Risk analysis can follow one of three methodologies:
- Quantitative Risk Assessment – based on basic mathematical models, commonly used within Fault Tree Analysis and Event Tree Analysis.
- Qualitative Risk Assessment – based on scenarios or descriptions of situations, and on threats, vulnerabilities and assets. The main intention is to get feedback from various stakeholders. Highly dependent on expert knowledge and relative values (high, medium, low).
- Semiquantitative Risk Assessment – a hybrid of both. It can be a good approach when the impact is quantifiable but the likelihood is not. It should provide a scale with a wide range.

Elements of the Risk Register:
- severity,
- potential impact,
- risk owner,
- current status,
- disposition of the risk (Risk Avoidance, Risk Mitigation, Risk Transfer, Risk Acceptance).