
2.7 Risk Analysis Methodologies


  • Risk analysis is the process of ranking the various risks so that areas of high risk can be prioritized for treatment.

  • Risk can be measured and ranked using any of the following methods:

  1. Quantitative Risk Assessment
  2. Qualitative Risk Assessment
  3. Semi-quantitative Risk Assessment

  • The factor that influences the selection among the above techniques is the availability of accurate data for risk assessment. When the data source is accurate and reliable, an organization will prefer quantitative risk assessment, as it gives the risk value in numeric terms such as monetary value. A monetary value is easy to evaluate when determining the risk response.




Quantitative Risk Assessment


  • In quantitative risk assessment, risk is measured on the basis of numerical values. This helps in cost-benefit analysis, as a risk expressed in monetary terms can easily be compared with the cost of the various risk responses.

  • In quantitative risk assessment, various statistical methods are used to derive the risk.

  • Risk is quantified as per the formula below:

                         Risk = Probability * Impact

  • A CRISC aspirant should always remember that risk is quantified by the combination of probability and impact. Let us understand this with the help of an example: the probability of damage to a piece of equipment costing $1000 is 0. Here the probability is zero and the impact is $1000. Now, risk is probability * impact, i.e. P * I. In this case the risk is 1000 * 0, i.e. 0. For some other asset, if the probability is 0.5 and the asset costs $100, then the risk will be $50 (0.5 * 100). The risk for the equipment costing $100 is greater than the risk for the equipment costing $1000. This is because probability plays an important role in the quantification of risk.

  • However, the greatest challenge in conducting a quantitative risk assessment is the availability of reliable data. To quantify a risk, accurate details of probability and impact are required. Determining the probability or frequency of occurrence of a threat is the challenging part. Mostly, probability can be arrived at on the basis of historical data. However, it is very difficult to ascertain the probability of natural events such as hurricanes, earthquakes, tsunamis, etc.

  • Quantitative risk assessment is not feasible for events where probability or impact cannot be quantified or expressed in numerical terms.

  • Thus, a quantitative risk assessment:

§  Makes use of statistical methods to derive risk

§  Makes use of likelihood and impact

§  Helps to derive a financial impact


Qualitative Risk Assessment


  • In a qualitative risk assessment, risks are measured on qualitative parameters such as high, medium and low, or on a scale of 1 to 5.

  • Qualitative assessment is considered more subjective than quantitative assessment.

  • Some risks cannot be calculated in numeric terms. Qualitative assessment is useful in such scenarios.

  • For a comprehensive outcome of a qualitative risk assessment, a risk practitioner should use different risk scenarios with threats and impacts. Scenarios can be based on threats, vulnerabilities, impact, or a combination of any of these. In this approach, the risk practitioner examines various internal and external scenarios and tries to determine the impact of each scenario on business processes. Through these scenarios, feedback is obtained from various stakeholders to determine the level of risk. This facilitates a more informed discussion and decision.

  • The following table gives details of the different scenario-based assessments:

Scenario: Vulnerability-based approach
Description:
  • In this approach, vulnerabilities are determined and then the threats that could exploit those vulnerabilities are identified.
  • The next step is to determine the current level of control and evaluate whether the controls are capable of addressing all the threats.
  • Vulnerability-based scenarios are especially valuable after completing vulnerability assessments and penetration testing.

Scenario: Asset / Impact approach
Description:
  • In this approach, critical assets are identified, along with all possible ways in which their confidentiality, integrity and availability can be impacted.
  • The next step is to determine the current level of control and evaluate whether the controls are capable of addressing all the threats.

  • Qualitative risk assessment is more relevant for examining new emerging threats and advanced persistent threats (APTs).

  • The qualitative risk analysis method involves conducting interviews with various stakeholders. There are also techniques such as the Delphi method, wherein information is gathered by way of anonymous questionnaires.


Semi-quantitative Risk Assessment


  • Semi-quantitative risk assessment is a combination of qualitative and quantitative risk assessment. It is a hybrid approach that takes the input of the qualitative approach and combines it with a numerical scale to determine impact in the manner of a quantitative risk assessment.

  • In semi-quantitative analysis, the descriptive rankings are associated with a numeric scale.

  • For example, the qualitative measure of “high” may be given a quantitative weight of 5, “medium” may be given 3 and “low” may be given 1.

  • Such methods are frequently used when it is not possible to use a quantitative method, or to reduce the subjectivity of qualitative methods.

  • The risk practitioner should ensure that a standardized process and scale are used throughout the organization for semi-quantitative risk assessment. Also, the risk owner should not mistake the origins of these values as coming from purely objective sources.
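Added example (not from the original post): a small Python risk-register helper that applies the Risk = Probability * Impact formula from the quantitative section, falls back to the high/medium/low = 5/3/1 scale described above when a factor cannot be expressed numerically, ranks the results so high-risk areas come first, and performs the cost-benefit comparison of monetary risk against the cost of a response. The Risk class, the SCALE dictionary and the function names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed organization-wide scale, using the weights quoted above.
SCALE = {"high": 5, "medium": 3, "low": 1}

@dataclass
class Risk:
    name: str
    probability: Optional[float] = None  # 0.0 to 1.0, None when unknown
    impact: Optional[float] = None       # monetary impact, None when unknown
    likelihood: Optional[str] = None     # "high" / "medium" / "low"
    consequence: Optional[str] = None    # "high" / "medium" / "low"

def quantitative_risk(r: Risk) -> Optional[float]:
    """Risk = Probability * Impact in money; None when a factor is not numeric."""
    if r.probability is None or r.impact is None:
        return None  # quantitative assessment is not feasible for this risk
    if not 0.0 <= r.probability <= 1.0:
        raise ValueError(f"{r.name}: probability must lie in [0, 1]")
    return r.probability * r.impact

def semi_quantitative_score(r: Risk) -> Optional[int]:
    """Map descriptive ratings onto the numeric scale and combine them."""
    if r.likelihood is None or r.consequence is None:
        return None
    return SCALE[r.likelihood.lower()] * SCALE[r.consequence.lower()]

def rank_risks(risks):
    """Rank each risk with the method its data supports; returns two lists of
    (name, value), quantitative then semi-quantitative, highest risk first."""
    quant, semi = [], []
    for r in risks:
        value = quantitative_risk(r)
        if value is not None:
            quant.append((r.name, value))
        elif (score := semi_quantitative_score(r)) is not None:
            semi.append((r.name, score))  # fallback when money figures are missing
    top_first = lambda items: sorted(items, key=lambda i: i[1], reverse=True)
    return top_first(quant), top_first(semi)

def response_is_cost_effective(r: Risk, response_cost: float) -> bool:
    """Cost-benefit check: a response is justified only if it costs less than
    the monetary risk it treats, so it needs a quantitative value."""
    value = quantitative_risk(r)
    if value is None:
        raise ValueError(f"{r.name}: cost-benefit comparison needs numeric data")
    return response_cost < value
```

Running it on the two equipment items from the quantitative section reproduces the $0 and $50 figures, while a risk recorded only as "high likelihood / medium consequence" is ranked separately on the 5/3/1 scale.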


Quantifying the impact of failed equipment


  • The impact of failed equipment is not restricted to the cost of the equipment; it also includes the impact on business processes caused by the failure. The risk practitioner should use various approaches to determine the overall impact on the business due to the failure of equipment.


Best method for Risk Analysis

  • A risk practitioner would always prefer the quantitative approach. The quantitative approach helps in cost-benefit analysis, as a risk expressed in monetary terms can easily be compared with the cost of the various risk responses.

  • However, the major challenge in conducting a quantitative risk analysis is the availability of accurate data.

  • In the absence of proper data, or when data accuracy is questionable, qualitative analysis is preferable.


Key aspects from CRISC exam perspective


CRISC Question: Which factors are required to quantify the risk?
Possible Answer: Probability & Impact
  • Probability is also referred to as possibility or likelihood.
  • Impact is also referred to as consequences.

CRISC Question: In which risk analysis method is a statistical method used to derive risk?
Possible Answer: Quantitative Risk Analysis

CRISC Question: In which risk analysis method are likelihood and impact used to derive risk?
Possible Answer: Quantitative Risk Analysis

CRISC Question: Which risk analysis method is used to derive the financial impact of a risk?
Possible Answer: Quantitative Risk Analysis

CRISC Question: How to get comprehensive results when performing a qualitative risk analysis?
Possible Answer: By determining scenarios with threats and impacts

CRISC Question: What is the primary factor that determines whether to use a qualitative or quantitative approach?
Possible Answer: Availability of the data

CRISC Question: What is the most difficult data to obtain when performing a quantitative analysis?
Possible Answer: To derive accurate frequency or probability or likelihood of occurrence


