2.7 Risk Analysis Methodologies
 Risk analysis is the process of ranking of various risk so that areas of high can be prioritized for treating them.
 Risk can be measured and ranked by use of any of the following methods:
 Quantitative Risk Assessment
 Qualitative Risk Assessment
 Semiquantitative Risk Assessment
 Factor that influence the selection for above technique is availability of accurate data for risk assessment. When data source is accurate and reliable, organization will prefer quantitative risk assessment as it will give risk value in some numeric terms like monitory values. Monetary value is easy to evaluate to determine the risk response.
Quantitative Risk Assessment
 In quantitative risk assessment, risk is measured on the basis on numerical values. This helps in cost benefit analysis as risk in monetary term can be easily compared to cost of various risk responses.
 In quantitative risk assessment, various statistical methods are used to derive the risk.
 Risk is quantified as per below formula:
Risk = Probability *
Impact
 CRISC aspirant should always remember that risk is quantified by combination of probability and impact. Let us understand this with help of an example: Probability of damage for an equipment costing $ 1000 is 0. Here probability is zero and impact is $ 1000. Now, risk is probability * impact i.e. P * I. In this case risk is 1000*0 i.e. 0. Now for some other asset if probability is 0.5 and asset costs $ 100, then risk will be $ 50 (0.5 * 100). Risk of equipment costing $ 100 is more than risk of equipment costing $1000. This is because probability plays an important role in quantification of risk.
 However, greatest challenge for conduct of quantitative risk assessment is availability of reliable data. To quantify a risk, accurate details of probability and impact is required. Determining the probability or frequency of the occurrence of threat is a challenging aspect. Mostly, probability can be arrived on the basis of historical data. However, it is very difficult to ascertain probability of natural events such as hurricanes, earthquake, tsunami etc.
 Quantitative risk assessment is not feasible for the events where probability or impact cannot be quantified or expressed in numerical terms.
 Thus, a quantitative risk assessment:
§
Make use of statistical method
to derive risk
§
Make use of likelihood and
impact
§
Helps to derive a financial
impact
Qualitative Risk Assessment
 In a qualitative risk assessment, risks are measured on some qualitative parameters such as high, medium a low or on a scale of 1 to 5.
 Qualitative assessment is considered more subjective as compared to quantitative assessment.
 Few risks cannot be calculated in numeric terms. Qualitative assessment is useful in such scenarios.
 For comprehensive outcome of qualitative risk assessment, a risk practitioner should use different risk scenarios with threats and impacts. Scenarios can be based on threats or vulnerabilities or impact or combination of any of these. In this approach, risk practitioner examines various internal and external scenarios and try to determine impact of each scenario on business processes. Through these scenarios, feedback is obtained from various stakeholders to determine the level of risk. This will facilitate a more informed discussion and decision.
 Following table gives details of different scenariobased assessment:
Scenario 
Description 
Vulnerabilitybased
approach 

Asset / Impact approach 

 Qualitative risk assessment is more relevant to examine the new emerging threats and advanced persistent threats (APTs).
 Qualitative risk analysis method involves conducting interviews of various stakeholders. There are some techniques like Delphi method wherein information can be gathered by way of anonymous questionnaires.
Semiquantitative Risk Assessment
 Semiquantitative risk assessment is the combination of qualitative and quantitative risk assessment. It is a hybrid approach which considers input of qualitative approach combined with numerical scale to determine the impact of a quantitative risk assessment.
 In semiquantitative analysis, the descriptive rankings are associated with a numeric scale.
 For example, the qualitative measure of “high” may be given a quantitative weight of 5, “medium” may be given 3 and “low” may be given 1.
 Such methods are frequently used when it is not possible to use a quantitative method or to reduce subjectivity in qualitative methods.
 Risk practitioner should ensure that a standardized process and scale is used throughout the organization for semi quantitative risk assessment. Also risk owner should not mistake the origins of these values as coming from purely objective sources.
Quantifying the impact of a failed equipment
 Impact of a failed equipment is not only restricted to the cost of the equipment but also include impact on business processes due to failure of equipment. Risk practitioner should use various approaches to determine the overall impact on the business due to failure of equipment.
Best method for Risk Analysis
 A risk practitioner would always prefer quantitative approach. Quantitative approach helps in cost benefit analysis as risk in monetary term can be easily compared to cost of various risk responses.
 However, major challenge in conduct of a quantitative risk analysis is availability of accurate data.
 In absence of
proper data or when data accuracy is questionable, qualitative analysis is more
preferable.
Key aspects from CRISC exam perspective
_{}^{}