Impact due to FAIR-MAM at Group Level


Group Level FAIR MAM

To simplify management of FAIR MAM, the loss categories and drivers are now available at the Group level and apply to all of the group's risk scenarios. Managing loss driver overrides once at the group level is easier than doing so for each risk scenario. Note that tuning cost drivers within a risk scenario remains available.

With this change, seven loss drivers have been split into scenario-specific loss drivers, and their benchmark values have been updated to reflect current industry data. End users can leverage the more specific benchmarks SAFE provides for risk scenario outcomes and tune those benchmarks, which allows more accurate loss magnitudes to be calculated. As a result of these more specific benchmark values, some risk scenarios that use them may show a change in overall loss magnitude and ALE.

The original loss drivers have been removed and replaced with split drivers in two modules, because these drivers showed a high coherence with risk scenario parameters. The affected modules are:

  1. Business Interruption

  2. Network Security

The following tables detail the categories that have been modified:

Business Interruption

Deleted: Number of days (direct BI gross profit loss)
Added:

  • Number of days (direct BI gross profit loss) - [Ransomware]

  • Number of days (direct BI gross profit loss) - [Wiper]

Deleted: Number of days (direct BI revenue delayed)
Added:

  • Number of days (direct BI revenue delayed) - [Ransomware]

  • Number of days (direct BI revenue delayed) - [Wiper]

Deleted: Number of days (direct BI OpCost)
Added:

  • Number of days (direct BI OpCost) - [Ransomware]

  • Number of days (direct BI OpCost) - [Wiper]

Deleted: Number of hours (direct BI PR revenue)
Added:

  • Number of hours (direct BI PR revenue) - [Ransomware and Wiper]

Deleted: Number of days (revenue generated for 3P)
Added:

  • Number of days (revenue generated for 3P) - [Ransomware]

  • Number of days (revenue generated for 3P) - [Wiper]

Impact

The addition or deletion of these drivers should have no default impact. However, if any deleted drivers were tuned in the existing model, their tuned effect would be removed, and the replacement driver’s default effect would apply.

Exceptions:

  1. The default max value in the old model for Number of days (direct BI gross profit loss) is 21 when the revenue is greater than 5B, whereas it is 10 for Number of days (direct BI gross profit loss) - [Ransomware] in the new model.

  2. The default max value in the old model for Number of days (direct BI revenue delayed) is 21 when the revenue is greater than 5B, whereas it is 10 for Number of days (direct BI revenue delayed) - [Ransomware] in the new model.

  3. The default max value in the old model for Number of days (direct BI OpCost) is 21 when the revenue is greater than 5B, whereas it is 10 for Number of days (direct BI OpCost) - [Ransomware] in the new model.

  4. The default max value in the old model for Number of days (revenue generated for 3P) is 21 when the revenue is greater than 5B, whereas it is 10 for Number of days (revenue generated for 3P) - [Ransomware] and Number of days (revenue generated for 3P) - [Wiper] in the new model.

At a high level, the max value of the above drivers is affected when the revenue is greater than 5 billion.

Network Security

Deleted: Number of hours (IR forensic)
Added:

  • Number of hours (IR forensic) - [Ransomware]

  • Number of hours (IR forensic) - [Wiper]

  • Number of hours (IR forensic) - [DDoS]

  • Number of hours (IR forensic) - [System Outage-Malicious]

  • Number of hours (IR forensic) - [System Outage-Accidental]

  • Number of hours (IR forensic) - [Data Exfiltration-Malicious]

  • Number of hours (IR forensic) - [Data Exfiltration-Accidental]

  • Number of hours (IR forensic) - [Cryptomining]

Deleted: Number of hours (Network IR legal)
Added:

  • Number of hours (Network IR legal) - [Ransomware]

  • Number of hours (Network IR legal) - [Wiper]

  • Number of hours (Network IR legal) - [DDoS]

  • Number of hours (Network IR legal) - [System Outage-Malicious]

  • Number of hours (Network IR legal) - [System Outage-Accidental]

  • Number of hours (Network IR legal) - [Data Exfiltration-Malicious]

  • Number of hours (Network IR legal) - [Data Exfiltration-Accidental]

  • Number of hours (Network IR legal) - [Cryptomining]

Impact

The addition or deletion of these drivers should have no default impact. However, if any deleted drivers were tuned in the existing model, their tuned effect would be removed, and the replacement driver’s default effect would apply.

Exceptions:

  1. In the old model, the defaults for Number of hours (IR forensic) were [0,0,0] for System Outage scenarios. In the new model, the defaults for DDoS and System Outage-Malicious have been updated to [15, 40, 85].

  2. In the old model, the defaults for Number of hours (Network IR legal) were [0,0,0] for System Outage scenarios. In the new model, the defaults for DDoS and System Outage-Malicious have been updated to [15, 40, 85].

At a high level, System Outage - Malicious will show an increase in loss numbers when this feature is enabled.

Note: The newly added loss drivers listed above should be reviewed for their new values wherever they are applicable in a risk scenario.