One of the aspects of being a CISSP is understanding risk analysis and risk management. Below we have provided a simple example of risk analysis.

**Risk Analysis Example**

Remember we are using a fictional set of circumstances to illustrate this example.

You are a CISSP working for a nationwide auto parts recycler that is headquartered in Memphis, Tennessee. The warehouse at this location is located at 21 feet above normal Mississippi River level. Research tells us that the river level will flood to 30 feet above normal river level once every 10 years.

Your warehouse consists of three levels of shelving starting at the ground level, with shelves separated by a height of 10 feet, so a 30-foot flood (9 feet of water inside the building) reaches only the ground level. The inventory value of the entire warehouse is $10 million. The total value of product on the ground level is approximately $3 million. Research has shown that the cost to replace all product on the ground level, as well as cleanup, maintenance, and lost business, will be 40% of inventory value.

Flood insurance on this warehouse would cost $50,000 per year with $10,000 deductible per occurrence.

*AV: Asset Value.* For us this is the value of the inventory, or $10 million.

*EF: Exposure Factor.* The percentage of the asset value lost each time the event occurs. Based on the scenario, this is 40%.

*SLE: Single Loss Expectancy.* Every time a flood occurs, you can expect it to cost your business 40% of the inventory value ($10 million), or an SLE of $4 million. This comes from the following equation:

**SLE = AV ($) x EF (%)**, or 10,000,000 x 0.40 = 4,000,000

*ARO: Annual Rate of Occurrence.* Since the event we are considering buying insurance against (river flooding) only occurs once every ten years, we get 1/10, or an ARO of 0.1.

*ALE: Annualized Loss Expectancy.* What is your annual cost of an every-ten-year event? If we use the equation

**ALE = SLE x ARO**, we get $4,000,000 x 0.1 for an ALE of $400,000.

Would you recommend the insurance to management? Let's do the quick math on this to see if it would be a good idea.

Insurance costs $50,000 per year, so over ten years that is $500,000, plus the $10,000 deductible for the one flood expected in that period. This makes $510,000 every ten years, or $51,000 per year. Over the same ten years the expected uninsured loss is one $4,000,000 flood (ALE of $400,000 x 10 years). Paying $51,000 a year to avoid an expected loss of $400,000 a year is clearly worthwhile, so yes, recommend the insurance.
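The same calculation carried through in code, as an added example (not part of the original post): it computes SLE, ARO and ALE from the scenario above, then runs the cost-benefit test for a control that has both a fixed annual cost and a residual per-event cost (the deductible). The class and function names (`Threat`, `Control`, `evaluate_control`, `horizon_totals`) are my own, and the figures are the post's fictional flood scenario.

```python
"""Quantitative risk analysis as code: SLE, ARO, ALE and the cost-benefit
test for a proposed control.

Added example, not code from the original post. The figures are the post's
fictional flood scenario; the class and function names are my own.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, in the CISSP quantitative model."""
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per occurrence, 0.0..1.0
    years_between: float    # mean years between occurrences (10 => once a decade)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.years_between <= 0 or self.asset_value < 0:
            raise ValueError("years_between must be > 0 and AV must be >= 0")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def aro(self) -> float:
        """Annual Rate of Occurrence: 1 / years between events."""
        return 1.0 / self.years_between

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro()


@dataclass(frozen=True)
class Control:
    """A countermeasure (here an insurance policy): a fixed annual cost plus a
    residual cost per occurrence that the control does not absorb (the deductible)."""
    annual_cost: float
    residual_per_event: float = 0.0


def evaluate_control(threat: Threat, control: Control) -> dict:
    """Cost-benefit test: is the control worth its price?

    ale_before is the uncontrolled loss. ale_after is the residual loss: the
    per-event amount still borne (capped at SLE, since a deductible larger
    than the loss never costs more than the loss) times the ARO. The control
    pays for itself when ale_before - ale_after exceeds its annual cost.
    """
    ale_before = threat.ale()
    residual = min(control.residual_per_event, threat.sle())
    ale_after = residual * threat.aro()
    net_benefit = ale_before - ale_after - control.annual_cost
    return {
        "sle": threat.sle(),
        "aro": threat.aro(),
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_control_cost": control.annual_cost,
        "net_annual_benefit": net_benefit,
        "recommend": net_benefit > 0,
    }


def horizon_totals(threat: Threat, control: Control, years: float) -> tuple:
    """Expected cost over a planning horizon: (without control, with control)."""
    result = evaluate_control(threat, control)
    without = result["ale_before"] * years
    with_control = (result["annual_control_cost"] + result["ale_after"]) * years
    return without, with_control


# The post's scenario, constructed inline so the example runs stand-alone.
FLOOD = Threat(asset_value=10_000_000, exposure_factor=0.40, years_between=10)
INSURANCE = Control(annual_cost=50_000, residual_per_event=10_000)

if __name__ == "__main__":
    for key, value in evaluate_control(FLOOD, INSURANCE).items():
        print(f"{key:>22}: {value}")
    without, with_control = horizon_totals(FLOOD, INSURANCE, 10)
    print(f"10-year expected cost without insurance: ${without:,.0f}")
    print(f"10-year expected cost with insurance:    ${with_control:,.0f}")
```

Run as-is it reproduces the post's figures (SLE $4,000,000, ARO 0.1, ALE $400,000, $510,000 against $4,000,000 over ten years) and adds the annualized view: the insurance costs $51,000 a year including the expected deductible, leaving a net benefit of $349,000 a year. Change `annual_cost` to something above the ALE and `recommend` flips to `False`, which is the check management actually wants answered.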

As always, if you have any questions for us please let us know.

Hi Jeff,

Thank you for sharing this example. I could understand this. The last part of the question, should we suggest this insurance to management, was not clear.

I agree CISSP is understanding risk analysis and risk management.
