5.2 Risk Analysis
The main objective of risk analysis is to equip decision-makers and organizations with enough information, gathered using different techniques and tools, to make informed decisions on the risks identified, from setting priorities to choosing suitable risk management approaches.
Risk Analysis Approaches
Risk analysis evaluates the likelihood and impact (consequence) of each potential risk and prioritizes these risks, with the level of risk generally determined as:
Risk = Likelihood × Consequence
When risks have been identified, they need to be evaluated, either qualitatively or quantitatively, to determine their level of influence and consequence on the organization. This will ensure that appropriate steps can be planned to mitigate or treat them.
There are several ways to assess a potential risk’s likelihood and impact (consequences), mainly divided into qualitative and quantitative analyses.
Quantitative Risk Analysis: This is an objective approach that uses numerical data, statistical methods, mathematical models and simulations to assign numerical values to risks and to assess and prioritize them.
Qualitative Risk Analysis: This approach relies on a person’s subjective judgment to build a theoretical risk model for a given scenario and uses subjective ratings to evaluate each risk, predicting its likelihood and impact.
Level of Risks and Assessing Controls
Risks are plotted on the ‘Risk Matrix,’ which shows their current level of risk. When analyzing risks, three key levels are considered: inherent risk, current/residual risk, and target risk. These levels provide a comprehensive view of the risk landscape and aid in effective risk management.
Inherent Risk
Inherent risk represents the level of risk before any controls or mitigating actions are implemented. It is the risk that exists in the absence of any countermeasures or safeguards. Assessing inherent risk helps organizations understand the magnitude of potential threats or vulnerabilities if left unaddressed.
Current/Residual Risk
Current risk, also known as residual risk, is the level of risk that remains after considering the existing controls and mitigation measures currently in place. It reflects the risk exposure that the organization is currently accepting or managing with its current risk management practices and control environment.
Target Risk
Target risk represents the desired or acceptable level of risk that an organization aims to achieve or maintain. It is the risk level that aligns with the organization’s risk appetite and tolerance levels. Target risk serves as a benchmark or goal for risk management efforts, guiding the implementation of additional controls or mitigation strategies.
Analyzing these three levels together provides a comprehensive understanding of the risk landscape and enables informed decision-making: the controls already in place are what bring the inherent risk down to the current/residual level, and additional controls bring it down further toward the target level of risk (Figure 5.2.1).
Image Description
Figure 5.2.1: a 5 × 5 risk matrix with Likelihood on the vertical axis and Impact on the horizontal axis; both axes run Very Low, Low, Medium, High, Very High. Each square is noted as Likelihood-Impact and coloured green, yellow or red:

Likelihood \ Impact   Very Low   Low       Medium    High      Very High
Very High             red        red       red       red       red
High                  yellow     yellow    red       red       red
Medium                green      yellow    yellow    red       red
Low                   green      green     yellow    yellow    red
Very Low              green      green     green     yellow    red

Labelled squares: Very High-Very High is noted as Inherent Risk, Medium-Medium as Current Risk, Low-Low as Residual Risk, and Very Low-Very Low as Target Risk.
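A worked version of the matrix and the three risk levels, added here as an example rather than taken from the text: it encodes the Figure 5.2.1 colouring, scores Likelihood × Consequence on an assumed 1..5 ordinal scale, and traces a risk from inherent to current to target as controls are applied. The function and variable names, and the model of a control as a step down the scale on one axis, are assumptions.

```python
# Added example (not from the original text): the 5x5 qualitative risk matrix of
# Figure 5.2.1 and the inherent -> current -> target trace the section describes.
# The 1..5 ordinal scores and the "steps down the scale" model of controls are assumptions.
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]  # score = index + 1

# Row = likelihood, column = impact, both ordered Very Low .. Very High, transcribed
# from the figure. The colouring is impact-weighted, not a threshold on the product.
MATRIX = {
    "Very High": ["red", "red", "red", "red", "red"],
    "High":      ["yellow", "yellow", "red", "red", "red"],
    "Medium":    ["green", "yellow", "yellow", "red", "red"],
    "Low":       ["green", "green", "yellow", "yellow", "red"],
    "Very Low":  ["green", "green", "green", "yellow", "red"],
}

@dataclass(frozen=True)
class Risk:
    likelihood: str
    impact: str

    def score(self) -> int:
        """Risk = Likelihood x Consequence on the assumed 1..5 scale."""
        return (LEVELS.index(self.likelihood) + 1) * (LEVELS.index(self.impact) + 1)

    def band(self) -> str:
        """Colour of this risk's square in the Figure 5.2.1 matrix."""
        return MATRIX[self.likelihood][LEVELS.index(self.impact)]

def apply_controls(risk: Risk, likelihood_steps: int = 0, impact_steps: int = 0) -> Risk:
    """Controls move the risk down the scale on either axis, never below Very Low."""
    li = max(0, LEVELS.index(risk.likelihood) - likelihood_steps)
    ii = max(0, LEVELS.index(risk.impact) - impact_steps)
    return Risk(LEVELS[li], LEVELS[ii])

def within_target(current: Risk, target: Risk) -> bool:
    """True when the current risk is no higher than the target on both axes."""
    return (LEVELS.index(current.likelihood) <= LEVELS.index(target.likelihood)
            and LEVELS.index(current.impact) <= LEVELS.index(target.impact))

def risk_trace(inherent: Risk, target: Risk, control_sets):
    """Apply successive (name, (likelihood_steps, impact_steps)) control sets,
    returning each resulting level and whether the last one meets the target."""
    trace, risk = [("inherent", inherent)], inherent
    for name, (l_steps, i_steps) in control_sets:
        risk = apply_controls(risk, l_steps, i_steps)
        trace.append((name, risk))
    return trace, within_target(risk, target)
```

Tracing Very High-Very High through one control set of two steps on each axis and a second of one step reproduces the figure's Inherent, Current and Residual squares, with the Very Low-Very Low target still not reached.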