FAIR Institute Blog

Missing the Mark on Risk Analysis Without ALE

[fa icon="calendar"] Aug 14, 2017 8:00:00 AM / by Chad Weinman

missing-the-mark-with-ale.jpgAnnualized Loss Exposure (ALE) is a key output from a FAIR quantitative risk analysis. ALE is computed as:

ALE = Event Frequency x Single Loss Magnitude

Occasionally in industry, we observe organizations that more heavily focus on impact. If this is the case, take a look at the following table below

Asset

Effect

Type

Single Event Loss Magnitude (SLM)

Customer Support Site

Availability

Malicious

$12,000

eCommerce Database

Availability

Error

$246,000

Order Process System

Availability

Error

$30,000

Share Drives

Availability

Malicious

$80,000

The scenario above that looks the most significant to the organization is an outage of the  eCommerce Database. 

But beware…

If we are trying to prioritize by Risk, which means considering both Magnitude and Frequency:

Asset

Effect

Type

Single Event Loss Magnitude (SLM)

Event Frequency

ALE

Customer Support Site

Availability

Malicious

$12,000

1 per year

$12,000

eCommerce Database

Availability

Error

$246,000

1 every 10 years

$24,600

Order Process System

Availability

Error

$30,000

4 per year

$120,000

Share Drives

Availability

Malicious

$80,000

1 every 2 years

$40,000

We see the true prioritization has changed. 

In wrapping up - I am not advocating to stop communicating Single Loss Magnitude. Rather just telling a cautionary tale on forgetting about the true definition of risk, according to the FAIR standard. In reporting on risk, it is common for us to communicate both ALE as well as SLM. In doing so we are providing more information that could be valuable to key stakeholders.

Related: 

What Exactly Is Loss Exposure

4 Most Forgotten Forms of Loss

Topics: FAIR

LEARN MORE ABOUT FAIR

Subscribe to Email Updates

417NjDVYgtL._SX404_BO1204203200_.jpg
Learn How FAIR Can Help You
Make Better Business Decisions

Recent Posts