
Quantitative versus Qualitative Risk Control Practices

Neelima
120421862018
Risk:
Exposure to the chance of injury or loss; a hazard or dangerous chance of loss.

Risk Management:
 Risk management is the process of identifying, assessing and controlling threats to an
organization's capital and earnings. These risks stem from a variety of sources including
financial uncertainties, legal liabilities, technology issues, strategic management errors,
accidents and natural disasters.

 A successful risk management program helps an organization consider the full range of
risks it faces. Risk management also examines the relationship between risks and the
cascading impact they could have on an organization's strategic goals.
 Risk management has perhaps never been more important than it is now. The risks modern
organizations face have grown more complex, fuelled by the rapid pace of globalization. New
risks are constantly emerging, often related to and generated by the now-pervasive use of digital
technology. Climate change has been dubbed a "threat multiplier" by risk experts.

 The International Organization for Standardization’s five-step Risk Management Process comprises
the following and can be used by any type of entity:

1. Identify the risks.

2. Analyse the likelihood and impact of each one.

3. Prioritize risks based on business objectives.

4. Treat (or respond to) the risk conditions.

5. Monitor results and adjust as necessary.


Risk Assessment Methodologies:
 Risk assessment and analysis is a nebulous process. Unless one has studied risk and the math
that goes along with it, one might not know where to start when told by regulation that a risk
analysis must be performed. 

 Quantitative risk assessment can help you make better decisions. Quantitative risk assessment
of your IT environment is a must if higher security maturity levels are to be achieved. It is
also a must if your organization wants to take risk management of IT seriously.

 However, there are times where you need to measure your risk based on a set of regulatory
controls. The quantitative method is not suitable for this type of risk calculation. Instead, risk
assessors use a more qualitative method.
 Qualitative risk assessment is studying an event, or regulatory control in this case, and
understanding the quality of its implementation. In the background of this type of risk assessment,
decisions have already been made about the impact to the organization if the control is not
implemented and the probability that the control will need to be exercised.

 As an example, our TRAC Tool performs qualitative risk assessment in our ISP module to give
the user an idea of how well the institution’s Information Security Program has been implemented
based on a pre-defined standard of security controls.

 Qualitative risk assessment excels at giving the risk assessor and the risk manager information
about how well the control is currently implemented. 
  For instance, on a scale from 1 to 5, a “1” rating might mean that the control hasn’t been
considered by the organization. A “2” might mean that the control has been considered but not
implemented. A “3” might mean the control has a process implemented by the organization but is
not formalized and documented. A “4” might mean the control is formalized but not documented.
Finally, a “5” means the control is fully implemented, formalized, and documented.

 Using the qualitative method of risk assessment, we can evaluate your institution based on a
particular standard or piece of guidance. We can break the standard we’re utilizing down into
sections or categories, outline the controls that the standard recommends we implement, rate our
specific implementation of those controls (on the 1 to 5 scale mentioned above), then determine
the control-implementation percentage for each section. Calculate the control-implementation
percentage by adding up the total of our ratings in that section, then dividing by the total possible
rating number (in the case of a 1 to 5 scale, 5 times the total number of controls evaluated).
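The scoring procedure just described, as an added Python example; this is not code from the page or from the TRAC tool mentioned above. The section names, control names and ratings are constructed sample data, and the overall_percentage and weakest_controls helpers are additions beyond the per-section percentage the text defines:

```python
"""Qualitative control-implementation scoring on the 1-to-5 scale.

Added worked example, not code from the original page or from the TRAC tool
it mentions. Section names, control names and ratings are constructed sample data.
"""
from typing import Dict, List, Tuple

MAX_RATING = 5

# Meaning of each rating level, as the text describes the scale.
RATING_MEANING = {
    1: "not considered by the organization",
    2: "considered but not implemented",
    3: "process implemented but not formalized or documented",
    4: "formalized but not documented",
    5: "fully implemented, formalized and documented",
}


def validate_rating(rating: int) -> int:
    """Reject anything outside the 1..5 scale (a 0 or a 6 would silently skew the percentage)."""
    if isinstance(rating, bool) or not isinstance(rating, int) or not 1 <= rating <= MAX_RATING:
        raise ValueError(f"rating must be an integer from 1 to {MAX_RATING}, got {rating!r}")
    return rating


def section_percentage(controls: Dict[str, int]) -> float:
    """Control-implementation percentage for one section:
    sum of ratings / (MAX_RATING x number of controls), rounded to one decimal."""
    if not controls:
        raise ValueError("a section must contain at least one rated control")
    total = sum(validate_rating(r) for r in controls.values())
    possible = MAX_RATING * len(controls)
    return round(100.0 * total / possible, 1)


def assess(standard: Dict[str, Dict[str, int]]) -> Dict[str, float]:
    """Percentage per section of the standard."""
    return {name: section_percentage(controls) for name, controls in standard.items()}


def overall_percentage(standard: Dict[str, Dict[str, int]]) -> float:
    """Whole-standard percentage, weighting every control equally (added helper;
    not the average of section percentages, which would over-weight small sections)."""
    total = sum(validate_rating(r) for controls in standard.values() for r in controls.values())
    count = sum(len(controls) for controls in standard.values())
    if count == 0:
        raise ValueError("standard contains no rated controls")
    return round(100.0 * total / (MAX_RATING * count), 1)


def weakest_controls(standard: Dict[str, Dict[str, int]],
                     threshold: int = 3) -> List[Tuple[str, str, int, str]]:
    """Controls rated below `threshold`, weakest first: the items a risk manager
    would treat first (added helper). Returns (section, control, rating, meaning)."""
    findings = [
        (section, control, rating, RATING_MEANING[rating])
        for section, controls in standard.items()
        for control, rating in controls.items()
        if validate_rating(rating) < threshold
    ]
    return sorted(findings, key=lambda f: f[2])


# Constructed sample: two sections of a hypothetical security-controls standard.
SAMPLE_STANDARD = {
    "Access Control": {
        "Unique user IDs": 5,
        "MFA for remote access": 3,
        "Quarterly access review": 2,
    },
    "Incident Response": {
        "IR plan documented": 4,
        "Annual tabletop exercise": 1,
    },
}

if __name__ == "__main__":
    for section, pct in assess(SAMPLE_STANDARD).items():
        print(f"{section}: {pct}%")
    print(f"Overall: {overall_percentage(SAMPLE_STANDARD)}%")
    for section, control, rating, meaning in weakest_controls(SAMPLE_STANDARD):
        print(f"  [{rating}] {section} / {control}: {meaning}")
```

Because the scale has no 0, a section in which every control is rated 1 still scores 20%, so section percentages should be read against that floor rather than against 0. Rolling sections up with every control weighted equally is a design choice of this example, not something the text prescribes; a standard whose sections differ in importance would need weights.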
 Ultimately, the risk assessment methodology we use should depend on what we are trying to
measure and what outcomes we would like to see from that measurement. A quantitative risk
assessment focuses on measurable and often pre-defined data, whereas a qualitative risk
assessment is based more so on subjectivity and the knowledge of the assessor.

 A quantitative risk management methodology is best suited for a detailed look at comparing
like things across our organization, while a qualitative risk assessment is best for evaluating
the implementation of a framework that does not inherently have pre-defined values. In many
cases, we can combine the two methodologies to enhance an existing risk assessment.
Knowing which methodology to use in various situations could mean the failure or the success
of our risk management program.
Benefits of risk management include the following:

- increased awareness of risk across the organization;

- more confidence in organizational objectives and goals because risk is factored into strategy;

- better and more efficient compliance with regulatory and internal compliance mandates
because compliance is coordinated;

- improved operational efficiency through more consistent application of risk processes and
controls;

- improved workplace safety and security for employees and customers; and

- a competitive differentiator in the marketplace.


Challenges risk management teams should expect to encounter:

- Expenditures go up initially, as risk management programs can require expensive software
and services.

- The increased emphasis on governance also requires business units to invest time and money
to comply.

- Reaching consensus on the severity of risk and how to treat it can be a difficult and
contentious exercise and sometimes lead to risk analysis paralysis.

- Demonstrating the value of risk management to executives without being able to give them
hard numbers is difficult.
