Jeff Lowder

The Difference between Quantitative and Qualitative Risk Analysis and Why It Matters (Part 3)

As we saw in part 2 of this series, some of the traditional arguments used for distinguishing between quantitative and qualitative risk analysis (RA) are based upon dubious assumptions. Many writers assume that “quantitative” equals objective and numerical, while “qualitative” equals subjective and non-numerical. This is incorrect, however. Both quantitative and qualitative RA are compatible with objective and subjective approaches. Additionally, both types of RA must be numerical in order to be meaningful. So if the quantitative-qualitative distinction isn’t significant because one is objective and numerical while the other is subjective and non-numerical, then why does the distinction matter?

Reason #1: Rare But Catastrophic Threats

The expected value for events in general trends towards medium. High impact, low probability events end up having roughly the same expected utility (risk) as low impact, high probability events. This phenomenon affects both qualitative and quantitative RA. To see why, let’s examine a quantitative RA example first. Consider an ALE approach to comparing two risks. From an ALE perspective, a risk that involves a $5,000,000 loss expected once every 100 years is equivalent to a $50,000 loss expected once a year. As for qualitative RA, imagine a simple 3×3 risk matrix. The majority of the cells will fall into the middle category, 1 corner will fall into the lowest interval, and another corner will fall into the highest interval. In both the quantitative and qualitative examples just given, it is unclear, on the basis of RA, how to prioritize risks competing for the same limited security investment.

Nevertheless, it seems quite likely that this problem is more of a problem for qualitative RA than it is for quantitative RA, simply because qualitative RA tends to aggregate things into a very small number of categories, whereas it is unlikely that the expected utility (risk) of two different outcomes, as measured quantitatively, will be precisely equal. In other words, one reason the distinction between quantitative vs. qualitative RA matters is because, in some situations, quantitative RA makes it easier to prioritize risks.

One Comment

  1. Tekena Sukubo May 27, 2009 at 8:24 am | Permalink

    Jeff Lowder’s work is great and really outstanding. I would however, criticise it on the grounds of lack of evidence (references). I am an academic and we believe in peer reviews. If jeff could add some references to his article, that will be excellent. I guess this applies to other writers too.

Post a Comment

Your email is never published nor shared. Required fields are marked *