Reason #2: Level of Granularity
There is a second reason why the distinction between quantitative and qualitative RA matters: the level of granularity required by the organization for the RA process. Since the purpose of RA is to optimize investments of limited resources in risk mitigation strategies, the output of the RA process needs to be granular enough to support the specific choices that have to be made, as well as the decision-making processes of the organization.
Let’s again consider a simple 3-tier risk classification scheme, where:
“Low” represents a risk with an expected loss of 0-$100,000 per year,
“Medium” represents a risk with an expected loss greater than $100,000 and less than $1M per year, and
“High” represents a risk with an expected loss of $1M or greater.
Now suppose we are considering a “Medium” risk. If all we know about the expected loss of this risk is what we get from the qualitative label “Medium,” then all we know is that the expected loss is somewhere between $100K and $1M, but we don’t know the expected loss with any degree of precision. For all we know, the expected loss could be $101K; it could also be $999K. Based upon the set of specific risks and proposed mitigating controls, this may or may not be a problem. If the proposed control costs only $10K (and does not itself create other risks to the organization), then the mitigating control would be a no-brainer (and a qualitative approach would be sufficient). But suppose instead that the proposed control costs $350K. In that case, the qualitative approach may not be sufficient. If we truly don’t know the expected loss for the risk in question, we have no reason for assuming that the proposed control costs less than the risk (expected loss) itself. In that case, a quantitative RA may be needed.
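The following Python is an added example, not part of the original post, that mechanizes the decision rule described above. It encodes the post's 3-tier scheme as bands and asks, for a given control cost, whether the qualitative label alone settles the question (the control costs less than any loss the band can contain, or more than any loss it can contain) or whether the answer falls inside the band and a quantitative estimate is needed. The band boundaries are encoded as an assumption about how the post's wording is read (Low includes exactly $100K; High starts at exactly $1M), and the point-estimate comparison in `quantitative_worth_it` is a simple expected-loss-versus-cost test, not a method the post itself prescribes.

```python
"""Does a qualitative risk band carry enough granularity to decide on a control?

Added example. Bands follow the post's 3-tier scheme; the exact boundary
treatment (Low: 0 to 100K inclusive, Medium: strictly between 100K and 1M,
High: 1M or more) is an assumption about how the post's wording is read.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Band:
    name: str
    low: float                 # smallest expected annual loss the band can hold
    high: Optional[float]      # largest expected annual loss; None = unbounded
    high_inclusive: bool       # whether `high` itself belongs to this band


BANDS = (
    Band("Low", 0.0, 100_000.0, high_inclusive=True),
    Band("Medium", 100_000.0, 1_000_000.0, high_inclusive=False),
    Band("High", 1_000_000.0, None, high_inclusive=False),
)

ADOPT = "adopt: control costs no more than any loss the band can hold (qualitative RA suffices)"
REJECT = "reject: control costs at least as much as any loss the band can hold (qualitative RA suffices)"
QUANTIFY = "undetermined: control cost falls inside the band; a quantitative RA is needed"


def band_for(expected_loss: float) -> Band:
    """Map a quantified expected annual loss onto the qualitative label."""
    if expected_loss < 0:
        raise ValueError("expected loss cannot be negative")
    for band in BANDS:
        if band.high is None:
            return band
        if expected_loss < band.high or (band.high_inclusive and expected_loss == band.high):
            return band
    raise AssertionError("unreachable: last band is unbounded")


def decide(control_cost: float, band: Band) -> str:
    """Decide on a control using only the qualitative band, if that is possible.

    The control is assumed not to introduce risks of its own (the post's caveat).
    """
    if control_cost < 0:
        raise ValueError("control cost cannot be negative")
    if control_cost <= band.low:
        return ADOPT                      # cheaper than every loss in the band
    if band.high is not None and control_cost >= band.high:
        return REJECT                     # dearer than every loss in the band
    return QUANTIFY                       # the label is not granular enough


def quantitative_worth_it(expected_loss: float, control_cost: float) -> bool:
    """Point-estimate comparison: adopt when the loss avoided exceeds the cost.

    Assumes the control eliminates the expected loss entirely (a simplification).
    """
    return expected_loss > control_cost


if __name__ == "__main__":
    medium = BANDS[1]
    for cost in (10_000, 350_000, 1_000_000):
        print(f"Medium risk, ${cost:,} control -> {decide(cost, medium)}")
    # Same band, two loss figures the post mentions, opposite quantitative answers.
    for loss in (101_000, 999_000):
        print(f"  loss ${loss:,} vs $350,000 control -> adopt={quantitative_worth_it(loss, 350_000)}")
```

Running the script shows the post's three cases side by side: a $10K control against a "Medium" risk is adopted on the label alone, a $1M control is rejected on the label alone, and a $350K control is undetermined until an actual figure is supplied, at which point $101K and $999K give opposite answers.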
Conclusion
Because the qualitative vs. quantitative debate is so controversial, I want to emphasize that the preceding arguments are not intended to be arguments for the conclusion that quantitative RA is always (or even often) superior to qualitative RA. On the contrary, my opinion may be summed up as: “it depends.” The decision to choose a quantitative or a qualitative RA approach depends upon the number of risks to be evaluated, how closely the risks fit together, whether the output of a qualitative RA approach is granular enough to satisfy the needs of decision makers, organizational culture, and so forth. What I have argued is that the distinction between quantitative and qualitative RA matters, but not for the reasons that are often given.
One Comment
Jeff Lowder’s work is great and really outstanding. I would, however, criticise it on the grounds of lack of evidence (references). I am an academic and we believe in peer reviews. If Jeff could add some references to his article, that will be excellent. I guess this applies to other writers too.