Risk analysis is the process that a company goes through to assess internal and external factors that may affect the productivity, profitability and operations of the business. Two broad categories of risk analysis exist: qualitative and quantitative. By assessing these risks, companies can put plans into place to avoid and manage them.
Qualitative risk analysis is comprised of six primary parts. Elements of qualitative risk include threats, attacks, vulnerability, control, impact and business impact. A company needs to assess all of these elements as a comprehensive package to evaluate the qualitative risks the company has.
To illustrate how companies conduct qualitative risk analysis, assume that a credit card company has computer records on 10,000 to 500,000 customers at any given time. The first risk is that numerous employees in different departments have access to all of this personal customer information.
When the auditors show up at the credit card company, the problem they find, and the risk, is that the files do not contain encrypted information. This means that the information is at risk both when it is sent to the business web server and when it sits on the database. The information is at risk from the employees or external hackers from obtaining personal
Quantitative risk analysis is more focused on the facts, figures and data associated with the business. The two primary subcategories of quantitative analysis are the probability of the risk occurring and the likelihood of a loss if the risk in fact occurs.
For example, a health insurance company office that has 1,000 patient files in house would need to assess the risk if there is a confidentiality breach. Assume that in this case the health insurance records are housed on a single database. Further assume that the database is compromised by a hacker breaking into the database. Essentially, this exposes the 1,000 patient files, personal information, medical and insurance records to the hacker.
Assume that the insurance company office places a value of $30 US Dollars (USD) on rectifying each of the patient files. The cost of $30 USD covers everything from changing the patient account numbers and printing out new health insurance cards to contacting each of the patients to inform them of what happened. When conducting a quantitative risk analysis, the answer is 1,000 patient files multiplied by $30 USD per file, or $30,000 USD. This is the amount of loss to the health insurance company office for the breach of its database.
Once the powers that be conduct a risk analysis, it is then important for plans to be put in place on how to manage the risk. For example, with the qualitative risk illustration, the credit card company has to employ a system or install a program that automatically encrypts its customer data.
@Melonlity -- There is an essential problem with risk analysis when it comes to banks or, indeed, any company that extends credit as a central part of its mission. Namely, allowing too much risk results in a lot of defaulting borrowers while assuming too little risk means credit is not available in such a manner that the company can turn a profit.
The trick of all creditors, then, is to find that balance. That is where the true debate is and has always been.
The quantitative risk analysis issue seemed to come into play during every housing market crisis of the 20th and 21st century. The notion is that risk analysis gone awry leads to foreclosure, chaos and recessions.
The federal government and the mortgage industry have struggled with the "risk" aspect of that business for a couple of centuries now. Expect that to continue.