The Risk Management Software market continues to move toward forward-looking risk assessments that aim to resolve the uncertainties inherent in all business activities. To ensure that uncertainties are understood and managed effectively, our customers seek to define risk criteria that reflect a range of possible scenarios. Multiple risk assessment criteria, and the ability to define scenarios, are common customer case studies. We see customers more frequently requiring the ability to define iterative risk assessment processes where risk managers consider risk criteria whenever circumstances change, and use the risk information for capital allocation decisions.

We see a trend in our customers' risk assessment processes to include multiple consequence dimensions, quantitative and qualitative calculations, scenario analysis and risk treatment efficiency calculations.

We empower our users with the tools to quantify potential future outcomes for what-if analysis of treatment options, and use these outcomes in their business cases for budgeting purposes.

Customer Risk Criteria

  • Financial 100%
  • Operational 90%
  • Health and Safety 75%
  • Environmental 75%
  • Trend 50%
  • Control Effectiveness 50%
  • Schedule 10%
  • Quality 10%
  • Communications 10%

The Standard

ISO 31000 explains that risk criteria should be tailored to the organization, and tailored to the context of each risk management practice and process. Risk criteria may include qualitative and quantitative dimensions, and therefore may include information that varies between organizational levels, domains and practices.

  • Risk is the effect of uncertainty on objectives, ISO 31000:2009
  • Objectives can be of any type, any measure
  • Risk criteria are the terms in which significance of risk is expressed
  • Level of Risk is the magnitude of a risk, or combination of risks, expressed in terms of the combination of consequences and their likelihood

ISO 31000 Risk Management Process

The Model

Risk Assessment can consist of any qualitative or quantitative criteria, including frequencies of events or probabilities of outcomes. Scenarios could be developed and used for what-if analysis, and calculated if the criteria are expressed in quantitative terms. Weighing up scenarios against each other forms part of the risk evaluation and risk treatment steps and may span all practices and processes that manage risk. Each of these practices or processes may have risk criteria that were defined in qualitative and/or quantitative terms, and should be considered when communicating about risk with stakeholders that are not familiar with those terms. The most effective way to communicate risk to a broad stakeholder group seems to be quantitative terms.

Risk-Informed Decision Making

Sources: Adapted from ISO 31000 and NASA, Risk-Informed Decision Making Handbook

The Matrix Question

Level of Risk

Level of Risk is the magnitude of a risk, or combination of risks, expressed in terms of the combination of consequences and their likelihood

ISO 31000 Definition

It seems that the ISO 31000 definition implies that the level of risk is expressed in quantitative terms because each consequence should be considered in terms of its likelihood, and cannot be compared with another consequence with uniquely different criteria.

Matrix Dilemma

Even if risk criteria were accurately defined in completely qualitative terms, the traditional risk matrix is limited to its dimensions. Therefore, qualitative risk assessment cannot factor in all risk criteria needed to make informed decisions.

The Data Answer

Quantitative data does not necessarily mean currency, but it is likely the direct criterion to communicate risk to a variety of stakeholders.

Quantitative data may include any risk criteria, and any unit of measure, usually directly related to how objectives and targets are expressed and measured.


Quantitative units of measure can be converted to a single unit (like currency) for comparison and to weigh up alternatives.

Quantitative data provides the basis to compare effectiveness vs. efficiency when weighing up alternatives in the risk-informed decision making process.


Quantitative data provides us with a basis of evaluating what we bought vs what we got in terms that a wider audience can understand, interpret and act upon.