Assessment of Exposure to Outages

For an organization to assess the risk of a power outage due to the threat of sabotage, natural disaster or accident, you must calculate the organization's exposure to the threat.

Exposure is a product of an organization's vulnerability due to outage, the likelihood of the occurrence of the threat, and the likelihood of the outage due to the threat. Vulnerability is a product of the probability of outage impact and the potential loss (e.g., as a dollar amount). A power backup capability would mitigate some of the risk and it would facilitate further assessment—similarly for a geographically removed backup facility. These constitute the mitigation cost.

Otherwise:

vulnerability = (impact probability) x (potential loss)

and

exposure (risk) = (vulnerability) x (threat likelihood) x (outage likelihood)

Impact probability would depend upon the redundant array of independent disks (RAID) technique, backup frequency and method and power-dependent physical security methods, people's availability during the outage, fail safety of locks, and warning time before the outage.

Potential loss will vary by the duration of the outage and may be assessed as primary (loss of services dependent upon power) and secondary (consequences of services losses). These costs would be considered two components of the total risk, both as a function of outage time. Potential loss includes the business value of the lost operations, impaired reputation, and the cost to recover.

Threat likelihood for natural disasters exists in actuarial databases, mostly for use by insurance companies for their risk calculations. Likewise, insurance companies calculate the risk of sabotage or accident.

Outage likelihood depends upon the resilience of the power supply (grid) and the resilience of the equipment to failure.

Here are the steps to assess a system's vulnerability:

  1. calculate the vulnerabilities
  2. evaluate mitigation costs
  3. assess the risk
  4. ensure that the mitigation cost is less than the cost of the risk
A graphic with four blocks with arrows going left to right that illustrates a process. First box: List the vulnerabilities. Second box: Evaluate vulnerabilities and mitigation costs. Third box: Assess the cost of system failure. Fourth box: Ensure mitigation cost is less than cost of system failure.
System Vulnerability Process