Companies run on money: they need it to pay employees, buy equipment and make the expenditures necessary to keep operating. Companies need to turn profits to survive, but even non-profit organizations need to manage their cash flows to ensure steady operation. Risk analysis, both qualitative and quantitative, helps organizations identify ways in which they might lose money.
Quantitative Risk Analysis
Quantitative risk analysis, as its name suggests, puts a number on a particular risk. This number can represent the amount of money a company will lose if a certain event comes to pass. Such events can include database penetration by intruders, investments losing money and the consequences of theft. The process analyzes the exact amount of money each incident would cost the company or organization, both in primary replacement costs and in secondary effects of the loss itself, such as lawsuits.
Chances of Loss
Knowing how much money a company could lose is useful to executives in making business decisions and planning for contingencies. However, a proper analysis of these kinds of decisions requires not only the dollar amount that is at stake, but also the likelihood that a particular event will happen. Risk analysts can calculate these probabilities from the relevant existing data. This information can include rates of attacks and penetration against particular database software or previous market trends.
Companies like the precision that numbers provide. Accountants can use dollar amounts in budgets, and statisticians can use numbers in models and projections. Numbers can inspire confidence in potential investors and existing stockholders more effectively than adjectives can. However, it is not always possible to quantify risks. For relatively new technologies, or new markets, there simply may not be enough data on security or performance to make reliable calculations. In these cases, risk analysts have to rely on the opinion of specialists in particular fields to estimate risks in qualitative terms such as "high" or "low."
In the case of many new technologies, a risk analysis needs to include both qualitative and quantitative aspects to provide the most complete picture possible. To use the example of a hacker penetrating a database, a risk analyst might be able to assess the cost of changing the relevant user data and the other costs associated with recovering from the attack. Suppose, however, that the database software is relatively new and untested. In that case, the risk analysis will include the relevant figures for what the loss would cost if it came to pass, along with a qualitative estimate of how likely that loss is to occur.