We are all familiar with the concepts of risk and uncertainty. Risk is a quantifiable element of doing business, whereas uncertainty is something we would like to be prepared for but which is often hard to quantify.
Events of the past three years, including those unfolding now, have exposed us to both. While we cannot predict uncertainty, we can at least work towards mitigating the risks that arise from it.
RQ vs RA
Risk quantification (RQ) is a process of evaluating the risks that have been identified and developing the data that will be needed for making decisions as to what should be done about them. The "Guide to Project Management Body of Knowledge" describes risk quantification as evaluating risks and risk interactions to assess the range of possible outcomes.
Jonathan Jackson, director of sales engineering APJ at BlackBerry, defines risk assessment (RA) as the process of identifying and analysing potential risks to an organisation or a system. It involves evaluating the likelihood and the impact of different threats and vulnerabilities.
In describing the linkages between the two, he explains that risk quantification forms part of risk assessment. "That involves assigning a numerical value to the likelihood and the impact of that risk happening. It helps to prioritise risks and determine the appropriate level of resources that you need to allocate to mitigate against those risks," he continues.
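The two definitions above (evaluating risks "to assess the range of possible outcomes", and assigning numbers to likelihood and impact so risks can be prioritised) can be illustrated with a small quantitative risk register. The following is an added example written for this page; it is not code from the article, from Jackson or from BlackBerry. The risk names, annual probabilities and loss ranges are constructed sample values. A likelihood-times-impact point estimate ranks the risks, and a Monte Carlo simulation turns the same inputs into a distribution of annual loss, which is the "range of possible outcomes" a decision-maker actually needs.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry in a quantitative risk register (constructed example values)."""
    name: str
    probability: float  # estimated likelihood the event occurs in a year (0..1)
    loss_low: float     # plausible minimum loss if it occurs (currency units)
    loss_high: float    # plausible maximum loss if it occurs (currency units)


def risk_register():
    """Constructed sample register; the figures are illustrative, not data from the article."""
    return [
        Risk("Lost laptop", probability=0.80, loss_low=2_000, loss_high=10_000),
        Risk("Ransomware outage", probability=0.10, loss_low=200_000, loss_high=2_000_000),
        Risk("Credential phishing", probability=0.40, loss_low=20_000, loss_high=100_000),
    ]


def expected_annual_loss(risk):
    """Point estimate: likelihood multiplied by the mid-point of the impact range."""
    return risk.probability * (risk.loss_low + risk.loss_high) / 2


def prioritise(risks):
    """Rank risks by expected annual loss, highest first, to guide resource allocation."""
    return sorted(risks, key=expected_annual_loss, reverse=True)


def simulate_annual_loss(risks, trials=10_000, seed=1):
    """Monte Carlo: for each simulated year, decide per risk whether it occurs and,
    if so, draw a loss uniformly from its range. Returns one total per simulated year."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    totals = []
    for _ in range(trials):
        total = 0.0
        for r in risks:
            if rng.random() < r.probability:
                total += rng.uniform(r.loss_low, r.loss_high)
        totals.append(total)
    return totals


def summarise(totals):
    """Turn the simulated losses into the figures a risk owner would report."""
    s = sorted(totals)
    n = len(s)
    return {
        "mean": statistics.fmean(s),
        "p50": s[n // 2],            # typical year
        "p90": s[int(0.9 * n)],      # bad year: 1 in 10
        "max": s[-1],                # worst simulated year
    }


if __name__ == "__main__":
    register = risk_register()
    print("Priority order (expected annual loss):")
    for r in prioritise(register):
        print(f"  {r.name:<22} {expected_annual_loss(r):>12,.0f}")
    summary = summarise(simulate_annual_loss(register))
    print("Simulated annual loss:")
    for k, v in summary.items():
        print(f"  {k:<5} {v:>12,.0f}")
```

Two things the numbers show that the prose does not: the point estimate alone would suggest budgeting around the mean, but the simulation's p50 sits far below the mean and the p90 far above it, because a single low-probability, high-impact item (the ransomware entry) dominates the distribution. Ranking and budgeting therefore answer different questions, and a register that only carries a likelihood-times-impact score hides the second one.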
Asked how an organisation goes about assessing whether it needs risk quantification as part of its assessment or risk management strategy, Jackson says an organisation should consider quantification as part of the overall assessment and management strategy if it wants to gain a deeper understanding of its risks and make well-informed business decisions about how to manage them.
"Some of the triggers that I see that may prompt an organisation to look at risk quantification could be things like significant changes to the business environment or operations they are running in," he quips.
Are all risk quantification solutions equal, or are the approaches similar?
Jackson is adamant that not all quantification solutions are equal. "The effectiveness and the suitability of a particular risk quantification solution really will depend on several various factors. It could take into consideration the organisation size, what industry they are involved in, the complexity of that organisation," he elaborates.
"It is essential to carefully evaluate and select a quantification approach that is appropriate for your organisation’s specific needs, and your specific circumstances. There are a lot of resources available for organisations to evaluate different solutions out there. Five things that I would consider would be scope, accuracy, usability, flexibility, and cost."
Risk assessment is a team sport
Jackson believes that any risk assessment undertaking should involve multiple stakeholders in the organisation. He points out that governance, risk and compliance (GRC) is typically led by the chief risk officer.
"A CFO typically takes a strong look at risk, but key stakeholders, subject matter experts from various departments are really important within an organisation. It's not just specific to IT, or to the security and the legal teams," he adds.
He concedes the importance of strong leadership direction from executives. "Whether it's education, training, risk awareness, cyber awareness, or phishing campaigns, we are all quite good at being able to spot these. Ongoing training and management as part of the executive team are important to foster a good culture of risk aversion within an organisation," he continues.
Click on the PodChat player and hear Jackson elaborate on his recommendations for risk quantification strategies in 2023.
- What is risk quantification? Is it the same as risk assessment? If not, what's the difference?
- What conditions require risk quantification? Is it a one-time requirement? Perpetual? What are the triggers for needing to do risk quantification?
- How does an organisation go about assessing whether they need risk quantification as part of their assessment/management strategy?
- Are all risk quantification solutions/approaches equal?
- What questions should they be asking when evaluating a risk assessment solution?
- Who should be involved in making this evaluation?
- What is your advice for executives charged with risk assessment?
- How do you get board buy-in?