2.1 Risk Assessment Technique


A consistent risk assessment technique should be used whenever the goal is to produce results that can be compared over time. Each approach has particular advantages and possible weaknesses, and the risk practitioner should choose a technique appropriate to the circumstances of the assessment.


Bayesian Analysis


  • Bayesian analysis is a method of statistical inference that uses prior distribution data to determine the probability of a result.

  • The technique relies on the prior distribution data being accurate; if the prior is wrong, the results will be wrong as well.


Bow Tie Analysis


  • A bow tie analysis provides a diagram to communicate risk assessment results by displaying links between possible causes, controls and consequences.

  • The cause of the event is depicted in the middle of the diagram (the “knot” of the bow tie), and triggers, controls, mitigation strategies and consequences branch off the “knot.”


Brainstorming/Structured Interview


  • Structured interviews and brainstorming gather potential risks or ideas, which are then ranked by a team.
  • The initial interview or brainstorming may be completed using prompts or interviews with an individual or small group.


Business Impact Analysis


  • Business impact analysis (BIA) is a process to determine the critical processes of the organization and to decide the recovery strategy to follow during a disaster.


  • In addition to identifying initial impact, a comprehensive BIA seeks to establish the escalation of loss over time.


  • The goal of the BIA is to provide reliable data on the basis of which senior management can make appropriate decisions.


Cause and Consequence Analysis


  • A cause and consequence analysis combines techniques of a fault tree analysis and an event tree analysis and allows for time delays to be considered.


Cause-and-effect Analysis


  • Cause-and-effect analysis is used to determine the factors responsible for the occurrence of an event.
  • A cause-and-effect analysis looks at the factors that contributed to a certain effect and groups the causes into categories (using brainstorming), which are then displayed using a diagram, typically a tree structure or a fishbone diagram.

Checklist


  • A checklist is a list of potential or typical threats or other considerations that require the attention of the organization.
  • The risk practitioner may use previously developed lists, codes or standards to assess risk using this method.


Delphi Method


  • In the Delphi method, expert opinion is obtained using two or more rounds of questionnaires.
  • After each round of questioning, the results are summarized and communicated to the experts by a facilitator.
  • This collaborative technique is often used to build a consensus among experts.
  • In the Delphi technique, polling or information gathering is done either anonymously or privately between the interviewer and the interviewee.


Event Tree Analysis


  • An event tree is an inductive analytical diagram in which an initiating event is analyzed to trace a chronological series of subsequent events or consequences.

  • An event tree analysis is a forward-looking model to assess the probability of different events resulting in possible outcomes.


Fault Tree Analysis


  • In a fault tree analysis, an event is identified and the possible means by which it could occur are then determined.
  • Results are displayed in a logical tree diagram.
  • This diagram can be used to generate ways to reduce or eliminate potential causes of the event.


Hazard Analysis and Critical Control Points (HACCP)


  • Originally developed for the food safety industry, HACCP is a system for proactively preventing risk and assuring quality, reliability and safety of processes.


  • The system monitors specific characteristics, which should fall within defined limits.


Human Reliability Analysis (HRA)

Human reliability analysis (HRA) attempts to understand the effect of human error on systems and their performance.


Layers of Protection Analysis (LOPA)


  • LOPA is a semi-quantitative risk analysis technique that uses aspects of HAZOP (hazard and operability study) data to determine the risk associated with risk events.
  • It also looks at controls and their effectiveness.


Markov Analysis


  • Markov analysis is a method used to forecast the value of a variable whose predicted value is influenced only by its current state.


  • The Markov model assumes that future events depend only on the current state and are independent of past events.


  • Markov analysis is often used for predicting behaviors and decisions within large groups of people.


  • A Markov analysis is used to analyze systems that can exist in multiple states.



Monte-Carlo Analysis


  • Monte Carlo analysis is a risk management technique used for conducting a quantitative analysis of risk.

  • The technique is used to analyze the impact of risks on a project.

  • Monte Carlo methods, or Monte Carlo experiments, are a broad class of computational algorithms that rely on repeated random sampling to obtain numerical results.
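As an added example (not from the original post), the Python below runs a small Monte Carlo experiment over a constructed risk register: each trial draws how often each risk occurs in a year and a loss for every occurrence, and the repeated samples give an expected annual loss, loss percentiles and the probability of exceeding a threshold. The register values, frequencies and loss ranges are assumed.

```python
import math
import random
import statistics

# Constructed risk register (assumed values for illustration, not from the page):
# freq = expected occurrences per year; loss = (min, most likely, max) $ per occurrence.
RISK_REGISTER = [
    {"name": "credential phishing / account takeover", "freq": 2.0, "loss": (5_000, 20_000, 120_000)},
    {"name": "ransomware on a file server", "freq": 0.2, "loss": (50_000, 250_000, 1_500_000)},
    {"name": "publicly exposed storage bucket", "freq": 0.5, "loss": (2_000, 30_000, 400_000)},
]

def poisson_sample(rng, rate):
    """Occurrences in one year of a Poisson process with the given rate
    (Knuth's multiplication method; adequate for the small rates used here)."""
    limit, count, product = math.exp(-rate), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count

def simulate_year(rng, register):
    """One trial: draw how often each risk occurs, then a loss for every occurrence."""
    total = 0.0
    for risk in register:
        low, mode, high = risk["loss"]
        for _ in range(poisson_sample(rng, risk["freq"])):
            total += rng.triangular(low, high, mode)
    return total

def simulate_annual_loss(register, trials=10_000, seed=42):
    """Repeat the random experiment and return the sorted annual-loss samples."""
    rng = random.Random(seed)  # fixed seed makes the run reproducible
    return sorted(simulate_year(rng, register) for _ in range(trials))

def percentile(samples, p):
    """p-th quantile (0 < p < 1) of an ascending sample list."""
    return samples[min(len(samples) - 1, int(p * len(samples)))]

def exceedance_probability(samples, threshold):
    """Share of simulated years whose loss exceeds the threshold."""
    return sum(1 for s in samples if s > threshold) / len(samples)

if __name__ == "__main__":
    losses = simulate_annual_loss(RISK_REGISTER)
    print(f"expected annual loss: ${statistics.fmean(losses):,.0f}")
    for p in (0.5, 0.9, 0.99):
        print(f"P{int(p * 100)} annual loss: ${percentile(losses, p):,.0f}")
    print(f"P(annual loss > $1M): {exceedance_probability(losses, 1_000_000):.1%}")
```

The analytic expectation for this register is about $288,700 per year (frequency times mean triangular loss, summed), which the simulated mean approaches as the number of trials grows.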


Preliminary Hazard Analysis


Preliminary hazard analysis looks at what threats or hazards may harm an organization’s activities, facilities or systems. The result is a list of potential risks.


Reliability-centered Maintenance


Reliability-centered maintenance analyzes the functions and potential failures of a specific asset, particularly a physical asset such as equipment.


Root Cause Analysis


Root cause analysis is a process of diagnosis to establish the origins of events, which can be used for learning from consequences, typically from errors and problems.


Scenario Analysis


  • Scenario analysis examines possible future scenarios that were identified during risk identification, looking for the risk associated with each scenario should it occur.


  • Scenario analysis along with vulnerability analysis helps to determine whether a particular risk is relevant to the organization and determine the likelihood of significant events impacting the organization.


Sneak Circuit Analysis


A sneak circuit analysis is used to identify design errors or sneak conditions such as latent hardware, software or integrated conditions that are often undetected by system tests and may result in improper operations, loss of availability, program delays or injury to personnel.


Structured “What If” Technique (SWIFT)


  • A structured “what if” technique uses structured brainstorming to identify risk, typically within a facilitated workshop.


  • It uses prompts and guide words and is typically used with another risk analysis and evaluation technique.


Key aspects from CRISC exam perspective


CRISC Question | Possible Answer
Which technique is used to determine the factors responsible for a loss event? | Cause and Effect Analysis
Which technique allows employees to identify risk anonymously? | Delphi Method
In which process are metrics related to errors and incidents tracked? | Problem management
Which method is used to estimate the likelihood of occurrence of an event? | Scenario Analysis
Which technique is statistical inference that uses prior distribution data? | Bayesian Analysis
Which technique depicts the cause of the event in the middle of the diagram (the “knot”)? | Bow Tie Analysis
Which model assumes that future events are independent of past events? | Markov Analysis
Which technique seeks to understand the effect of human error on systems and their performance? | Human reliability analysis (HRA)
Which technique identifies design errors or sneak conditions such as latent hardware, software or integrated conditions that are often undetected by system tests? | Sneak circuit analysis
