Example Walkthrough — Widget Trader

If you haven't watched it already, you may find it useful to watch the video demo before working through this example.

One of the easiest ways to get started is to look at (and modify) an example.

Widget Trader Activities and Resources

Widget Trader is the simplest company imaginable. It has only two activites, Buying and Selling. It also has one resource, the venerable HAL 9000 computer, although we don't know that yet so it isn't in our model. The dependencies between these are shown in the diagram. Let's get started!

  1. If you haven't got a lot of screen space, print this page to make it easier to refer to.
  2. Start the Risk Assessment Toolkit, if you haven't already.
  3. Go to the File menu at the top left hand corner, and select from it Open Example. Choose the Widget Trader example.
  4. If you scroll down the page you will see a user-editable Notes section at the bottom which explains the example.
  5. Look around a bit by clicking on the underlined links. To get back to this page click on Widget Trader at the top of the tree view on the left of the screen.
  6. Try clicking on some of the items on the left hand side of the screen. This gives a structured view of the elements in our analysis.

Simple Changes

  1. OK, it's time to change something. Click on Widget Trader on the left hand side to return to an organization view.
  2. Let's change the description of our widget trading organization to something more impressive. Click on Edit underneath the organization description. You should see a simple text editor. Change the description to something like World-Wide Widget Merchandising and click OK.
  3. Let's look at the Risk Register - By Annual Loss Expectancy (ALE). We've discussed this with our local geologist, and he thinks that the chance of an earthquake (0.01 per year or once in a hundred years) is wrong. It should be once in a thousand years. Let's change that.
  4. Click on the threat (Earthquake) and we will see information about the threat, including a timeline showing what we expect to happen after an earthquake.
  5. The expert thinks the value should be once in a thousand years. Find the Annual Rate of Occurrence and click on Edit to change it. Change 100 years to 1,000 years, then change the number of times to 1. Click OK and you should now see a value of 0.001 per year in the report.
  6. Take another look at the Risk Register: you should see that the Annualized Loss Expectancy of an Earthquake has dropped from $2,597.80 to $259.78.

Adding Resources or Activities

  1. Our IT person has just pointed out a problem with our analysis. Both Buying and Selling depend upon our ancient HAL 9000 computer which often breaks down. Let's add that to our analysis.
  2. On the View menu at the top of the screen, select All Resources. On the structured view on the left hand side, right-click on All Resources and select New > Resource. Name this resource HAL 9000.
  3. Now click on the HAL 9000 resource so that we can set some information about it.
  4. First let's change its location to the Main Office. Click on Edit next to the Location and select Main Office from the list of possible locations.
  5. Now change its Replacement Cost to $5000.00.
  6. If we had to replace this computer, it would take 7 days for the manufacturer to deliver and install it. In the Recovery Time Objective section, change the Estimated Time Required to 7 days. Also set the Recovery Time Objective for this resource to 7 days.
  7. Now let's make both Buying and Selling dependent on this resource. Further down the page, under Dependencies, click on Add a New Dependent Resource or Activity.
  8. Add Buying and repeat this process for Selling. Notice that the recovery time objectives listed next to these activities are listed in red. This means that either there is something missing from our analysis, or there is something inconsistent. The problem here is that the Recovery Time Objectives we established for these activities is less than that of the resource they depend on. If the HAL 9000 is destroyed in an earthquake or fire, we can't recover until a new computer has been delivered, which will take at least seven days. Something has to be changed.
  9. Let's change the Recovery Time Objectives of both Buying and Selling to 7 days, to make it consistent with the HAL 9000 recovery time objective.

Adding Threats

  1. Our venerable HAL 9000 computer often breaks down. Let's add this to our model.
  2. We could at this stage go to the Tools menu at the top of the screen and select Load Common Threats to load a list of threats which are applicable to most organizations, but for learning purposes, let's do this the hard way.
  3. On the View menu, select All Threats. This should select the All Threats item in the structured view on the left hand side of the screen. The left hand side is where we create or delete things. Right-click on All Threats and select New >. Threat. Name the new threat Equipment Failure.
  4. Give the threat a generic description, such as Temporary failure of equipment.
  5. Give the threat a default frequency, say 1 time per year.
  6. Some threats, such as earthquakes and fires, have indefinite effects. Others, such as equipment failures and power cuts, have a limited duration. This is one of those. Let's assume the typical equipment repair takes 1 hour. Change the default impact duration to 1 hour.
  7. So far we have a threat, but it isn't threatening anything specific. We need to add this threat to the HAL 9000. There are two ways to do this. On smaller models, such as this one, you can simply drag the threat in the structured view on the left and drop it on the resource or activity it affects, such as the HAL 9000. Alternatively, you can select an Activity or Resource, view the associated report, and find the Add a New Direct Threat link in the lists of threats. As the model is small, let's simply click and drag Equipment Failure and drop it on top of HAL 9000 on the left hand side.
  8. You should now be looking at a report that shows the effects of an Equipment Failure on the HAL 9000. If you aren't, expand the structured view of the HAL 9000 on the left hand side. Expand Direct Threats to HAL 9000 and click on Equipment Failure.
  9. Now the HAL 9000 is an unreliable and tricky beast. Change the Annual Rate of Occurrence for this threat to 4 times per year, and the expected duration of the threat to 3 hours.
  10. Now go back to the Risk Register by Annual Loss Expectancy. You should see threat of HAL 9000 equipment failure at the top of the list. That old computer really needs an upgrade! Perhaps it would even be worth buying a spare to keep on standby, as it would pay for itself in two years.

Printing, Exporting and Saving

  1. We had better take that Risk Register By Annual Loss Expectancy to senior management so that they can authorize replacement of the HAL 9000. Let's print a copy.
  2. Go the File menu, and select Print Preview. We can choose the printer, the page orientation (landscape probably works best for this report) and scaling (95% for US Letter). Click on the printer icon on the top left of the preview to print the report.
  3. Let's also save all our hard work. On the File menu, click Save As... and save analysis to an appropriate place.
  4. Perhaps we also need to include the information in a report we are writing to really make our point. Scroll down to the bottom of the list of risks, and click on the Copy to Clipboard button.
  5. Now start Microsoft Word, find the point in the text where we would like to insert our table, right-click and select Paste to insert our table into the report. Adjust the format, width of columns in Microsoft Word, and we are are done.

Where Next

We have just touched the surface of what is possible with the Risk Assessment Toolkit. Look around to see what reports are available and what they contain.

Back to Help Index
Purchasing Information