CRISAM Evaluation & Aggregation Methodologies

In the CRISAM® understanding, a risk is an unexpected deviation from an expected or planned situation. It is therefore especially important to bring individual risks together in order to calculate overall risks and to assess the potential threats to the company: failure to meet deadlines and planned targets, cost overruns in projects, and risks resulting from IT usage all have to be assessed according to their business impact.

It is therefore not appropriate to evaluate the risk of individual events or IT systems separately without knowing in what form and to what extent damage may be caused. The potential overall impact on the planned goal has to be analysed.

Cause & Effect Analysis Method

Very often the risks of an overall system result from the interdependence of the individual systems. IT services, for instance, are provided through a combination of server systems, networks, facilities and data centres, and are maintained by IT employees. Because these systems are interrelated, a fault in an individual system can cause a malfunction in the overall system. Risks can therefore only be evaluated by taking into account the big picture, including all the individual systems and their interconnections.

Figure 7: Part of CRISAM® modelled fault tree.

To represent a system with its components and objects in a model as realistically as possible, and to facilitate its evaluation, CRISAM® uses fault tree analysis, a cause & effect analysis method known from DIN 25424 (see Figure 7). An IT service, for instance, is evaluated at the root of the fault tree; all the individual systems required for its proper performance are added step by step, giving an in-depth evaluation.

Depending on whether there is a simple or a redundant relation between the individual systems, their cause and effect relationship is modelled and calculated accordingly. The fault tree is modelled by drag and drop in the CRISAM® Explorer. The calculation rules for the aggregation are established automatically while the tree structure is being modelled.
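The following sketch is an added example, not CRISAM®'s own calculation rules or code. It assumes standard fault-tree gates (OR for a simple relation, AND for a redundant one), constructed failure probabilities, and a hypothetical IT service whose two redundant servers share one data-centre power feed, and it compares gate-by-gate aggregation with a Monte Carlo estimate.

```python
import random

# Constructed model. A node is a basic-event name or (gate, [children]):
# "OR"  = simple relation: the parent fails if any child fails
# "AND" = redundant relation: the parent fails only if all children fail
P_FAIL = {"network": 0.02, "it_staff": 0.01, "dc_power": 0.03,
          "server_a": 0.05, "server_b": 0.05}          # assumed per-period values
REDUNDANT_SERVERS = ("AND", [("OR", ["server_a", "dc_power"]),
                             ("OR", ["server_b", "dc_power"])])
IT_SERVICE = ("OR", ["network", "it_staff", REDUNDANT_SERVERS])

def naive_probability(node, p=P_FAIL):
    """Gate-by-gate aggregation; exact only when no basic event is shared."""
    if isinstance(node, str):
        return p[node]
    gate, children = node
    result = 1.0
    for child in children:
        q = naive_probability(child, p)
        result *= q if gate == "AND" else 1.0 - q
    return result if gate == "AND" else 1.0 - result

def fails(node, state):
    """Evaluate the tree for one sampled state of all basic events."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    outcomes = [fails(child, state) for child in children]
    return all(outcomes) if gate == "AND" else any(outcomes)

def simulate(node, p=P_FAIL, trials=100_000, seed=7):
    """Monte Carlo estimate; each basic event is sampled once per trial,
    so the shared dc_power failure hits both servers together."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        state = {name: rng.random() < q for name, q in p.items()}
        hits += fails(node, state)
    return hits / trials

if __name__ == "__main__":
    print(f"naive aggregation : {naive_probability(IT_SERVICE):.4f}")
    print(f"simulated         : {simulate(IT_SERVICE):.4f}")
```

The gap between the two figures comes from the shared power feed: gate-by-gate aggregation treats the two servers as independent and so overstates the benefit of the redundancy.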

Scenario Analysis Method

In addition to the cause and effect modelling of technical and organisational systems, CRISAM® provides a business logic enabling a scenario analysis based on Monte Carlo simulations.

Figure 8: Part of CRISAM® modelled business logic

With the scenario analysis method (SAM), specific calculation trees (see Figure 8) can be created for applications such as profit and loss statements, business plans or project planning.

Scenarios are calculated along these tree structures using the calculation formulas contained in the nodes; Monte Carlo simulations are applied for the statistical evaluation.