









QUALITATIVE AND QUANTITATIVE RISK ANALYSIS
Typology: Lecture notes










Risk analysis is a critical stage in the risk management process as outlined in ISO 31000. At this stage, the identified risks are examined in detail to understand their nature, sources, likelihood of occurrence and potential impact on organizational objectives. Risk analysis goes beyond mere identification by providing a structured approach to assessing the severity and consequences of each risk, often using qualitative, quantitative or semi-quantitative techniques. This enables decision-makers to prioritize risks, allocate resources effectively and determine appropriate risk treatment strategies. In the context of business organizations, effective risk analysis supports informed decision-making, enhances resilience and contributes to achieving strategic and operational goals.

Purpose of Risk Analysis

The purpose of risk analysis, as outlined in ISO 31000, is to develop a clear understanding of the nature and level of risks that may affect the achievement of organizational objectives. It serves as a bridge between risk identification and risk evaluation by transforming a list of identified risks into meaningful information for decision-making. More specifically, the purpose of risk analysis includes the following:
Overall, the purpose of risk analysis is to provide a systematic and structured understanding of risks so that organizations can make informed, rational and proactive decisions in managing uncertainty and achieving their objectives.

QUALITATIVE AND QUANTITATIVE RISK ANALYSIS

Qualitative and quantitative risk analysis are two complementary approaches to assessing and managing risks. Qualitative risk analysis uses expert judgment and subjective assessments to evaluate risks, while quantitative risk analysis relies on numerical data and statistical methods to provide more precise risk assessments.

Qualitative Risk Analysis

Qualitative risk analysis uses subjective assessments and expert judgment to evaluate the likelihood and impact of risks. The qualitative risk analysis methods include:

✓ Expert Judgment: Drawing on the knowledge and experience of individuals or groups to assess risks.
✓ Data Gathering: Collecting relevant information through interviews, meetings and other methods.
✓ Risk Categorization: Organizing risks into categories based on their sources or effects.
✓ Risk Prioritization: Identifying and ranking risks based on their potential impact and probability of occurrence.
✓ Risk Matrix: Using a matrix to visually represent the likelihood and impact of risks, allowing for a quick assessment of risk levels.

Advantages

✓ Quick and Easy: Relatively quick and easy to perform, requiring minimal resources and specialized tools.
✓ Subjective: Allows for the inclusion of qualitative factors that may not be easily quantifiable.
✓ Cost-Effective: Less expensive to conduct than quantitative analysis.

Disadvantages

✓ Subjective: May be influenced by personal biases and opinions, potentially leading to inconsistent or inaccurate assessments.
✓ Less Precise: May not provide as accurate and detailed information as quantitative analysis.

Quantitative Risk Analysis
a risk originates from internal factors (such as organizational processes, systems or human resources) or external factors (such as economic conditions, regulatory changes or technological developments). It also entails classifying risks into relevant categories such as operational, financial, strategic or compliance risks in order to enhance clarity and facilitate analysis. In addition, attention is given to the drivers of risk and the relationships between different risks, as some risks may be interconnected or may occur simultaneously. A clear understanding of the nature of risks provides a strong foundation for estimating their likelihood and impact and supports the selection of appropriate risk treatment measures in line with ISO 31000 principles.

ESTIMATION OF LIKELIHOOD (PROBABILITY ASSESSMENT)

Estimation of likelihood involves determining the chance that a particular risk event will occur within a specified period. In line with ISO 31000, likelihood is used as a broad concept that accommodates both qualitative descriptions and quantitative measurements. It is a key component of risk analysis and is combined with impact (consequence) to determine the overall level of risk.

Meaning of Likelihood

Likelihood refers to the possibility or chance of a risk occurring. It may be expressed in descriptive terms (e.g., rare, likely) or numerical values (e.g., 0.2, 20%). It can be based on past data, expert judgment or predictive analysis. It is often time-bound (e.g., likelihood per year, per project cycle).

Purpose of Estimating Likelihood
✓ Bias in expert judgment
✓ Rapidly changing environments
✓ Over-reliance on historical trends
✓ Difficulty in predicting rare events

Importance of Likelihood Estimation

✓ Helps prioritize risks effectively
✓ Supports informed decision-making
✓ Enhances resource allocation
✓ Improves organizational preparedness
✓ Forms the basis for risk evaluation

Estimation of likelihood is a fundamental aspect of risk analysis that enables organizations to understand how probable a risk event is. By combining qualitative and quantitative approaches, organizations can improve the accuracy and reliability of their assessments, leading to better risk management decisions in accordance with ISO 31000.

IMPACT ASSESSMENT IN RISK ANALYSIS

Impact assessment (also referred to as consequence analysis) involves evaluating the potential effects or outcomes that may occur if a risk event materializes. In line with ISO 31000, impact focuses on the magnitude and severity of the consequences on organizational objectives. It is a critical component of risk analysis and is considered alongside likelihood to determine the overall level of risk.

Meaning of Impact (Consequence)

Impact refers to the extent of damage, loss or effect that a risk event may have on an organization. It may be positive or negative. It can be expressed qualitatively (e.g., minor, severe) or quantitatively (e.g., financial loss in monetary terms). It may affect different aspects of the organization.

Purpose of Impact Assessment

✓ To determine the severity of consequences if a risk occurs
✓ To support risk prioritization and ranking
✓ To guide the selection of appropriate risk treatment strategies
✓ To enhance preparedness and contingency planning

Types of Impacts

Impact assessment considers different dimensions of consequences, including:

✓ Financial impacts: Loss of revenue, increased costs, reduced profitability
✓ Operational impacts: Disruption of processes, delays, inefficiencies
✓ Strategic impacts: Failure to achieve long-term goals or competitive disadvantage
✓ Legal and compliance impacts: Fines, penalties, litigation
✓ Reputational impacts: Damage to brand image and stakeholder trust
✓ Health, safety and environmental impacts: Injury, loss of life, environmental damage

Approaches to Impact Assessment

(a) Qualitative Impact Assessment: Uses descriptive categories to assess severity.

Typical Scale:

Insignificant – Minimal effect, easily manageable
Minor – Small disruptions, limited impact
Moderate – Noticeable impact requiring management attention
Major – Serious consequences affecting key objectives
Catastrophic – Severe impact threatening organizational survival

Advantages: Simple and easy to apply; useful when data is limited
Limitation: Subjective and less precise

(b) Quantitative Impact Assessment: Uses numerical values to measure consequences.

Examples:
Challenges in Impact Assessment

✓ Difficulty in estimating intangible impacts (e.g., reputation)
✓ Lack of reliable data
✓ Uncertainty about future conditions
✓ Subjectivity in qualitative assessments
✓ Underestimation or overestimation of consequences

| Category | Threat/Opportunity | Catastrophic (threat) / 5 – Transformative (opportunity) | 4 – Major | 3 – Moderate | 2 – Minor | 1 – Insignificant |
|---|---|---|---|---|---|---|
| Strategic | Threat | Failure to achieve multiple strategic goals. | Failure to achieve one strategic goal | Limits the ability to achieve multiple strategic goals | Limits the ability to achieve one strategic goal | Little or no impact on strategy. |
| Strategic | Opportunity | Accelerated achievement of multiple Strategic Goals. | Accelerated achievement of one strategic goal | Enhanced ability to achieve multiple strategic goals | Enhanced ability to achieve one strategic goal | Little or no contribution to long term viability |
| Financial | Threat | Reduction in income or one-off loss ≥ 10% of the annual budget. | Reduction in income or one-off loss (5–10) % of the annual budget | Reduction in income or one-off loss (2–5) % of the annual budget | Reduction in income or one-off loss (1–2) % of the annual budget | Reduction in income or one-off loss ≤ 1% of the annual budget |
| Financial | Opportunity | Increase in income or one-off saving ≥ 10% of the annual budget. | Increase in income or one-off saving (5– | | | |

Importance of Impact Assessment

✓ Helps prioritize risks based on severity
✓ Supports informed decision-making
✓ Guides resource allocation
✓ Enhances contingency and response planning
✓ Contributes to organizational resilience

Impact assessment is a vital part of risk analysis that focuses on understanding the potential consequences of risk events. By evaluating the severity of impacts across different dimensions, organizations are better equipped to prioritize risks and implement appropriate risk treatment strategies in accordance with ISO 31000.

DETERMINING THE LEVEL OF RISK

Determining the level of risk involves combining the results of likelihood (probability) assessment and impact (consequence) assessment to establish the overall severity of each identified risk. In accordance with ISO 31000, the level of risk provides a basis for comparing risks and deciding which ones require treatment and priority attention.

Meaning of Risk Level

Risk level refers to the magnitude of a risk, expressed in terms of the combination of its likelihood and impact. It indicates how serious a risk is to the organization. It can be expressed qualitatively (e.g., low, medium, high) or quantitatively (numerical scores). It supports ranking and prioritization of risks.

Purpose of Determining Risk Level

✓ To prioritize risks based on their severity
✓ To support decision-making on risk treatment
✓ To identify which risks are acceptable and which require action
✓ To allocate resources effectively

Methods of Determining Risk Level

(a) Risk Matrix (Probability–Impact Matrix)

The most common method used to determine risk level. It combines likelihood and impact using a grid (e.g., 3×3 or 5×5 matrix). Each cell represents a risk rating (low, medium, high, extreme).

Advantages: Simple and easy to interpret; provides visual representation of risk levels
Limitations: May oversimplify complex risks
Determining the level of risk is a crucial step in risk analysis as it integrates likelihood and impact to provide a clear picture of risk severity. This enables organizations to prioritize risks effectively and take appropriate actions in line with ISO 31000, ensuring that resources are directed toward the most significant threats to organizational objectives.

RISK MATRIX (IMPACT VS. PROBABILITY)

A typical 5×5 Risk Matrix ranks risks based on probability and impact. A risk matrix is a visual tool used to assess and prioritize risks based on likelihood (probability), i.e. how likely the risk is to occur, and impact (consequence), i.e. how severe the outcome would be if it occurs. This matrix helps determine which risks require immediate attention and which can be monitored or accepted.
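| Impact / LIKELIHOOD | Very unlikely | Unlikely | Moderately possible | Very likely | Almost Certain |
|---|---|---|---|---|---|
| Catastrophic | | | | | |
| 4 Major | 4 | 8 | 12 | 16 | 20 |
| 3 Moderate | 3 | 6 | 9 | 12 | 15 |
| 2 Minor | 2 | 4 | 6 | 8 | 10 |
| 1 Insignificant | | | | | |

Interpretation

| | Rare (Very unlikely) | Unlikely | Moderately Possible | Likely | Almost Certain |
|---|---|---|---|---|---|
| Catastrophic | M | H | E | E | E |
| Major | M | M | H | E | E |
| Moderate | L | M | M | H | H |
| Minor | L | L | M | M | H |
| Insignificant | L | L | L | M | M |

Key: L = Low, M = Medium, H = High, E = Extreme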
Actions Based on Risk Levels

✓ Extreme Risk (E): Immediate action required. Stop activity or implement urgent controls. Escalate to executive leadership or board. Consider redesigning or eliminating risk source.
✓ High Risk (H): Senior management attention required. Implement strong controls to reduce likelihood or impact. Develop detailed risk mitigation and contingency plans. Regular monitoring and formal reporting.
✓ Medium Risk (M): Managed by line management. Implement cost-effective controls. Monitor periodically. May require contingency planning.
✓ Low Risk (L): Acceptable risk. Maintain current controls (if any). Monitor infrequently (e.g., annually). Document rationale for acceptance.

Risk Response Strategies by Level

✓ Extreme: Avoid, transfer (insurance), intensive mitigation
✓ High: Mitigate, transfer, implement strong controls
✓ Medium: Accept with controls or mitigation
✓ Low: Accept with minimal or no treatment

Risk Treatment Options (per ISO 31000)

| Strategy | Description | Example |
|---|---|---|
| Avoidance | Eliminate the risk source or activity | Cancel risky project |
| Reduction (Mitigation) | Reduce likelihood or impact | Add security controls |
| Transfer | Share the risk with others | Buy insurance; outsource |
| Acceptance | Do nothing, but monitor | Accept minor operational delays |
| Enhancement (opportunity risk) | Increase likelihood or benefit | Invest more to exploit upside risk |

Risk Owner Assignment

Assign clear ownership for each risk, based on its level:

Extreme/High: Executives or senior managers
Medium: Functional managers
Low: Supervisors or team leaders

Risk ownership ensures accountability for mitigation, monitoring and reporting.
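As an added example (not part of the original notes), the interpretation matrix and the owner tiers above are applied here to a constructed risk register. The register entries and function names are hypothetical, and the score is assumed to be impact × likelihood in every row, as in the rows of the numeric matrix that show values.

```python
IMPACTS = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]  # rated 1..5
LIKELIHOODS = ["Rare", "Unlikely", "Moderately Possible", "Likely", "Almost Certain"]

# Interpretation matrix as given above; each string runs Rare -> Almost Certain.
MATRIX = {
    "Catastrophic": "MHEEE",
    "Major": "MMHEE",
    "Moderate": "LMMHH",
    "Minor": "LLMMH",
    "Insignificant": "LLLMM",
}
ORDER = "LMHE"  # ascending severity
# Owner tier per level, from the Risk Owner Assignment text.
OWNER = {"E": "Executives or senior managers", "H": "Executives or senior managers",
         "M": "Functional managers", "L": "Supervisors or team leaders"}

# Constructed sample register: (risk, impact, likelihood). Names are hypothetical.
REGISTER = [
    ("Laptop theft", "Minor", "Unlikely"),
    ("Stale admin accounts", "Moderate", "Almost Certain"),
    ("Data centre flood", "Major", "Rare"),
    ("Ransomware on file servers", "Catastrophic", "Moderately Possible"),
]

def rate(impact, likelihood):
    """Return (impact x likelihood score, level letter read from the matrix cell)."""
    col = LIKELIHOODS.index(likelihood)
    score = (IMPACTS.index(impact) + 1) * (col + 1)  # assumption: product in every row
    return score, MATRIX[impact][col]

def prioritise(register):
    """Rank risks by level, then score, highest first, and attach the owner tier."""
    rows = [(name, *rate(imp, lik)) for name, imp, lik in register]
    rows.sort(key=lambda r: (ORDER.index(r[2]), r[1]), reverse=True)
    return [(name, score, level, OWNER[level]) for name, score, level in rows]

def ambiguous_scores():
    """Scores that the matrix places in more than one level."""
    seen = {}
    for imp in IMPACTS:
        for lik in LIKELIHOODS:
            score, level = rate(imp, lik)
            seen.setdefault(score, set()).add(level)
    return {s: sorted(v, key=ORDER.index) for s, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for row in prioritise(REGISTER):
        print(row)
    print("scores with more than one level:", ambiguous_scores())
```

Scores 4 and 15 each fall in two levels of the matrix, so the level is read from the matrix cell rather than from a threshold on the score.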
| Rating | Description | Example |
|---|---|---|
| 1 – Very Low | Minimal benefit; negligible effect | Small cost saving |
| 2 – Low | Marginal process improvement | Slight increase in efficiency |
| 3 – Moderate | Noticeable benefit | New customer segment |
| 4 – High | Significant gain | Product innovation or market expansion |
| 5 – Very High | Transformational benefit | Major strategic breakthrough, industry disruption |

Sample Opportunity Risk Matrix (5x5)

| Likelihood / Impact | Very Low | Low | Medium | High | Very High |
|---|---|---|---|---|---|
| Very Likely (5) | | | | | |
| Likely | M | M | H | H | E |
| Possible | L | M | M | H | H |
| Unlikely | L | L | M | M | H |
| Rare (1) | L | L | L | M | M |

Key: L = Low opportunity, M = Moderate opportunity, H = High opportunity, E = Exceptional opportunity

Actions Based on Assessment:

| Opportunity Level | Action |
|---|---|
| Exceptional (E) | Exploit immediately; allocate resources |
| High (H) | Develop and pursue actively |
| Moderate (M) | Monitor and consider if conditions change |
| Low (L) | Watchlist or defer |
The Opportunity Risk Matrix is a powerful tool for identifying and acting on positive risks that align with strategic goals. By combining impact and likelihood, organizations can prioritize high-value opportunities, integrate opportunity with risk frameworks and drive innovation and competitive advantage.

Risk analysis provides an input to risk evaluation, to decisions on whether risk needs to be treated and how, and on the most appropriate risk treatment strategy and methods. The results provide insight for decisions where choices are being made and the options involve different types and levels of risk.