Under modern occupational risk management (ORM), the primary differences between risk assessment and risk measurement are:
Where sufficient hard data is available, risk measurement is often more reliable than risk assessment. However, developing a theoretically valid method of combining hard data and soft data is a very difficult process (OpRisk Advisory and Towers Perrin, 2010).
Although the key stages of risk management frameworks and processes have not changed, the methods and procedures within each stage are evolving (as illustrated in the table below). The assessment of risk has shifted from assessing one risk type at a time to assessing multiple risk events and classes together.
Summary of differences between traditional and modern ORM
Source: OpRisk Advisory and Towers Perrin, 2010.
Risk assessment methodologies
While the taxonomy of various risk assessment methods and risk management frameworks differs, their features are fundamentally the same. What’s more, current approaches to risk assessment and risk management often reduce risks to their constituent components for analysis such as:
The drawbacks of risk assessment, to a large extent, relate to the subjective estimation of the risk values (the UK National Cyber Security Centre, 2016).
Several prominent risk assessment frameworks exist in the cybersecurity risk management space, such as NIST SP 800-30, OCTAVE, FAIR, TARA, and ISACA’s COBIT 5. Enterprises are expected to use these industry-accepted frameworks, as developing their own approaches is likely to introduce gaps that skew the understanding of risk. Industry-accepted frameworks are also more readily accepted by assessment and audit groups, which review a risk assessment’s compliance.
Conducting a risk assessment can be a lengthy and complex process, hence it is best to split your risk assessment into defined areas of the organisation. This could be a physical location, such as a call centre, or a business process, such as order fulfilment (according to TechTarget).
The most important advantages and disadvantages of quantitative and qualitative risk analysis
Source: Rot, 2008
An enterprise’s risk assessment methodology usually comprises a combination of qualitative and quantitative techniques. Qualitative techniques are used when risks are not quantifiable, or when sufficient credible data required for quantitative analysis is either not practicably available or too costly to obtain or analyse. Quantitative techniques are typically more precise and are used in more complex activities to supplement qualitative techniques. Business units within the enterprise should choose their own techniques that reflect the need for precision and the culture of the business unit. However, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and TechTarget, their choices of techniques should facilitate the enterprise-wide assessment of risks:
Modern risk management frameworks, such as Basel III, COSO, MIL-STD-882 or Solvency II, require integrated approaches, combining subjective and data-driven risk assessment approaches that are balanced and complementary. The weight assigned to each approach depends on the degree of confidence placed in each set of information. Integrated approaches are necessary when assessing rare risks with extreme impact, such as the World Trade Center attack or the tsunami events of 2004 and 2011 (Mirzai & Makarov, 2005).
In terms of the sources of risk, in relation to the boundary of the organisation, there are two broad forms of risk, internal and external:
(Investopedia, 2015)
External risk assessment
Mostly requires a large amount of data, as most external risks are systemic to an economic system and therefore outside the control of the organisation. You can assess external risks with either qualitative or quantitative methods.
Internal risk assessment
Is more specific and controllable. Companies use ORM to assess the risk of loss from inadequate business decisions. Compliance risk assessment is crucial in tightly controlled industries, such as banking or agriculture. Internal audit risks are essential for publicly traded companies.
ORM tends to use only simplistic mathematical modelling, as the assignment of more detailed values (e.g. estimates of frequency, severity, vulnerability and other model assumptions) has become arbitrary, and the results are misleading through unsubstantiated pretensions of accuracy (Sparrow, 2000). In general, high-impact incidents should be assessed with quantitative or semi-quantitative risk assessment methods (Cioca, BĂBUŢ & Moraru, 2016). This is in line with the justified return on investment for deploying additional resources on sophisticated assessment methods.