Quantitative Risk Assessment: More Precision, Less Subjectivity

Created: November 28, 2025
Updated: December 01, 2025

Risk management is evolving toward more analytical, automated, and evidence-based models. Organizations no longer rely solely on static risk matrices, but seek mechanisms that integrate historical information, loss-based quantification, and customizable assessment windows to update risk ratings in an objective and consistent manner.

With this purpose in mind, Pirani introduces its new Automated Quantitative Risk Assessment Model, a feature that allows you to periodically evaluate your risks using the historical database of recorded events and losses, along with user-configured events, losses, and variables. This reduces subjectivity in the assessment and decreases operational workload.


What Is Quantitative Risk Assessment?

It is a configurable model that uses historical data, materialized events, and actual losses to calculate a suggested rating for impact, frequency, and overall risk level.

The suggestion includes the assessment of:

  • Impact based on gross loss.

  • Frequency as the number of events.

  • Severity (I×F) as the final result.

Available Models

Pirani offers different ways to parameterize the rating, depending on the need:

  • Direct Quantitative:
    The direct method quantifies impact and frequency in a consolidated way, using the total losses and events associated with the risk.

  • By Quantitative Variables:
    Applied to each impact variable (economic, reputational, etc.).

  • By Mixed Variables:
    Allows having some variables quantified and others qualitative, both for impact and frequency.

Additionally, for the Quantitative and Mixed Variable models, the impact configuration allows classifying losses according to variable type (financial, legal, operational, reputational) to better reflect the actual distribution of losses within the event.


Types of Loss Distribution for Quantitative Impact Ratings

1. Percentage Distribution by Variable

In this method, the user defines what percentage of the event’s total loss corresponds to each impact variable.
It is mainly used when the organization does not classify losses directly but recognizes that an event can have simultaneous effects (economic, reputational, environmental, etc.).

2. Direct Loss Classification

In this method, each recorded loss within an event is explicitly classified as belonging to a specific impact variable.
It is the most objective method because it shows exactly which dimension each loss corresponds to.

It is recommended when the organization can separate losses by the nature of the impact (e.g., fines → environmental, legal expenses → reputational, revenue reduction → economic).

  • Each loss is automatically assigned to the chosen variable at the time of registration or editing.

  • If a loss is not classified, it is excluded from the quantitative calculation for that variable, which may result in the variable having a “zero” impact if no values are assigned.

For the Mixed model, the system allows distribution only for impact variables that will be handled as quantifiable; the remaining variables are assessed qualitatively through expert judgment.
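The two distribution methods above, applied to the events inside one assessment window, as an added example that is not Pirani's code. The event layout, function names, percentage shares, and sample amounts are constructed assumptions; the window lengths are the ones the page lists, and the mapping from totals to rating levels is left out because the page does not give the scales.

```python
from datetime import date

# Constructed sample data (not Pirani data): each loss is (gross amount, impact variable or None).
EVENTS = [
    {"date": date(2025, 9, 10), "losses": [(12000.0, "economic"), (3000.0, "legal")]},
    {"date": date(2025, 3, 2), "losses": [(5000.0, "economic"), (2000.0, None)]},
    {"date": date(2023, 1, 15), "losses": [(40000.0, "reputational")]},
]
VARIABLES = ("economic", "legal", "reputational")
ALLOWED_WINDOWS = (6, 12, 24, 36)  # months, as listed on the page
SHARES = {"economic": 70.0, "legal": 20.0, "reputational": 10.0}  # assumed user configuration

def in_window(events, as_of, months):
    """Keep events dated within the last `months` months up to `as_of` (start day clamped to 28)."""
    if months not in ALLOWED_WINDOWS:
        raise ValueError(f"window must be one of {ALLOWED_WINDOWS}")
    m = as_of.year * 12 + as_of.month - 1 - months
    start = date(m // 12, m % 12 + 1, min(as_of.day, 28))
    return [e for e in events if start <= e["date"] <= as_of]

def by_percentage(events, shares):
    """Method 1: split each event's total gross loss by the configured percentages."""
    if abs(sum(shares.values()) - 100.0) > 1e-9:
        raise ValueError("shares must sum to 100%")
    totals = {v: 0.0 for v in VARIABLES}
    for e in events:
        event_total = sum(amount for amount, _ in e["losses"])
        for var, pct in shares.items():
            totals[var] += event_total * pct / 100.0
    return totals

def by_direct_classification(events):
    """Method 2: each loss counts only toward the variable it was classified under."""
    totals, excluded = {v: 0.0 for v in VARIABLES}, 0.0
    for e in events:
        for amount, var in e["losses"]:
            if var is None:
                excluded += amount  # unclassified: left out of every variable's total
            else:
                totals[var] += amount
    return totals, excluded

def summarize(as_of, months):
    window = in_window(EVENTS, as_of, months)
    direct, excluded = by_direct_classification(window)
    return {"frequency": len(window), "percentage": by_percentage(window, SHARES),
            "direct": direct, "excluded": excluded}

if __name__ == "__main__":
    print(summarize(date(2025, 12, 1), 12))
```

With the 12-month window the reputational variable totals zero under direct classification while the percentage method still assigns it a share, and the unclassified loss is reported separately so a reviewer can see what was dropped.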

How Does Automatic Assessment Work?

Currently, the model is semi-automatic. This means that the ratings are suggested automatically, but they are only applied when the user initiates a re-evaluation process, ensuring business control and governance.

  • Create an evaluation plan in the “Evaluations” module.

  • Select the risks to be assessed.

  • For each risk included in your evaluation plan, the system automatically suggests the rating and its justification.

  • The system identifies events and losses within the configured time window (6, 12, 24, or 36 months).

  • Review the suggestion, add to the justification if needed, and you are now ready to complete the evaluation workflow as you normally would.

Note: Pirani automates the calculations, suggests objective justifications, and allows you to ensure governance and traceability of decisions related to risk assessment.


Technical and Operational Benefits

  • Evidence-based accuracy: integrates actual loss amounts and number of events.

  • Reduced subjective bias: decisions are based on historical evidence and quantified losses.

  • Alignment with international best practices: compliant with ISO 31000 and COSO.

  • Full traceability: every calculation, data point, and decision is documented, facilitating auditing and compliance.

  • Flexibility: users maintain control and can adjust suggestions based on context or professional judgment.

  • Readiness for full automation: the current model lays the foundation for future versions with fully automated assessments.

  • Dynamic integration: the system evolves with the event history, adapting to the organization’s operational reality.

  • Temporal consistency: the same risk is evaluated consistently in future periods under the same time window.

 

What’s Coming Next: Full Automation

The semi-automatic version is only the beginning. The fully automated version is planned to:

  • Automatically generate risk assessments.

  • Suggest risks to be evaluated without manual intervention.

  • Maintain full traceability, governance, and control of the entire cycle.

  • However, assessments will always require acceptance, adjustment, or justification.

This will significantly reduce operational workload, accelerate risk management, and consolidate a systematic, reliable, and efficient process.

Are You Already Using Quantitative Risk Assessments?

Available in the ORM, ISMS, and Compliance systems.

Try it now!

Don’t have the Enterprise plan?
Schedule a demo with our commercial team!
