Qualitative Assessment: Risk Analysis Process
Attaching monetary value to the elements of a risk analysis can be challenging. Incorporating qualitative components into the process will help evaluate the quantitative component. A qualitative assessment rates the degree of threats and sensitivity of confidential assets then places them into categories based on their rating. The following ratings can be applied:
- Low: When loss of a member (part) would be a minor setback that could be tolerated for a brief time.
- Medium: When loss of a member (part) could result in some degree of damage to the organization or a moderate expense to fix the damage.
- High: When loss of a member (part) would result in severe compromise of trust between the organization and its clients/employees, and could result in a legal action, or loss of profit and earnings.
Quantitative Assessment: Risk Analysis Process
A quantitative assessment measures the monetary value of all the elements combined in a risk assessment as well as the assets and threats of a risk analysis. Components of the risk analysis process include property value, residual damage, rate of occurrence (threats), safeguard effectiveness, safeguard expenses, unknowns and probabilities. All of these components need to be quantified. When doing this assessment all incurred costs such as loss of hours; repairs; damage and replacement of equipment. The three steps of quantitative assessment are as follows:
- Single loss expectancy (SLE), which is the estimated possibility for one time losses of an asset. The SLE is calculated as the asset value multiplied by its exposure factor, which is the percent of damage that a realized threat would have on the asset.
- Annual rate of occurrence (ARO), the estimated number of times an incident may occur within a year.
- Annual loss expectancy (ALE), which combines the SLE and ARO to determine the magnitude of the risk. The ALE is calculated as SLE multiplied by the ARO.
