QUALITATIVE AND QUANTITATIVE RISK ANALYSIS, Lecture notes of Risk Analysis

Typology: Lecture notes

2025/2026

Available from 06/04/2026

By Gladys Kimutai
TOPIC FIVE: RISK ANALYSIS
Risk analysis is a critical stage in the risk management process as outlined in ISO 31000. At this
stage, the identified risks are examined in detail to understand their nature, sources, likelihood of
occurrence and potential impact on organizational objectives. Risk analysis goes beyond mere
identification by providing a structured approach to assessing the severity and consequences of
each risk, often using qualitative, quantitative or semi-quantitative techniques. This enables
decision-makers to prioritize risks, allocate resources effectively and determine appropriate risk
treatment strategies. In the context of business organizations, effective risk analysis supports
informed decision-making, enhances resilience and contributes to achieving strategic and
operational goals.
Purpose of Risk Analysis
The purpose of risk analysis, as outlined in ISO 31000, is to develop a clear understanding of the
nature and level of risks that may affect the achievement of organizational objectives. It serves as
a bridge between risk identification and risk evaluation by transforming a list of identified risks
into meaningful information for decision-making. More specifically, the purpose of risk analysis
includes the following:
1. To Understand the Nature of Risks: Risk analysis helps in examining how and why risks
arise, including their sources, causes and potential triggers. This enables organizations to gain
deeper insight into each risk beyond mere identification.
2. To Estimate Likelihood and Impact: It determines the probability of risks occurring and the
magnitude of their consequences. This allows organizations to assess how serious each risk is
in relation to their objectives.
3. To Determine the Level of Risk: By combining likelihood and impact, risk analysis
establishes the overall severity (risk level or rating) of each risk. This is essential for comparing
and prioritizing risks.
4. To Support Risk Prioritization: Not all risks require the same level of attention. Risk analysis
helps in ranking risks so that management can focus on the most critical ones first.
5. To Inform Decision-Making: It provides a sound basis for making informed decisions about
risk treatment options such as avoiding, reducing, transferring or accepting risks.
6. To Evaluate Existing Controls: Risk analysis considers the effectiveness of current controls
and identifies gaps or weaknesses that may expose the organization to greater risk.
7. To Enhance Resource Allocation: By identifying high-priority risks, organizations can
allocate time, money and effort more efficiently to areas that need it most.
8. To Improve Organizational Preparedness: It enables organizations to anticipate potential
problems and take proactive measures, thereby enhancing resilience and continuity.
9. To Provide Input for Risk Evaluation: Risk analysis generates the information needed to
compare risks against established criteria and determine which risks are acceptable or require
treatment.

Overall, the purpose of risk analysis is to provide a systematic and structured understanding of risks so that organizations can make informed, rational and proactive decisions in managing uncertainty and achieving their objectives.

QUALITATIVE AND QUANTITATIVE RISK ANALYSIS
Qualitative and quantitative risk analysis are two complementary approaches to assessing and managing risks. Qualitative risk analysis uses expert judgment and subjective assessments to evaluate risks, while quantitative risk analysis relies on numerical data and statistical methods to provide more precise risk assessments.

Qualitative Risk Analysis
Qualitative risk analysis uses subjective assessments and expert judgment to evaluate the likelihood and impact of risks. The qualitative risk analysis methods include:
✓ Expert Judgment: Drawing on the knowledge and experience of individuals or groups to assess risks.
✓ Data Gathering: Collecting relevant information through interviews, meetings and other methods.
✓ Risk Categorization: Organizing risks into categories based on their sources or effects.
✓ Risk Prioritization: Identifying and ranking risks based on their potential impact and probability of occurrence.
✓ Risk Matrix: Using a matrix to visually represent the likelihood and impact of risks, allowing for a quick assessment of risk levels.

Advantages
✓ Quick and Easy: Relatively quick and easy to perform, requiring minimal resources and specialized tools.
✓ Subjective: Allows for the inclusion of qualitative factors that may not be easily quantifiable.
✓ Cost-Effective: Less expensive to conduct than quantitative analysis.

Disadvantages
✓ Subjective: May be influenced by personal biases and opinions, potentially leading to inconsistent or inaccurate assessments.
✓ Less Precise: May not provide as accurate and detailed information as quantitative analysis.

Quantitative Risk Analysis

a risk originates from internal factors (such as organizational processes, systems or human resources) or external factors (such as economic conditions, regulatory changes or technological developments). It also entails classifying risks into relevant categories such as operational, financial, strategic or compliance risks in order to enhance clarity and facilitate analysis. In addition, attention is given to the drivers of risk and the relationships between different risks, as some risks may be interconnected or may occur simultaneously. A clear understanding of the nature of risks provides a strong foundation for estimating their likelihood and impact and supports the selection of appropriate risk treatment measures in line with ISO 31000 principles.

ESTIMATION OF LIKELIHOOD (PROBABILITY ASSESSMENT)
Estimation of likelihood involves determining the chance that a particular risk event will occur within a specified period. In line with ISO 31000, likelihood is used as a broad concept that accommodates both qualitative descriptions and quantitative measurements. It is a key component of risk analysis and is combined with impact (consequence) to determine the overall level of risk.

Meaning of Likelihood
Likelihood refers to the possibility or chance of a risk occurring. It may be expressed in descriptive terms (e.g., rare, likely) or numerical values (e.g., 0.2, 20%). It can be based on past data, expert judgment or predictive analysis. It is often time-bound (e.g., likelihood per year, per project cycle).

Purpose of Estimating Likelihood

  • To determine how often a risk may occur
  • To support risk prioritization and ranking
  • To assist in decision-making regarding risk treatment
  • To improve planning and preparedness

Approaches to Estimating Likelihood

(a) Qualitative Approach: Uses descriptive scales rather than numbers.
Typical Scale:
  • Rare – May occur only in exceptional circumstances
  • Unlikely – Could occur at some time
  • Possible – Might occur occasionally
  • Likely – Will probably occur in most circumstances
  • Almost Certain – Expected to occur frequently
Advantages:
  • Simple and easy to understand
  • Useful where data is limited
Limitations:
  • Subjective and less precise

(b) Quantitative Approach: Uses numerical values to express likelihood.
Examples:
  • Probability values (e.g., 0.7 or 70%)
  • Frequency (e.g., 3 times per year)
Advantages:
  • More precise and objective
  • Allows statistical analysis
Limitations:
  • Requires reliable data and expertise

(c) Semi-Quantitative Approach: Combines qualitative descriptions with numerical scores.
Example:
  • Rare = 1
  • Unlikely = 2
  • Possible = 3
  • Likely = 4
  • Almost Certain = 5
Advantages:
  • Balances simplicity and comparability
  • Useful for ranking risks

✓ Bias in expert judgment
✓ Rapidly changing environments
✓ Over-reliance on historical trends
✓ Difficulty in predicting rare events

Importance of Likelihood Estimation
✓ Helps prioritize risks effectively
✓ Supports informed decision-making
✓ Enhances resource allocation
✓ Improves organizational preparedness
✓ Forms the basis for risk evaluation

Estimation of likelihood is a fundamental aspect of risk analysis that enables organizations to understand how probable a risk event is. By combining qualitative and quantitative approaches, organizations can improve the accuracy and reliability of their assessments, leading to better risk management decisions in accordance with ISO 31000.

IMPACT ASSESSMENT IN RISK ANALYSIS
Impact assessment (also referred to as consequence analysis) involves evaluating the potential effects or outcomes that may occur if a risk event materializes. In line with ISO 31000, impact focuses on the magnitude and severity of the consequences on organizational objectives. It is a critical component of risk analysis and is considered alongside likelihood to determine the overall level of risk.

Meaning of Impact (Consequence)
Impact refers to the extent of damage, loss or effect that a risk event may have on an organization. It may be positive or negative. It can be expressed qualitatively (e.g., minor, severe) or quantitatively (e.g., financial loss in monetary terms). It may affect different aspects of the organization.

Purpose of Impact Assessment
✓ To determine the severity of consequences if a risk occurs
✓ To support risk prioritization and ranking
✓ To guide the selection of appropriate risk treatment strategies
✓ To enhance preparedness and contingency planning

Types of Impacts
Impact assessment considers different dimensions of consequences, including:
✓ Financial impacts: Loss of revenue, increased costs, reduced profitability
✓ Operational impacts: Disruption of processes, delays, inefficiencies
✓ Strategic impacts: Failure to achieve long-term goals or competitive disadvantage
✓ Legal and compliance impacts: Fines, penalties, litigation
✓ Reputational impacts: Damage to brand image and stakeholder trust
✓ Health, safety and environmental impacts: Injury, loss of life, environmental damage

Approaches to Impact Assessment

(a) Qualitative Impact Assessment: Uses descriptive categories to assess severity.
Typical Scale:
  • Insignificant – Minimal effect, easily manageable
  • Minor – Small disruptions, limited impact
  • Moderate – Noticeable impact requiring management attention
  • Major – Serious consequences affecting key objectives
  • Catastrophic – Severe impact threatening organizational survival
Advantages:
  • Simple and easy to apply
  • Useful when data is limited
Limitation:
  • Subjective and less precise

(b) Quantitative Impact Assessment: Uses numerical values to measure consequences.
Examples:
  • Financial loss (e.g., KES 5 million loss)
  • Time delays (e.g., 3-month project delay)
  • Percentage reduction in output
Advantages:
  • More precise and measurable
  • Supports detailed analysis and comparisons
Limitations:
  • Requires reliable data and technical expertise

(c) Semi-Quantitative Assessment: Combines descriptive scales with numerical scoring.
Example: Insignificant = 1

| Category | Threat/Opportunity | Catastrophic (threat) / 5 – Transformative (opportunity) | 4 – Major | 3 – Moderate | 2 – Minor | 1 – Insignificant |
|---|---|---|---|---|---|---|
| Strategic | Threat | Failure to achieve multiple strategic goals. | Failure to achieve one strategic goal | Limits the ability to achieve multiple strategic goals | Limits the ability to achieve one strategic goal | Little or no impact on strategy. |
| Strategic | Opportunity | Accelerated achievement of multiple strategic goals. | Accelerated achievement of one strategic goal | Enhanced ability to achieve multiple strategic goals | Enhanced ability to achieve one strategic goal | Little or no contribution to long-term viability |
| Financial | Threat | Reduction in income or one-off loss ≥ 10% of the annual budget. | Reduction in income or one-off loss (5–10)% of the annual budget | Reduction in income or one-off loss (2–5)% of the annual budget | Reduction in income or one-off loss (1–2)% of the annual budget | Reduction in income or one-off loss ≤ 1% of the annual budget |
| Financial | Opportunity | Increase in income or one-off saving ≥ 10% of the annual budget. | Increase in income or one-off saving (5–10)% of the annual budget | Increase in income or one-off saving (2–5)% of the annual budget | Increase in income or one-off saving (1–2)% of the annual budget | Increase in income or one-off saving ≤ 1% of the budget |

Challenges in Impact Assessment
✓ Difficulty in estimating intangible impacts (e.g., reputation)
✓ Lack of reliable data
✓ Uncertainty about future conditions
✓ Subjectivity in qualitative assessments
✓ Underestimation or overestimation of consequences

Importance of Impact Assessment
✓ Helps prioritize risks based on severity
✓ Supports informed decision-making
✓ Guides resource allocation
✓ Enhances contingency and response planning
✓ Contributes to organizational resilience

Impact assessment is a vital part of risk analysis that focuses on understanding the potential consequences of risk events. By evaluating the severity of impacts across different dimensions, organizations are better equipped to prioritize risks and implement appropriate risk treatment strategies in accordance with ISO 31000.

DETERMINING THE LEVEL OF RISK
Determining the level of risk involves combining the results of likelihood (probability) assessment and impact (consequence) assessment to establish the overall severity of each identified risk. In accordance with ISO 31000, the level of risk provides a basis for comparing risks and deciding which ones require treatment and priority attention.

Meaning of Risk Level
Risk level refers to the magnitude of a risk, expressed in terms of the combination of its likelihood and impact. It indicates how serious a risk is to the organization. It can be expressed qualitatively (e.g., low, medium, high) or quantitatively (numerical scores). It supports ranking and prioritization of risks.

Purpose of Determining Risk Level
✓ To prioritize risks based on their severity
✓ To support decision-making on risk treatment
✓ To identify which risks are acceptable and which require action
✓ To allocate resources effectively

Methods of Determining Risk Level

(a) Risk Matrix (Probability–Impact Matrix): The most common method used to determine risk level. Combines likelihood and impact using a grid (e.g., 3×3 or 5×5 matrix). Each cell represents a risk rating (low, medium, high, extreme).
Advantages:
  • Simple and easy to interpret
  • Provides visual representation of risk levels
Limitations:
  • May oversimplify complex risks

Determining the level of risk is a crucial step in risk analysis as it integrates likelihood and impact to provide a clear picture of risk severity. This enables organizations to prioritize risks effectively and take appropriate actions in line with ISO 31000, ensuring that resources are directed toward the most significant threats to organizational objectives.

RISK MATRIX (IMPACT VS. PROBABILITY)
A typical 5×5 Risk Matrix ranks risks based on probability and impact. A risk matrix is a visual tool used to assess and prioritize risks based on likelihood (probability), i.e. how likely the risk is to occur, and impact (consequence), i.e. how severe the outcome would be if it occurs. This matrix helps determine which risks require immediate attention and which can be monitored or accepted.

  1. Risk Evaluation Matrix

| IMPACT (CONSEQUENCE) \ LIKELIHOOD | Very unlikely | Unlikely | Moderately possible | Very likely | Almost Certain |
|---|---|---|---|---|---|
| Catastrophic | | | | | |
| 4 Major | 4 | 8 | 12 | 16 | 20 |
| 3 Moderate | 3 | 6 | 9 | 12 | 15 |
| 2 Minor | 2 | 4 | 6 | 8 | 10 |
| 1 Insignificant | | | | | |

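Interpretation

| Impact \ Likelihood | Rare (Very unlikely) | Unlikely | Moderately Possible | Likely | Almost Certain |
|---|---|---|---|---|---|
| Catastrophic | M | H | E | E | E |
| Major | M | M | H | E | E |
| Moderate | L | M | M | H | H |
| Minor | L | L | M | M | H |
| Insignificant | L | L | L | M | M |

Key: L = Low, M = Medium, H = High, E = Extreme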

Actions Based on Risk Levels
✓ Extreme Risk (E): Immediate action required. Stop activity or implement urgent controls. Escalate to executive leadership or board. Consider redesigning or eliminating risk source.
✓ High Risk (H): Senior management attention required. Implement strong controls to reduce likelihood or impact. Develop detailed risk mitigation and contingency plans. Regular monitoring and formal reporting.
✓ Medium Risk (M): Managed by line management. Implement cost-effective controls. Monitor periodically. May require contingency planning.
✓ Low Risk (L): Acceptable risk. Maintain current controls (if any). Monitor infrequently (e.g., annually). Document rationale for acceptance.

Risk Response Strategies by Level
✓ Extreme: Avoid, transfer (insurance), intensive mitigation
✓ High: Mitigate, transfer, implement strong controls
✓ Medium: Accept with controls or mitigation
✓ Low: Accept with minimal or no treatment

Risk Treatment Options (per ISO 31000)

| Strategy | Description | Example |
|---|---|---|
| Avoidance | Eliminate the risk source or activity | Cancel risky project |
| Reduction (Mitigation) | Reduce likelihood or impact | Add security controls |
| Transfer | Share the risk with others | Buy insurance; outsource |
| Acceptance | Do nothing, but monitor | Accept minor operational delays |
| Enhancement (opportunity risk) | Increase likelihood or benefit | Invest more to exploit upside risk |

Risk Owner Assignment
Assign clear ownership for each risk, based on its level:
  • Extreme/High: Executives or senior managers
  • Medium: Functional managers
  • Low: Supervisors or team leaders
Risk ownership ensures accountability for mitigation, monitoring and reporting.
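The risk matrix, its interpretation table and the owner assignment above can be applied to a risk register as in the following added example, which is not part of the original lecture notes. The function names and the four register entries are constructed for illustration; the scales, matrix letters and owners are transcribed from the notes.

```python
"""Added example: score a risk register against the lecture's 5x5 matrix."""

# Semi-quantitative scales as given in the notes.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Interpretation matrix from the notes: one row per impact, one letter per
# likelihood (Rare .. Almost Certain). L = Low, M = Medium, H = High, E = Extreme.
MATRIX = {
    "Catastrophic":  "MHEEE",
    "Major":         "MMHEE",
    "Moderate":      "LMMHH",
    "Minor":         "LLMMH",
    "Insignificant": "LLLMM",
}

# Owner per level, from the "Risk Owner Assignment" paragraph.
OWNER = {
    "E": "Executives or senior managers",
    "H": "Executives or senior managers",
    "M": "Functional managers",
    "L": "Supervisors or team leaders",
}

# Constructed sample register (not from the notes): name, likelihood, impact.
REGISTER = [
    ("Ransomware encrypts file servers", "Possible", "Catastrophic"),
    ("Recurring payroll batch delays", "Almost Certain", "Moderate"),
    ("Regulatory fine after audit", "Rare", "Major"),
    ("Shared printer outage", "Unlikely", "Minor"),
]


def rate(likelihood, impact):
    """Return (score, level): likelihood x impact, and the matrix cell's letter."""
    col = LIKELIHOOD[likelihood]  # KeyError on a label outside the scale
    return col * IMPACT[impact], MATRIX[impact][col - 1]


def rank(register):
    """Order risks by matrix level first, numeric score second, highest first."""
    rows = []
    for name, likelihood, impact in register:
        score, level = rate(likelihood, impact)
        rows.append((name, score, level, OWNER[level]))
    return sorted(rows, key=lambda r: ("LMHE".index(r[2]), r[1]), reverse=True)


def ambiguous_scores():
    """Scores that land on more than one level somewhere in the matrix."""
    levels = {}
    for impact in IMPACT:
        for likelihood in LIKELIHOOD:
            score, level = rate(likelihood, impact)
            levels.setdefault(score, set()).add(level)
    return {s: sorted(v) for s, v in levels.items() if len(v) > 1}


if __name__ == "__main__":
    for row in rank(REGISTER):
        print(row)
    print("scores with more than one level:", ambiguous_scores())
```

Scores 4 and 15 each fall on two different levels in the interpretation table, so bands on the likelihood × impact product alone cannot reproduce it; the rating has to be read from the matrix cell.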

| Rating | Description | Example |
|---|---|---|
| 1 – Very Low | Minimal benefit; negligible effect | Small cost saving |
| 2 – Low | Marginal process improvement | Slight increase in efficiency |
| 3 – Moderate | Noticeable benefit | New customer segment |
| 4 – High | Significant gain | Product innovation or market expansion |
| 5 – Very High | Transformational benefit | Major strategic breakthrough, industry disruption |

Sample Opportunity Risk Matrix (5x5)

| Likelihood \ Impact | Very Low | Low | Medium | High | Very High |
|---|---|---|---|---|---|
| Very Likely (5) | M | H | H | E | E |
| Likely | M | M | H | H | E |
| Possible | L | M | M | H | H |
| Unlikely | L | L | M | M | H |
| Rare (1) | L | L | L | M | M |

Key: L = Low opportunity, M = Moderate opportunity, H = High opportunity, E = Exceptional opportunity

Actions Based on Assessment:

| Opportunity Level | Action |
|---|---|
| Exceptional (E) | Exploit immediately; allocate resources |
| High (H) | Develop and pursue actively |
| Moderate (M) | Monitor and consider if conditions change |
| Low (L) | Watchlist or defer |

The Opportunity Risk Matrix is a powerful tool for identifying and acting on positive risks that align with strategic goals. By combining impact and likelihood, organizations can prioritize high-value opportunities, integrate opportunity with risk frameworks and drive innovation and competitive advantage.

Risk analysis provides an input to risk evaluation, to decisions on whether risk needs to be treated and how, and on the most appropriate risk treatment strategy and methods. The results provide insight for decisions where choices are being made and the options involve different types and levels of risk.