How to perform an easy Quantitative Risk Analysis

Measuring Risk

The definition of risk is: risk = likelihood x impact. This formula makes some sense but is abstract, and it needs an impact chart to demonstrate the risk. I am going to propose a more natural and intuitive way to come up with a risk definition that we can easily apply. In fact, we do this calculation every day in our heads.

Intuitive Risk Formula

( impact + probability ) / risk components = risk

So go ahead and ask yourself: what is at risk for my business? Specifically, we will address data loss and the impact it would have on your business.

Let’s run through some scenarios.

What is the Probability?

1. What is the risk that my business information will be compromised (lost, stolen or unintentionally destroyed)?

Now let’s assign values based on high being 10 and low being 1.

Now, the likelihood is based on your current environment. Do you have a loose or a very tightly organized workflow? What types of controls are in place to prevent loss from happening, and so on? Or is it somewhere in the middle? I am going to rate this as a likelihood factor of 7 (as an example).

Probability

None…………….…………….………..…………………….X………….…..………….Definitely

           1          2          3          4          5          6          7          8          9          10

Now let’s look at Impact.

2. What are the consequences of losing data? Ask questions like:

Is my business highly regulated or not regulated?

Are we handling other people’s information?

Can this impact our business from a legal perspective?

Can we lose money?

Could this damage your business reputation and cause a loss of business because people won’t trust you?

And so on…

So let’s use this chart. The impact would be low if you don’t have any data that contains sensitive information and there are no consequences if your information was lost, stolen or destroyed. But, what if you had some confidential information that could pose consequences?

Consequences

None………………….………….……………………..X………………..…..….……..Tremendous

          1          2          3          4          5          6          7          8          9          10

There would be some consequences to our business so my rating would be 6.

Calculating Risk

Now we need to combine these numbers to develop our risk score. Let’s plug in the numbers. We defined our probability as 7 and our impact as 6.5, so we add them and divide by the number of risk components, which is 2 (probability and impact), and that determines our risk score.

( impact + probability ) / risk components = risk

(7 + 6.5) / 2 = 6.75

The easiest way is to average these numbers together. This provides us with a risk score of 6.75, and putting it on the scale gives us a risk rating of medium to medium high.

Risk

Low………………………………………………..…..…X……………….…..….…..…High

         1          2          3          4          5          6          7          8          9          10
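
The averaging formula above, applied to a small risk register and compared with the likelihood x impact definition from the start of the article. This is an added example, not the author's own code; the scenario names and all ratings except 7 and 6.5 are constructed, and the square root is an assumption used only to put the product back on the 1 to 10 scale.

```python
import math
from typing import Callable, NamedTuple

SCALE_MIN, SCALE_MAX = 1, 10  # the page's rating scale: 1 = low, 10 = high


class Scenario(NamedTuple):
    name: str
    probability: float
    impact: float


def _rating(value: float) -> float:
    """Reject ratings that fall off the 1-10 scale."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"rating {value} is outside {SCALE_MIN}-{SCALE_MAX}")
    return value


def averaged_risk(*components: float) -> float:
    """The page's formula: sum of the component ratings / number of components."""
    if not components:
        raise ValueError("at least one risk component is required")
    return sum(_rating(c) for c in components) / len(components)


def product_risk(probability: float, impact: float) -> float:
    """likelihood x impact; the square root only maps 1-100 back onto 1-10."""
    return math.sqrt(_rating(probability) * _rating(impact))


def rank(register: list[Scenario], score: Callable[[float, float], float]) -> list[str]:
    """Scenario names ordered from highest to lowest score."""
    ordered = sorted(register, key=lambda s: score(s.probability, s.impact), reverse=True)
    return [s.name for s in ordered]


# Constructed register; only the first row uses the page's ratings (7 and 6.5).
REGISTER = [
    Scenario("business data compromised", 7, 6.5),
    Scenario("frequent minor leak", 10, 1),
    Scenario("rare catastrophic breach", 2, 10),
    Scenario("moderate on both", 5, 5),
]

if __name__ == "__main__":
    print("page example:", averaged_risk(7, 6.5))
    print("by average  :", rank(REGISTER, averaged_risk))
    print("by product  :", rank(REGISTER, product_risk))
```

The two methods agree on the top item but order the lopsided scenarios differently, because averaging lets one high rating offset a low one while the product does not.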
