Quantitative Risk Analysis uses available relevant and verifiable data to produce a numerical value which is then used to predict the probability (and hence, acceptability) of a risk event outcome. Qualitative Risk Analysis, on the other hand, applies a subjective assessment of risk occurrence likelihood (probability) against the potential severity of the risk outcomes (impact) to determine the overall severity of a risk. (Shuttleworth, Mike, 2017)
Qualitative risk assessment excels at giving the risk assessor and the risk manager information about how well the control is currently implemented.
In qualitative risk analysis, impacts and likelihood are evaluated using established methods. After evaluation, they are described in terms such as very high, high, moderate, low and very low.
The purpose of qualitative risk analysis is to:
Identify (or mark) risks for further analysis.
For the risks not marked for further analysis, identify actions based on the combined effect of their probability of occurrence and their impact on project objectives.
Qualitative analysis does not analyze the risks mathematically to determine their probability or likelihood. Instead, it uses stakeholders' inputs to judge the impact.
Quantitative Risk Analysis uses the probability distributions to characterize the risk’s probability and impact.
The risk assessment methodology you use should depend on what you are trying to measure and what outcomes you would like to see from that measurement. A quantitative risk assessment focuses on measurable and often pre-defined data, whereas a qualitative risk assessment is based more on subjectivity and the knowledge of the assessor. A quantitative risk management methodology is best suited for a detailed look at comparing like things across your organization, while a qualitative risk assessment is best for evaluating the implementation of a framework that does not inherently have pre-defined values. (Buzz Hillestad)
A common question that companies ask during the risk management process is whether a quantitative or qualitative approach should be taken. The good news is that you can make your method more effective and achieve the desired level of security by using both approaches. Quantitative risk analysis, by contrast with the qualitative approach, is objective. It uses comprehensible data to evaluate the impacts of risk on cost overruns, differences in scope, use of resources and schedule delays. In the end, the objective is the same; the difference is that a more analytical, data-intensive approach is needed.
“In layman’s terms, quantitative risk analysis assigns a numerical value to extant risks: risk A has a 40% chance of occurring, based on quantifiable data (fluctuations in resource costs, average activity completion time, logistics etc.) and a 15% chance of causing a delay of X number of days. It’s thus entirely dependent upon the quantity and accuracy of your data” (Wood, 2019)
Quantitative analysis also enables the detection of special areas — a risk incident, for example, with a high possibility of arising or a disastrous outcome. And it can be used to manage risk in real time at any point of the project. However, there is no doubt that a combined solution is better. The two approaches are basically two sections of a single whole, so that the ‘risk stage’ of each operation can be completely defined in the project schedule.
“It’s generally accepted that qualitative risk analysis is an older form of risk management than its quantitative counterpart. Not because human civilization’s earliest project managers had any particular bias towards the qualitative methodology; the answer is actually much simpler than that” (Wood, 2019)
One issue with qualitative evaluation is that those who conduct it tend to be biased, both in their estimate of likelihood and in their estimate of effect. For HR staff, for example, HR consequences weigh more heavily than other impacts, and vice versa. In terms of probability bias, a lack of understanding of the timeframes of other procedures can lead someone to believe that mistakes and failures occur more frequently in their own process than in others.
Quantitative risk evaluation, on the other hand, relies on factual and measurable data and on a statistical and analytical basis for estimating risk and impact values, usually expressing the risk value in monetary terms, which makes its findings useful beyond the scope of the evaluation itself.
“To reach a monetary result, quantitative risk assessment often makes use of these concepts: SLE (Single Loss Expectancy): money expected to be lost if the incident occurs one time. ARO (Annual Rate of Occurrence): how many times in a one-year interval the incident is expected to occur. ALE (Annual Loss Expectancy): money expected to be lost in one year considering SLE and ARO (ALE = SLE * ARO). For quantitative risk assessment, this is the risk value” (Leal, 2017)
As you can see, the qualitative and quantitative methods each have characteristics that suit them to particular risk assessment situations, but combining both methods can, on the whole, prove to be the best approach to a risk assessment. You can easily identify most risks under normal circumstances with the qualitative method, and people's concerns about their work can serve as a simple guide for rating those risks as important or not. You can then apply the quantitative approach to the relevant risks to obtain more comprehensive detail for decision-making.
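The combined procedure above (qualitative screening with the five severity levels, then SLE * ARO for the risks that survive the screen) as a worked example; this is added illustration, not code from any cited author, and the combining rule for likelihood and impact, the threshold and every figure in the sample register are assumptions:

```python
from dataclasses import dataclass

# Qualitative levels as named on the page, ordered from least to most severe.
LEVELS = ["very low", "low", "moderate", "high", "very high"]

@dataclass
class Risk:
    name: str
    likelihood: str  # qualitative level from LEVELS
    impact: str      # qualitative level from LEVELS
    sle: float       # Single Loss Expectancy, in currency units
    aro: float       # Annual Rate of Occurrence, events per year

def qualitative_severity(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into an overall severity level.
    Assumption: the average of the two level indexes, rounded half up;
    the page names the levels but not the combining rule."""
    score = (LEVELS.index(likelihood) + LEVELS.index(impact) + 1) // 2
    return LEVELS[score]

def ale(risk: Risk) -> float:
    """Annual Loss Expectancy: ALE = SLE * ARO (Leal, 2017)."""
    return risk.sle * risk.aro

def assess(risks, threshold: str = "moderate"):
    """Screen qualitatively, then quantify only risks rated at or above
    threshold, returning (name, ALE) pairs ranked by ALE, highest first."""
    cutoff = LEVELS.index(threshold)
    kept = [r for r in risks
            if LEVELS.index(qualitative_severity(r.likelihood, r.impact)) >= cutoff]
    return sorted(((r.name, ale(r)) for r in kept), key=lambda t: t[1], reverse=True)

# Constructed sample register; all figures are illustrative, not from the page.
SAMPLE_RISKS = [
    Risk("phishing leading to credential theft", "high", "moderate", 20_000, 3.0),
    Risk("ransomware on file server", "moderate", "very high", 250_000, 0.5),
    Risk("lost unencrypted laptop", "low", "low", 5_000, 2.0),
    Risk("data centre flood", "very low", "high", 1_000_000, 0.02),
]

if __name__ == "__main__":
    for name, value in assess(SAMPLE_RISKS):
        print(f"{name:40s} ALE = {value:>12,.2f}")
```

Note that the laptop risk, rated "low" by the screen, is never quantified, while the flood risk, rare but high-impact, survives the screen and is then ranked last by ALE.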
Risk evaluation is one of the most important and most difficult elements of risk management, whether individual, technological or administrative. When done correctly, the introduction of an ISO 27001 Information Security Management Framework can support any effort that organizations make to carry out qualitative or quantitative evaluations. Moreover, you need not rely on a single methodology, because ISO 27001 allows risk to be measured both qualitatively and quantitatively.