Basic Security Principles & Terms II / Basic Risk Concepts pt. 2
Subtitles of the Movie
Continuing on with our definitions, we have one more to look at and that's called annual loss expectancy, or ALE is how we abbreviate it. That's how much I would lose in a year, given a risk of something happening and the asset value and single-loss expectancy. So we can actually use the terms we've talked about and figure out how much money we would stand to lose if a particular event happened. The formula basically is the single-loss expectancy, how much I expect to lose if this particular event happens one time, multiplied by how many times I expect that event to happen in a year, and that's how much dollar loss I can expect in a year if a certain event happens. Let's take as an example a lightning strike. Now, let's say we have a server room in a small business, maybe it's a small warehouse and that warehouse is not protected against electrical problems. Maybe it doesn't have good grounding and maybe I haven't bought things like UPS, uninterruptible power supplies and things of that nature. Maybe I've got my servers just plugged into a wall outlet. So it's not protected against electrical storms or electrical problems such as lightning. Let's say in that server room I have two servers, each worth five grand, I paid five grand for each one of them. So their asset value together is 10,000 dollars and we don't have to combine them. We can say that their asset value is 5,000 dollars each. But let's just say for the sake of argument that the total asset value is ten grand. Now, let's say if they're both lost, I will lose 500 dollars in business a day. So that's actually a little bit more than what I paid for the servers if it happens over time. So continuing along this line of reasoning, our single-loss expectancy would be the asset value, which we've already said is ten grand for both the servers, plus 500 dollars for each day their loss is in effect.
Now, let's say that we already know that it would take about three days if we lost both of those servers to buy a new server, get it up and running, get it loaded with our software and our customer data and so forth, get it hooked back up to the network. Let's say it would take three days to do that. Our single-loss expectancy would be the 10,000 dollars that they would both cost us plus 500 dollars in business that we're losing per day, and let's say that three days is our estimate. Well, that single-loss expectancy would be 11,500 dollars that we could have lost if a bolt of lightning took out those two servers one time. Ok? So now that we know what our SLE is, let's say we've done some research in the area we've settled in. Let's say that according to the National Weather Center, lightning strikes pretty badly in the area on average twice a year. That's probably a conservative estimate. Lightning probably actually strikes a lot more than that. But let's say twice a year just for the sake of argument. That means our ARO or annualized rate of occurrence is two. Twice a year is two. So using our formula, we compute the single-loss expectancy times the annualized rate of occurrence. That gives us the annualized loss expectancy. Ok? That's 11,500 dollars times twice that it could happen in a year, and that means in a year, if lightning hit our facility twice, the way on average it probably will, we're going to lose 23,000 dollars. That's our loss, given the likelihood that the event, the lightning, will happen. So we now know that we have to come up with protection to protect 23,000 dollars worth of assets and business. Ok? Can we come up with a protection solution that's worth it? Well, possibly. We could move buildings, but that might cost us a little bit more than 23,000 dollars in one year in terms of rent, relocation expenses and so forth. So we have to compare the annual loss expectancy to what it would cost to mitigate the risk.
Now, if the mitigation is greater than what we'd lose, if the mitigation would cost 50,000 dollars and we're spending 50,000 dollars to protect against 23,000 dollars in loss, that's not really worth it, is it? We're still losing money. So we don't want the mitigation, or whatever it costs to reduce the risk, to cost more than what we're protecting. We may in that case have to simply assume the risk or transfer it by getting insurance. But again, getting insurance may cause us to lose even more business because it takes time for the insurance to pay out. Let's say in our lightning example, though, that we can actually mitigate this risk by uninterruptible power supplies, UPS, surge suppressors. We can fix the ground in our building and so forth, and let's say it would cost 10,000 dollars to install this. Now, if we spend 10,000 dollars in that first year and we reduce that risk so that even if lightning struck twice we wouldn't lose anything, we actually just cut our losses down by 13,000 dollars, because we spent 10,000 dollars and we're not going to lose the 23,000 dollars. So we cut it by 13,000 dollars. Now, UPS and surge protectors and so forth last longer than a year. So actually the second year we wouldn't have to spend any money and we still saved that 23,000 dollars. Now, of course, this is a very simplistic example of risk. There are many other factors out there that we could have taken into account and there are other risks that could happen. There could also be fire. There could also be tornadoes and so forth. So this, again, is a very simplistic example. We could have done something like bought another server and had it as a hot spare or backup preloaded with software and just transferred backup tapes to the server and restored the data and been up in a day. We could have done something like that. So there are different solutions out there and different ways to protect yourself against risk.
The point that we're trying to make is that you can't ignore risk. You must manage it. You must make the plans. You must determine what your assets are worth, both tangible and intangible, and then get a list of all the possible risks that you could be exposing them to: fire, tornado, hackers, whatever. Risk should be approached from the top down. But everybody in the chain: managers, users, the technical folks, the accountants, even the salespeople, everyone should be involved because everyone needs to contribute something to determining what the risk is. Now, I haven't mentioned an expert on risk during this particular session, but I've wanted to introduce to you some of the terms out there associated with risk so you can talk intelligently about risk to your peers and managers and so forth, but you also need to go ahead and take a little bit more of a serious, in-depth look and do some research on risk and figure out the best way for you and your organization to approach risk management.
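As an added example (not part of the lesson or the course's own materials), here is the lightning scenario carried through in Python: SLE and ALE exactly as the lesson defines them, then the cost-versus-benefit check for a safeguard, both for the first year and spread over the years the equipment lasts. The 5-year UPS lifetime and treating the 50,000-dollar option as a recurring yearly cost are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    """One threat against one asset, in the lesson's terms."""
    asset_value: float    # AV: what it costs to replace the asset
    daily_loss: float     # business lost per day the asset is down
    recovery_days: float  # days to rebuild after a single event
    aro: float            # ARO: expected occurrences per year

    def sle(self) -> float:
        # Single-loss expectancy: replacement cost plus outage loss for one event
        return self.asset_value + self.daily_loss * self.recovery_days

    def ale(self) -> float:
        # Annual loss expectancy: SLE times ARO
        return self.sle() * self.aro

@dataclass(frozen=True)
class Safeguard:
    """A mitigation, with the risk that remains once it is in place."""
    name: str
    upfront_cost: float
    lifetime_years: int   # how many years the purchase keeps working (>= 1)
    residual: Risk

    def annual_cost(self) -> float:
        return self.upfront_cost / self.lifetime_years

def first_year_net(baseline: Risk, sg: Safeguard) -> float:
    """Year-one saving: loss avoided minus the whole purchase price."""
    return baseline.ale() - sg.residual.ale() - sg.upfront_cost

def annualized_value(baseline: Risk, sg: Safeguard) -> float:
    """Value over the safeguard's life: loss avoided minus its yearly cost."""
    return baseline.ale() - sg.residual.ale() - sg.annual_cost()

# Figures from the lesson: two $5,000 servers, $500/day lost, 3-day rebuild,
# lightning twice a year.
LIGHTNING = Risk(asset_value=10_000, daily_loss=500, recovery_days=3, aro=2)
# $10,000 of UPS/surge/grounding work; the 5-year lifetime is an assumption.
UPS = Safeguard("UPS + surge + grounding", 10_000, 5, Risk(10_000, 500, 3, aro=0))
# The $50,000 option the lesson rejects, treated as a yearly cost (assumption).
EXPENSIVE = Safeguard("relocation", 50_000, 1, Risk(10_000, 500, 3, aro=0))

if __name__ == "__main__":
    print(f"SLE={LIGHTNING.sle():,.0f} ALE={LIGHTNING.ale():,.0f}")
    for sg in (UPS, EXPENSIVE):
        print(f"{sg.name}: year 1 {first_year_net(LIGHTNING, sg):,.0f}, "
              f"per year {annualized_value(LIGHTNING, sg):,.0f}")
```

A positive `annualized_value` means the safeguard pays for itself over its life; a negative `first_year_net` with a positive annualized value is the lesson's second-year point, where the purchase keeps saving money after the first year.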
Tutorial Information
| Course: | Fundamentals of Computer Security |
| Author: | Bobby Rogers |
| SKU: | 33874 |
| ISBN: | 1-934743-69-0 |
| Release Date: | 2008-05-21 |
| Duration: | 8.5 hrs / 92 lessons |
| Captions: | Available on CD and Online University |
| Compatibility: | Vista/XP/2000, OS X, Linux, QuickTime 7, Flash 8 |