What are the basic formulas used in quantitative risk assessment?

Project managers should be prepared to perform different types of risk analysis. For many projects, the quicker qualitative risk assessment is all you need. But there are occasions when you will benefit from a quantitative risk analysis.

Let’s take a look at this type of analysis: What is it? Why should we perform it? When should it be performed? And how do we quantify risks?

What is Quantitative Risk Analysis?

Quantitative risk analysis is a numeric estimate of the overall effect of risk on the project objectives, such as the cost and schedule objectives. The results provide insight into the likelihood of project success and are used to develop contingency reserves.


Individual risks are evaluated in the qualitative risk analysis. The quantitative analysis then allows us to evaluate the overall project risk from those individual risks plus other sources of risk.

Better Business Decisions

Business decisions are rarely made with all the information or data we desire. For more critical decisions, quantitative risk analysis provides more objective information and data than the qualitative analysis. Keep in mind: While the quantitative analysis is more objective, it is still an estimate. Wise project managers consider other factors in the decision-making process.

Better Estimates

A project manager estimated a project's duration at eight months with a cost of $300,000. The project actually took twelve months and cost $380,000. What happened?

The project manager did a Work Breakdown Structure (WBS) and estimated the work. However, the project manager failed to consider the potential impact of the risks (good and bad) on the schedule and budget.

First, we identify risks. Then we can evaluate the risks qualitatively and quantitatively.

Consider using Quantitative Risk Analysis for:

  • Projects that require a Contingency Reserve for the schedule and budget.
  • Large, complex projects that require Go/No Go decisions (the Go/No Go decision may occur multiple times in a project).
  • Projects where upper management wants more detail about the probability of completing the project on schedule and within budget.

What is the Difference Between Qualitative and Quantitative Risk Analysis?

Quantitative Risk Assessment Tools & Techniques

Quantitative Risk Analysis tools and techniques include but are not limited to:

  • Three Point Estimate – a technique that uses the optimistic, most likely, and pessimistic values to determine the best estimate.
  • Decision Tree Analysis – a diagram that shows the implications of choosing one or other alternatives, each branch weighted by its probability and cost.
  • Expected Monetary Value (EMV) – probability multiplied by impact, summed across the risks; used to establish the contingency reserves for a project budget and schedule.
  • Monte Carlo Analysis – a technique that draws repeatedly from the optimistic, most likely, and pessimistic estimates to build a distribution of total project cost and project completion dates. For example, we could estimate the probability of completing a project at a cost of $20M. Or what if a company wanted an 80% probability of achieving its cost objectives: what budget is needed to reach 80%?
  • Sensitivity Analysis – a technique used to determine which risks have the greatest impact on a project.
  • Fault Tree Analysis (FTA) – the analysis of a structured diagram which identifies the elements that can combine to cause a system failure.
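As an added example (not from the original article), the following Python script carries the Three Point Estimate and Monte Carlo techniques through on a constructed four-task work breakdown: each task gets optimistic, most likely and pessimistic cost figures, the simulation draws a cost per task from a triangular distribution, and the results answer the two questions posed above, the probability of finishing within a given budget and the budget needed for 80% confidence. The task names, dollar figures, iteration count and seed are all assumptions made for this example.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreePoint:
    """Three-point cost estimate for one work package (dollars)."""
    name: str
    optimistic: float
    most_likely: float
    pessimistic: float

    def pert_mean(self) -> float:
        """PERT weighted estimate: (O + 4M + P) / 6."""
        return (self.optimistic + 4 * self.most_likely + self.pessimistic) / 6

    def sample(self, rng: random.Random) -> float:
        """One simulated outcome: triangular distribution over O..P peaking at M."""
        return rng.triangular(self.optimistic, self.pessimistic, self.most_likely)


# Constructed work breakdown for the example; every figure here is an assumption.
WORK_PACKAGES = [
    ThreePoint("requirements", 40_000, 50_000, 90_000),
    ThreePoint("build", 150_000, 200_000, 400_000),
    ThreePoint("security testing", 30_000, 45_000, 120_000),
    ThreePoint("deployment", 20_000, 25_000, 60_000),
]


def validate(packages):
    """Reject estimates that are not ordered O <= M <= P (triangular() would run, but
    the distribution would be meaningless)."""
    for p in packages:
        if not p.optimistic <= p.most_likely <= p.pessimistic:
            raise ValueError(f"{p.name}: estimates must satisfy O <= M <= P")


def simulate_total_cost(packages, iterations=20_000, seed=1):
    """Monte Carlo: one project total per iteration (sum of one draw per package), sorted."""
    validate(packages)
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    totals = [sum(p.sample(rng) for p in packages) for _ in range(iterations)]
    totals.sort()
    return totals


def probability_within(totals, budget):
    """P(cost <= budget): share of simulated outcomes at or under the budget."""
    return sum(1 for t in totals if t <= budget) / len(totals)


def cost_at_confidence(totals, confidence):
    """Budget at which `confidence` (0..1) of the simulated outcomes come in at or under it."""
    if not 0.0 < confidence <= 1.0:
        raise ValueError("confidence must be in (0, 1]")
    index = min(len(totals) - 1, int(confidence * len(totals)))
    return totals[index]


if __name__ == "__main__":
    totals = simulate_total_cost(WORK_PACKAGES)
    most_likely_sum = sum(p.most_likely for p in WORK_PACKAGES)
    pert_sum = sum(p.pert_mean() for p in WORK_PACKAGES)
    print(f"Most-likely sum:            ${most_likely_sum:>10,.0f}")
    print(f"PERT sum:                   ${pert_sum:>10,.0f}")
    print(f"P(cost <= most-likely sum): {probability_within(totals, most_likely_sum):.1%}")
    print(f"Budget for 80% confidence:  ${cost_at_confidence(totals, 0.8):>10,.0f}")
```

The point the simulation makes is the one in the Better Estimates section: the sum of the most-likely values is usually well below the 50th percentile of the simulated totals, because the pessimistic tails are longer than the optimistic ones, so a budget set from most-likely figures alone has less than an even chance of holding.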

Quantitative Risk Analysis Example

Let’s look at a simple Expected Monetary Value (EMV) example:

Keep in mind that risks include both threats and opportunities. Threats have adverse impacts on cost. Opportunities are benefits that reduce cost. Expected Monetary Value = Probability x Impact.

Risk               Probability   Cost Impact   EMV
A (Threat)         20%           $100,000      $20,000
B (Opportunity)    40%           ($10,000)     ($4,000)
C (Threat)         30%           $50,000       $15,000
Total EMV                                      $31,000

Notice we subtracted the benefit of the Opportunity from the EMV. The Total EMV represents the project risk exposure and the amount of our Contingency Reserve.
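The arithmetic in the table, together with the Decision Tree Analysis listed among the tools, as an added Python example that is not part of the original article: contingency_reserve reproduces the $31,000 total from the three risks above (an opportunity is entered as a negative impact so it is subtracted), and expected_cost / best_option evaluate a small decision tree by EMV. The tree itself (hardening a system now versus deferring, with the probabilities and costs attached) is a constructed scenario, not one from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One register entry. A positive impact is a threat (adds cost);
    a negative impact is an opportunity (removes cost)."""
    name: str
    probability: float   # 0..1
    cost_impact: float   # dollars

    def emv(self) -> float:
        """Expected Monetary Value = Probability x Impact."""
        return self.probability * self.cost_impact


# The three risks from the EMV table above.
REGISTER = [
    Risk("A (Threat)", 0.20, 100_000),
    Risk("B (Opportunity)", 0.40, -10_000),
    Risk("C (Threat)", 0.30, 50_000),
]


def contingency_reserve(register) -> float:
    """Total EMV of the register: the project's risk exposure and its contingency reserve."""
    for r in register:
        if not 0.0 <= r.probability <= 1.0:
            raise ValueError(f"{r.name}: probability must be between 0 and 1")
    return sum(r.emv() for r in register)


# Decision tree nodes. Costs are money out, so a lower EMV is better.
@dataclass(frozen=True)
class Outcome:
    cost: float          # leaf: a known cost


@dataclass(frozen=True)
class Chance:
    branches: tuple      # ((probability, node), ...); probabilities must sum to 1


@dataclass(frozen=True)
class Decision:
    options: dict        # option name -> (upfront cost, node that follows)


def expected_cost(node) -> float:
    """EMV of a subtree: a leaf returns its cost, a chance node the probability-weighted
    average of its branches, a decision node its cheapest option (upfront + what follows)."""
    if isinstance(node, Outcome):
        return node.cost
    if isinstance(node, Chance):
        if abs(sum(p for p, _ in node.branches) - 1.0) > 1e-9:
            raise ValueError("chance branch probabilities must sum to 1")
        return sum(p * expected_cost(child) for p, child in node.branches)
    if isinstance(node, Decision):
        return min(upfront + expected_cost(child) for upfront, child in node.options.values())
    raise TypeError(f"unknown node type {type(node).__name__}")


def best_option(decision: Decision) -> str:
    """Name of the option with the lowest EMV."""
    return min(decision.options,
               key=lambda name: decision.options[name][0] + expected_cost(decision.options[name][1]))


# Constructed scenario (assumed figures): spend $40,000 to harden a system now, after which a
# breach is 10% likely and costs $50,000; or defer, leaving a 30% chance of a $200,000 breach.
HARDEN_OR_DEFER = Decision({
    "harden now": (40_000, Chance(((0.10, Outcome(50_000)), (0.90, Outcome(0))))),
    "defer": (0, Chance(((0.30, Outcome(200_000)), (0.70, Outcome(0))))),
})


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:<16} EMV = {r.emv():>10,.0f}")
    print(f"Contingency reserve = {contingency_reserve(REGISTER):,.0f}")
    for name, (upfront, node) in HARDEN_OR_DEFER.options.items():
        print(f"{name:<12} EMV = {upfront + expected_cost(node):>10,.0f}")
    print("Best option:", best_option(HARDEN_OR_DEFER))
```

Because the tree is built from costs, the decision node takes the minimum; if you model payoffs instead, flip it to a maximum. The probability check on chance nodes is there because a branch set that does not sum to 1 silently under- or overstates the EMV, which is the most common mistake in hand-built trees.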

Once you've performed the Quantitative Risk Analysis, be sure to update your risk register with the additional risk information.

The goal of risk management is to deliver optimal security at a reasonable cost. When diving into quantitative risk analysis, you have to think about cost versus benefit, risk handling and types of countermeasures.

Risk is related to vulnerabilities, which threaten confidentiality (C), integrity (I) and availability (A) of the assets. This is described as the CIA Triad.

Confidentiality is about not disclosing sensitive information to people who are not authorized to see it.

Integrity is about preserving the state of the system: we don't want attackers to change our data.

Availability is about keeping systems up and running so that authorized users can reach them when they need to.

What is quantitative analysis?

Quantitative analysis is about assigning monetary values to risk components. Let’s analyze the example of hard drive failure to better understand how it works.

Let’s first describe the threat, vulnerability and risk:

  1. Threat — hard drive failure
  2. Vulnerability — backups done rarely
  3. Risk — loss of data

The asset is data. The value of the asset (AV) is assessed first — $100,000, for example.

Let’s discuss the single loss expectancy (SLE). It contains information about the potential loss when a threat occurs (expressed in monetary values). It is calculated as follows: SLE = AV x EF, where EF is the exposure factor.

The exposure factor is the fraction of the asset's value that is lost when the threat materializes, expressed as a percentage (or as a value between 0 and 1). With EF estimated at 0.3 (30%), SLE is $100,000 x 0.3 = $30,000 in our example.

Let’s continue this case. Annualized rate of occurrence (ARO) is described as an estimated frequency of the threat occurring in one year. ARO is used to calculate ALE (annualized loss expectancy). ALE is calculated as follows: ALE = SLE x ARO. ALE is $15,000 ($30,000 x 0.5), when ARO is estimated to be 0.5 (once in two years).

As we can see, risk combines the impact of the vulnerability on the business (captured by SLE) with the likelihood that the vulnerability is exploited (captured by ARO).

Cost and benefit analysis for risk

Let's continue the example from the previous section. Annualized loss expectancy (ALE) is $15,000. This is the expected loss from hard drive failure averaged over a year, not an amount that will be lost in any particular year: some years lose nothing, others lose the full $30,000. A countermeasure can be used to reduce the potential loss; it is introduced when management decides to reduce the risk. The countermeasure should not cost more per year than the ALE it removes, which in this example is at most $15,000 per year. Otherwise it wouldn't be logical from a business point of view (we don't want to spend more money than we can potentially lose). This is basically how cost and benefit analysis works.

Let’s see how the annual value of the countermeasure to the company (COUNTERMEASURE_VALUE) can be calculated:

COUNTERMEASURE_VALUE = ALE_PREVIOUS – ALE_NOW – COUNTERMEASURE_COST, where

ALE_PREVIOUS: ALE before implementing the countermeasure

ALE_NOW: ALE after implementing the countermeasure

COUNTERMEASURE_COST: annualized cost of the countermeasure (please note that it's not only the purchase cost; maintenance and operating costs are included, and a one-off purchase is spread over the years the countermeasure will be used).
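The SLE, ALE and countermeasure-value formulas from the last two sections carried through in Python, as an added example that is not part of the original article. Scenario holds AV, EF and ARO for the hard-drive case above ($100,000, 0.3, 0.5); Countermeasure annualizes purchase plus maintenance cost over an assumed lifetime and carries the residual scenario it leaves behind; choose applies the rule from the cost and benefit section, picking the control with the highest positive annual value or accepting the risk when none pays for itself. The three candidate controls, their prices, lifetimes and residual EF/ARO values are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A threat/vulnerability pair against one asset, in the article's terms."""
    asset_value: float      # AV, dollars
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    annual_rate: float      # ARO, expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Countermeasure:
    name: str
    purchase_cost: float       # one-off
    annual_maintenance: float  # recurring
    lifetime_years: int        # the purchase cost is spread over this many years
    residual: Scenario         # what the threat looks like once the control is in place

    def annual_cost(self) -> float:
        """Annualized cost = purchase spread over its lifetime + yearly maintenance."""
        if self.lifetime_years <= 0:
            raise ValueError("lifetime must be at least one year")
        return self.purchase_cost / self.lifetime_years + self.annual_maintenance

    def value(self, before: Scenario) -> float:
        """COUNTERMEASURE_VALUE = ALE_PREVIOUS - ALE_NOW - COUNTERMEASURE_COST."""
        return before.ale() - self.residual.ale() - self.annual_cost()


def choose(before: Scenario, candidates):
    """The control with the highest positive annual value, or None to accept the risk."""
    best = max(candidates, key=lambda c: c.value(before), default=None)
    if best is None or best.value(before) <= 0:
        return None
    return best


# The article's hard-drive scenario: AV = $100,000, EF = 0.3, ARO = 0.5 (once in two years).
HARD_DRIVE_FAILURE = Scenario(asset_value=100_000, exposure_factor=0.3, annual_rate=0.5)

# Constructed candidate controls; costs and residual figures are assumptions for the example.
CANDIDATES = [
    # Nightly offsite backups: a failure now costs about one day of data, same failure rate.
    Countermeasure("nightly backups", 6_000, 1_000, 3,
                   Scenario(100_000, 0.05, 0.5)),
    # Mirrored disks plus backups: failures rarer and far less data at risk, but pricier.
    Countermeasure("RAID + backups", 30_000, 4_000, 3,
                   Scenario(100_000, 0.02, 0.1)),
    # Fully replicated storage cluster: near-zero residual risk, but costs more than the ALE.
    Countermeasure("replicated cluster", 45_000, 5_000, 3,
                   Scenario(100_000, 0.01, 0.05)),
]


if __name__ == "__main__":
    print(f"SLE = {HARD_DRIVE_FAILURE.sle():,.0f}  ALE = {HARD_DRIVE_FAILURE.ale():,.0f}")
    for c in CANDIDATES:
        print(f"{c.name:<20} annual cost {c.annual_cost():>8,.0f}  "
              f"residual ALE {c.residual.ale():>8,.0f}  value {c.value(HARD_DRIVE_FAILURE):>9,.0f}")
    pick = choose(HARD_DRIVE_FAILURE, CANDIDATES)
    print("Decision:", f"implement {pick.name}" if pick else "accept the risk")
```

The comparison is the part worth studying: the cluster removes almost all of the risk yet has a negative value because its annualized cost exceeds the $15,000 ALE, while the cheap backup option leaves $2,500 of residual ALE and still comes out best. A control is judged on ALE reduction minus cost, never on how much risk it removes in isolation.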

Risk handling for security

Risk can be handled in the following ways:

  • Risk reduction — risk is reduced to an acceptable level (countermeasures implemented; types of countermeasures are described in the next section).
  • Risk avoidance — stopping the activity that leads to the risk.
  • Risk transference — the risk is transferred to a third party, for example an insurance company (the financial loss is transferred; accountability for the asset usually stays with the business).
  • Risk acceptance — accepting the cost of potential loss (no countermeasures).

Countermeasures for risk reduction

Let’s discuss the types of countermeasures (also called controls) that are implemented in the case of risk reduction. There are three types of countermeasures:

  • Administrative (policies, procedures and security awareness training; the training should not be forgotten, because people are often the weakest point in the security chain)
  • Technical (firewall)
  • Physical (locks)

Countermeasures are implemented to reduce the risk. We talk about total risk when no countermeasure is implemented. Let’s assume now that the countermeasure is implemented. Perfect security doesn’t exist and there is some risk left. This is a residual risk.

Quantitative risk analysis is important for every business. Single loss expectancy (SLE), exposure factor (EF), annualized rate of occurrence (ARO) and annualized loss expectancy (ALE) are all key parts of figuring out the cost and benefit associated with risk. Learning how to handle risk and how to choose countermeasures is just as important.