Qualitative methods are based on subjective judgments and opinions of experts, stakeholders, or other sources of information. They use descriptive scales, such as high, medium, or low, to rank the likelihood and impact of risks. Qualitative methods are useful when you have limited data, time, or resources, or when you want to capture the perceptions and preferences of your audience. However, qualitative methods can also be prone to biases, inconsistencies, and ambiguities, and they may not reflect the actual probabilities or consequences of risks.
Qualitative methods of risk impact assessment is common in a place where there is little/limited data to analyze effectively for the likelihood of the risk impact. Low, medium and high are common terms use to gauge the impact of risk and some place colour code are used symbolically, yellow, orange and red.
I'd advise against this for measuring impact (see my comments below). It might be useful for gaining some insight into likleihood, especially if no actual historical data is available or useful.
I would like to present another perspective to qualitative methodology. Impact to the organization goes well beyond quantitative. It may not be subjective as suggested in the narrative. There are situations whereby it is no longer necessary to work out the quantitative aspect of the impact - for example the loss of a license to operate in the jurisdiction, the breaching of a key legal requirement, unavailability of key operations that cripple all activities etc. Whilst it may be completely possible to work out the numbers, it would defeat the purpose as these are naturally survival issues for the company. It would be easier to simply use qualitative methodology here.
Quantitative methods are based on numerical data and calculations, such as probabilities, frequencies, costs, or losses. They use mathematical models, such as formulas, algorithms, or simulations, to estimate the likelihood and impact of risks. Quantitative methods are useful when you have reliable data, time, and resources, or when you want to measure the exact or expected values of risks. However, quantitative methods can also be complex, costly, and time-consuming, and they may not account for the uncertainties or variations of risks.
I think this is more useful for measuring impact, ideally over a number of criteria, using consistent parameters. It takes away the subjectivity that can often occur. It's more problematic for likelihood though, as there is always an element of subjectivity about likelihood as you're usually trying to predict the future, unless you can rely soley on historical data.
A good approach and probably the most common approach would be to make use of historical data. This would make sense if the data have been well within a normalised range. However if the data has been lumpy, it would perhaps make sense to see if there are distinctive patterns that contribute to its lumpiness. In the absence of that, one may decide to average out the numbers or to take the most likely case(I prefer the latter) - this can be profit or revenue(especially if there are years of losses) numbers. I would say that companies with distinctively normalized ranges for their annual numbers would work easily with this - as the subsequent years would be typically be about the same as the previous years barring major macro factors.
Qualitative and quantitative methods have different advantages and disadvantages, and they can complement each other in various situations. For example, you can use qualitative methods to identify and prioritize the most relevant risks, and then use quantitative methods to analyze and evaluate the selected risks in more detail. Or, you can use quantitative methods to generate and validate the data for qualitative methods, and then use qualitative methods to communicate and present the results to your audience. The choice of methods depends on your objectives, scope, and resources.
One of the best ways to work with the methods is to identify those who fall under qualitative and deal with those first. The reason is that these are typically clear cut and the organization would need to handle these catastrophic or major incidents. The rest of the situations will be measured quantitatively. The quantitative process is expensive and labor intensive. In both methodologies, it is important to consider the likelihood. Impact consideration for qualitative approach may be descriptive like regulatory, legal, reputational, operational etc. Qualitative impact would normally be a percentage of the revenue/profit numbers for the determination of a scale.
To combine qualitative and quantitative methods, you need to establish a common framework and criteria for risk assessment. For instance, you can use a risk matrix, which is a tool that plots the likelihood and impact of risks on a grid with predefined levels and colors. Assign qualitative labels, such as low, medium, or high, to each level, and then quantify them with numerical ranges, such as 0-10%, 11-50%, or 51-100%. This way, you can compare and contrast the risks using both qualitative and quantitative indicators.
In order to apply qualitative and quantitative methods, you must adhere to a systematic process that includes defining the scope and objectives of your risk assessment and identifying the sources and types of risks that could affect your business. You must also collect and analyze data and information for each risk, using qualitative and/or quantitative methods to assess the likelihood and impact of each risk. Then, rank and prioritize the risks based on their severity and urgency, and document and report the results and recommendations of your risk assessment.
To improve qualitative and quantitative methods, review and update your risk assessment regularly, and incorporate feedback and lessons learned from your experience. You also need to ensure that your methods are consistent, transparent, and accurate, and that they reflect the current and future conditions of your business environment. Use tools and techniques, such as surveys, interviews, workshops, checklists, scenarios, or sensitivity analysis, to enhance your data collection and analysis, and to validate and verify your results.
In my experience, combining qualitative and quantitative methods provides a balanced view of risk assessment. Qualitatively, I gather insights through discussions with stakeholders, analyzing historical data, and brainstorming potential scenarios. This helps capture nuances like operational challenges or reputational risks that numbers might miss. Quantitatively, I use metrics like probability scores, financial modeling, and data trends to measure risks' likelihood and impact precisely. Integrating both approaches not only refines accuracy but also highlights improvement areas. For instance, data-driven insights often reveal gaps in existing controls, while qualitative analysis offers actionable solutions.
Yes, but you have to start somewhere, right? I think the key is consistency, so that whatever you do leads you to an understanding about your risks in a way that adds value to decision-making about risk treatments and controls.
Likelihood doesnt change easily i.e. it changes over a long time. 12-13 years ago, the likelihood of a Pandemic used to be even lower than very low. Then, Swine Flu Pandemic occurred and my clients wanted to see my updated risk register where the likelihood for the Pandemic should have changed. But I didnt, with this explanation was-'Pandemics occur once in 30-50 years, and perhaps we were in 30th-50th year since the last one, so it happened. We would have to see 2-3 more Pandemics occurring at a faster frequency." Now, Covid-19 Pandemic has occurred within 10 years of the last one, the likelihood doesnt change yet. At the most increase impact value if you want to give more importance to it to make it yellow or red on your heat diagram.
If using quantitative approaches you need to be sure that the data you are using is a reliable predictor of of likelihood and scale of impact. Impact can be understood by understanding the different scale of impacts felt when the risk manifests itself - in other words, "how bad can it get? " Often judgement ( a qualitative approach ) may be better as a means of achieving consensus on both impact and likelihood when reliable data is scarce. Also consider that likelihood also increases with intrinsic exposure and that exposure can change over time. Understanding CURRENT levels of exposure can assist in better anticipating whether likelihood may be increasing or decreasing and responding accordingly