Looking at Risk from Both Sides – Why Quantitative and Qualitative Risk Assessments Work TogetherRisk Management | 4 Min Read |04 May 22|by Patricia McParland
“I’ve looked at risk from both sides now…”
Ok – I guess I owe an apology to Judy Collins, and to all of you for damaging a great sixties music classic! But I often think about this song when thinking about cyber risk. Examining risk takes more than a one-sided view: It requires perspective, and both quantitative and qualitative analysis.
That’s especially important in today’s unsettled world, where the need to adopt a risk-based approach to business decision-making has been gaining prominence in recent years. Particularly in the wake of a series of disruptions in the past two years, including the COVID-19 pandemic, the Suez Canal blockage, geopolitical unrest, rapid digitization, and more, organizations are increasingly making efforts to improve their enterprise risk management programs. A broader view is a must.
Performing risk assessments is one of the most important steps in the enterprise risk and cyber risk management processes. Once risks have been identified, assessment and analysis are critical to unlock deeper insights into your organization’s overall risk posture, understand the factors that can have a negative impact, and take proactive steps to mitigate and minimize them.
Left Brain/Right Brain: The Qualitative vs. Quantitative Debate
Risk managers are often faced with a difficult decision – which risk assessment method should I go with? Qualitative or quantitative?
As I’ve already hinted in my introduction, I’m biased toward a combination view – using both sides of the risk brain, if you will.
But from a practical standpoint, whether to perform a qualitative or quantitative risk assessment depends on what you’re trying to assess and what you expect to learn. Consider the risk of fire hazard faced by an organization. An initial risk assessment would entail survey questions such as:
In another example, if we consider the risks posed by IT vendors, you would want to segregate the third parties into critical and non-critical categories based on their level of access to critical organizational assets.
This requires asking questions like:
Organizations can easily identify which third parties require close monitoring and define risk management and control measures.
In these examples, most of the questions usually require a yes/no response and rely on the knowledge and expertise of the assessor. Though qualitative assessments are subjective in nature and can be influenced by the assessor’s bias and perception, they are important to understand the likelihood and severity of any risk event.
Based on the initial assessment, the next step is to assess the associated controls. In the example of fire hazard, this requires asking questions such as – How many fire extinguishers are available on every floor? Is there a fire exit? Are fire sprinklers installed? Are fire safety drills conducted?
In control assessments too, a qualitative assessment is often preferred.
For example, if you need to check the effectiveness of a control, such as the fire sprinkler system, you can use a qualitative assessment using a scale of 1 to 5 (or red, yellow, or green risk assessment), where 1 could mean that the system has not been installed, 2 - installed but not working, 3 - some sprinklers are not working, 4 - all are working but the coverage is not optimum, and 5 means that they are working effectively with full coverage.
However, if we go a step further to analyze the risk exposure: that’s where quantitative risk assessment works best.
Driven by data, quantitative analysis eliminates the ambiguity and subjectivity inherent in qualitative assessments. Associating a monetary value to risk equips chief risk officers to effectively communicate the risk exposure to the executive management in a language that is easy to interpret and act upon, and helps easily prioritize risks.
In the example of fire hazard, expressing the loss exposure in monetary terms, followed by questions such as – Do you have fire insurance? How much is the fire insurance? – will help accurately understand the risk exposure and mitigation measures.
It’s Not Either Or, It’s And
The deepest insights come from the widest perspectives. For true risk assessment, perform both qualitative and quantitative risk assessments to gain real visibility into the overall organizational and cyber risk posture. You may have heard it called a 360-degree view of risk. With apologies to Judy, I like to see it as looking at risk from both – or all – sides now.
MetricStream’s latest release, Danube, brings risk quantification capabilities to the Enterprise and Operational Risk Management products – already available in our CyberGRC product line. Risk practitioners can now leverage advanced models to better quantify and prioritize risk strategies. They can easily capture values for variables (e.g. loss event frequency, loss magnitude) that can be represented in a simple format. The support for Monte Carlo simulations enables users to generate a range-based estimate and predict the probability of different outcomes for the annual loss expectancy. To request a personalized demo, click here.
To read more about the new innovations in our Danube Software Release, click here.