Which of the following is the process of numerically analyzing the effects of identified risks on the
overall enterprise’s objectives?

A.
Identifying Risks

B.
Quantitative Risk Assessment

C.
Qualitative Risk Assessment

D.
Monitoring and Controlling Risks

Explanation:

A quantitative risk assessment quantifies risk in terms of numbers such as dollar values. This
involves gathering data and then entering it into standard formulas. The results can help in
identifying the priority of risks. These results are also used to determine the effectiveness of
controls. Some of the terms associated with quantitative risk assessments are :
Single loss expectancy (SLE)-It refers to the total loss expected from a single incident. This
incident can occur when vulnerability is being exploited by threat. The loss is expressed as a dollar
value such as $1,000. It includes the value of data, software, and hardware.
SLE = Asset value * Exposure factor
Annual rate of occurrence (ARO)-It refers to the number of times expected for an incident to occur
in a year. If an incident occurred twice a month in the past year, the ARO is 24. Assuming nothing
changes, it is likely that it will occur 24 times next year.
Annual loss expectancy (ALE)-It is the expected loss for a year. ALE is calculated by multiplying
SLE with ARO. Because SLE is a given in a dollar value, ALE is also given in a dollar value. For
example, if the SLE is $1,000 and the ARO is 24, the ALE is $24,000. ALE = SLE * ARO
Safeguard value-This is the cost of a control. Controls are used to mitigate risk. For example,
antivirus software of an average cost of $50 for each computer. If there are 50 computers, the
safeguard value is $2,500.

Answer C is incorrect.
Unlike the quantitative risk assessment, qualitative risk assessment does not assign dollar values.
Rather, it determines risk’s level based on the probability and impact of a risk. These values are
determined by gathering the opinions of experts.
Probability- establishing the likelihood of occurrence and reoccurrence of specific risks,
independently, and combined. The risk occurs when a threat exploits vulnerability. Scaling is done
to define the probability that a risk will occur. The scale can be based on word values such as
Low, Medium, or High. Percentage can also be assigned to these words, like 10% to low and 90%
to high.
Impact- Impact is used to identify the magnitude of identified risks. The risk leads to some type of
loss. However, instead of quantifying the loss as a dollar value, an impact assessment could use
words such as Low, Medium, or High. Impact is expressed as a relative value. For example, low
could be 10, medium could be 50, and high could be 100.
Risk level= Probability*Impact
Answer A is incorrect.
The first thing we must do in risk management is to identify the areas of the project where the risks
can occur. This is termed as risk identification. Listing all the possible risks is proved to be very
productive for the enterprise as we can cure them before it can occur. In risk identification both
threats and opportunities are considered, as both carry some level of risk with them.
Answer D is incorrect. This is the process of implementing risk response plans, tracking identified
risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness
through the project.