
2.7 Risk Analysis Methodologies


  • Risk analysis is the process of ranking the various identified risks so that areas of high risk can be prioritized for treatment.


  • Risk can be measured and ranked by any of the following methods:


  1. Quantitative Risk Assessment
  2. Qualitative Risk Assessment
  3. Semi-quantitative Risk Assessment


  • The factor that influences the selection among the above techniques is the availability of accurate data for risk assessment. When the data source is accurate and reliable, an organization will prefer quantitative risk assessment, as it gives the risk value in numeric terms such as monetary value. Monetary value is easy to evaluate when determining the risk response.

Quantitative Risk Assessment

  • In quantitative risk assessment, risk is measured on the basis of numerical values. This helps in cost-benefit analysis, as risk in monetary terms can be easily compared to the cost of the various risk responses.


  • In quantitative risk assessment, various statistical methods are used to derive the risk.


  • Risk is quantified as per below formula:

                         Risk = Probability * Impact

  • A CRISC aspirant should always remember that risk is quantified as the combination of probability and impact. Let us understand this with the help of an example: the probability of damage to a piece of equipment costing $1000 is 0. Here the probability is zero and the impact is $1000. Risk is probability * impact, i.e. P * I; in this case the risk is 1000 * 0, i.e. 0. Now, for some other asset, if the probability is 0.5 and the asset costs $100, then the risk will be $50 (0.5 * 100). The risk for the equipment costing $100 is greater than the risk for the equipment costing $1000. This is because probability plays an important role in the quantification of risk.


  • However, the greatest challenge in conducting a quantitative risk assessment is the availability of reliable data. To quantify a risk, accurate details of probability and impact are required. Determining the probability or frequency of occurrence of a threat is the most challenging aspect. Mostly, probability can be arrived at on the basis of historical data. However, it is very difficult to ascertain the probability of natural events such as hurricanes, earthquakes, tsunamis, etc.


  • Quantitative risk assessment is not feasible for events where the probability or impact cannot be quantified or expressed in numerical terms.


  • Thus, a quantitative risk assessment:

§  Makes use of statistical methods to derive risk

§  Makes use of likelihood and impact

§  Helps to derive a financial impact

Qualitative Risk Assessment

  • In a qualitative risk assessment, risks are measured on qualitative parameters such as high, medium or low, or on a scale of 1 to 5.


  • Qualitative assessment is considered more subjective as compared to quantitative assessment.


  • Some risks cannot be calculated in numeric terms. Qualitative assessment is useful in such scenarios.


  • For a comprehensive outcome of a qualitative risk assessment, a risk practitioner should use different risk scenarios with threats and impacts. Scenarios can be based on threats, vulnerabilities, impact, or a combination of any of these. In this approach, the risk practitioner examines various internal and external scenarios and tries to determine the impact of each scenario on business processes. Through these scenarios, feedback is obtained from various stakeholders to determine the level of risk. This facilitates a more informed discussion and decision.


  • The following table gives details of the different scenario-based assessments:

Vulnerability-based approach

  • In this approach, vulnerabilities are determined first, and then the threats that could exploit those vulnerabilities are identified.
  • The next step is to determine the current level of control and evaluate whether the controls are capable of addressing all the threats.
  • Vulnerability-based scenarios are especially valuable after completing vulnerability assessments and penetration testing.

Asset / Impact approach

  • In this approach, critical assets are identified, along with all the possible ways in which their confidentiality, integrity and availability could be impacted.
  • The next step is to determine the current level of control and evaluate whether the controls are capable of addressing all the threats.


  • Qualitative risk assessment is more relevant for examining new emerging threats and advanced persistent threats (APTs).


  • The qualitative risk analysis method involves conducting interviews with various stakeholders. There are techniques such as the Delphi method, in which information is gathered by way of anonymous questionnaires.

Semi-quantitative Risk Assessment

  • Semi-quantitative risk assessment is a combination of qualitative and quantitative risk assessment. It is a hybrid approach that takes the input of the qualitative approach and combines it with a numerical scale to determine impact, as in a quantitative risk assessment.


  • In semi-quantitative analysis, the descriptive rankings are associated with a numeric scale.


  • For example, the qualitative measure of “high” may be given a quantitative weight of 5, “medium” may be given 3 and “low” may be given 1.


  • Such methods are frequently used when it is not possible to use a quantitative method, or to reduce the subjectivity of qualitative methods.


  • The risk practitioner should ensure that a standardized process and scale are used throughout the organization for semi-quantitative risk assessment. Also, the risk owner should not mistake these values as coming from purely objective sources.

Quantifying the impact of failed equipment

  • The impact of failed equipment is not restricted to the cost of the equipment; it also includes the impact on the business processes that depend on it. The risk practitioner should use various approaches to determine the overall impact on the business due to the failure of equipment.
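The following is an added worked example, not code from the original web book, that puts the three ideas above into one small risk register: the quantitative formula Risk = Probability * Impact, the semi-quantitative mapping of "high", "medium" and "low" to the weights 5, 3 and 1, and the rule that the impact of failed equipment is its replacement cost plus the loss to the business processes that depend on it. Combining the two semi-quantitative weights as likelihood weight * impact weight, and ranking risks that lack reliable numeric data separately from those that have it, are assumptions made here to mirror the page's guidance; all risk entries and dollar figures are constructed sample data.

```python
"""Added example (not from the original page): a small risk register ranked
with the methods described in the text.

  - quantitative:       Risk = Probability * Impact (monetary)
  - semi-quantitative:  descriptive ratings mapped to the page's scale
                        high=5, medium=3, low=1, then combined as
                        likelihood weight * impact weight (an assumption
                        made here, mirroring Probability * Impact)
  - equipment failure:  impact = replacement cost + business-process loss

All risk entries below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# Semi-quantitative scale: descriptive ranking -> numeric weight (values from the page)
SEMI_QUANT_SCALE = {"high": 5, "medium": 3, "low": 1}


@dataclass
class Risk:
    name: str
    probability: Optional[float] = None      # probability of occurrence, 0.0..1.0; None = unknown
    impact_usd: Optional[float] = None       # monetary impact; None = not quantifiable
    likelihood_rating: Optional[str] = None  # "high" / "medium" / "low"
    impact_rating: Optional[str] = None      # "high" / "medium" / "low"


def equipment_failure_impact(replacement_cost: float, hours_down: float,
                             loss_per_hour: float) -> float:
    """Impact of failed equipment is not only its own cost but also the loss to
    the business processes that depend on it while it is unavailable."""
    return replacement_cost + hours_down * loss_per_hour


def quantitative_risk(risk: Risk) -> Optional[float]:
    """Risk = Probability * Impact. Returns None when the data needed for a
    quantitative assessment is not available (the page's main caveat)."""
    if risk.probability is None or risk.impact_usd is None:
        return None
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"{risk.name}: probability must be between 0 and 1")
    return risk.probability * risk.impact_usd


def semi_quantitative_risk(risk: Risk) -> Optional[int]:
    """Map the descriptive likelihood and impact ratings to the numeric scale
    and combine them. Unknown rating words are rejected rather than guessed,
    so that everyone uses the same standardized scale."""
    if risk.likelihood_rating is None or risk.impact_rating is None:
        return None
    try:
        return (SEMI_QUANT_SCALE[risk.likelihood_rating.lower()]
                * SEMI_QUANT_SCALE[risk.impact_rating.lower()])
    except KeyError as exc:
        raise ValueError(f"{risk.name}: unknown rating {exc}") from None


def rank_register(register):
    """Rank quantifiable risks by expected monetary loss. Risks without reliable
    numeric data fall back to the semi-quantitative score and are ranked in a
    separate list, because a dollar figure and a scale score are not comparable."""
    quantitative, semi = [], []
    for risk in register:
        value = quantitative_risk(risk)
        if value is not None:
            quantitative.append((risk.name, value))
            continue
        score = semi_quantitative_risk(risk)
        if score is not None:
            semi.append((risk.name, score))
    quantitative.sort(key=lambda item: item[1], reverse=True)
    semi.sort(key=lambda item: item[1], reverse=True)
    return quantitative, semi


# Constructed sample register (hypothetical figures)
SAMPLE_REGISTER = [
    # The page's worked example: probability 0 makes a $1000 asset carry zero risk
    Risk("Equipment A failure", probability=0.0, impact_usd=1000),
    Risk("Equipment B failure", probability=0.5, impact_usd=100),
    # Failed server: $5000 to replace plus 8 hours of downtime at $2000/hour
    Risk("Order server failure", probability=0.1,
         impact_usd=equipment_failure_impact(5000, 8, 2000)),
    # Natural event: impact is known but a reliable probability is not
    Risk("Hurricane outage", impact_usd=250000,
         likelihood_rating="low", impact_rating="high"),
    Risk("Insider misuse", likelihood_rating="medium", impact_rating="medium"),
]

if __name__ == "__main__":
    ranked_quant, ranked_semi = rank_register(SAMPLE_REGISTER)
    print("Quantitative (expected loss, USD):")
    for name, value in ranked_quant:
        print(f"  {name:<24} {value:>10,.2f}")
    print("Semi-quantitative (scale score):")
    for name, score in ranked_semi:
        print(f"  {name:<24} {score:>10}")
```

Running the script ranks the order server failure above the two cheap equipment items even though its probability is only 0.1, because the business-process loss dominates its impact, while the hurricane and insider scenarios are kept on the separate semi-quantitative list rather than being given an invented probability.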

Best method for Risk Analysis

  • A risk practitioner would always prefer the quantitative approach. The quantitative approach helps in cost-benefit analysis, as risk in monetary terms can be easily compared to the cost of the various risk responses.

  • However, the major challenge in conducting a quantitative risk analysis is the availability of accurate data.

  • In the absence of proper data, or when data accuracy is questionable, qualitative analysis is preferable.

Key aspects from CRISC exam perspective

CRISC Question: Which factors are required to quantify the risk?
Possible Answer: Probability & Impact
  • probability is also referred to as possibility or likelihood
  • impact is also referred to as consequences

CRISC Question: In which risk analysis method is a statistical method used to derive risk?
Possible Answer: Quantitative Risk Analysis

CRISC Question: In which risk analysis method are likelihood and impact used to derive risk?
Possible Answer: Quantitative Risk Analysis

CRISC Question: Which risk analysis method is used to derive the financial impact of a risk?
Possible Answer: Quantitative Risk Analysis

CRISC Question: How to get comprehensive results when performing a qualitative risk analysis?
Possible Answer: By determining scenarios with threats and impacts

CRISC Question: Primary factor that determines whether to use a qualitative or quantitative approach
Possible Answer: Availability of the data

CRISC Question: The most difficult data to obtain for a quantitative analysis is
Possible Answer: Accurate frequency, probability or likelihood of occurrence
