Note: this site advocates a compromise between quantitative and qualitative assessment factors. At this point in the development of the discipline of operational risk, there is not enough universally accepted objective data to identify the probability of loss events. Conversely, there is an overabundance of subjective, "gut feel" data that is used as the basis for risk decisions. While breaking risk down into specific, detailed components yields a better understanding of the issues, there needs to be a framework to support this process of analysis that will ensure the result is repeatable and follows a commonly agreed form of assessment. Put another way, if we are going to break risk down into ever finer components, we need a method to reassemble those components into an overall assessment.
The model to the right represents the method endorsed on this site for conducting assessments of operational risk (including information security). As we will see on the following pages, the model is based on breaking down Cost and Likelihood/Probability into their detailed elements. By placing a risk value on each of these elements, we can then consolidate the values into an overall appraisal of risk.