A large furniture company was deciding whether to keep paying an annual fee of $1 million for support from the technology vendor that powered its order fulfillment system, or to bring the support function in-house. The scenario that mattered most was an outage of that system caused by a misconfiguration, whether by a privileged insider or by a third-party vendor.
To make a risk-based decision, management needed to assess the likelihood and impact of such an outage and compare that exposure with the cost of re-subscribing to the vendor's support.
The furniture maker's conventional approach to risk measurement (qualitative ratings) could not support that decision. To answer these questions, the organization needed to start communicating risk in the financial terms best understood by business stakeholders.
The RiskLens Solution
The company called in RiskLens and engaged the services team to assist with data gathering and analysis on the RiskLens platform. The platform combines a structured workflow for scoping and data collection with an analytics engine based on Factor Analysis of Information Risk (FAIR™), the industry standard for quantifying information security risk.
We began by scoping the analysis to the risk associated with an outage of the order fulfillment system caused by a misconfiguration. The analysts used the scoping capability within RiskLens to determine quickly which data points the analysis actually required, which reduced their workload by removing research into data that would not contribute to quantifying the risk.
The analysis collected data through structured workshop questions on key risk and control factors, including:
- Specifics about the response efforts to this type of outage incident
- Realistic length of an outage
- Chain of events to escalate this error to the technology provider’s support team
- Litigation costs related to delayed orders
- Potential customer churn resulting from this outage
- Possible productivity damage from this outage event.
The estimates used to calculate risk carry a degree of uncertainty, because they describe the frequency and magnitude of future events. For that reason every input to the RiskLens platform is entered as a distribution: a range (minimum, most likely, maximum) that is accurate and usefully precise, rather than a single point value.
Over a three-day period, the organization produced both high-level reporting and detailed results describing, in financial terms, the effect of an outage of the order fulfillment system.
Figures 1 & 2 illustrate the loss exposure across several categories that incorporate incident response efforts, productivity loss, response to affected customers, litigation costs related to delayed orders, and potential reputation damage resulting from this outage. The tabular data communicated the varying range of probable outcomes.
The versioning capability of RiskLens allows future-state analyses to be performed rapidly. In this case, the analyst used it to complete a "what-if" quantification: the same loss scenario was re-run with several inputs updated to reflect the technology provider's support being in place, principally a much shorter overall outage duration. Comparing the two versions produced a cost-benefit report that gave the organization tangible data on the potential return from the investment.
Figure 3 compares the loss exposure of the current-state outage with the what-if scenario. Current-state loss exposure, should the outage occur, averaged $5.1M; with a 25% chance of the incident occurring in a given year, that translates to an annualized loss exposure of $1.3M.
Re-subscribing to the technology provider's support did not change the likelihood of the outage occurring, but it drastically reduced its magnitude, from $5.1M to $220K per event. With the likelihood unchanged at 25% per year, the annualized loss exposure fell to roughly $52K. The reduction was driven primarily by the much shorter outage: a shorter outage means less productivity loss, fewer delayed orders, and a lower probability of reputation damage to the organization.
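The mechanics behind the comparison above (range inputs, a per-event loss built from the loss categories, a probability of occurrence per year, and an annualized figure for each version) can be sketched as a small Monte Carlo simulation. The following is an added illustration and is not RiskLens code; every range in it is a constructed placeholder, not a figure from the furniture maker's analysis, and it uses a triangular distribution as a stand-in for the PERT-style distributions that FAIR tooling typically uses. The threshold rule for secondary losses (litigation, churn, reputation only materialise once an outage runs past a tolerable length) is likewise an assumption of this example.

```python
"""Monte Carlo sketch of a FAIR-style loss exposure comparison.

Added example, not RiskLens code. All ranges below are constructed
placeholders (min, most_likely, max), not the case study's real inputs.
"""
import random
import statistics

# Current state: no vendor escalation path, so outages run long.
CURRENT_STATE = {
    "outage_hours": (24, 96, 240),
    "productivity_loss_per_hour": (5_000, 12_000, 25_000),
    "delayed_orders_per_hour": (8_000, 20_000, 40_000),
    "response_cost": (20_000, 50_000, 150_000),
    # Secondary losses, modelled as occurring only on long outages
    # (assumption of this example).
    "litigation": (0, 50_000, 500_000),
    "customer_churn": (0, 100_000, 1_000_000),
    "reputation_damage": (0, 250_000, 2_000_000),
    "secondary_loss_threshold_hours": 48,
}

# "What-if" version: vendor support shortens the outage; nothing else changes.
WITH_VENDOR_SUPPORT = dict(CURRENT_STATE, outage_hours=(2, 6, 24))

P_EVENT_PER_YEAR = 0.25   # loss event frequency expressed as a probability per year
ANNUAL_SUPPORT_FEE = 1_000_000


def sample(rng, bounds):
    """Draw one value from a (min, most_likely, max) range.

    random.triangular takes (low, high, mode), so the tuple is reordered.
    A degenerate range (min == max) returns that value deterministically.
    """
    low, mode, high = bounds
    if low == high:
        return float(low)
    return rng.triangular(low, high, mode)


def single_event_loss(rng, s):
    """Loss magnitude for one outage, summed over the page's loss categories."""
    hours = sample(rng, s["outage_hours"])
    loss = hours * (sample(rng, s["productivity_loss_per_hour"])
                    + sample(rng, s["delayed_orders_per_hour"]))
    loss += sample(rng, s["response_cost"])
    # Secondary losses only kick in once customers and counterparties
    # stop tolerating the outage.
    if hours > s["secondary_loss_threshold_hours"]:
        loss += (sample(rng, s["litigation"])
                 + sample(rng, s["customer_churn"])
                 + sample(rng, s["reputation_damage"]))
    return loss


def simulate(scenario, p_event, years=20_000, seed=7):
    """Simulate `years` independent years; return per-event and annualized stats."""
    rng = random.Random(seed)
    event_losses, annual_losses = [], []
    for _ in range(years):
        if rng.random() < p_event:          # does the loss event happen this year?
            loss = single_event_loss(rng, scenario)
            event_losses.append(loss)
            annual_losses.append(loss)
        else:
            annual_losses.append(0.0)
    event_losses.sort()
    return {
        "event_loss_mean": statistics.fmean(event_losses) if event_losses else 0.0,
        "event_loss_p90": event_losses[int(0.9 * len(event_losses))] if event_losses else 0.0,
        "annualized_mean": statistics.fmean(annual_losses),
    }


def cost_benefit(current, proposed, annual_cost, p_event=P_EVENT_PER_YEAR, seed=7):
    """Annualized loss exposure of both versions and the net benefit of the control."""
    cur = simulate(current, p_event, seed=seed)
    new = simulate(proposed, p_event, seed=seed)
    reduction = cur["annualized_mean"] - new["annualized_mean"]
    return {
        "current_ale": cur["annualized_mean"],
        "proposed_ale": new["annualized_mean"],
        "ale_reduction": reduction,
        "net_annual_benefit": reduction - annual_cost,
    }


if __name__ == "__main__":
    result = cost_benefit(CURRENT_STATE, WITH_VENDOR_SUPPORT, ANNUAL_SUPPORT_FEE)
    for key, value in result.items():
        print(f"{key:>20}: ${value:,.0f}")
```

Two design points carry over from the case study. First, the control (vendor support) is modelled by changing only the magnitude-side inputs, so the event probability stays at 25% in both runs, exactly as in the analysis above. Second, the decision figure is the annualized reduction minus the annual fee, not the per-event saving: a control that cuts a rare event's magnitude dramatically can still fail to pay for itself once the event's frequency is factored in.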
These benefits from re-subscription come at a substantial price, roughly $1M per year. Through the RiskLens platform, the analyst team could for the first time report cost-benefit results to executive management that were actionable and expressed in a language common to all stakeholders.