12.- TOOLS AND TECHNIQUES FOR QUANTITATIVE RISK ANALYSIS.
Quantitative Risk Analysis is the process of numerically analyzing the effect of the identified risks on the objectives and targets of an organization. Based on the results of the qualitative risk analysis, the quantitative risk analysis is performed on risks that have been prioritized; it analyzes the effects of those risk events and assigns a numerical rating to those risks. In the process of quantitative risk analysis, the impacts on the whole organization are made computable and are computed to generate a more elaborate total ranking. Usable techniques are:
- Data gathering & representation techniques:
- Probability distributions: continuous probability distributions are used extensively in modeling and simulations. These distributions may help us perform quantitative analysis. Discrete distributions can be used to represent uncertain events (an outcome of a test or possible scenario in a decision tree).
- Quantitative risk analysis & modeling techniques: commonly used for event-oriented analysis:
- Modeling & simulation: a risk simulation uses a model that translates the specific, detailed uncertainties of the risks into their potential impact on the organization's objectives, and is usually iterative. Monte Carlo is an example of an iterative simulation.
- Cause and effect matrix helps identify critical steps in a process and the presence, or absence, of controls that prevent, mitigate or monitor adverse events. Numerical scores determine which activities create the greatest risk. Inputs into the process are then scored to refine the areas of potential risk.
- Failure mode and effects analysis (FMEA) helps evaluate the risk associated with steps in a process or with the steps in the implementation plan of any project. Potential failure modes and their potential resulting effects are identified and scored for severity of impact to the organization. Potential causes are then identified and scored based on frequency or likelihood of occurrence. Finally, present controls are identified and scored based on the organization’s ability to prevent, mitigate or detect these failure modes. The three scores are then multiplied together to create a risk priority number (RPN). Once the RPN has been calculated, the FMEA requires that an action plan be developed and responsibilities assigned to reduce the risk associated with the critical areas identified. Based on the RPN and the risk tolerance established by the organization, business decisions can be made to avoid or prevent the risk, reduce or mitigate the risk, share the risk, or accept the risk. A formal cost / benefit analysis of these alternatives assists leadership in defining their response. Once the action plan has been completed, a recalculation of the RPN is performed to determine if the activity now falls within the risk tolerance or if additional actions are needed.
- Cost risk analysis: cost estimates are used as input values, chosen randomly for each iteration (according to the probability distributions of these values), and the total cost is calculated.
- Schedule risk analysis: duration estimates & network diagrams are used as input values, chosen at random for each iteration (according to the probability distributions of these values), and the completion date is calculated. One can check the probability of completing the task by a certain date or within a certain cost constraint.
- Expert judgment: used to identify potential cost & schedule impacts, evaluate probabilities, interpret data, identify the weaknesses of the tools as well as their strengths, and define when a specific tool is more appropriate, considering the organization’s capabilities & structure.
- There are also enterprise risk management software programs that monitor risks that can be quantified.
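The cost risk analysis described above can be sketched as a Monte Carlo simulation. This is an added example, not part of the original text: the line items, risk events, figures and the choice of a triangular distribution for the three-point estimates are all constructed assumptions.

```python
import random

# Constructed sample inputs (not from the page): three-point cost estimates
# (low, most likely, high) per line item, in thousands.
COST_ITEMS = {
    "incident response retainer": (40, 55, 90),
    "log pipeline rebuild": (80, 120, 200),
    "identity provider migration": (60, 75, 150),
}
# Constructed discrete risk events: (probability of occurring, cost impact).
RISK_EVENTS = {
    "vendor delay penalty": (0.20, 50),
    "audit finding rework": (0.10, 80),
}

def simulate_total_cost(items, events, iterations=20000, seed=1):
    """Return a sorted list of simulated total costs, one per iteration."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    totals = []
    for _ in range(iterations):
        # Continuous uncertainty: draw each estimate from a triangular
        # distribution (an assumed shape for three-point estimates).
        total = sum(rng.triangular(low, high, mode)
                    for low, mode, high in items.values())
        # Discrete uncertainty: each event occurs this iteration or not.
        total += sum(impact for p, impact in events.values()
                     if rng.random() < p)
        totals.append(total)
    totals.sort()
    return totals

def probability_within(totals, budget):
    """Fraction of iterations whose total cost is at or below the budget."""
    return sum(1 for t in totals if t <= budget) / len(totals)

def percentile(totals, q):
    """Cost not exceeded in a fraction q of iterations (sorted input)."""
    index = min(len(totals) - 1, max(0, int(q * len(totals))))
    return totals[index]

if __name__ == "__main__":
    totals = simulate_total_cost(COST_ITEMS, RISK_EVENTS)
    print(f"P(total <= 300): {probability_within(totals, 300):.2%}")
    print(f"P50: {percentile(totals, 0.50):.1f}  "
          f"P80: {percentile(totals, 0.80):.1f}")
```

The same structure applies to schedule risk analysis by replacing cost estimates with task durations and summing along the network diagram's paths.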
These are some of the quantitative risk analysis outputs:
- Prioritized list of quantified risks.
- Probability of achieving the organization objectives and goals.
- Trends in risks.
- Documented list of non-critical, non-top risks.