Storage & Clustering Community Blog

Why Expected Loss? We Don’t Need To Know Probability; We know there is a Big Risk!

Created: 17 Jan 2013 • Updated: 11 Jun 2014

Oh yes you DO need to know probability! Many professionals and thought leaders have said that ‘there is no reason to know probabilities to know that a big risk exists’ and that it should be intuitively obvious that losing a datacenter would be very bad. But if IT-infrastructure risk is so intuitive, then the value does not lie in identifying the most serious risks; those risks are self-evident. The value lies in determining the optimal ‘investment’ to mitigate the most serious risks. In this context, optimal means allocating the organization’s resources to those actions that will yield the best overall performance.

So even if these intuitive gut feelings about the risks are right, relying on them is not the most effective way to justify the appropriate level of investment. In fact, this is the reason that many in IT find it difficult to provide a valid ROI for HA/DR solutions: they fail to understand the value that probability and the associated ‘Expected Loss’ provide to the value proposition.

Many organizations have been told that the ‘cost of downtime’ or the BIA can be used to justify HA/DR solutions. They soon learn that the ‘cost of downtime’ and the BIA come up short when making an argument for appropriate funding and resource allocation. This lack of funding creates frustration and has led many to mistakenly assume that there can be no ROI for HA/DR solutions. The limitation of the ‘cost of downtime’ and the BIA is that they only quantify the ‘potential-for-loss’ and systematically ignore the probability of occurrence. This probability neglect causes excessive worry about statistically small risks and distorts perceptions about serious threats. While an organization may have actually experienced downtime that cost millions of dollars, that does not mean it should be expected as a regular occurrence.

The only rational reason to spend money on any HA/DR solution is the expectation that the benefits outweigh the costs. But what are the benefits of HA/DR solutions that can be quantified? What does the organization get for all the money it spends on HA/DR? To understand the benefits we must go beyond the ‘potential-for-loss’ (loss potential) and understand the losses that can be reasonably expected (expected loss). HA/DR solutions reduce expected loss.

The first thing to recognize is that investing in HA/DR solutions is a very different kind of investment decision, because HA/DR solutions address operational risk. The vast majority of business investments expect a return: an expected gain. For these types of investments, capital is ‘wagered’ with the expectation of a payoff, something greater than the original investment. This expected gain is what makes taking the risk worthwhile. When investing to reduce an operational risk, however, there is no obvious payoff and no expected gain; the best that can be expected when addressing operational risk is to prevent something bad from occurring, to avoid an EXPECTED LOSS. So when it comes to HA/DR solutions there is no upside gain; we can only limit losses.

Now, there are two ways to increase the return on investment: (1) increase the expected gains and/or (2) reduce the expected losses. By far, most ROIs only estimate the increases to expected gains. Reductions to expected losses, however, are just as valid as increases to expected gains. Expected loss is what provides the economic cause-and-effect relationship that is deficient in the BIA and the ‘cost of downtime’. Expected loss will ensure better priority setting of the serious risks and provides the business process to evaluate multiple alternatives using the standard ROI technique.

Expected loss is not something subjective like ‘risk appetite’, ‘risk aversion’ or ‘risk tolerance’. Expected loss uses the principle of ‘Expected Value’, a notion developed by Blaise Pascal and Pierre de Fermat during the middle of the 17th century. Simply put, ‘Expected Value’ is the value of an event times the probability that the event will occur. Expected loss, therefore, is the ‘loss potential’ times the ‘probability’ that the loss will occur. We can apply expected loss to a real business problem of HA/DR: the inherent risk of the IT infrastructure. The ROI of alternative HA/DR solutions can be evaluated based on their ability to reduce the consequence of an event, reduce its occurrence rate, or both, and is measured by the reduction in expected loss.
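The calculation described above, carried through for several threats and alternative solutions, as an added example that is not part of the original post. The threat names, dollar amounts, occurrence rates and solution costs are all constructed for illustration, and expressing probability as events per year is an assumption of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    name: str
    loss_per_event: float    # 'loss potential' in dollars (constructed value)
    events_per_year: float   # occurrence rate per year (constructed value)

@dataclass
class Solution:
    name: str
    annual_cost: float
    # Multipliers per threat name; 1.0 (the default) means no effect.
    loss_factor: dict = field(default_factory=dict)  # reduces the consequence
    rate_factor: dict = field(default_factory=dict)  # reduces the occurrence rate

def expected_loss(threats, solution=None):
    """Annual expected loss: sum of loss potential x probability."""
    total = 0.0
    for t in threats:
        lf = solution.loss_factor.get(t.name, 1.0) if solution else 1.0
        rf = solution.rate_factor.get(t.name, 1.0) if solution else 1.0
        total += (t.loss_per_event * lf) * (t.events_per_year * rf)
    return total

def roi(threats, solution):
    """Standard ROI where the 'gain' is the reduction in expected loss."""
    reduction = expected_loss(threats) - expected_loss(threats, solution)
    return (reduction - solution.annual_cost) / solution.annual_cost

def rank(threats, solutions):
    """Alternatives ordered from best to worst ROI."""
    return sorted(solutions, key=lambda s: roi(threats, s), reverse=True)

# Constructed sample data: one rare catastrophic event, two frequent smaller ones.
THREATS = [
    Threat("site_loss", 20_000_000, 0.01),
    Threat("server_failure", 50_000, 12),
    Threat("storage_corruption", 500_000, 0.5),
]
SOLUTIONS = [
    Solution("remote DR site", 400_000, loss_factor={"site_loss": 0.1}),
    Solution("local clustering", 150_000, loss_factor={"server_failure": 0.1}),
    Solution("replicated storage", 100_000, rate_factor={"storage_corruption": 0.2}),
]

if __name__ == "__main__":
    print(f"baseline expected loss: ${expected_loss(THREATS):,.0f}/yr")
    for s in rank(THREATS, SOLUTIONS):
        print(f"{s.name:20s} ROI = {roi(THREATS, s):+.2f}")
```

With these constructed figures, the threat with the largest loss potential contributes the smallest share of expected loss, so the solution aimed at it ranks last on ROI.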

Blog Author:
Mr. Wenk is Principal Resiliency Architect for Symantec’s Storage and Availability Management Group. He has consulted worldwide with large Fortune 500 customers, generating demand for Cloud Infrastructures and architecting private cloud solutions for technology-intensive organizations in over 20 different countries, tackling some very challenging, complex, and ambiguous problems. His experience includes developing architectures and strategies for highly available, resilient and secure infrastructures in heterogeneous IT environments. He has performed quantitative operational risk assessments that were used to justify the significant investments required to build, transform and maintain resilient infrastructures; he has performed technology assessments, IT consolidation and transition strategies, and developed site selection criteria for complex heterogeneous technology consolidations. In addition, he has developed charging methodologies and performed capacity planning and performance evaluations in large, complex IT environments. Dennis has developed a number of risk-based services that quantify the return on technology investments that increase resiliency and improve continuity programs. His background includes experience with EMC Consulting as Senior Cloud Architect and with Hitachi Data Systems as Principal Global Solution Architect for High Availability Solutions; IBM Global Network as an Outsourcing Project Executive; Comdisco, where he was Western Director of Technology Consulting; KPMG, where he was Senior Manager, Group Leader for IT Operations and Transformations; as well as Heller Financial, where he served as VP/Information Processing. Dennis Wenk earned an MBA in Accounting and Finance and a BS in Computer Science from Northern Illinois University. He is a Certified Information Systems Auditor (CISA), Certified Data Processor (CDP), and Certified Systems Professional (CSP), and is certified in ITIL Service Management.
He was awarded Best Management Paper by Computer Measurement Group, and he currently sits on the Advisory Board for Continuity Insights and serves as their Technology Chair. He has served as the Cloud Special Interest Group Leader for the Outsourcing Institute and the Business Continuity Focus Expert for Information Technology Infrastructure Management Group. He is an advisor to Business Continuity Services Group. Dennis has written award-winning professional articles and white papers and has been published in Information Week, Computer Performance Review, Trends and Topics, Continuity Insights, Infosystems, Computer Measurement Group, and DR Journal. He is a regular speaker at worldwide industry conferences. Some current topics of expertise include: ‘3 Simple Complexities of Data Protection’, ‘Think About Never Failing, Not How To Recover’, ‘Focus On The Largest Source Of Risk: The Data Center’, ‘Risk Economics’, ‘Gaining Competitive Advantage: The Myth of the Resiliency Paradox’, ‘Eco-Friendly Data Center’, ‘Virtualization, a Resiliency Enabler’, ‘Economic Impact of Interruptions’, ‘Risk-based Business Continuity’, ‘High-Stakes Business Impact Analysis’, ‘A Risk-Based Approach to Internal Controls’, and ‘Resiliency: Clearing the Five Nines Hurdle’.