7.3.12.4 Risk Tolerance – Loss Exceedance Curve
The risks, or expected losses, that we have computed for each event are based on the sources for each event as well as the consequences for each event on the objectives of the organization. When we consider the combined or total risk to a system of all (or a subset) of the events, we need to use Monte Carlo simulation to ascertain the probability distribution, because the combination of the risks is non-linear[1].
The results of a Monte Carlo simulation for the risk events for Monitoring the London Underground are shown in Figure 32, in what we will call a Loss Exceedance Curve.
Figure 32 – Loss Exceedance Curve Without Controls
The average loss from the simulations is $382 million. The frequency chart in the top right-hand corner of Figure 32 shows the number of trials in the simulation that resulted in a given monetary loss. We can see that there was no loss almost 50% of the time. The cumulative frequency chart, showing the percentage of time that there was a loss at least as much as a given amount, is shown at the bottom right of Figure 32. The complement of the cumulative frequency chart, which we will call the loss exceedance curve, shows the percentage of time that a loss of at least a given amount occurred. In addition to the average loss statistic, two other summary statistics of this curve are shown by a dotted vertical line and a solid green line. The dotted line is at the intersection of the curve and a 5% probability, meaning that there is only a 5% probability that the loss will exceed a given amount, here $1.18 billion. The solid green line has been located at a loss of $1 billion on the x-axis, and its intersection with the curve occurs at a probability of 13.2%, meaning that there is a 13.2% probability of the loss exceeding $1 billion. These two summaries are useful for management consideration as to whether they ‘tolerate’ losses of these amounts with the given probabilities. If management feels that they cannot tolerate the risks represented by the curve itself or the summary statistics, they can invest in controls to reduce the risks.
Suppose, for example, that management decides to implement the 12 controls that comprise an optimum portfolio of controls for an investment of $59,700. The loss exceedance curve will move down, as shown in Figure 33, where the amount corresponding to a 5% probability of loss exceeding that amount has been reduced from $1.18 billion to $291.7 million, and the probability of exceeding a loss of more than $1 billion has been reduced from 13.2% to almost zero. If management feels that these risks are still not tolerable, they can ask for an even more expensive optimum portfolio of controls to reduce the risks even further.
[1] The non-linearity occurs for two reasons. First, an event may have several sources. If one of the sources occurs, and the event occurs due to that source, the occurrence of another source of the event is irrelevant because the event has already occurred. Thus, we cannot simply add the likelihoods of the sources multiplied by the likelihoods of the event given the sources. Secondly, losses to an objective can occur due to several events. If there are several events that cause a loss to a given objective, we cannot just add them since the total cannot exceed 100%.
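The following is an added worked example, not code from the paper or from the London Underground study it describes. It implements the Monte Carlo procedure of this section and the two non-linearities of footnote [1]: an event occurs as soon as any one of its sources triggers it, and losses to one objective from several events are capped at 100% of that objective's value. The objectives, events, source likelihoods, impact fractions and controls are all constructed for illustration; the summary statistics it produces (mean loss, the loss exceeded only 5% of the time, and the probability of exceeding a tolerance amount) correspond to the three summaries read off Figures 32 and 33, but the dollar figures are not those of the paper.

```python
import random
from bisect import bisect_right
from copy import deepcopy

# Constructed example (not from the paper): a hypothetical monitoring system
# with two objectives, valued in dollars, and three risk events.
OBJECTIVES = {"service_availability": 500e6, "passenger_safety": 800e6}

# Each source is (name, annual probability the source occurs,
# probability the event occurs given that source). Each impact is the fraction
# of the objective's value lost when the event occurs.
EVENTS = [
    {"name": "sensor_outage",
     "sources": [("hardware_failure", 0.30, 0.50), ("misconfiguration", 0.20, 0.60)],
     "impacts": {"service_availability": 0.40}},
    {"name": "control_room_compromise",
     "sources": [("phishing", 0.25, 0.40), ("unpatched_server", 0.15, 0.70)],
     "impacts": {"service_availability": 0.80, "passenger_safety": 0.30}},
    {"name": "video_feed_tampering",
     "sources": [("insider_misuse", 0.05, 0.90)],
     "impacts": {"passenger_safety": 0.50}},
]

# Hypothetical controls: (event, source) -> multiplier on the source's annual
# probability (0.2 means the control removes 80% of that source's likelihood).
CONTROLS = {
    ("sensor_outage", "misconfiguration"): 0.2,
    ("control_room_compromise", "phishing"): 0.3,
    ("control_room_compromise", "unpatched_server"): 0.1,
}


def event_occurs(event, rng):
    """An event occurs when any one of its sources occurs and triggers it.
    Once it has occurred the remaining sources are irrelevant, which is why
    the per-source likelihoods cannot simply be summed (footnote [1])."""
    for _name, p_source, p_event_given_source in event["sources"]:
        if rng.random() < p_source and rng.random() < p_event_given_source:
            return True
    return False


def trial_loss(events, objectives, rng):
    """Dollar loss for one simulated year. Losses to the same objective from
    several events accumulate but are capped at 100% of its value."""
    fraction_lost = {obj: 0.0 for obj in objectives}
    for event in events:
        if event_occurs(event, rng):
            for obj, frac in event["impacts"].items():
                fraction_lost[obj] = min(1.0, fraction_lost[obj] + frac)
    return sum(fraction_lost[obj] * value for obj, value in objectives.items())


def simulate(events, objectives, trials=20000, seed=1):
    """Monte Carlo: run many trial years, return the losses in ascending order."""
    rng = random.Random(seed)
    return sorted(trial_loss(events, objectives, rng) for _ in range(trials))


def exceedance_probability(sorted_losses, threshold):
    """P(loss > threshold): one point on the loss exceedance curve."""
    n = len(sorted_losses)
    return (n - bisect_right(sorted_losses, threshold)) / n


def loss_at_exceedance(sorted_losses, probability):
    """Smallest simulated loss L with P(loss > L) <= probability, e.g. the
    amount that is exceeded only 5% of the time (the dotted line)."""
    n = len(sorted_losses)
    allowed_above = int(probability * n + 1e-9)  # trials permitted to exceed L
    return sorted_losses[max(0, n - 1 - allowed_above)]


def apply_controls(events, controls):
    """Return a copy of `events` with source probabilities scaled by the controls."""
    controlled = deepcopy(events)
    for event in controlled:
        event["sources"] = [
            (name, p_src * controls.get((event["name"], name), 1.0), p_evt)
            for name, p_src, p_evt in event["sources"]
        ]
    return controlled


def summarize(sorted_losses, tolerance_probability=0.05, tolerance_loss=500e6):
    """The three summaries discussed in the text: mean loss, the loss exceeded
    only `tolerance_probability` of the time, and P(loss > tolerance_loss)."""
    return {
        "mean_loss": sum(sorted_losses) / len(sorted_losses),
        "loss_at_tolerance_probability": loss_at_exceedance(sorted_losses, tolerance_probability),
        "p_exceed_tolerance_loss": exceedance_probability(sorted_losses, tolerance_loss),
    }


if __name__ == "__main__":
    for label, events in (("without controls", EVENTS),
                          ("with controls", apply_controls(EVENTS, CONTROLS))):
        stats = summarize(simulate(events, OBJECTIVES))
        print(f"{label}: mean ${stats['mean_loss'] / 1e6:.1f}M, "
              f"5% exceedance ${stats['loss_at_tolerance_probability'] / 1e6:.1f}M, "
              f"P(loss > $500M) {stats['p_exceed_tolerance_loss']:.1%}")
```

Running the script prints the two rows management would compare: the same three statistics before and after the controls are applied, with the curve "moving down" showing up as a smaller 5% exceedance amount and a lower probability of exceeding the tolerance loss. The full exceedance curve is simply `exceedance_probability` evaluated over a grid of thresholds; the cap in `trial_loss` is what makes the total risk smaller than the sum of the per-event risks.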