy for all of them. To simplify further, we realized that all the scenarios, cyber or not, were one type, Loss of Availability for a facility, so we could use the same impact model for all. That meant we could greatly speed up analysis with the Data Helpers and Asset Library on the RiskLens platform: data was entered once and used consistently to feed all the risk scenarios for this facility.
For impact data, we relied on company records to calculate the facility’s contribution to daily revenue as a basis to quantify the productivity that would be lost in a facility outage. Realistically, shorter outages would lead to deferred revenue, not necessarily a 100% loss. But as the outage time increases, that ratio starts to shift. With the capabilities of Data Helpers, we can model scaled loss figures based on the length of the outage, enabling us to understand the impact of events with different durations, such as a carrier strike lasting three, seven or 14 days.
Running the Risk Analysis
Top risk reporting on the RiskLens platform is a fast time-to-value tool, and the starting point for new clients. The results quantify risk from a variety of viewpoints to support decision making on investments for mitigation or transfer via insurance. For instance, analysis found an earthquake would be the most costly single event on average but the least probable on an annual basis (at a once-in-50-years occurrence). A power outage would be the least costly but most probable, and ransomware the costliest when annualized.
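The scaled-loss and frequency-versus-magnitude ideas above, as an added Python example that is not RiskLens code or client data: a tiered loss table turns outage duration into lost revenue, and a Monte Carlo run compares per-event and annualized loss. The revenue figure, tiers, durations and frequencies (except the once-in-50-years earthquake) are constructed, triangular distributions are an assumed stand-in, and only revenue loss is modeled.

```python
import math
import random

# All figures below are constructed for illustration; none come from the article.
DAILY_REVENUE = 200_000  # facility's contribution to daily revenue (assumed)
# Marginal loss tiers: (outage-day boundary, share of revenue lost rather than deferred)
TIERS = [(3, 0.10), (7, 0.40), (14, 0.75), (math.inf, 1.00)]
# Scenario: (events per year, min / most likely / max outage days)
SCENARIOS = {
    "power outage": (2.0, 0.1, 0.5, 2),
    "ransomware": (0.3, 2, 7, 21),
    "earthquake": (0.02, 14, 30, 90),  # once in 50 years, as in the article
}

def outage_loss(days, daily_revenue=DAILY_REVENUE):
    """Revenue lost in one outage; each tier's rate applies only to days inside it."""
    loss, start = 0.0, 0.0
    for end, share in TIERS:
        if days <= start:
            break
        loss += (min(days, end) - start) * daily_revenue * share
        start = end
    return loss

def simulate(freq, d_min, d_mode, d_max, years=20_000, seed=1):
    """Monte Carlo over simulated years: Poisson event arrivals, triangular durations."""
    rng = random.Random(seed)
    annual, events = [], []
    for _ in range(years):
        total, t = 0.0, rng.expovariate(freq)
        while t < 1.0:  # exponential gaps between events give Poisson counts per year
            loss = outage_loss(rng.triangular(d_min, d_max, d_mode))
            events.append(loss)
            total += loss
            t += rng.expovariate(freq)
        annual.append(total)
    annual.sort()
    return {
        "per_event": sum(events) / len(events) if events else 0.0,
        "annualized": sum(annual) / years,
        "p90_year": annual[int(0.9 * years)],  # loss in the 90th-percentile year
    }

def run_all():
    return {name: simulate(*params) for name, params in SCENARIOS.items()}

if __name__ == "__main__":
    for name, r in run_all().items():
        print(f"{name:13s} per event {r['per_event']:>12,.0f}  annualized {r['annualized']:>10,.0f}")
```

With these inputs the earthquake has the largest per-event loss, yet its 90th-percentile year shows no loss at all, which is why the per-event and annualized views rank the scenarios differently.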
Decision Support from the Risk Analysis
To show the power of RiskLens CRQ analysis for decision support, we drilled down on the earthquake scenario, and asked “which investment would yield the best ROI for risk reduction, insurance or retrofitting the facility to be more earthquake resistant?”
Our impact assessment found that revenue loss would be responsible for 63% of the total cost of the event, compared to 35% for facility damage and 2% for incident response. That was an important insight for setting an insurance level – you wouldn’t want to insure for the total cost of the incident if only 35% of the loss (facility damages) would be covered.
We ran a cost/benefit analysis on the RiskLens platform for insurance vs. seismic retrofitting. The result: The upfront cost of a retrofit would buy more than 5 times the risk reduction (per dollar spent) when compared to the spend on 50 years of insurance premiums. As a bonus, retrofitting the facility to reduce the risk of damage would have a huge impact on lowering the insurance premiums.
With Data Helpers, Asset Library and Loss Tables built out, the client can efficiently replicate similar risk scenarios for more of its facilities and then, using the Portfolio Management feature of the RiskLens platform, provide comprehensive views of risk across facilities. They can group and compare risk across different facility types, facilities by business unit or facilities by geography. Or even compare a single risk, such as earthquake, across all facilities – all within completely customizable portfolios.