Quantitative Risk Assessment Software
Magnhild Mongolo
WHO releases a quantitative assessment of the health impacts of climate change. This constitutes an update and a further development of the assessment that was first published by WHO for the year 2000, now with a wider range of health impacts, and projections for future years.
The assessment takes into account a subset of the possible health impacts, and assumes continued economic growth and health progress. Even under these conditions, it concludes that climate change is expected to cause approximately 250 000 additional deaths per year between 2030 and 2050; 38 000 due to heat exposure in elderly people, 48 000 due to diarrhoea, 60 000 due to malaria, and 95 000 due to childhood undernutrition. Results indicate that the burden of disease from climate change in the future will continue to fall mainly on children in developing countries, but that other population groups will be increasingly affected.
Risk assessment is the overall process of identifying and analyzing risk, and evaluating how it might be modified maintain appropriate levels of safety and to satisfy regulatory and corporate criteria.
A QRA is a formal and systematic approach to estimating the likelihood and consequences of hazardous events, and expressing the results quantitatively as risk to people, the environment or your business. It also assesses the robustness and validity of quantitative results, by identifying critical assumptions and risk driving elements.
You may need to demonstrate acceptable risk levels during the approval of major hazard plant construction plans, or when making significant changes to operations (including plant modification) or manning levels.
QRA studies are typically required for production and processing facilities, high-pressure pipelines, and storage and importation sites, including liquefied natural gas (LNG). They contribute to improved decision-making by highlighting the accident scenarios that contribute most to overall risk. Focusing on these will help you meet acceptability criteria and demonstrate that risks are as low as reasonably practicable (ALARP).
Relationships between assets, processes, threats, vulnerabilities and other factors are analyzed in the risk assessment approach. There are many methods available, but quantitative and qualitative analysis are the most widely known and used classifications. In general, the methodology chosen at the beginning of the decision-making process should be able to produce a quantitative explanation about the impact of the risk and security issues along with the identification of risk and formation of a risk register. There should also be qualitative statements that explain the importance and suitability of controls and security measures to minimize these risk areas.3
Although a qualitative risk analysis is the first choice in terms of ease of application, a quantitative risk analysis may be necessary. After qualitative analysis, quantitative analysis can also be applied. However, if qualitative analysis results are sufficient, there is no need to do a quantitative analysis of each risk.
Quantitative Risk
A quantitative risk analysis is another analysis of high-priority and/or high-impact risk, where a numerical or quantitative rating is given to develop a probabilistic assessment of business-related issues. In addition, quantitative risk analysis for all projects or issues/processes operated with a project management approach has a more limited use, depending on the type of project, project risk and the availability of data to be used for quantitative analysis.10
To conduct a quantitative risk analysis on a business process or project, high-quality data, a definite business plan, a well-developed project model and a prioritized list of business/project risk are necessary. Quantitative risk assessment is based on realistic and measurable data to calculate the impact values that the risk will create with the probability of occurrence. This assessment focuses on mathematical and statistical bases and can express the risk values in monetary terms, which makes its results useful outside the context of the assessment (loss of money is understandable for any business unit).15 The most common problem in quantitative assessment is that there is not enough data to be analyzed. There also can be challenges in revealing the subject of the evaluation with numerical values or the number of relevant variables is too high. This makes risk analysis technically difficult.
There are also some basic (target, estimated or calculated) values used in quantitative risk assessment. Single loss expectancy (SLE) represents the money or value expected to be lost if the incident occurs one time, and an annual rate of occurrence (ARO) is how many times in a one-year interval the incident is expected to occur. The annual loss expectancy (ALE) can be used to justify the cost of applying countermeasures to protect an asset or a process. That money/value is expected to be lost in one year considering SLE and ARO. This value can be calculated by multiplying the SLE with the ARO.17 For quantitative risk assessment, this is the risk value.18
By relying on factual and measurable data, the main benefits of quantitative risk assessment are the presentation of very precise results about risk value and the maximum investment that would make risk treatment worthwhile and profitable for the organization. For quantitative cost-benefit analysis, ALE is a calculation that helps an organization to determine the expected monetary loss for an asset or investment due to the related risk over a single year.
In this case, the organization has an annual risk of suffering a loss of US$100,000 for hardware or US$25,000 for software individually in the event of the loss of its virtualization system. Any implemented control (e.g., backup, disaster recovery, fault tolerance system) that costs less than these values would be profitable.
Using both approaches can improve process efficiency and help achieve desired security levels. In the risk assessment process, it is relatively easy to determine whether to use a quantitative or a qualitative approach. Qualitative risk assessment is quick to implement due to the lack of mathematical dependence and measurements and can be performed easily. Organizations also benefit from the employees who are experienced in asset/processes; however, they may also bring biases in determining probability and impact. Overall, combining qualitative and quantitative approaches with good assessment planning and appropriate modeling may be the best alternative for a risk assessment process (figure 2).20
Has more than 20 years of professional experience in information and technology (I&T) focus areas including information systems and security, governance, risk, privacy, compliance, and audit. He has held executive roles on the management of teams and the implementation of projects such as information systems, enterprise applications, free software, in-house software development, network architectures, vulnerability analysis and penetration testing, informatics law, Internet services, and web technologies. He is also a part-time instructor at Bilkent University in Turkey; an APMG Accredited Trainer for CISA, CRISC and COBIT 2019 Foundation; and a trainer for other I&T-related subjects. He can be reached at vol...@evrin.net.
Effective risk analysis and management are fundamental to project success. Irrespective of the size or scale of your project, delivering it on time and within budget (not to mention preserving stakeholder confidence) is impossible if you don't take the time to identify, analyze, categorize, prioritize, and gauge the impact of external risks before work commences.
Two well-established methodologies dominate risk analysis: qualitative and quantitative. Yet, despite their universality, a surprising number of people within the project management bubble struggle to understand how best to deploy these methodologies.
Qualitative risk analysis tends to be more subjective. It focuses on identifying risks to measure both the likelihood of a specific risk event occurring during the project life cycle and the impact it will have on the overall schedule should it hit.
The goal is to determine severity. Results are then recorded in a risk assessment matrix (or any other form of an intuitive graphical report) in order to communicate outstanding hazards to stakeholders.
The typical expression of uncertainty is in multiplicative terms such as 90%, 105%, and 120%, where the most likely value is expressing a 5% correction for optimistic bias in the durations of the schedule analyzed.
Quantifying an identified risk using Risk Drivers represents the probability that the risk will occur on this project and the impact the risk has on the duration of the activities it affects if it occurs.
Impact percentage is a multiplicative factor chosen from a probability distribution (e.g., 90%, 100%, 120%). Due to proportionality, the multiplicative factor can be applied to long and short duration activities equally.
The quantitative approach to risk analysis is better for managing the risk of modern projects. It provides a better means of understanding how risk and uncertainty affect project outcomes. But that doesn't mean that qualitative risk analysis is totally useless.
Fortunately, as technology has evolved, so too has the way we perform quantitative risk analysis. New tools are available to help improve the validity of your risk analysis and understand the steps needed to mitigate potential issues.
Safran Risk provides best-in-class quantitative risk analysis, resulting in the best possible insight into the risks and their potential impact on the successful execution of your project or portfolio.
Safran Risk gives you all the data you need to perform effective analysis from a single platform.
Safran Risk Manager is a powerful qualitative risk analysis platform that has earned its place in the project control community.