Under modern occupational risk management (ORM), the primary differences between risk assessment and risk measurement are:
- the types of data used, and
- the way parameters are derived.
Where sufficient hard data is available, risk measurement is often more reliable than risk assessment. However, developing a theoretically valid method of combining hard data and soft data is a very difficult process (OpRisk Advisory and Towers Perrin, 2010).
Although the key stages of risk management frameworks and processes have not changed, the methods and procedures within each stage are evolving (as illustrated in the table below). The assessment of risk has shifted from one risk-per-risk type at a time, to multiple risk events and classes.
Summary of differences between traditional and modern ORM
Source: OpRisk Advisory and Towers Perrin, 2010.
Risk assessment methodologies
While the taxonomy of various risk assessment methods and risk management frameworks differs, their features are fundamentally the same. What’s more, current approaches to risk assessment and risk management often reduce risks to their constituent components for analysis such as:
- and exposure.
The drawbacks of risk assessment, to a large extent, relate to the subjective estimation of the risk values (the UK National Cyber Security Centre, 2016).
Some prominent risk assessment frameworks are in the cybersecurity risk management space, such as the NIST SP 800-30, OCTAVE, FAIR, TARA, and ISACA’s COBIT 5. Enterprises are expected to use the industry-accepted frameworks, as developing their own approaches is likely introduce missing segments that might skew the understanding of risk. They are also more readily accepted by assessment and audit groups, which review a risk assessment’s compliance.
Conducting a risk assessment can be a lengthy and complex process, hence it is best to split your risk assessment into defined areas of the organisation. This could be a physical location, such as a call centre, or a business process, such as order fulfilment (according to TechTarget).
The most important advantages and disadvantages of quantitative and qualitative risk analysis
Source: Rot, 2008
An enterprise’s risk assessment methodology usually comprises a combination of qualitative and quantitative techniques. Qualitative techniques are used when risks are not quantifiable or when sufficient credible data required for quantitative analysis is either not practicably available, or obtaining or analysing this data proves ineffective from a cost perspective. Quantitative techniques are typically more precise and used in more complex activities to supplement qualitative techniques. Business units within the enterprise should choose their own techniques that reflect the need for precision and the culture of the business unit. However, according to the Commission of Sponsoring Organizations of the Treadway Commission (COSO) and TechTarget, their choices of techniques should facilitate the enterprise-wide assessment of risks:
- Qualitative risk approaches: A typical example is high, medium and low risk ratings of an incident. It categorises potential risks based on either nominal or ordinal scales. You calculate the actual score by multiplying the frequency (likely, may occur, not likely, and very unlikely), and severity (high, medium and low) values, which you determine through expert opinion. The formal processes for obtaining expert opinion, such as the Delphi technique, provide consistency in qualitative information gathering (according to Coastal Wiki).
- Quantitative risk approaches: A typical example is the distribution and Monte Carlo simulation of probabilities and consequences of risk events. Risk models, such as probability analysis, Poisson distributions or Bayesian theory, determine the frequency and severity of potential losses in numerical measures (Coastal Wiki). It is more rigorous and aims to be more objective by using techniques such as benchmarking and probabilistic and non-probabilistic modelling, as seen in the financial services sector.
- Semi-quantitative approaches: A typical example is risk matrices. They are widely used as means to overcome some of the shortcomings of qualitative approaches. They are intended to provide a more detailed prioritisation of risks than qualitative risk assessments, and take the qualitative approach a step further by attributing values or multipliers to the frequency and severity groupings. However, semi-quantitative approaches are not yet standardised, according to ISO 31000 (Australian Government, 2016).
Modern risk management frameworks, such as Basel III, COSO, MIL-STD-882 or Solvency II require integrated approaches, combining both subjective and data driven risk assessment approaches that are balanced and complementary. The weight assigned to each approach is dependent on the degree of confidence given to each set of information. The integrated approaches are necessary when assessing rare risks with extreme impact, such as the World Trade Center or tsunami events (in 2004 and 2011) (Mirzai & Makarov, 2005).
In terms of the sources of risk, in relation to the boundary of the organisation, there are two broad forms of risk, internal and external:
- External risks are those that originate outside of the firm, such as economic trends, government regulation, market competition and consumer taste changes.
- Internal, or firm-specific, risks include employee performance, procedural failure, and faulty or insufficient infrastructure
External risk assessment
Mostly requires a large amount of data, as most external risks are systemic to an economic system, and are therefore outside of the control of the organisation. You can assess external risks with either qualitative or quantitative methods.
Internal risk assessment
Is more specific and controllable. Companies use ORM to assess the risk of loss from inadequate business decisions. Compliance risk assessment is crucial in tightly controlled industries, such as banking or agriculture. Internal audit risks are essential for publicly traded companies.
ORM tends to use only simplistic mathematical modelling, as the assignment of more detailed values (e.g. the estimates of frequency, severity, vulnerability and other model assumptions) have become arbitrary and the results are misleading through unsubstantiated pretensions of accuracy (Sparrow, 2000). In general, high-impact incidents should use quantitative or semi-quantitative risk assessment methods (Cioca, BĂBUŢ & Moraru, 2016). This is in line with the justified return on investment for deploying additional resources on sophisticated assessment methods.