Thursday, October 24, 2013

Is it Worth the Risk?


Managing Risks

Risk management is crucial to the success of every company. An organization that fails to take risks will not be able to thrive in a competitive market. However, a company that ignores managing those risks can succumb to failure. Information technology systems play a large role in most organizations, so a company has to manage its IT risks properly if it wants to continue to do well. Once you assess your risks and determine ways to control them, you should examine the trade-offs between costs and benefits for every control option. One way to accomplish this is through a cost benefit analysis (CBA).


Cost Benefit Analysis

A CBA compares the business impact with the cost to implement a control. For example, the loss of data on a file server may represent the loss of $1 million worth of company information. Implementing a backup plan to ensure the availability of the data may cost $10,000. In other words, you would spend $10,000 to save $1 million. This makes sense. A CBA starts by gathering data to identify the costs of the controls and benefits gained if they are implemented.


· Cost of the control—Purchase costs plus the operational costs over the lifetime of the control.

· Projected benefits—Potential benefits gained from implementing the control. You identify these benefits by examining the costs of the loss and how much the loss will be reduced if the control is implemented. A control doesn’t always eliminate the loss; it may only reduce the risk.

The following equation can be used to determine the CBA:

CBA = (Annualized Loss Expectancy before control) - (Annualized Loss Expectancy after control) - (annual cost of the risk safeguard)


Is it Worth it?

If the costs outweigh the benefits, the control may not be worth implementing. Instead, the risk could be accepted, transferred or avoided. The cost benefit process will help to:


· Determine the cost of protecting an asset

· Define the economic loss if the asset remained unprotected

· Prioritize actions and spending on security


A company should not spend more to protect an asset than the asset is worth!
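The comparison described above can be run across several candidate controls for one risk. The following is an added example, not part of the original post: it computes CBA as ALE before control minus ALE after control minus the annual safeguard cost, then ranks the options. The control names, the ALE figures, the lifetimes and the rule of comparing lifetime cost against the asset value are constructed assumptions; only the $1 million file server and the $10,000 backup purchase come from the text.

```python
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    purchase_cost: float     # one-time purchase cost
    annual_operating: float  # operational cost per year
    lifetime_years: int      # expected lifetime of the control
    ale_after: float         # annualized loss still expected with the control

    def annual_cost(self) -> float:
        # Purchase cost spread over the lifetime, plus yearly operations.
        return self.purchase_cost / self.lifetime_years + self.annual_operating

    def lifetime_cost(self) -> float:
        return self.purchase_cost + self.annual_operating * self.lifetime_years

def cba(ale_before: float, control: Control) -> float:
    """ALE before control - ALE after control - annual cost of the safeguard."""
    return ale_before - control.ale_after - control.annual_cost()

def evaluate(asset_value: float, ale_before: float, controls):
    """Return (name, cba, verdict) tuples, best value first."""
    rows = []
    for c in controls:
        value = cba(ale_before, c)
        if c.lifetime_cost() > asset_value:
            verdict = "reject: costs more than the asset is worth"
        elif value <= 0:
            verdict = "not worth it: accept, transfer or avoid the risk"
        else:
            verdict = "implement"
        rows.append((c.name, value, verdict))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample data (assumptions, except the $1M asset and $10K backup).
ASSET_VALUE = 1_000_000   # company information on the file server
ALE_BEFORE = 100_000      # assumed annualized loss with no control
CONTROLS = [
    Control("Backup plan", 10_000, 3_000, 5, ale_after=10_000),
    Control("Hot standby site", 400_000, 60_000, 5, ale_after=2_000),
    Control("Dedicated second data center", 900_000, 50_000, 5, ale_after=0),
]

if __name__ == "__main__":
    for name, value, verdict in evaluate(ASSET_VALUE, ALE_BEFORE, CONTROLS):
        print(f"{name:30} CBA = {value:>12,.0f}  {verdict}")
```

A positive CBA means the control saves more per year than it costs; the ranking gives the order in which to spend.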

Here are some useful links to help in deciphering the various costing methods:
Simple Risk Analysis
FFIEC
The Society of Information Risk Analysts
