10.3 QUALITATIVE AND QUANTITATIVE RISK ANALYSIS


It may come as no surprise that there are different ways to perform risk analysis. The two most widely used methodologies are quantitative and qualitative risk analysis. Whichever methodology you use, the findings should include precise and unambiguous definitions that formalize expectations about events that have not yet occurred. Risk analysis is a science, but it is also an art. Risk is a relative and abstract concept, and that is precisely why formal methods for analyzing it were developed: we need to bring some order to the business of predicting loss, so we have created paradigms (risk analysis models and methodologies) to measure and control our fuzzy logic in an effort to make it not so fuzzy.

In qualitative risk analysis, risk and the likelihood of particular threats are estimated and assessed according to pre-determined measurement scales. In quantitative risk analysis, the analyst attempts to produce financial loss calculations that can be mathematically measured. Qualitative risk analysis is more generalized and faster to compute. Quantitative risk analysis is more detail-oriented and requires a significant amount of time to collect and assemble the required metrics. Qualitative risk analysis is clearly more subjective: two well-versed risk analysis experts are more likely to reach different conclusions in qualitative risk analysis than in quantitative risk analysis. In spite of their differences, there is a place in the world of loss protection for both risk analysis methodologies to co-exist.

In the best of all circumstances, organizations should perform both quantitative and qualitative risk analysis and compare the findings, looking for trends. However, it is rare that an organization has the time and resources to work through both methodologies. Therefore, one of the two should be selected and consistently adhered to throughout the risk analysis process. So the next logical question is: which methodology should you use? You need to understand the advantages and disadvantages of both before you can make that decision.

The most obvious advantage that qualitative risk analysis has over quantitative risk analysis is that qualitative risk analysis projects take considerably less time. If you are strapped for time, and can barely afford any resources to dedicate to understanding your HIPAA risks, qualitative risk analysis is the way to go. However, if your legal counsel and CFO insist on a risk analysis process that offers numerical findings that can be measured against each other from year to year, and are specifically concerned about litigation, quantitative risk analysis is a better choice.

10.3.1 Attributes of Qualitative Risk Analysis

  • Requires less training

  • A faster process

  • Emphasizes descriptions

  • Findings are simple and expressed in relative terms

  • Values used are perceived values, not actual values

10.3.2 Attributes of Quantitative Risk Analysis

  • Yields results which are more financial in nature

  • Emphasizes mathematical calculations

  • Findings are expressed in monetary values, percentages, and probabilities

  • Better for helping to understand security procurement and budgeting issues

  • Very time intensive

Quantitative risk analysis is used not only to understand the risks, but also to justify the cost-effectiveness of procuring safeguards to mitigate them. Safeguards are the controls you put in place to reduce risk. If a safeguard costs more than the loss it prevents, why would you spend the money to implement it? Quantitative risk analysis attempts to determine whether the safeguards are worth their total cost of ownership (TCO). The TCO of a safeguard includes procurement, implementation, and on-going support.
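The following is an added example, not code from the book, that runs both methodologies over one constructed scenario (a lost laptop holding ePHI) so the difference in their findings is visible. The qualitative half scores the threat on ordinal likelihood and impact scales and can only rank risks relative to each other. The quantitative half uses the standard single loss expectancy (SLE = asset value x exposure factor) and annualized loss expectancy (ALE = SLE x annual rate of occurrence) formulas, which the chapter does not spell out, and then weighs a safeguard's annualized TCO (procurement plus implementation spread over its lifetime, plus yearly support) against the ALE reduction it buys. The scales, dollar figures, threat and safeguard names are all constructed assumptions.

```python
"""Qualitative vs quantitative risk analysis on one constructed scenario.

Added example, not code from the book. The scales, dollar figures,
threat and safeguard names below are all constructed for illustration.
"""
from dataclasses import dataclass

# ---- Qualitative: ordinal scales, findings in relative terms -------------
# Pre-determined measurement scales (constructed; an organization defines
# its own). These are perceived values, not dollar figures.
LIKELIHOOD_SCALE = {"low": 1, "medium": 2, "high": 3}
IMPACT_SCALE = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> tuple[int, str]:
    """Score = likelihood x impact on the ordinal scales, then band it."""
    score = LIKELIHOOD_SCALE[likelihood] * IMPACT_SCALE[impact]
    if score >= 6:
        band = "high"
    elif score >= 3:
        band = "medium"
    else:
        band = "low"
    return score, band


def rank_qualitative(risks: dict[str, tuple[str, str]]) -> list[str]:
    """Order named risks from highest to lowest score: a relative ranking,
    which is all a qualitative analysis can deliver."""
    return sorted(risks,
                  key=lambda name: qualitative_rating(*risks[name])[0],
                  reverse=True)


# ---- Quantitative: loss in dollars, safeguards judged against TCO --------
@dataclass(frozen=True)
class Exposure:
    """Inputs to the standard SLE/ALE formulas (assumed; not in the chapter)."""
    asset_value: float      # AV: dollar value of the asset
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    annual_rate: float      # ARO: expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """TCO components named in the text: procurement, implementation, support."""
    name: str
    procurement: float
    implementation: float
    annual_support: float
    lifetime_years: int

    def annualized_tco(self) -> float:
        """One-time costs spread over the lifetime, plus yearly support."""
        one_time = self.procurement + self.implementation
        return one_time / self.lifetime_years + self.annual_support


def annual_safeguard_value(before: Exposure, after: Exposure,
                           sg: Safeguard) -> float:
    """ALE reduction the safeguard buys, minus what it costs per year.
    Negative means the safeguard costs more than the loss it prevents."""
    return before.ale() - after.ale() - sg.annualized_tco()


def worth_buying(before: Exposure, after: Exposure, sg: Safeguard) -> bool:
    return annual_safeguard_value(before, after, sg) > 0


# ---- Constructed scenario: a lost laptop holding ePHI --------------------
LAPTOP_EPHI = Exposure(asset_value=500_000.0, exposure_factor=0.4,
                       annual_rate=0.1)
# Same asset once the disk is encrypted: a lost laptop exposes far less.
LAPTOP_EPHI_ENCRYPTED = Exposure(asset_value=500_000.0, exposure_factor=0.05,
                                 annual_rate=0.1)

# Two candidate safeguards, both assumed to reach the same residual exposure.
DISK_ENCRYPTION = Safeguard("disk encryption", procurement=15_000.0,
                            implementation=10_000.0, annual_support=4_000.0,
                            lifetime_years=5)
GOLD_PLATED_DLP = Safeguard("gold-plated DLP suite", procurement=100_000.0,
                            implementation=20_000.0, annual_support=10_000.0,
                            lifetime_years=5)

if __name__ == "__main__":
    score, band = qualitative_rating("low", "high")
    print(f"qualitative: lost ePHI laptop scores {score} -> {band} (no dollars)")
    print(f"quantitative: SLE ${LAPTOP_EPHI.sle():,.0f}, "
          f"ALE ${LAPTOP_EPHI.ale():,.0f}/yr")
    for sg in (DISK_ENCRYPTION, GOLD_PLATED_DLP):
        value = annual_safeguard_value(LAPTOP_EPHI, LAPTOP_EPHI_ENCRYPTED, sg)
        verdict = "worth it" if value > 0 else "costs more than the loss"
        print(f"  {sg.name}: TCO ${sg.annualized_tco():,.0f}/yr, "
              f"net ${value:,.0f}/yr -> {verdict}")
```

With these constructed figures the qualitative pass rates the threat "medium" and can say nothing about budget, while the quantitative pass puts the ALE at $20,000 per year and shows that disk encryption (annualized TCO $9,000) pays for itself and the DLP suite (annualized TCO $34,000) does not, even though both reduce the loss by the same amount. That is the procurement argument the text says quantitative analysis is better at supporting.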


HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181