ALE tips by Carl Mazzanti
The February 1, 2019 USA Today headline read: “Devastating fire destroys New Jersey paper plant and leaves 500 without jobs.” According to the company CEO, “Wednesday night’s cold and windy conditions overcame the factory’s fire suppression system.”
Fortunately, no one was hurt, but the loss of the factory and 500 jobs is a major tragedy. I bring it up because I want you to know about an incredibly useful tool to help prevent losses like this. It’s called Annualized Loss Expectancy or ALE.
ALE is a decision framework to help you decide what type of preventative or recovery control you’re going to put in place. Paper factories have fires. Thus, you could buy and install sprinklers throughout the whole building, but it may not be the best solution.
A paper manufacturing customer of ours has fires break out multiple times a year. The 2,000-pound rolls of paper start to decompose. They get really warm and some of them light on fire. To contain the fires, they have an employee who walks the entire factory all day, every day, seven days a week, 365 days a year.
The factory’s control is full-time employees because the sprinklers don’t always work and the water destroys the paper. They’d rather have a guy who runs up to one roll with a fire extinguisher and puts it out. While it may seem like that solution is too expensive, the practice reduces their overall prevention cost and fire losses.
ALE Puts Numbers to Decisions About Risk
Here’s where ALE comes in:
The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). It is mathematically expressed as:
ALE = ARO × SLE
Suppose that an asset, the paper inventory, is valued at $1,000,000, and the exposure for this asset is 20%. The single loss expectancy (SLE) then is 20% * $1,000,000, or $200,000. The annual rate of occurrence (ARO) in this case is assumed to be 4.
ALE = ARO X SLE or 4 X $200,000 = $800,000
In other words, without preventative controls, the factory could expect to have four fires per year costing a total of $800,000. Thus, the decision becomes, what type of controls do I want to put in place to prevent that loss. The full-time employee solution is cost-justified by the ALE.
Better Decisions About Controls
Calculating an ALE for your major business risks means making better decisions on controls. For many, it’s the answer they have been seeking for some time to the question, “How can I make a decision in a formal way about what I need to do to protect my interests.”
Of my 1,100+ customers, I’ve connected with over half of them. Of those, only a small percentage know how to quantify the risk their firms experience and what to do about them. ALE is simple; it’s straightforward and an incredibly useful tool. Thus, it should not be optional.
A reasonable amount of business is run by gut; or it’s reactive; or based on what friends in the industry are doing, as in case studies and stories in the media.
Being able to put numbers behind the decision process not only helps my organization, but those we service make good, viable long-term decisions about their controls, both preventative and recovery for their organizations.
A major risk that confronts almost every business is catastrophic data loss. It may be caused by ransomware, hackers or a natural or human-triggered disaster. Indeed, few businesses survive catastrophic data loss without the adequate preventative and recovery controls in place.
Calculating the ALE will help you make the right decisions regarding controls to protect your data, a critical business asset. So, let’s talk about what you come up with.