1

00:00:00,712 --> 00:00:03,189

<v ->To determine the exact amount of risk that exists,</v>



2

00:00:03,189 --> 00:00:07,340

we can conduct a formalized risk analysis or assessment.



3

00:00:07,340 --> 00:00:08,310

During this assessment,



4

00:00:08,310 --> 00:00:10,250

there are two different ways to measure risk,



5

00:00:10,250 --> 00:00:12,880

qualitatively and quantitatively.



6

00:00:12,880 --> 00:00:14,160

In this lesson,



7

00:00:14,160 --> 00:00:16,030

we're going to focus on the qualitative method



8

00:00:16,030 --> 00:00:17,240

of risk analysis.



9

00:00:17,240 --> 00:00:19,859

Qualitative risk analysis uses intuition,



10

00:00:19,859 --> 00:00:21,771

experience and other best practices



11

00:00:21,771 --> 00:00:25,180

to assign relative values to a given risk.



12

00:00:25,180 --> 00:00:28,219

These values could be low, medium, high and critical.



13

00:00:28,219 --> 00:00:29,851

Or you can use any other designated



14

00:00:29,851 --> 00:00:32,230

categorization system that you want.



15

00:00:32,230 --> 00:00:33,520

You can even use numbers.



16

00:00:33,520 --> 00:00:36,240

But numbers aren't really an exact measure in this case.



17

00:00:36,240 --> 00:00:38,600

For example, if I asked you to score this lesson,



18

00:00:38,600 --> 00:00:41,780

you can give it a one through a five star rating.



19

00:00:41,780 --> 00:00:43,309

This isn't a mathematical analysis,



20

00:00:43,309 --> 00:00:46,010

it's just a number that's representing your opinion,



21

00:00:46,010 --> 00:00:48,610

with five being great and one being horrible.



22

00:00:48,610 --> 00:00:50,630

Therefore, it's qualitative in nature,



23

00:00:50,630 --> 00:00:52,720

not quantitative in nature.



24

00:00:52,720 --> 00:00:54,250

The best practices here include



25

00:00:54,250 --> 00:00:55,950

techniques to measure risk such as



26

00:00:55,950 --> 00:00:58,520

brainstorming sessions, focus groups, surveys,



27

00:00:58,520 --> 00:01:02,010

interviews and estimating the likelihood of events.



28

00:01:02,010 --> 00:01:04,340

When you're conducting qualitative risk analysis



29

00:01:04,340 --> 00:01:05,540

it's important that the team



30

00:01:05,540 --> 00:01:07,490

has the required experience and education



31

00:01:07,490 --> 00:01:08,890

of the threats being analyzed,



32

00:01:08,890 --> 00:01:11,190

since this is a highly subjective thing.



33

00:01:11,190 --> 00:01:12,730

The analysts must use their experience



34

00:01:12,730 --> 00:01:13,890

to rank the threats



35

00:01:13,890 --> 00:01:15,709

based on a proposed impact severity,



36

00:01:15,709 --> 00:01:18,940

the loss potential and the likelihood of occurrence.



37

00:01:18,940 --> 00:01:21,398

The big downside when using a qualitative risk analysis



38

00:01:21,398 --> 00:01:24,090

is that dollar values are simply not provided.



39

00:01:24,090 --> 00:01:25,880

And this hinders a cost benefit analysis,



40

00:01:25,880 --> 00:01:27,870

and future budget forecasting.



41

00:01:27,870 --> 00:01:29,940

So, let's take a non technical example,



42

00:01:29,940 --> 00:01:31,149

to really drive home the idea



43

00:01:31,149 --> 00:01:33,660

of a qualitative risk assessment.



44

00:01:33,660 --> 00:01:35,640

Today I want you to imagine that you're home



45

00:01:35,640 --> 00:01:36,890

with a two year old child,



46

00:01:36,890 --> 00:01:38,550

and they're running around your house.



47

00:01:38,550 --> 00:01:39,820

You're busy cooking dinner



48

00:01:39,820 --> 00:01:41,880

and on the stove there's a pot of boiling water



49

00:01:41,880 --> 00:01:44,100

you're going to put some spaghetti noodles in.



50

00:01:44,100 --> 00:01:45,459

But, you need to go to the restroom.



51

00:01:45,459 --> 00:01:47,230

Should you walk away from the stove



52

00:01:47,230 --> 00:01:48,360

to use the restroom,



53

00:01:48,360 --> 00:01:49,710

or should you take some actions



54

00:01:49,710 --> 00:01:52,270

to prevent that two year old from running over to the stove



55

00:01:52,270 --> 00:01:53,390

while you're out of the room,



56

00:01:53,390 --> 00:01:56,250

knocking over that pot of boiling water onto themselves,



57

00:01:56,250 --> 00:01:59,170

and requiring you to take a trip to the hospital tonight?



58

00:01:59,170 --> 00:02:00,760

Well, experience probably tells you



59

00:02:00,760 --> 00:02:02,420

that you should mitigate the vulnerability



60

00:02:02,420 --> 00:02:04,270

of a hot stove and a boiling pot of water



61

00:02:04,270 --> 00:02:06,551

from the threat of this hyperactive two year old



62

00:02:06,551 --> 00:02:08,330

running around you're house.



63

00:02:08,330 --> 00:02:09,620

You didn't really need to sit down



64

00:02:09,620 --> 00:02:11,040

and calculate the temperature of the stove,



65

00:02:11,040 --> 00:02:12,940

the volume of the water in the pot,



66

00:02:12,940 --> 00:02:14,770

the speed at which the child can run,



67

00:02:14,770 --> 00:02:16,070

how fast it's boiling,



68

00:02:16,070 --> 00:02:17,950

the time it would take you to use the bathroom,



69

00:02:17,950 --> 00:02:20,358

and do some kind of complex mathematical algorithm



70

00:02:20,358 --> 00:02:22,650

to determine the risk here, right?



71

00:02:22,650 --> 00:02:25,232

After all, the numbers here really aren't that important.



72

00:02:25,232 --> 00:02:27,060

What is important is the idea



73

00:02:27,060 --> 00:02:28,571

behind qualitative risk analysis.



74

00:02:28,571 --> 00:02:30,590

We can use our experience,



75

00:02:30,590 --> 00:02:31,931

and our general categories for risk



76

00:02:31,931 --> 00:02:34,400

to determine if it's probably pretty high risk



77

00:02:34,400 --> 00:02:35,760

for us to leave this two year old,



78

00:02:35,760 --> 00:02:38,410

unattended, with a stove and a pot of boiling water.



79

00:02:38,410 --> 00:02:40,240

Most of us would agree it is.



80

00:02:40,240 --> 00:02:41,240

Using this example,



81

00:02:41,240 --> 00:02:43,030

I'm going to classify the risk as high.



82

00:02:43,030 --> 00:02:44,111

Because if I leave the room,



83

00:02:44,111 --> 00:02:46,451

there's a high probably that this threat,



84

00:02:46,451 --> 00:02:47,700

our two year old,



85

00:02:47,700 --> 00:02:48,970

is going to explore the kitchen



86

00:02:48,970 --> 00:02:50,620

and burn themselves on the stove,



87

00:02:50,620 --> 00:02:52,200

or knock that boiling water off,



88

00:02:52,200 --> 00:02:53,790

and get it on to themselves.



89

00:02:53,790 --> 00:02:55,490

Then, I consider the impact.



90

00:02:55,490 --> 00:02:57,270

If this occurs, my dinner would be ruined.



91

00:02:57,270 --> 00:02:59,100

That's a pretty low impact.



92

00:02:59,100 --> 00:03:00,810

But, there's also a good chance



93

00:03:00,810 --> 00:03:02,740

that this two year old could be badly burned,



94

00:03:02,740 --> 00:03:04,490

and that's a high impact event.



95

00:03:04,490 --> 00:03:07,300

So I have a high likelihood, and a high impact.



96

00:03:07,300 --> 00:03:09,900

Looking at this, that means that we're in the red area.



97

00:03:09,900 --> 00:03:11,861

This is a high risk event, and therefore,



98

00:03:11,861 --> 00:03:13,792

we need to put some mitigation's in place



99

00:03:13,792 --> 00:03:15,230

to lower this risk down



100

00:03:15,230 --> 00:03:17,420

to something that's medium, or low



101

00:03:17,420 --> 00:03:18,950

before I walk away from that stove



102

00:03:18,950 --> 00:03:20,530

and head to the bathroom.



103

00:03:20,530 --> 00:03:21,880

Maybe I'm going to transfer the risk



104

00:03:21,880 --> 00:03:23,350

by calling my wife downstairs,



105

00:03:23,350 --> 00:03:26,043

and have her watch the stove and keep the kid away.



106

00:03:26,043 --> 00:03:28,290

Maybe I'm going to avoid the risk all together,



107

00:03:28,290 --> 00:03:30,250

by simply deciding I'm not going to leave,



108

00:03:30,250 --> 00:03:32,130

and I'm going to hold it and not go to the rest room



109

00:03:32,130 --> 00:03:33,610

until I'm finished cooking this meal,



110

00:03:33,610 --> 00:03:35,370

and put everything away safely.



111

00:03:35,370 --> 00:03:37,530

Or, maybe I'm just going to be a horrible parent



112

00:03:37,530 --> 00:03:38,760

and I'm simply going to accept the risk,



113

00:03:38,760 --> 00:03:41,200

knowing that the child is probably going to get hurt



114

00:03:41,200 --> 00:03:42,930

and probably going to ruin my dinner.



115

00:03:42,930 --> 00:03:44,020

Now, I'm not going to do that



116

00:03:44,020 --> 00:03:45,780

because that's not a really good idea.



117

00:03:45,780 --> 00:03:47,160

But, you know, that is an option.



118

00:03:47,160 --> 00:03:48,076

You could accept the risk.



119

00:03:48,076 --> 00:03:49,563

I wouldn't recommend it in this case,



120

00:03:49,563 --> 00:03:51,501

because we don't want the kid to get hurt.



121

00:03:51,501 --> 00:03:54,510

Now, notice we never considered numbers here.



122

00:03:54,510 --> 00:03:56,390

It was all about experience, and judgment,



123

00:03:56,390 --> 00:03:57,752

and relative categories of high,



124

00:03:57,752 --> 00:03:59,352

and medium, and low that we used.



125

00:03:59,352 --> 00:04:02,483

If you see this type of relative comparison on the exam,



126

00:04:02,483 --> 00:04:05,000

this is a dead giveaway that you're being asked



127

00:04:05,000 --> 00:04:06,633

about qualitative analysis.