Module in ISM : RISK ASSESSMENT AND

MANAGEMENT

Chapter 3: Risk Analysis and Evaluation

Qualitative Risk Analysis

Qualitative risk analysis is an approach used to assess risks without relying

on precise numerical data. Instead, this method focuses on subjective
judgments to estimate the likelihood (probability) of a risk event occurring
and the potential impact (severity) it would have if it does. The goal is to
identify, categorize, and prioritize risks in a way that helps decision-makers
allocate resources effectively to manage those risks. This method is
especially useful in situations where quantitative data is unavailable or
difficult to gather.

1. Probability and Impact Matrix

The Probability and Impact Matrix is a key tool in qualitative risk

analysis. It helps visualize risks by plotting them according to their likelihood
and severity. This tool allows stakeholders to assess and prioritize risks in a
more structured way, facilitating clearer decision-making about which risks
need immediate attention and which can be monitored over time.

a. The Two Dimensions:

1. Probability (Likelihood): This refers to the chance or probability that

a specific risk event will occur. It’s typically rated in qualitative terms
such as:
o High: Very likely to happen based on historical data or current
trends.

o Medium: Possible, but not as frequent or predictable.

o Low: Unlikely or rare events, based on limited history or very

specific conditions.

2. Impact (Severity): This dimension assesses the potential damage,

loss, or disruption that could result if the risk materializes. It can
include tangible impacts (like physical harm, damage to assets, or
financial losses) and intangible ones (like reputational damage). It is
also rated qualitatively, such as:
1 Prepared by: Rodrigo L. Requintina Jr., RCrim, CSP
 Module in ISM : RISK ASSESSMENT AND

MANAGEMENT

o High: Significant consequences that could severely affect

operations, financial stability, or safety.

o Medium: Moderate impact that might cause inconvenience or

moderate financial loss.

o Low: Minimal consequences, likely to have little effect on

operations or business continuity.

b. The Process of Creating a Probability and Impact Matrix

The process for performing qualitative risk analysis with the Probability and
Impact Matrix typically involves several steps:

1. Identify Risks: List out all potential risks facing the organization or
project. This could include both internal and external threats, such as
operational failures, financial risks, security breaches, or natural
disasters.
2. Assign Qualitative Ratings: For each identified risk, assign
qualitative ratings for both likelihood and impact. These ratings
could be:

o High, Medium, or Low for likelihood

o High, Medium, or Low for impact

These ratings are based on the team’s expertise, historical data, and
subjective judgment. For instance, an experienced risk manager might
use knowledge of industry trends or past experiences to assess these
values.

3. Plot on the Matrix: Once each risk has been rated for likelihood and
impact, plot these on a Probability and Impact Matrix. This is
typically a grid with likelihood on one axis and impact on the other. The
risks are then placed into one of the categories or zones:
o High Risk: Risks that have both a high likelihood and high
impact. These require immediate attention and proactive
management.

2 Prepared by: Rodrigo L. Requintina Jr., RCrim, CSP

 Module in ISM : RISK ASSESSMENT AND

MANAGEMENT

o Moderate Risk: Risks that are rated medium for either

likelihood or impact, or both. These should be managed but don’t
require as much immediate intervention as high-risk items.

o Low Risk: Risks with a low likelihood and low impact. These
are often monitored but may not need active mitigation unless
circumstances change.

c. Example of a Probability and Impact Matrix

Here’s a more concrete example of how risks might be plotted on the matrix:

3 Prepared by: Rodrigo L. Requintina Jr., RCrim, CSP

 Module in ISM : RISK ASSESSMENT AND

MANAGEMENT

In this matrix, risks such as a cyberattack might fall under High Risk,
given both the high likelihood of it occurring and the high impact it would
have on sensitive data. On the other hand, risks like low-level employee
misconduct might be placed in the Low Risk category if the likelihood and
impact are minimal.

d. Prioritization and Decision Making

Once risks are plotted on the matrix, the organization can easily prioritize
them. The focus should be on the High Risk quadrant, where both likelihood
and impact are rated high. These risks need to be addressed immediately
with mitigation strategies. Examples of actions include:

 Installing cybersecurity measures to reduce the likelihood of a

cyberattack.
 Developing disaster recovery plans to reduce the impact of natural
disasters.

For Medium Risk areas, the organization can allocate resources to reduce
either the likelihood or impact. This might involve process improvements,
training, or monitoring.

4 Prepared by: Rodrigo L. Requintina Jr., RCrim, CSP

 Module in ISM : RISK ASSESSMENT AND

MANAGEMENT

Low Risk areas typically require monitoring and periodic reviews but don’t
necessitate immediate action or large resource allocation. These risks are
often accepted, and the organization might prepare for them passively,
intervening only if the circumstances change.

e. Benefits of the Probability and Impact Matrix:

1. Simplifies Complex Data: The matrix provides an easy-to-

understand visual representation of complex risk data, helping
decision-makers quickly grasp where attention is needed.
2. Focuses Resources: By categorizing risks based on severity,
organizations can direct resources to the areas that have the highest
potential impact on operations.

3. Promotes Proactive Risk Management: This matrix helps to

anticipate risks before they become critical, allowing organizations to
take preventative measures.

4. Facilitates Communication: It serves as a common tool for

communicating risks across departments, stakeholders, and
management teams, aligning everyone with the organization’s risk
management strategy.

The Probability and Impact Matrix is an essential tool in qualitative risk

analysis. By evaluating risks based on their likelihood and potential impact,
organizations can better prioritize which risks need immediate attention and
which can be monitored. This approach fosters a more informed, structured,
and proactive method of risk management, ultimately supporting operational
resilience and helping organizations avoid or mitigate disruptions.

Quantitative Risk Analysis

Quantitative risk analysis is a data-driven approach to risk management that

utilizes numerical data, statistical models, and mathematical techniques to
evaluate and predict the likelihood and potential impact of risks more
precisely. Unlike qualitative analysis, which relies on subjective judgment
and categorical ratings, quantitative analysis aims to provide a more
5 Prepared by: Rodrigo L. Requintina Jr., RCrim, CSP
 Module in ISM : RISK ASSESSMENT AND

MANAGEMENT

objective and measurable estimate of risk, making it particularly valuable for

making high-stakes, data-driven decisions in areas such as finance, project
management, and industrial security.

1. Numerical Data and Statistical Models

The core of quantitative risk analysis is the use of numerical data and
statistical models to quantify risks. This involves collecting both historical
data (e.g., past incidents, accidents, and performance records) and real-
time data (e.g., sensor data, market trends, or operational metrics) to
estimate the likelihood of an event occurring and the possible financial,
operational, or strategic impact.

These models aim to provide a more accurate and reliable picture of risk by
incorporating real-world data and complex calculations. This can help
organizations understand the magnitude of potential risks and plan with
more precision for uncertainty.

Techniques in Quantitative Risk Analysis

Quantitative risk analysis employs various sophisticated techniques to

estimate risks. Some of the most commonly used methods include:

a. Monte Carlo Simulations

 Monte Carlo simulations involve running a large number of random

simulations (or scenarios) to predict the likelihood of different
outcomes. By generating a broad range of possible scenarios based on
input data, Monte Carlo simulations offer a way to model uncertainty
and estimate the probability of various results.
 How it works:

o A project management team, for example, could use Monte Carlo

simulations to forecast the likelihood of cost overruns on a
project. The simulation would run thousands of iterations using
different possible cost inputs (based on historical data and
estimates) to generate a distribution of potential cost outcomes.
The result is a probabilistic understanding of the potential for
6 Prepared by: Rodrigo L. Requintina Jr., RCrim, CSP
 Module in ISM : RISK ASSESSMENT AND

MANAGEMENT

cost overruns and a more data-driven approach to managing the

project’s budget.

 Example:

o A construction project might estimate the overall cost based on

potential delays, labor costs, and material prices. Monte Carlo
simulations would calculate the likelihood of different levels of
cost overruns based on random combinations of these factors,
ultimately providing a probability distribution for the cost
outcomes.

b. Decision Trees

 Decision trees are a visual and mathematical tool used to analyze

various decision paths and the risks associated with each path. Each
branch in the tree represents a potential decision or outcome, and
probabilities are assigned to each path based on historical data or
expert opinion.
 How it works:

o Decision trees are used to make decisions under uncertainty by

outlining possible future events, the likelihood of those events,
and the financial or operational consequences of each decision.
The tree’s branches help decision-makers weigh the risks of
different alternatives.

 Example:

o A company deciding whether to invest in a new product line

could use a decision tree to model different outcomes, such as
the product succeeding, failing, or breaking even. The decision
tree would include the probabilities of each outcome based on
market research, as well as the financial consequences of each.
This helps the company make a more informed decision about
whether or not to proceed with the investment.

c. Sensitivity Analysis

7 Prepared by: Rodrigo L. Requintina Jr., RCrim, CSP

 Module in ISM : RISK ASSESSMENT AND

MANAGEMENT

 Sensitivity analysis is a technique that helps assess how sensitive

the outcomes of a model are to changes in input variables. By
systematically altering one or more variables within a model,
sensitivity analysis allows decision-makers to understand how changes
in specific factors impact the risk outcomes.
 How it works:

o In sensitivity analysis, the inputs (such as cost, time, or resource

availability) are varied to determine how they affect the overall
risk or outcome. The results can indicate which variables have
the greatest influence on risk, helping organizations focus on the
most critical areas.

 Example:

o In a financial risk model for a business, sensitivity analysis could

be used to explore how changes in interest rates, raw material
costs, or labor prices impact the profitability of the business. This
would help management focus on the most sensitive variables
and take proactive measures to mitigate risks in those areas.

Example of Quantitative Risk Analysis

Let's consider a project management scenario to illustrate how

quantitative risk analysis works:

 Scenario: A project manager needs to assess the risk of exceeding the

budget for a construction project. The budget is $10 million, and there
are concerns about potential cost overruns due to unforeseen delays,
inflation in material costs, and other factors.
 Step 1: Historical data from previous projects shows that cost
overruns are likely 20% of the time and can range from 5% to 25%
over the original budget.

 Step 2: Using Monte Carlo simulations, the project team runs 10,000
simulations of potential cost overruns, considering a variety of random
variables like labor costs, material prices, and project delays.

8 Prepared by: Rodrigo L. Requintina Jr., RCrim, CSP

 Module in ISM : RISK ASSESSMENT AND

MANAGEMENT

 Step 3: The result reveals that the 95% confidence interval for cost
overruns is between $11 million and $12.5 million, with a 70%
probability that the cost will stay below $12 million.

This precise risk estimate allows the project manager to make informed
decisions about budgeting for contingencies and preparing for the likelihood
of cost overruns.

Benefits of Quantitative Risk Analysis

1. Precise Estimates: By using real data and statistical models,

quantitative analysis offers a more precise and objective
understanding of risk, especially in complex situations.
2. Data-Driven Decision Making: Quantitative methods provide
decision-makers with concrete data on the likelihood and impact of
various outcomes, reducing subjectivity in the risk management
process.

3. Resource Allocation: It helps organizations allocate resources

effectively, ensuring that the most significant risks receive the
attention and resources they deserve.

4. Risk Forecasting: Techniques like Monte Carlo simulations allow

organizations to predict risk outcomes over time, giving them a clearer
understanding of what to expect and how to prepare for uncertainties.

5. Financial Risk Management: Quantitative analysis is invaluable for

managing financial risks, such as cost overruns, market fluctuations, or
credit risks, by estimating potential financial impacts and determining
the best mitigation strategies.

Quantitative risk analysis is a powerful tool that enhances the ability to

understand and manage risks by providing a numerical basis for evaluating
risk likelihood and impact. Using statistical models like Monte Carlo
simulations, decision trees, and sensitivity analysis, organizations can make
more informed decisions, optimize resource allocation, and proactively
address potential risks. This method is particularly useful for high-stakes
decisions, where the precise management of risks can make a substantial

9 Prepared by: Rodrigo L. Requintina Jr., RCrim, CSP

 Module in ISM : RISK ASSESSMENT AND

MANAGEMENT

difference in financial outcomes, operational success, and overall

organizational resilience.

Tools and Techniques for Risk Analysis

1. SWOT Analysis
o Evaluates internal and external factors influencing risks by
categorizing them into:

 Strengths: Internal capabilities that reduce risks.

 Weaknesses: Internal vulnerabilities that increase risks.

 Opportunities: External factors that can be leveraged.

 Threats: External risks that may harm the organization.

o Example: A logistics company identifies weaknesses in its

supply chain during a SWOT analysis.

2. PESTLE Analysis

o Analyzes external macro-environmental factors influencing risks,

categorized into:

 Political: Government policies, regulations, stability.

 Economic: Market trends, inflation, exchange rates.

 Social: Demographic shifts, cultural attitudes.

 Technological: Innovations, cybersecurity threats.

 Legal: Compliance requirements, liability risks.

 Environmental: Climate change, natural disasters.

o Example: A manufacturing company uses PESTLE to assess risks

associated with shifting environmental regulations.

3. Bowtie Analysis
10 Prepared by: Rodrigo L. Requintina Jr., RCrim, CSP
 Module in ISM : RISK ASSESSMENT AND

MANAGEMENT

o A visual tool that maps:

 Causes: Factors leading to the risk event.

 Consequences: Potential outcomes of the risk event.

 Controls: Measures to prevent the event or mitigate its

impact.

o Example: A healthcare organization uses bowtie analysis to

evaluate the risks of patient data breaches.

Risk Evaluation: Criteria and Methods

Risk evaluation determines the significance of identified risks and helps

prioritize them for action.

1. Tolerance Levels
o Defines the organization’s acceptable level of risk exposure,
often linked to its risk appetite and strategic objectives.

o Example: A financial institution may have a low tolerance for

cybersecurity risks but higher tolerance for market fluctuations.
2. Prioritization Techniques

o Ranks risks based on their likelihood, impact, and organizational

priorities.

o Techniques:

 Risk Scoring: Assigns scores to risks based on predefined

criteria.

 Pareto Analysis (80/20 Rule): Focuses on the small

percentage of risks that cause the majority of issues.

 Cost-Benefit Analysis: Evaluates the cost of risk mitigation

measures against the benefits of reducing risk.

11 Prepared by: Rodrigo L. Requintina Jr., RCrim, CSP

 Module in ISM : RISK ASSESSMENT AND

MANAGEMENT

o Example:

 A construction firm prioritizes high-impact risks, such as

equipment failure, over low-impact risks, like minor delays
in material delivery.

By employing both qualitative and quantitative approaches, leveraging

analytical tools, and setting clear evaluation criteria, organizations can make
informed decisions about which risks to address first and how to allocate
resources effectively.

12 Prepared by: Rodrigo L. Requintina Jr., RCrim, CSP