Annualized Loss Expectancy

The dollar figure your CFO can budget against. For risk that's been sitting unmeasured.

Annualized Loss Expectancy — ALE — quantifies your IT risk exposure in dollars per year. It's the same unit your CFO uses for everything else. Most mid-market organizations have never calculated theirs. Preside calculates it within 30 days, then tracks the reduction quarterly.

SLE × ARO: the formula
30 days: to your baseline
20–30%: annual organic growth if untreated

The Formula

ALE = SLE × ARO

A foundational concept in quantitative risk management — codified by NIST in SP 800-30 Rev. 1 and used by every quantitatively serious risk function on the planet. Two inputs, one output.

SLE

Single Loss Expectancy

The dollar impact of one occurrence of a given risk event. Asset value × exposure factor.

Example: A ransomware event affecting your ERP that costs $400,000 in recovery, downtime, and remediation.

ARO

Annual Rate of Occurrence

How often the event happens per year. Once every five years = 0.20.

Example: Industry telemetry suggests 0.15/yr for mid-market orgs in your sector.

ALE

Annualized Loss Expectancy

$400,000 × 0.15 = $60,000/yr for this one risk. Summed across your register, you have your ALE.

The output: The dollar figure your CFO can budget against.

What a Register Looks Like

A composite mid-market risk register

Representative scenario for a 250-person professional services firm with ~$80M revenue. Numbers anonymized and rounded; full sensitivity ranges and methodology delivered in the actual engagement.

SAMPLE ALE BASELINE · TOP 8 RISKS

$80M Professional Services Firm

$680k Total ALE
| Risk | SLE | ARO | ALE | Driver |
|---|---|---|---|---|
| Ransomware (ERP downtime) | $400k | 0.15 | $60k | Backup gap |
| SaaS account compromise | $120k | 0.40 | $48k | No SSO on tier-2 |
| RC4-related outage (Kerberos) | $180k | 0.60 | $108k | Crypto config drift |
| PCI-DSS finding | $250k | 0.30 | $75k | Audit cycle |
| Shadow AI data exposure | $200k | 0.50 | $100k | No inventory |
| Insider data exfiltration | $350k | 0.10 | $35k | DLP gap |
| Vendor breach (downstream) | $220k | 0.50 | $110k | Third-party risk |
| Phishing → wire fraud | $520k | 0.28 | $145k | Verification process |
| Aggregate ALE | | | $681k/yr | |

Real engagements typically yield 18–30 line items. Top 5 risks usually contribute 70%+ of total ALE — and are usually addressable for less than the ALE they represent.
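The sample register above, worked through in code. This is an added example, not Preside's code or methodology: it recomputes each ALE from SLE × ARO, reconciles the result against the published ALE column, measures how much of the aggregate the top five risks carry, and projects the untreated total at the 20% lower bound of the growth range the page cites. The function names, the $1,000 reconciliation tolerance, and the constant-rate growth model are assumptions.

```python
from decimal import Decimal

# Rows transcribed from the sample table above: (risk, SLE, ARO, published ALE).
REGISTER = [
    ("Ransomware (ERP downtime)", "$400k", "0.15", "$60k"),
    ("SaaS account compromise", "$120k", "0.40", "$48k"),
    ("RC4-related outage (Kerberos)", "$180k", "0.60", "$108k"),
    ("PCI-DSS finding", "$250k", "0.30", "$75k"),
    ("Shadow AI data exposure", "$200k", "0.50", "$100k"),
    ("Insider data exfiltration", "$350k", "0.10", "$35k"),
    ("Vendor breach (downstream)", "$220k", "0.50", "$110k"),
    ("Phishing → wire fraud", "$520k", "0.28", "$145k"),
]

def dollars(text):
    """Parse '$400k' or '$1.2M' style figures into a Decimal dollar amount."""
    text = text.strip().lstrip("$").replace(",", "")
    scale = {"k": 1_000, "m": 1_000_000}.get(text[-1].lower())
    return Decimal(text[:-1]) * scale if scale else Decimal(text)

def compute_ale(register):
    """Return [(risk, ALE)] sorted by ALE descending, where ALE = SLE x ARO."""
    rows = [(risk, dollars(sle) * Decimal(aro)) for risk, sle, aro, _ in register]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def reconcile(register, tolerance=Decimal("1000")):
    """List risks whose published ALE differs from SLE x ARO by more than tolerance."""
    return [risk for risk, sle, aro, ale in register
            if abs(dollars(sle) * Decimal(aro) - dollars(ale)) > tolerance]

def top_share(ranked, n):
    """Fraction of aggregate ALE contributed by the n largest risks."""
    total = sum(ale for _, ale in ranked)
    return sum(ale for _, ale in ranked[:n]) / total

def untreated(total, growth, years):
    """Project aggregate ALE forward at a constant annual growth rate (assumed model)."""
    return total * (1 + Decimal(growth)) ** years

if __name__ == "__main__":
    ranked = compute_ale(REGISTER)
    total = sum(ale for _, ale in ranked)
    for risk, ale in ranked:
        print(f"{risk:32s} ${ale:>10,.0f}  {ale / total:6.1%}")
    print(f"Aggregate ALE ${total:,.0f}; top 5 share {top_share(ranked, 5):.0%}")
    print("Rows off by more than $1k:", reconcile(REGISTER) or "none")
    print(f"Untreated after 3 years at 20%: ${untreated(total, '0.20', 3):,.0f}")
```

Tightening the tolerance to $500 flags the wire-fraud row, whose unrounded product is $145,600 against the published $145k; that rounding is also why the aggregate can be read as either $680k or $681k.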

Why It Matters Now

ALE grows whether you manage it or not

Three structural reasons mid-market IT risk compounds silently — and what changes when you actually measure it.

+20–30%

Annual organic growth

Every new SaaS platform, integration, regulatory change, and AI tool adds to exposure. Without active management, ALE compounds at roughly the same rate as your tech footprint.

$0

What most have measured

Most mid-market orgs operate without a calculated ALE. Risk-matrix colors and "high / medium / low" don't survive a board, an auditor, or a buyer asking for a number.

30d

Time to baseline with Preside

Full ALE calculation within the first 30 days of engagement. The first quarterly Δ lands inside the first quarter. Compounding turns into compounding reduction.

By Industry

Where ALE concentrates by sector

Mid-market ALE distributions vary predictably by sector. We've seen the patterns across 100+ organizations.

Financial Services

Vendor breach exposure, RC4 in legacy banking stacks, PCI-DSS compliance, customer data exfiltration. Concentration: third-party risk + compliance.

Biotech & Pharma

IP exfiltration, regulated data handling, FDA compliance posture, AI-aided research data flows. Concentration: IP protection + regulatory.

Energy & Utilities

NERC CIP compliance, OT/IT boundary exposure, legacy SCADA crypto, regulatory penalties. Concentration: NERC CIP + OT/IT.

Professional Services

Client data exfiltration, shadow AI exposure (legal/finance), email-based wire fraud, vendor compromise. Concentration: data + wire-fraud.

How Preside Reduces ALE

A four-step quarterly cycle

The same loop runs every quarter — baseline, prioritize, reduce, report. Each cycle compounds against the prior.

01

Baseline

Full risk register. Asset valuation. Threat modeling. SLE and ARO calculated per risk. Total ALE in dollars.

02

Prioritize

Rank by ALE contribution and remediation cost. Highest dollar-impact, lowest effort risks first.

03

Reduce

Targeted controls. Preside direct, or via specialists we source, scope, and manage.

04

Report

Quarterly ALE Δ in dollars to leadership and sponsors. Clear, defensible, board-ready.

References

Methodology and citations

ALE is not a Preside invention. It's a 40-year-old quantitative risk management foundation. We've codified its application for mid-market IT.

NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments: establishes the SLE × ARO methodology used in quantitative IT risk assessments.
FAIR Institute (Factor Analysis of Information Risk): open quantitative risk methodology that operationalizes SLE/ARO calculations for enterprise security risk.
ISO/IEC 27005: international standard for information security risk management; references quantitative methods including ALE.

Put a number on the risk that's been sitting unmeasured.

30 days from engagement to baseline. Tracked reduction every quarter thereafter.