Friday, September 11, 2009

Risk Analysis from a CISSP's view point.

One of the aspects of being a CISSP is understanding risk analysis and risk management. Below we have provided a simple example of risk analysis.
Risk Analysis Example
Remember we are using a fictional set of circumstances to illustrate this example.

You are a CISSP working for a nationwide auto parts recycler that is headquartered in Memphis, Tennessee. The warehouse at this location is located at 21 feet above normal Mississippi River level. Research tells us that the river level will flood to 30 feet above normal river level once every 10 years.

Your warehouse consists of three levels of shelving starting at the ground level with shelves separated by a height of 10 feet. The inventory value of the entire warehouse is $10 million. The total value of product on the ground level is approximately $3 million. Research has shown that the cost to replace all the product on the ground level, as well as cleanup, maintenance, and lost business, will be 40% of inventory value.

Flood insurance on this warehouse would cost $50,000 per year with $10,000 deductible per occurrence.

AV: Asset Value.  For us this will be the value of the inventory or $10 million dollars.

EF: Exposure Factor.  This is expressed as a percentage. Based on the scenario, this is 40%.

SLE: Single Loss Expectancy. Every time a flood occurs, you can expect that it will cost your business 40% of inventory value ($10 million dollars) or an SLE of $4 million. This is accomplished with the following equation.   SLE = AV ($) * EF (%) or 10,000,000 x 0.40 = 4,000,000

ARO: Annual rate of occurrence. Since the event that we are considering purchasing insurance for (river flooding) only occurs once per ten years, we get 1/10 or an ARO of 0.1

ALE: Annualized Loss Expectancy. What is your annual cost of an every 10 year event?
If we use the equation ALE = SLE x ARO, we get $4,000,000 x 0.1 for an ALE of $400,000.

Would you recommend the insurance to management? Let's do the quick math on this to see if it would be a good idea.

Insurance costs $50,000 per year, so 10 years of premiums equals $500,000, plus an additional $10,000 for the deductible on the one expected flood. This would make $510,000 every ten years.
We hope that you liked, and more importantly understood, the example provided.
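The calculation above, carried through in code as an added example (this is not code from the original post). It uses only the figures given in the scenario, computes SLE, ARO and ALE with the same equations, and sets the ten-year expected loss against the ten-year cost of the policy. It also goes one step beyond the text: a small helper works out how many shelving levels a given flood crest reaches from the warehouse elevation and shelf spacing, which is why only the ground level figures in the exposure factor. The function names and the `FloodRisk` class are assumptions made for this example.

```python
"""Quantitative risk analysis for the flood scenario: AV, EF, SLE, ARO, ALE,
and a comparison against the cost of insurance over a planning horizon."""

import math
from dataclasses import dataclass


@dataclass
class FloodRisk:
    asset_value: float           # AV, in dollars
    exposure_factor: float       # EF, as a fraction (0.40 for 40%)
    years_between_events: float  # flood recurrence interval, in years

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def aro(self) -> float:
        """Annual Rate of Occurrence: events expected per year."""
        return 1.0 / self.years_between_events

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro()


def levels_reached(flood_crest_ft: float, floor_elevation_ft: float,
                   level_spacing_ft: float) -> int:
    """Number of shelving levels (counting from the ground level) that a flood
    crest reaches. A crest below the floor reaches no level at all."""
    depth_above_floor = flood_crest_ft - floor_elevation_ft
    if depth_above_floor <= 0:
        return 0
    # Water 0-10 ft above the floor wets level 1, 10-20 ft wets level 2, ...
    return math.floor(depth_above_floor / level_spacing_ft) + 1


def insurance_cost(premium_per_year: float, deductible: float,
                   horizon_years: float, years_between_events: float) -> float:
    """Premiums over the horizon plus one deductible per expected event."""
    expected_events = horizon_years / years_between_events
    return premium_per_year * horizon_years + deductible * expected_events


def compare(risk: FloodRisk, premium_per_year: float, deductible: float,
            horizon_years: float) -> dict:
    """Expected loss without insurance versus policy cost over the horizon.
    'insure' is True when the policy costs less than the expected loss."""
    expected_loss = risk.ale() * horizon_years
    cost = insurance_cost(premium_per_year, deductible,
                          horizon_years, risk.years_between_events)
    return {
        "expected_loss": expected_loss,
        "insurance_cost": cost,
        "insure": cost < expected_loss,
    }


# Figures from the scenario in the post.
WAREHOUSE = FloodRisk(asset_value=10_000_000, exposure_factor=0.40,
                      years_between_events=10)


if __name__ == "__main__":
    print("Levels reached by a 30 ft crest:", levels_reached(30, 21, 10))
    print(f"SLE: ${WAREHOUSE.sle():,.0f}")
    print(f"ARO: {WAREHOUSE.aro():.2f}")
    print(f"ALE: ${WAREHOUSE.ale():,.0f}")
    result = compare(WAREHOUSE, premium_per_year=50_000,
                     deductible=10_000, horizon_years=10)
    for key, value in result.items():
        print(f"{key}: {value:,.0f}" if isinstance(value, float) else f"{key}: {value}")
```

Running it reproduces the post's SLE of $4,000,000, ARO of 0.1 and ALE of $400,000, and a policy cost of $510,000 over ten years. The `levels_reached` check confirms that a 30 ft crest against a 21 ft floor only wets the ground level, which is what justifies using the ground-level loss in the exposure factor.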

As always, if you have any questions for us please let us know.


  1. Hi Jeff,

    Thank you for sharing this example. I could understand this. The last part of the question, should we suggest this insurance to management, was not clear?

  2. I agree, CISSP is understanding risk analysis and risk management.