Looking at IT Risk Differently 


Risk is defined as the possibility of damage or loss. The word risk denotes that a decision maker knows the possible consequences of a decision and their relative likelihood at the time he/she makes that decision.

The ultimate decisions to be made in IT investments are:
  • What IT assets should be held?
  • How much money should be allocated to each?
These decisions are made in two steps.
  1. Estimates are prepared of the risk and return over the investment holding period. This is called investment analysis.
  2. Risk-return estimates are compared to decide how to allocate available funds among these investments on a continuing basis. This may be called IT portfolio analysis, selection and management.

The primary purpose of this article is to explore the notion of risk in IT, examine what creates risk and provide a quantitative measure of risk.

What Creates Risk?

Forces that contribute to loss or damage constitute the elements of risk. Some of these forces are external to the enterprise and others are internal to it. They cannot be completely eliminated, and, hence, the enterprise has to take a calculated risk on its IT investment. IT risks are to some extent specific to each industry and firm.

Risk can be classified into systematic and unsystematic risk.¹ Systematic risk is the portion of risk caused by external factors; it is common to, and may affect, all firms. Viruses, hacking, fire, natural disasters and power loss are sources of systematic risk. Their effect is felt by many of the companies that are placed in the same position. For example, an exploitable vulnerability in a widely used web browser affects all of the firms that use that browser.

Unsystematic risk is the portion of total risk that is unique to the firm. Factors such as misuse of data, loss of data, application error, human interaction, insider attack and equipment malfunction are sources of unsystematic risk. Unsystematic factors are largely independent of the factors affecting the IT industry in general. Since these factors affect a single firm, they must be examined for each firm.

The proportion of systematic to unsystematic risk indicates the degree of the firm's vulnerability to external versus internal factors. Systematic risk is also known as generic risk, and unsystematic risk as specific risk. Even though systematic risk is common to all firms of a similar nature, its effect is not the same across all firms; this may be due to differences in the firms' level of exposure and in the countermeasures they take.

Scientific Predictions

Uncertainty involves a situation in which the likelihood of the possible outcomes is not known. The existence of uncertainty necessitates careful and reasonable estimates of impact, together with some measure of the degree of uncertainty associated with these estimates of loss. Therefore, risk needs to be quantified.

The quantification of risk is necessary to ensure uniform interpretation and comparison. Risk can be determined as the product of likelihood and impact. The likelihood of an outcome, stated as a fraction or decimal, is known as its probability. A probability distribution assigns a probability to each individual event; the probabilities assigned to the individual events in a group of events must always sum to 1.00. Assigning probabilities moves the abstract concept of likelihood to the mathematically amenable concept of probability, converting qualitative risk assessment (likelihood) into quantitative risk assessment (probability). The assessor can assign probabilities based on the trend data available.

Like the likelihood, the impact has to be quantified. It is recommended that the assessor assign an impact percentage for each probability, 100 percent being the highest and 0 percent the lowest. The impact may be:

  • Loss of life
  • Loss of money
  • Loss of prestige
  • Loss of market share
  • Other factors
Quantifying impact is a two-stage process:
  1. Specify the impact percentage for every probability.
  2. Specify the impact cost (e.g., asset value, loss of life, loss of money).

Hypothetical Risk Analysis

Risk can be measured by calculating the standard deviation of the probability distribution. Figure 2 shows the variance and standard deviation of the probability distribution in figure 1.

Figure 1

Figure 2

The standard deviation is the square root of the variance, which in the case of the example here is 6.10.²

Variance is calculated by squaring each outcome's difference from the mean, multiplying each squared difference by the related probability, and summing the resulting amounts. Taking the square root of the variance then gives the standard deviation. Risk can be denoted by the standard deviation, which is a reasonable surrogate for risk.

Looking at the calculation of the standard deviation, the following features can be observed. The differences between the various possible values and the mean are squared, so values that are far from the mean have a much greater effect on the standard deviation than values that are close to it.

The squared differences are multiplied by the related probabilities. This means that the smaller an outcome's probability, the lower its effect on the standard deviation.

The standard deviation is obtained as the square root of the sum of the probability-weighted squared deviations. This means that the mean and the standard deviation are measured in the same units, so the two can be compared directly.

Assuming the value of the asset that is exposed to the previously mentioned risk is US $150,000, the impact cost in monetary terms is:
(6.10 x 150,000)/100 = US $9,150
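The two-stage impact quantification described earlier and the variance and standard deviation calculation above, carried through in code. This is an added example, not the article's own figures 1 and 2 (which are not reproduced here): the distribution of impact percentages, the outcome labels and the function names are constructed for illustration; only the US $150,000 asset value and the formula (standard deviation × asset value) / 100 come from the article. The example also reports the expected loss (mean impact × asset value / 100), which the article does not compute, so that the dispersion measure can be read next to the central estimate.

```python
"""Worked example of the article's risk measure on a constructed distribution.

Stage 1: each possible outcome gets an impact percentage (0-100) and a
probability; the probabilities must sum to 1.00.
Stage 2: the standard deviation of the impact percentages is converted to
money with the article's formula (standard deviation x asset value) / 100.
"""
from dataclasses import dataclass
from math import isclose, sqrt


@dataclass(frozen=True)
class Outcome:
    """One possible outcome: an impact percentage and its probability."""
    label: str
    impact_pct: float   # 0 = no impact, 100 = total loss of the asset
    probability: float  # 0.0 - 1.0


def validate(distribution):
    """Enforce the article's rules: probabilities sum to 1.00, impacts in 0-100."""
    total = sum(o.probability for o in distribution)
    if not isclose(total, 1.0, abs_tol=1e-9):
        raise ValueError(f"probabilities sum to {total:.4f}, not 1.00")
    for o in distribution:
        if not 0.0 <= o.impact_pct <= 100.0:
            raise ValueError(f"{o.label}: impact {o.impact_pct} outside 0-100 percent")
        if not 0.0 <= o.probability <= 1.0:
            raise ValueError(f"{o.label}: probability {o.probability} outside 0-1")


def mean_impact(distribution):
    """Probability-weighted mean impact percentage."""
    validate(distribution)
    return sum(o.probability * o.impact_pct for o in distribution)


def variance_contributions(distribution):
    """Per-outcome term probability * (impact - mean)^2.

    Returned separately (keyed by label) so it is visible which outcomes
    dominate: a large deviation from the mean is squared, a small
    probability scales the term down.
    """
    mu = mean_impact(distribution)
    return {o.label: o.probability * (o.impact_pct - mu) ** 2 for o in distribution}


def variance(distribution):
    """Sum of the probability-weighted squared deviations."""
    return sum(variance_contributions(distribution).values())


def standard_deviation(distribution):
    """Square root of the variance; same units as the mean (percent)."""
    return sqrt(variance(distribution))


def impact_cost(distribution, asset_value):
    """Stage 2: the article's monetary risk measure, (sd x asset value) / 100."""
    return standard_deviation(distribution) * asset_value / 100.0


def expected_loss(distribution, asset_value):
    """Central estimate for comparison (not in the article): (mean x asset) / 100."""
    return mean_impact(distribution) * asset_value / 100.0


# Constructed sample distribution (hypothetical, not the article's figure 1):
# a skewed "usually nothing happens, occasionally a large loss" profile.
SAMPLE = (
    Outcome("no incident", impact_pct=0.0, probability=0.70),
    Outcome("minor incident", impact_pct=10.0, probability=0.20),
    Outcome("major incident", impact_pct=50.0, probability=0.10),
)
ASSET_VALUE = 150_000.0  # US $, the asset value the article uses


if __name__ == "__main__":
    print(f"mean impact        : {mean_impact(SAMPLE):7.2f} %")
    for label, term in variance_contributions(SAMPLE).items():
        print(f"  variance term from {label:15s}: {term:8.2f}")
    print(f"variance           : {variance(SAMPLE):7.2f}")
    print(f"standard deviation : {standard_deviation(SAMPLE):7.2f} %")
    print(f"impact cost        : US ${impact_cost(SAMPLE, ASSET_VALUE):,.2f}")
    print(f"expected loss      : US ${expected_loss(SAMPLE, ASSET_VALUE):,.2f}")
```

With the constructed distribution the mean impact is 7 percent, the variance 221 and the standard deviation about 14.87 percent, giving an impact cost of roughly US $22,299 against an expected loss of US $10,500. The per-outcome terms show the feature the article describes: the 10 percent-probability "major incident" contributes 184.9 of the 221, because its deviation from the mean is squared before the small probability scales it down.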

Conclusion

Risk and return are two sides of the same coin. When return is measured quantitatively, a quantitative measure of risk is needed as well. The method explained previously is one such measure for the quantification of risk. It can be considered together with return, so that a calculated decision on the risk-weighted return can be made wherever decisions must be weighed on a risk-return scale.

Endnotes

1 Reilly, F.K.; K. Brown; Investment Analysis and Portfolio Management, Harcourt College Publishers, 2002.
2 Probability and calculation of standard deviation can be found in any standard textbook on statistics, e.g., Levin, R.I.; D.S. Rubin; Statistics for Management, 7th Edition, Prentice Hall, 1997.

A.V. Rameshkumar, CISA, CISM, AICWA, ACS, CPM, OCP (Oracle Financials), OCP (Application Developer)
is the head of IT for Al Aqili Group in Dubai, UAE. He has specialized in finance, corporate law, enterprise resource planning implementations, IT security, IT governance and solution architecture.



The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.