Last week we talked about Risk Management. Controlling risk is the goal. That means identifying the risk and then determining whether that risk is preventable, how to prevent it, and whether preventing it would cost more than paying for the risk. There are several methods to determine if the risk is worth taking or not.
One of these methods is cost-benefit analysis. This looks at the annualized rate of occurrence, or how many times this risk is expected to happen in a year, and the annualized loss expectancy, or how much an organization expects to lose over a year due to this risk. There are also controls that can be put into place, such as new safeguards, new software, new hardware, etc. The analysis compares the cost to the organization pre-control with the cost to the organization post-control. Many times the control will reduce the annualized loss expectancy enough to make the cost of the control worth it. Other times, the annualized loss expectancy is not reduced that much post-control, and the cost of the control is too high: using the control would actually cost the company more than absorbing the cost of the risk.
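
The comparison described above, worked through as an added example that is not part of the original post. It assumes the standard relation ALE = SLE × ARO, where SLE (single loss expectancy, the cost of one occurrence) is a term the post does not use; the control names and all figures are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    sle: float          # single loss expectancy: cost of one occurrence (assumed input)
    aro_before: float   # annualized rate of occurrence without the control
    aro_after: float    # annualized rate of occurrence with the control in place
    annual_cost: float  # yearly cost of buying and running the control

def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = loss per occurrence x occurrences per year."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro

def evaluate(c: Control) -> dict:
    """Compare the pre-control and post-control cost of one risk."""
    if c.annual_cost < 0:
        raise ValueError("control cost must be non-negative")
    before = ale(c.sle, c.aro_before)
    after = ale(c.sle, c.aro_after)
    reduction = before - after          # how much the control lowers the ALE
    net = reduction - c.annual_cost     # what is left after paying for the control
    return {
        "control": c.name,
        "ale_before": before,
        "ale_after": after,
        "break_even_cost": reduction,   # most the control may cost per year
        "net_benefit": net,
        "decision": "apply control" if net > 0 else "absorb risk",
    }

# Constructed sample figures, not from the original post.
CANDIDATES = [
    Control("mail filtering", sle=20_000, aro_before=3, aro_after=0.5, annual_cost=15_000),
    Control("standby site", sle=40_000, aro_before=0.5, aro_after=0.25, annual_cost=30_000),
]

def report(candidates=CANDIDATES) -> list[dict]:
    """Evaluate every candidate control and return one result row per control."""
    return [evaluate(c) for c in candidates]

if __name__ == "__main__":
    for row in report():
        print(row)
```

The first control lowers the annualized loss expectancy by more than it costs, so it is worth applying; the second lowers it by less than its yearly cost, which is the case where absorbing the risk is cheaper.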
It is up to the organization to determine if it is worth using a control or not.