I recently showed how to use
order-of-magnitude thinking and interval estimates to identify which of four
potential threats to the continuity of a hypothetical business in the San
Francisco area would actually concern a business continuity planner. They were Earthquake and Pandemic. This was the result of literally multiplying
the worst-case values for frequency of occurrence and loss magnitude. (This is “honest math,” not multiplying red
times green to get yellow, because we started with actual numbers.)
When we have an interval estimate,
such as for the probable frequency of occurrence of earthquakes being between
once every hundred years and once every ten years, that is between 0.01 and 0.1
times per year, it is another way of saying we are uncertain what the actual
value would turn out to be if we had perfect information. There is some number that if we knew it would
be between 0.01 and 0.1. We can model our
belief about this number as a random variable with some probability
distribution between those two limits.
But which of the infinite number of
probability distributions should we use?
Since I am completely unsure which number it would be, or even what it
would be near, I’ll choose a uniform distribution, so that it is equally likely
to be anywhere in the range. I did this
for all four quantities – the loss event frequencies and the loss event magnitudes
of Earthquake and Pandemic.
What I now do is randomly pick,
according to each probability distribution, numbers for loss event frequency
and loss magnitude, and multiply them together (“honest math”) to get the
annualized loss expectancy (ALE) for that
combination of frequency and magnitude.
That gives me one data point for what the ALE could be. If I did that a
jillion times, I’d get good coverage of the whole range of frequency and
magnitude, and so get a whole population of ALEs that could occur consistent with my estimates. If we plotted the distribution of ALEs, we’d
have a complete description of the risk of that BC threat. That is exactly what we mean by “risk.”
See all that stuff in the previous
paragraph? That’s a Monte Carlo
simulation. You know – Monte Carlo –
that’s the place where they spin roulette wheels to generate random
numbers. At least they are random in
honest casinos.
I did that for Earthquake and
Pandemic. Here is what I got for the
simulations of ALE for each. Each chart
summarizes the results of 1,000 simulations.
The top charts are the frequency histograms; the bottom charts are the
cumulative probabilities. If I really
did a jillion, the lines would be nice and smooth.
Now here’s the point. We may say, using our management judgment,
that the 95% point for loss expectancy (or some other point) is our benchmark
for how we will assess risk. For
Earthquake, the 95% point is about $285K of ALE, almost 30% less than the worst
case of $400K. For Pandemic, the 95%
point is $390K, versus a max of $528K, or 27% lower than worst case. Of course the comparisons are even more
dramatic for the 90% and 80% points.
The Upshot. The net of it all is that by using some
pretty simple Monte Carlo simulations we can get a more realistic picture of
our risk than the-worst-times-the-worst, but still as conservative as we
like.
The Total Risk. In BCP parlance, the
total risk assessment (TRA) is simply the list of the conceivable threats with
their likelihoods, loss magnitudes, and some kind of judgment combining the
two. It’s more like an inventory than a
total. But we are more sophisticated
than that. We know that risk is the
probability distribution of annual loss expectancy, not some fake-math
multiplication of red times green. With
the probability distributions of ALE for Earthquake and Pandemic in hand, we simply
use Monte Carlo to get the probability distribution of the sum, which is the
total risk. I’ve done that for
Earthquake and Pandemic, and also for the two threats that are not so
interesting, Blizzard and Aviation Accident.
Here is the cumulative probability of annual loss expectancy for all
four threats:
Here we see that, supposing these
four threats are the only ones we need be concerned with, and that they are
independent of each other, there is a 95% chance that total ALE is $550K or
less. This is less than the sum of the
95% points for the individual threats, and a whopping 40% less than the $938K
total of the maxima because, again, if you are having a bad year on one threat
you are unlikely to have a bad year on another.
Monte Carlo simulation lets us
easily get a deeper and more realistic analysis of multiple factors, and see them
in context, than the traditional methods allow.
And it’s not that hard.
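
The procedure described in this post (uniform draws for frequency and magnitude, multiplied into an ALE, then summed across independent threats), as an added Python example that is not the author's own simulation. Only the Earthquake frequency interval comes from the post; every other bound and the names `THREATS`, `simulate_ale`, `percentile` and `run` are assumptions, with upper bounds chosen so the worst cases match the post's $400K and $528K.

```python
import math
import random

# Interval estimates per threat: (frequency low, high) per year, (loss low, high) in USD.
# Earthquake frequency is from the post. All other bounds are assumed, picked so that
# worst case (high frequency * high loss) equals the post's $400K and $528K.
THREATS = {
    "Earthquake": ((0.01, 0.1), (400_000, 4_000_000)),
    "Pandemic": ((0.01, 0.1), (528_000, 5_280_000)),
}

def simulate_ale(freq, loss, trials, rng):
    """One ALE per trial: a uniform frequency draw times a uniform magnitude draw."""
    return [rng.uniform(*freq) * rng.uniform(*loss) for _ in range(trials)]

def percentile(samples, p):
    """Empirical p-th percentile (nearest rank) of a list of samples."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]

def run(trials=100_000, seed=1):
    """Simulate each threat, then the total, and report 95% point vs worst case."""
    rng = random.Random(seed)
    per_threat = {name: simulate_ale(f, l, trials, rng)
                  for name, (f, l) in THREATS.items()}
    # Total risk: threats are treated as independent, so add the draws trial by trial.
    total = [sum(draws) for draws in zip(*per_threat.values())]
    report = {}
    for name, samples in per_threat.items():
        freq, loss = THREATS[name]
        report[name] = {"p95": percentile(samples, 95), "worst": freq[1] * loss[1]}
    report["Total"] = {"p95": percentile(total, 95),
                       "worst": sum(r["worst"] for r in report.values())}
    return report

if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name:10s} 95% ALE ${r['p95']:>9,.0f}   worst case ${r['worst']:>9,.0f}")
```

Only two of the four threats are modeled here, so the total worst case is the sum of those two maxima rather than the post's four-threat figure.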