Qualitative vs. Quantitative Risk Assessment
ITT Technical Institute (Online Division)
“Companies exist on money: they need it to pay employees, buy equipment and make the expenditures necessary to keep running. Companies need to turn profits to survive, but even non-profit organizations need to manage their cash flows to assure a steady operation. Risk analysis, both qualitative and quantitative, helps organizations to identify ways in which they might lose money.” (McDunnigan, 2014)
All the elements of the risk management cycle are important but risk assessment is the headstone for all the other elements. The problem of risk assessment is an extremely complex one. When a risk assessment process is started, this process has to analyze several aspects in parallel.
First, we can talk about the stake at risk and how important vulnerabilities are in the disaster scenarios taken into account, the outcome being a way to reduce the resulting risks.
Second, we must understand that the probability of an event depends on a series of external factors as well as on internal factors of the entity (business/process/project) for which the risk assessment is made. It is essential to know and control as many of these factors as possible.
The internal factors include historical data from within the entity, collected in time, as it is necessary to keep a record of all processed data, no matter if for the moment it is thought that the data will not be useful in the future. When we talk about external factors, it is about those factors undergoing STEEP analyses (Social, Technological, Economic, Environmental, Political), factors that cannot be controlled but that could be anticipated. Here are also included the events from the company’s activity, such as natural disasters or terrorist attacks, attacks against information systems (information viruses, spam, DoS type attacks...