Qualitative Risk Assessment Tools
Risk assessment is identifying the probability that a risk will occur. Qualitative risk assessment tools allow organizations to determine the probability a risk will occur and offer solutions on how to prevent the risks from happening in the first place. Learn about some of the most-used risk assessment tools and their strengths and weaknesses.
Risk Analysis
A risk analysis looks at the probability of something negative occurring. Organizations conduct a risk analysis when they are changing systems, hiring or firing employees, or rolling out new products, among other changes. Organizations that use risk analysis are being proactive. Despite the high cost, risk analyses may end up saving money in the long run because they can help forecast and avert even more costly disasters. A risk analysis is done by identifying the causes of problems, the consequences of these problems and how probable these problems are. Once the problems are identified, the organization can weigh them against the expected results and determine whether to move forward with a project.
Risk Factor Analysis
A risk factor analysis is much like a risk analysis, but instead of focusing on the problems and the consequences, it focuses on the factors that could cause the problems and consequences. Risk factors can be broken down into four different groups: the technical risk, the schedule risk, the cost risk and the funding risk. The technical risk stems from the design, construction or operation of the product. The schedule risk considers how long it will take to design and implement the project. The cost risk reviews how much money the project will cost to implement, including design and operating costs. The funding risk looks at how much money each part of the project will need and whether the money will be available when needed.
Risk Probability Matrix
Risk probability investigates the probability of a risk occurring at three different levels: low, medium and high. The other part of the risk probability matrix is determining how important the project's completion is to the organization, using the same three levels. Once both of these questions are answered, the findings are graphed on a matrix.
Here is an example of a company using the risk probability matrix. A factory that builds gas pumps for cars decides to implement a new line with new technology. The company needs to ask itself a series of questions. First, it needs to identify the possible risks, such as having to hire new employees to run the technology. The company identified this risk as having a low impact on the company. Then it had to decide the probability that the risk would occur. Because the technology is new, the company knows it will need to hire new employees, so the probability of the risk happening is high.
CRAMM
CRAMM stands for the Central Computer and Telecommunications Agency's Risk Analysis and Management Method. This method was developed by CCTA but has now been used by many other organizations around the world. The CRAMM assessment tool conducts a comprehensive review of factors to determine if risk will occur. It considers asset identification, threat assessments and countermeasure ideas. Once the assets are identified, the threats and vulnerabilities of the project and products are examined to determine if the risk is worth the reward. If the risks are found to outweigh the reward, countermeasures are put in place to reduce the possibility of the risks occurring.