OK, first of all I'm not going to talk about the classic CISSP ALE formula in this post. You know the one, ALE = SLE x ARO. What I am talking about is expressing any loss (regardless of the formula used to derive it) as an annualized value.
One thing that is nice about ALE is that it gives you a way to compare and track the amount of overall risk that your organization is facing. If your ALE is too high, then you can work to get it down below your risk tolerance.
But ALE has a tendency to be reported as if it was the bill for each year. Your ALE is $1.8 million per year, but we know that your actual losses might be zero this year. And again the next year. And then you can get hit with about $7 million in losses. It would be one thing if these companies were actually going to save $1.8 million each year in an account to deal with these issues, but I doubt that is the case. It's kind of like paying your taxes as a lump sum rather than a little bit out of 26 paychecks.
So let's all make sure that when we're talking about ALE what we're really talking about is a metric for expressing overall risk and not the expected losses for the year.