Qualitative vs Quantitative Risk Assessments


A risk assessment is risk management applied at a single point in time: the moment at which a company examines its threat landscape to see whether new threats have arisen, whether old threats are still relevant, and how best to mitigate them. For optimal organizational efficiency it is critical that risk assessments are planned and take place at regular intervals; that ongoing initiative is what we call risk management.

How do risk assessments provide value to your organization?

  • Reduces the chances of a security breach or stolen information, as it allows companies to react more quickly to potential threats
  • Saves money
  • Better prepares a company to handle adverse situations
    • Prevents reputational loss associated with a security breach
  • Identifies threats and opportunities
  • Assists with improving organizational security posture
  • Instills a more proactive organizational mindset rather than a reactive approach

Qualitative risk assessments

Qualitative risk assessments centre on the probability of a risk occurring and the impact it would have on the organization (e.g. financial, reputational, etc.). Another common aspect of qualitative risk assessments is the categorization of the risks, either based on the source of the risk/vulnerability or the effect the risk/vulnerability will have on the organization or stakeholders that it concerns.

An effective qualitative risk assessment relies on the risk assessor’s experience within their industry and in risk management, and on their knowledge of their organization’s strengths, weaknesses, opportunities and threats. This dependency is a result of the subjective rating system used in qualitative assessments. However, with a solid risk management process and experienced risk assessors, the subjective rating system does not diminish the value of the assessment’s results.

Quantitative risk assessments

Unlike qualitative risk assessments, quantitative risk assessments require measurable and objective data for determining asset value, probability and risk values. For example, let’s say you’re in the retail industry and you have a risk scenario that leads to thousands of customers’ credit card information being released. A quantitative risk assessment would attach a monetary value to the losses the company would experience through this data leak and determine the probability of it occurring based on past occurrences within the organization or industry. While a quantitative risk assessment process provides a more accurate reflection of an organization’s risks and their potential impact, it is most often very difficult to implement, or impractical, for many organizations because of the data it requires.
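To make the contrast concrete, the following Python example (added here; it is not part of the original article) scores the retail card-data scenario both ways: a subjective probability/impact rating combined through a category matrix, and an objective expected annual loss derived from a monetary loss figure and the rate of past occurrences. The matrix thresholds, the loss figure and the incident counts are constructed assumptions, not measured data.

```python
"""Qualitative and quantitative views of the same risk scenario.

Constructed example: every number below is illustrative, not a real measurement.
"""


def qualitative_rating(probability: int, impact: int) -> str:
    """Qualitative view: subjective 1-5 ratings combined into a category.

    The thresholds (Low < 8 <= Medium < 15 <= High) are an assumed matrix;
    a real programme would set them to suit its own risk appetite.
    """
    if not (1 <= probability <= 5 and 1 <= impact <= 5):
        raise ValueError("probability and impact must be integers from 1 to 5")
    score = probability * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def events_per_year(past_events: int, observation_years: float) -> float:
    """Quantitative view: probability estimated from past occurrences.

    Without an observation period there is no objective basis for a rate,
    which is exactly the data requirement the article warns about.
    """
    if observation_years <= 0:
        raise ValueError("observation period must cover at least part of a year")
    return past_events / observation_years


def expected_annual_loss(loss_per_event: float, past_events: int,
                         observation_years: float) -> float:
    """Monetary loss per event scaled by how often such events have occurred."""
    return loss_per_event * events_per_year(past_events, observation_years)


if __name__ == "__main__":
    # Constructed retail scenario: card data of thousands of customers leaked.
    print("Qualitative :", qualitative_rating(probability=4, impact=5))
    # Assumed cost of one leak (notification, card reissue, fines, remediation)
    # and two comparable incidents observed across the industry in eight years.
    print("Quantitative: %.0f per year" % expected_annual_loss(250_000.0, 2, 8))
```

Running the two functions on the same scenario shows why the quantitative figure is more informative for budgeting but harder to obtain: the qualitative category needs only the assessor's judgement, while the monetary figure is only as good as the loss estimate and the incident history behind it.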