Risk analysis is the process a company goes through to assess the internal and external factors that may affect its productivity, profitability and operations. There are two primary types: qualitative and quantitative risk analysis. By assessing its risks, a company can put plans in place for avoiding and managing them.
Qualitative risk analysis has six primary elements: threats, attacks, vulnerabilities, controls, impact and business impact. A company needs to assess all of these elements together, as one comprehensive package, to evaluate its qualitative risks.
To illustrate how a company conducts qualitative risk analysis, assume that a credit card company holds computer records on 10,000 to 500,000 customers at any given time. The first risk is that numerous employees in different departments have access to all of this personal customer information.
When the auditors arrive at the credit card company, the problem they find, the risk, is that the files are not encrypted. This means the information is exposed both in transit, when it is sent to the business web server, and at rest, when it sits in the database. The information is at risk from employees or external hackers obtaining personal
Quantitative risk analysis focuses on the facts, figures and data associated with the business. Its two primary components are the probability that the risk occurs and the size of the loss if it does.
For example, a health insurance company office that has 1,000 patient files in house would need to assess the risk if there is a confidentiality breach. Assume that in this case the health insurance records are housed on a single database. Further assume that the database is compromised by a hacker breaking into the database. Essentially, this exposes the 1,000 patient files, personal information, medical and insurance records to the hacker.
Assume that the insurance company office places a dollar value of $30 US Dollars (USD) on rectifying each patient file. The $30 USD covers everything from changing the patient account numbers and printing new health insurance cards to contacting each patient to inform them of what happened. For 1,000 files, the quantitative answer is $30,000 USD: the loss to the health insurance company office from a single breach of its database. To complete the analysis, that single-breach figure is weighted by how likely such a breach is to occur in a given year (the probability component above), and the resulting expected annual loss is what the company compares against the cost of protecting the database.
Once management has conducted a risk analysis, plans must be put in place to manage the risk. For example, in the qualitative illustration, the credit card company has to deploy a system or program that automatically encrypts its customer data, both in the database and in transit to the web server.
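The following Python block is an added example, not code from the original article, that carries the health insurance figures above (1,000 files at $30 USD each) through the full quantitative calculation and then uses it to rank candidate controls for the risk management step. It goes beyond the article's single multiplication: the single loss expectancy (SLE) is weighted by an annual rate of occurrence (ARO) to give an annualized loss expectancy (ALE), and each control is valued by how much ALE it removes minus what it costs per year. The ARO of 0.5, the three controls, their annual costs and their residual figures are assumptions chosen for illustration; the `Scenario` and `Control` names are mine.

```python
"""Quantitative risk analysis worked through in code (added example).

Figures from the article: 1,000 patient files, $30 USD to rectify each.
Assumed for illustration: the annual rate of occurrence (ARO), the list
of candidate controls, their annual costs and their residual effect.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario expressed in standard quantitative terms."""
    name: str
    records: int            # records exposed if the event occurs
    cost_per_record: float  # dollars to rectify one exposed record
    aro: float              # annual rate of occurrence (events per year)

    def sle(self) -> float:
        """Single loss expectancy: the loss from one occurrence."""
        return self.records * self.cost_per_record

    def ale(self) -> float:
        """Annualized loss expectancy: SLE weighted by how often it happens."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A countermeasure, its annual cost, and the scenario it leaves behind."""
    name: str
    annual_cost: float
    residual_aro: float       # ARO once the control is in place
    residual_records: int     # records still needing rectification per event


def residual_scenario(before: Scenario, control: Control) -> Scenario:
    """The scenario as it looks with the control applied."""
    return Scenario(before.name, control.residual_records,
                    before.cost_per_record, control.residual_aro)


def control_value(before: Scenario, control: Control) -> float:
    """Net annual value of a control: ALE reduction minus its annual cost.

    Positive means the control saves more than it costs each year. Negative
    means the company would spend more preventing the loss than the loss is
    expected to cost, which argues for a cheaper control or accepting the risk.
    """
    after = residual_scenario(before, control)
    return (before.ale() - after.ale()) - control.annual_cost


def rank_controls(scenario: Scenario, controls: list) -> list:
    """Controls ordered from best to worst net annual value."""
    scored = [(c.name, control_value(scenario, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The article's scenario. ARO of 0.5 (one breach every two years) is assumed.
BREACH = Scenario("patient database breach", records=1000,
                  cost_per_record=30.0, aro=0.5)

# Candidate controls (all figures assumed for illustration).
ENCRYPT_AT_REST = Control("encrypt records at rest", annual_cost=4000.0,
                          residual_aro=0.5,      # attackers still get in...
                          residual_records=50)   # ...but most records stay unreadable
HARDENING = Control("database hardening", annual_cost=5000.0,
                    residual_aro=0.25, residual_records=1000)
MONITORING = Control("24x7 monitoring service", annual_cost=120000.0,
                     residual_aro=0.125, residual_records=1000)
CONTROLS = [HARDENING, MONITORING, ENCRYPT_AT_REST]


if __name__ == "__main__":
    print(f"SLE: ${BREACH.sle():,.0f}   ALE: ${BREACH.ale():,.0f}")
    for name, value in rank_controls(BREACH, CONTROLS):
        verdict = "justified" if value > 0 else "not justified by this risk alone"
        print(f"{name:28s} net ${value:>10,.0f}  ({verdict})")
```

The ranking makes the point that L7's $30,000 figure is not, by itself, a budget: the monitoring service reduces the breach rate the most, yet at $120,000 a year it costs far more than the expected annual loss it prevents, while the cheaper encryption control comes out ahead because it shrinks the loss per event rather than the event rate.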