Qualitative vs. Quantitative Risk Assessment


Dan Johnson

While educating myself on risk management in preparation to write a risk procedure (some years ago), I had come to the conclusion that the criteria, probability and severity, needed to be quantified. I remember determining this was a requirement rather than a "best practice" but can no longer find any reference.

Am I off track on this or can someone please point me in the right direction?
 

Tyler C

What standard or other reason are you looking at writing a risk management procedure?

In ISO 9001:2015, there are no explicit requirements for a risk management procedure, nor whether or not criteria, probability, and severity need to be quantified.

However, there is a statement, "Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services." To me, this means you somehow have to determine whether or not the action you take is proportionate to the impact it may have. Quantifying the criteria, probability, and severity seems to be the only way, or the most accepted way, to determine this. But, if you can find a different way to determine proportion to impact, then feel free to explore it.
 

howste

Thaumaturge
Trusted Information Resource
What standard or other reason are you looking at writing a risk management procedure?
This thread is in the AS9100 forum, so I'll assume AS9100.

AS9100 Rev C (product realization) risk requirements (7.1.2):
The organization shall establish, implement and maintain a process for managing risk to the achievement of applicable requirements, that includes as appropriate to the organization and the product
a) assignment of responsibilities for risk management,
b) definition of risk criteria (e.g., likelihood, consequences, risk acceptance),
c) identification, assessment and communication of risks throughout product realization,
d) identification, implementation and management of actions to mitigate risks that exceed the defined risk acceptance criteria, and
e) acceptance of risks remaining after implementation of mitigating actions.

AS9100 Rev D (operational) risk requirements (8.1.1):
The organization shall plan, implement, and control a process for managing operational risks to the achievement of applicable requirements, which includes as appropriate to the organization and the products and services:
a. assignment of responsibilities for operational risk management;
b. definition of risk assessment criteria (e.g., likelihood, consequences, risk acceptance);
c. identification, assessment, and communication of risks throughout operations;
d. identification, implementation, and management of actions to mitigate risks that exceed the defined risk acceptance criteria;
e. acceptance of risks remaining after implementation of mitigating actions.

I don't see anything in there that specifically requires quantitative values. There's nothing in the definitions of risk in AS9100C or ISO 9000:2015 that indicates quantitative data either. I prefer it, though, even though the numbers often end up being somewhat subjective.
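To make the distinction in the posts above concrete, here is an added example (not from the thread or from the standard) of what items b), d) and e) of the clauses quoted above look like once the criteria are written down: qualitative likelihood and consequence labels mapped onto ordinal scores, an acceptance threshold, and a check that anything above that threshold has a mitigation and an owner before the residual risk is accepted. The scales, the threshold value of 8 and the sample register entries are all constructed for illustration; the standard only requires that criteria be defined, not these particular numbers.

```python
from dataclasses import dataclass
from typing import Optional, List, Dict

# Ordinal scales (constructed). The labels are the qualitative criteria; the
# numbers are one way of quantifying them so that scores can be compared.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk acceptance criterion (constructed): scores above this exceed acceptance.
ACCEPTANCE_THRESHOLD = 8


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    owner: Optional[str] = None            # item a): responsibility assigned
    mitigation: Optional[str] = None       # item d): action taken, if any
    mitigated_likelihood: Optional[str] = None
    mitigated_consequence: Optional[str] = None


def score(likelihood: str, consequence: str) -> int:
    """Likelihood x consequence on the ordinal scales above."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def assess(risk: Risk) -> Dict[str, object]:
    """Inherent and residual scores for one register entry, compared
    against the acceptance criterion."""
    inherent = score(risk.likelihood, risk.consequence)
    residual = score(
        risk.mitigated_likelihood or risk.likelihood,
        risk.mitigated_consequence or risk.consequence,
    )
    return {
        "name": risk.name,
        "inherent": inherent,
        "residual": residual,
        "exceeds_acceptance": inherent > ACCEPTANCE_THRESHOLD,
        "residual_accepted": residual <= ACCEPTANCE_THRESHOLD,
    }


def review_register(register: List[Risk]) -> List[str]:
    """Return findings for entries that exceed acceptance but are missing the
    things items a), d) and e) ask for: an owner, a mitigation, and a residual
    score within the acceptance criterion. An empty list means no findings."""
    findings = []
    for risk in register:
        result = assess(risk)
        if not result["exceeds_acceptance"]:
            continue  # within acceptance as-is; nothing further required
        if not risk.owner:
            findings.append(f"{risk.name}: no responsibility assigned")
        if not risk.mitigation:
            findings.append(f"{risk.name}: exceeds acceptance but no mitigation defined")
        elif not result["residual_accepted"]:
            findings.append(
                f"{risk.name}: residual score {result['residual']} still above "
                f"acceptance threshold {ACCEPTANCE_THRESHOLD}"
            )
    return findings


# Constructed sample register.
SAMPLE_REGISTER = [
    Risk("Late supplier delivery", "likely", "major", owner="Purchasing",
         mitigation="Second-source qualification", mitigated_likelihood="unlikely"),
    Risk("Drawing revision mismatch at shop floor", "possible", "moderate",
         owner="Configuration Mgmt", mitigation="Controlled-copy stamp at release",
         mitigated_consequence="minor"),
    Risk("Cosmetic scuff on shipping carton", "rare", "minor"),
    Risk("Untracked test-equipment calibration", "possible", "major"),
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(assess(entry))
    for finding in review_register(SAMPLE_REGISTER):
        print("FINDING:", finding)
```

The same register could be kept entirely qualitative by comparing labels directly (for example, anything "likely" or worse with a "major" or worse consequence needs action); the numeric version only makes the comparison easier to explain consistently across sites, which is the point Dan raises about a scalable procedure.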
 

Tyler C

Thanks Howste, I'm not very forum savvy and forget to look at things like that sometimes.
 

Helmut Jilling

Auditor / Consultant
While educating myself on risk management in preparation to write a risk procedure (some years ago), I had come to the conclusion that the criteria, probability and severity, needed to be quantified. I remember determining this was a requirement rather than a "best practice" but can no longer find any reference.

Am I off track on this or can someone please point me in the right direction?

There are many different types of situations that have risks and opportunities. There are many different ways to evaluate risks and opportunities. Let the situation define the methods. Some things should be quantified.... then do so. Some things are qualitative...if I order the key lime pie, what if it turns out to be commercial and not traditional style...? You don't quantify that, you just decide and go....
 

Dan Johnson

Thank you, gentlemen. I read it the same. The procedure I wrote a few years ago has qualitative criteria but also states it's scalable to lower-level programs within our organization. We have an AS certification at our corporate site but also independently certified programs at different locations. While reviewing a corrective action from a customer, the question came up and I didn't see any other reference in 9100/9110 to another standard like you see in configuration management. Hence the question.

While even criteria with quantitative metrics are somewhat subjectively determined, I feel they give a better picture to everyone across the organization of the level of risk.
 