qualitative risk assessment [English]
n. ~ A process that uses a nominal scale to rank risks relating to likelihood (such as low, medium, high) and impact (such as insignificant, minor, moderate, severe) based on judgment, experience, and context.
The scale may be numerical (such as 1 = low, 10 = high). The assessment may be two-dimensional, with separate axes for likelihood and impact.
- Business Dictionary 2014 (†539 s.v. "qualitative risk"): Relative measure of risk or asset value based on ranking or separation into descriptive categories such as low, medium, high; not important, important, very important; or on a scale from 1 to 10.
- NIST Risk Assessment 2012 (†482 s.v. "qualitative assessment", p. B-8): Use of a set of methods, principles, or rules for assessing risk based on nonnumerical categories or levels.
- Kouns and Minoli 2010 (†404): The goal of using pure quantitative methods in all circumstances is impractical due to the shortage of reliable data on incidents (probabilities and impacts), although they are potentially useful in some more narrowly defined situations. One solution is to use quick/simple qualitative risk assessments followed by risk analyses on selected high-risk areas using more detailed qualitative or quantitative methods. ¶ Qualitative risk analysis: Ranking threats/exposure events on a scale. Based on the scale, one evaluates the likelihood of occurrence, the costs, and the outcomes, based on judgment, experience, and situational awareness. (†886)
- Lemieux 2004 (†405): Having assessed the probability and impact of a risk, the assessed level of risk may be expressed in quantitative or qualitative terms or a mixture of the two. A qualitative risk measurement includes assigning a ranking, such as high, medium, or low, to the probability and impact of a risk, based on a predefined scale. The validity of the ranking will be based on the consistent use of a well-defined scale. A qualitative risk assessment could also be expressed numerically, with the same meanings still assigned to the rankings. (†884)
- WHO/FAO 2009 (†534 p. 23): Qualitative risk assessments are commonly used for screening risks to determine whether they merit further investigation, and can be useful in the ‘preliminary risk management activities’, but may also provide the needed information and analysis to answer specific risk management questions. ¶ The major difference between qualitative and quantitative risk characterization approaches is in the manner in which the information is synthesized and the communication of the conclusions. (†861)
- WHO/FAO 2009 (†534 p. 25): Risk assessment, at its simplest, is any method that assesses, or attempts to assess, a risk. Qualitative risk assessment is not, however, simply a literature review or description of all of the available information about a risk issue: it must also arrive at some conclusion about the probabilities of outcomes for a baseline risk and/or any reduction strategies that have been proposed. ¶ Qualitative risk assessments may be undertaken, for example, using the process of ‘expert elicitation’. Synthesizing the knowledge of experts and describing some uncertainties permits at least a ranking of relative risks, or separation into risk categories. [Citing FAO/WHO 2004] (†863)
- Wikipedia (†387 s.v. IT risk management): Qualitative risk assessment (three to five steps evaluation, from Very High to Low) is performed when the organization requires a risk assessment be performed in a relatively short time or to meet a small budget, a significant quantity of relevant data is not available, or the persons performing the assessment don't have the sophisticated mathematical, financial, and risk assessment expertise required. Qualitative risk assessment can be performed in a shorter period of time and with less data. Qualitative risk assessments are typically performed through interviews of a sample of personnel from all relevant groups within an organization charged with the security of the asset being assessed. Qualitative risk assessments are descriptive versus measurable. Usually a qualitative classification is done followed by a quantitative evaluation of the highest risks to be compared to the costs of security measures. (†1036)