FAIR Institute Blog

A Crash Course on Capturing Loss Magnitude with the FAIR Model

[fa icon="calendar"] Oct 20, 2017 2:32:01 PM / by Teresa Suarez

Crash-Course-Capturing-Loss-Magnitude.pngIn the FAIR model for risk analysis, Loss Magnitude—i.e. the monetary impact of a loss event—is bucketed in six Forms of Loss: Productivity, Response, Replacement, Competitive Advantage, Fines & Judgements, and Reputation.

On this conceptual level, everything seems simple and straightforward. However, having assisted new FAIR practitioners with finding, placing, and piecing together the puzzle pieces that compose the Forms of Loss (hereafter abbreviated, FOL), I’ve learned that the devil is in the details.

New FAIR practitioners sometime struggle with details such as, “Is this considered a Primary or Secondary FOL?” and, “Which FOL bucket does this cost belong to etc.?” The struggle is real. In an attempt to end the struggle and simplify the details, this crash course will address/provide: 

  • Which FOL are typically Primary vs. Secondary
  • Forms of Loss definitions
  • A color-coded FOL mind-map


Download an infographic showing the FAIR model and the Forms of Loss



Primary vs. Secondary

FOL are labeled as Primary (P) and Secondary (S) because of how they relate to Loss Flow. For the purposes of this crash course, let it suffice to summarize P Loss as loss that the P Stakeholder (PSH) incurs directly as a result of the threat action against the asset. In contrast, S Loss is the loss incurred by the PSH as a result of the fallout/retaliation of S Stakeholders in reaction to the primary event.  As a general rule, this is typically how the FOL unfold: 

  • Primary: Productivity, Response, Replacement
  • Secondary: Competitive Advantage, Fines and Judgements, Reputation 

Please note: Response is italicized because this is the FOL that most often occurs as both a P and S FOL. And of course, like any other general rule, there are always atypical situations that merit exceptions. There will be occasional times when the typical P-FOL appear as S-FOL and vice versa. 

Just a friendly practitioner’s comment: not all FOL manifest in each analysis. The scope of the analysis will dictate which FOL are applicable.

FOL Definitions:  

Knowing the definitions of each FOL will provide perspective when sifting through the details of loss event costs: 

Productivity: Loss that results from an operational inability to deliver products or services

Response: Loss associated with the costs of managing an event

Replacement: Loss that results from an organization having to replace capital assets

Competitive Advantage: Losses resulting from intellectual property or other key competitive differentiators that are compromised or damaged

Fines and Judgements: Fines or judgments levied against the organization through civil, criminal, or contractual actions

Reputation: Loss resulting from an external stakeholder perspective that an organization's value has decreased and/or that its liability has increased

FOL in Color:  

Having an understanding of the distinction between Primary and Secondary, as well as the definitions of the FOL, provides a great foundational knowledge for successfully tackling the details of Loss Magnitude. Also, for any fellow visual learners out there, I’ve created a mind map that captures the FOL in color and gives various examples:

 

Loss Magnitude Mind Map Suarez.png 

Please note: the mind map does not include an exhaustive list of FOL subcomponents but merely offers examples. For a more thorough elucidation, reference Measuring and Managing Information Risk: A FAIR Approach by Jack Freund and Jack Jones. 

Crash Course Conclusion 

Remember, risk = probable frequency and probable magnitude of future loss. Piecing the FOL puzzle pieces together is crucial for providing visibility into Loss Magnitude and subsequently, risk. Hopefully this crash course helps dispel the devilish details and empower FAIR practitioners to capture the Loss Magnitude.

Related:

4 Most Forgotten Forms of Loss in a Risk Analysis

Pro Tip for FAIR Risk Scenario Analysis: Map It

 

Topics: FAIR, Risk Management

Teresa Suarez

Written by Teresa Suarez

Teresa Suarez is a Risk Consultant for RiskLens

Learn More in the FAIR Book