Step 1:
Silently collect individual opinions: each expert writes down his/her assessment or answer to a question.
Step 2:
Disclose the overall set of estimates to all participants: answers are collated and redistributed to all participants, who can then compare their answers to everyone else’s.
Step 3:
Participants have the option to reassess their views: each respondent is free to modify his/her answers following disclosure. If the responses have changed significantly, reassessment can be repeated until a greater convergence is reached. However, in the case of operational risk scenarios, I would not recommend forcing convergence. The variety of answers and the levels of disparity or agreement can be informative. Strong agreement, or convergence, may give some comfort about the reliability of the results, while strong disparity may indicate the need for more data and changes to the questions. If there is a single outlier in the group, you should investigate the reasons for the deviation. Perhaps this person is the only expert in the room or is a newcomer (see Figure 7.1).
Step 4:
The final estimate is the average value of the responses, weighted by the lowest and highest estimates, that is:

$$\text{Final estimate} = \frac{\text{lowest response} + (n - 2) \times \text{average response} + \text{highest response}}{\text{number of participants } (n)}$$

Fault Tree Analysis (FTA)
Fault tree analysis is a technique of deductive failure analysis developed in the 1960s.
It is used predominantly in safety engineering: high-risk industries such as aerospace,
2 See, for instance, Hubbard Decision Research and the calibration techniques; or for a more academic approach, SHELF, the Sheffield Elicitation Framework by Tony O’Hagan from the University of Sheffield.
RISK ASSESSMENT
Figure 7.1: Delphi study – different configurations of opinions (three panels: High cohesion, One outlier, High dispersion)
nuclear energy and pharmaceuticals. Fault trees decompose scenarios into the various conditions (and failures) that need to take place for a disaster to happen. This method, which originally focused on safety failures and control breakdowns, is gradually making its way into the financial sector.
There are many parallels between the series of successive failures that are necessary for a plane to crash, or perhaps a gas to explode, and large accidents that occur
Scenario Assessment
in banks, such as internal fraud on large-value transfer ($500 million-plus), successful cyberattacks or sustained systems disruptions. In lax organizations, disasters are not unlikely, they are waiting to happen. Even used in a simplified format, fault tree analysis, in my view, is one of the most fruitful techniques for assessing likelihood of events. Most importantly, it orients debates toward controls, their number, their effectiveness and their mutual interdependence.
When events are fully independent, the probability that they will all happen simultaneously is equal to the product of their individual probabilities of occurrence. This mathematical reality is at the center of layering independent controls in high-reliability organizations (HROs). Consider three independent controls that each fail 10% of the time but are individually sufficient to prevent an incident. The likelihood of the incident happening is the same as the likelihood of the three controls failing at the same time; that is: 10% × 10% × 10% = 0.1% or 1/1000. This simple example shows that when protection layers are truly independent, good safety levels can be achieved even with rather weak individual controls.
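To show how much the 1/1000 figure relies on the layers being truly independent, the following added example (not from the book) compares the independent product with a shared-cause model. It goes beyond the independent case in the text: the shared-cause fraction `beta`, the model itself and the sample values are assumptions introduced here.

```python
import random

def joint_failure_independent(p_fail):
    """Probability that every control fails, assuming full independence."""
    prob = 1.0
    for p in p_fail:
        prob *= p
    return prob

def joint_failure_common_cause(p, n, beta):
    """Probability that all n controls fail, each with marginal failure
    probability p, when a fraction beta of each control's failures comes from
    one shared cause (assumed model: that cause defeats all n layers at once)."""
    shared = beta * p                       # chance the shared cause occurs
    residual = (p - shared) / (1 - shared)  # per-layer failure rate otherwise
    return shared + (1 - shared) * residual ** n

def simulate(p, n, beta, trials=200_000, seed=7):
    """Monte Carlo check of joint_failure_common_cause (seeded, repeatable)."""
    rng = random.Random(seed)
    shared = beta * p
    residual = (p - shared) / (1 - shared)
    hits = 0
    for _ in range(trials):
        if rng.random() < shared:
            hits += 1                       # shared cause: every layer fails
        elif all(rng.random() < residual for _ in range(n)):
            hits += 1                       # layers fail independently
    return hits / trials

if __name__ == "__main__":
    p, n = 0.10, 3                          # the three 10% controls from the text
    print(f"independent product: {joint_failure_independent([p] * n):.4%}")
    for beta in (0.0, 0.05, 0.20, 0.50):    # constructed dependence levels
        exact = joint_failure_common_cause(p, n, beta)
        approx = simulate(p, n, beta)
        print(f"beta={beta:.2f}  exact={exact:.4%}  simulated={approx:.4%}")
```

With `beta = 0.20`, each control still fails only 10% of the time, yet the chance of all three failing together rises from 0.1% to about 2%, which is why the shared dependencies between controls deserve as much scrutiny as their individual failure rates.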
If applied to the scenario of data theft by an insider, we have, in a simplified setting, four conditions needed for the scenario to take place: (1) a dishonest employee, (2) access to confidential information, (3) the possibility to take a large amount of confidential information, and (4) the ability to sell this information to criminal parties (Figure 7.2).
Figure 7.2: Criminal selling confidential data: a simple fault tree. Four successive conditions lead to the event: (1) Rogue staff, P1, versus Honest staff, (1-P1); (2) Access, P2, versus No access, (1-P2); (3) Exit, P3, versus No exit, (1-P3); (4) Buyer, P4, versus No buyer, (1-P4).
In a simple case, let’s assume that these four conditions are independent from each
other; the likelihood of the scenario is thus the product of the four probabilities of these
conditions realizing: