Example Walkthrough — Widget Trader
If you haven't watched it already, you may find it useful to watch the video demo
before working through this example.
One of the easiest ways to get started is to look at (and modify) an example.
Widget Trader is the simplest company imaginable. It has only two activites, Buying and Selling.
It also has one resource, the venerable HAL 9000 computer, although we don't know that yet so it isn't in our model.
The dependencies between these are shown in the diagram. Let's get started!
- If you haven't got a lot of screen space, print this page to make it easier to refer to.
- Start the Risk Assessment Toolkit, if you haven't already.
- Go to the File menu at the top left hand corner, and select from it Open Example. Choose the Widget Trader example.
- If you scroll down the page you will see a user-editable Notes section at the bottom which explains the example.
- Look around a bit by clicking on the underlined links. To get back to this page click on Widget Trader at the top of
the tree view on the left of the screen.
- Try clicking on some of the items on the left hand side of the screen. This gives a structured view of the elements in our analysis.
- OK, it's time to change something. Click on Widget Trader on the left hand side to return to an organization view.
- Let's change the description of our widget trading organization to something more impressive. Click on Edit underneath
the organization description. You should see a simple text editor. Change the description to something
like World-Wide Widget Merchandising and click OK.
Let's look at the Risk Register - By Annual Loss Expectancy (ALE). We've
discussed this with our local geologist, and he thinks that the chance of an
earthquake (0.01 per year or once in a hundred years) is wrong. It should be
once in a thousand years. Let's change that.
- Click on the threat (Earthquake) and we will see information about
the threat, including a timeline showing what we expect to happen after an earthquake.
The expert thinks the value should be once in a thousand years. Find the Annual Rate of Occurrence and click on Edit to change it.
Change 100 years to 1,000 years, then change the number of times to
1. Click OK and you should now see a value of
0.001 per year in the report.
Take another look at the Risk Register: you should see that the Annualized Loss Expectancy of an Earthquake has dropped from $2,597.80 to $259.78.
Adding Resources or Activities
Our IT person has just pointed out a problem with our analysis. Both Buying and Selling
depend upon our ancient HAL 9000
computer which often breaks down. Let's add that to our analysis.
On the View menu at the top of the screen, select All Resources. On the structured view on the left hand side,
right-click on All Resources and select New > Resource. Name this resource HAL 9000.
- Now click on the HAL 9000 resource so that we can set some information about it.
- First let's change its location to the Main Office. Click on Edit next to the Location and select Main Office from the list
of possible locations.
- Now change its Replacement Cost to $5000.00.
- If we had to replace this computer, it would take 7 days for the manufacturer to deliver and install it. In the Recovery Time Objective
section, change the Estimated Time Required to 7 days. Also set the Recovery Time Objective for this resource
to 7 days.
- Now let's make both Buying and Selling dependent on this
resource. Further down the page, under Dependencies, click on Add a
New Dependent Resource or Activity.
- Add Buying and repeat this process for Selling. Notice that the
recovery time objectives listed next to these activities are listed in
red. This means that either there is something
missing from our analysis, or there is something inconsistent. The problem here
is that the Recovery Time Objectives we established for these activities is less
than that of the resource they depend on. If the HAL 9000 is destroyed in an
earthquake or fire, we can't recover until a new computer has been delivered,
which will take at least seven days. Something has to be changed.
- Let's change the Recovery Time Objectives of both Buying and Selling to 7
days, to make it consistent with the HAL 9000 recovery time objective.
Our venerable HAL 9000 computer often breaks down. Let's add this to our model.
- We could at this stage go to the Tools menu at the top of the screen and select Load Common Threats
to load a list of threats which are applicable to most organizations, but for learning purposes, let's do this the hard way.
On the View menu, select All Threats. This should select the All Threats item in the structured view on the left
hand side of the screen. The left hand side is where we create or delete things. Right-click on All Threats and select
New >. Threat. Name the new threat Equipment Failure.
- Give the threat a generic description, such as Temporary failure of equipment.
- Give the threat a default frequency, say 1 time per year.
- Some threats, such as earthquakes and fires, have indefinite effects. Others, such as equipment failures and power cuts, have
a limited duration. This is one of those. Let's assume the typical equipment repair takes 1 hour. Change the default impact duration
to 1 hour.
- So far we have a threat, but it isn't threatening anything specific. We need to add this threat to the HAL 9000.
There are two ways to do this. On smaller models, such as this one, you can simply drag the threat in the structured view on
the left and drop it on the resource or activity it affects, such as the HAL 9000. Alternatively, you can select an
Activity or Resource, view the associated report, and find the Add a New Direct Threat link in the lists of threats.
As the model is small, let's simply click and drag Equipment Failure and drop it on top of HAL 9000 on the left hand side.
You should now be looking at a report that shows the effects of an Equipment Failure on the HAL 9000. If you aren't,
expand the structured view of the HAL 9000 on the left hand side. Expand Direct Threats to HAL 9000 and click on
- Now the HAL 9000 is an unreliable and tricky beast. Change the Annual Rate of Occurrence for this threat to 4 times per year,
and the expected duration of the threat to 3 hours.
- Now go back to the Risk Register by Annual Loss Expectancy. You should see threat of HAL 9000 equipment failure at the top
of the list. That old computer really needs an upgrade! Perhaps it would even be worth buying a spare to keep on standby, as it would
pay for itself in two years.
Printing, Exporting and Saving
We had better take that Risk Register By Annual Loss Expectancy to senior management so that they can authorize replacement of the
HAL 9000. Let's print a copy.
- Go the File menu, and select Print Preview. We can choose the printer, the page orientation (landscape probably works best
for this report) and scaling (95% for US Letter). Click on the printer icon on the top left of the preview to print the report.
- Let's also save all our hard work. On the File menu, click Save As... and save analysis to an appropriate place.
- Perhaps we also need to include the information in a report we are writing to really make our point.
Scroll down to the bottom of the list of risks, and click on the Copy to Clipboard button.
- Now start Microsoft Word, find the point in the text where we would like to insert our table, right-click and select Paste
to insert our table into the report. Adjust the format, width of columns in Microsoft Word, and we are are done.
We have just touched the surface of what is possible with the Risk Assessment Toolkit. Look around to see what reports
are available and what they contain.
- To learn a little more about Risk Assessment, read the Getting Started guide.
- For a quick revision of basic operations, see Basic Operations.
- Try some more examples from the File >> Open Example menu. Although the other examples do not have
detailed walkthroughs, they do have some notes about what they demonstrate in the notes section at the bottom
of the organization description.