This paper examines risk management planning in information technology projects, focusing on the distinction between quantitative risk assessment (QRA) and qualitative approaches. It outlines the five-phase QRA process—information collection, threat identification, risk evaluation using Courtney's method, control design, and economic profitability assessment—and compares these methodologies. While quantitative approaches provide precise numerical indicators, they demand greater resources and expertise. Qualitative methods offer faster implementation and lower procedural demands but produce descriptive rather than numerical results. The paper concludes by examining market risk as a significant consideration in IT projects, where competitive pressures threaten product viability.
Risk management planning is defined as a process of documentation conducted by the project manager to forecast risks, evaluate effectiveness and efficiency, and create a plan to mitigate them. It consists of a risk assessment matrix designed to organize and prioritize potential threats.
Risk itself can be defined as an unplanned occurrence that, if it takes place, can have either a negative or positive implication on the objectives of the project. A comprehensive risk management plan includes analysis of likely risks with either high or low impacts, along with mitigation strategies to help the project avoid being derailed by similar problems in the future.
Quantitative Risk Assessment (QRA) is used by organizations to analyze and rank scenarios identified in process hazard analysis, providing quantitative data for use in decision-making about available risks. In performing quantitative risk analysis, the process is divided into five phases:
Phase 1—Information Collection: This phase involves identification and classification of Information Systems resources and collection of information concerning Information Systems (I.S.) that will undergo further analysis.
Phase 2—Threat Identification: This is the stage where potential threats are identified and systematically noted for evaluation.
Phase 3—Risk Evaluation: Risks are quantified using Courtney's method, given as:
R = P × C
Where:
Phase 4—Control Design: Design of control mechanisms which can be preventive, detective, or corrective in nature.
Phase 5—Economic Profitability Evaluation: Evaluation of the economic profitability of mechanisms is done using Return on Investment (ROI), expressed as the operational profit resulting from a given set of process options.
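As an added worked example (not code from the paper), the five phases above carried through on constructed sample data. It reads Courtney's R = P × C in line with the paper's description of quantitative methods: P is the expected annual frequency of a threat and C the monetary loss of a single occurrence, so R is an annual loss figure. The asset values, frequencies, exposure factors, control effects and costs are all assumptions made for the illustration, as is the ROI formula (avoided annual loss net of the control's annual cost, relative to that cost).

```python
"""Quantitative risk assessment walk-through (added example, constructed data).

Assumptions: Courtney's R = P x C with P = expected occurrences per year and
C = loss per occurrence in currency units. Every figure below is invented.
"""
from dataclasses import dataclass


# Phase 1: information collection -- inventory of IS resources with a monetary value.
@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # business / replacement value in currency units


# Phase 2: threat identification -- each threat is recorded against one asset.
@dataclass(frozen=True)
class Threat:
    name: str
    asset: Asset
    annual_frequency: float  # P: expected occurrences per year (may exceed 1)
    exposure_factor: float   # fraction of the asset value lost per occurrence

    @property
    def cost_per_occurrence(self) -> float:
        # C: loss caused by a single occurrence
        return self.asset.value * self.exposure_factor


# Phase 3: risk evaluation with Courtney's method, R = P x C.
def courtney_risk(threat: Threat) -> float:
    return threat.annual_frequency * threat.cost_per_occurrence


def rank_threats(threats):
    """Highest annual loss first."""
    return sorted(threats, key=courtney_risk, reverse=True)


# Phase 4: control design -- a control lowers P (preventive) and/or C
# (detective or corrective); both reductions are fractions in [0, 1].
@dataclass(frozen=True)
class Control:
    name: str
    kind: str  # "preventive", "detective" or "corrective"
    annual_cost: float
    frequency_reduction: float = 0.0
    cost_reduction: float = 0.0


def residual_risk(threat: Threat, control: Control) -> float:
    p = threat.annual_frequency * (1 - control.frequency_reduction)
    c = threat.cost_per_occurrence * (1 - control.cost_reduction)
    return p * c


# Phase 5: economic profitability -- ROI of a control (assumed formula).
def control_roi(threat: Threat, control: Control) -> float:
    avoided = courtney_risk(threat) - residual_risk(threat, control)
    return (avoided - control.annual_cost) / control.annual_cost


def profitable_controls(threat: Threat, controls):
    return [c for c in controls if control_roi(threat, c) > 0]


# Constructed sample inventory, threats and candidate controls.
CUSTOMER_DB = Asset("customer_db", 500_000.0)
WEB_PORTAL = Asset("web_portal", 200_000.0)

THREATS = [
    Threat("ransomware_on_customer_db", CUSTOMER_DB, annual_frequency=0.2, exposure_factor=0.6),
    Threat("portal_ddos", WEB_PORTAL, annual_frequency=2.0, exposure_factor=0.05),
    Threat("insider_data_leak", CUSTOMER_DB, annual_frequency=0.1, exposure_factor=0.8),
]

# Controls considered for the ransomware threat only.
CONTROLS = [
    Control("offline_backups", "corrective", annual_cost=15_000.0, cost_reduction=0.7),
    Control("endpoint_hardening", "preventive", annual_cost=50_000.0, frequency_reduction=0.5),
]


if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:28s} P={t.annual_frequency:<5} C={t.cost_per_occurrence:>10,.0f} R={courtney_risk(t):>10,.0f}")
    ransomware = THREATS[0]
    for c in CONTROLS:
        print(f"{c.name:20s} ({c.kind}) ROI={control_roi(ransomware, c):+.2f}")
    print("profitable:", [c.name for c in profitable_controls(ransomware, CONTROLS)])
```

Running the script ranks the ransomware scenario first (R = 60,000 per year) ahead of the insider leak (40,000) and the DDoS scenario (20,000), and shows that only the backup control pays for itself under these figures; the hardening control avoids less annual loss than it costs and would be rejected in Phase 5 even though it addresses the top-ranked risk.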
In quantitative risk assessment, the estimation of risk value is connected with the application of numerical measurement. The value of resources is defined in monetary amounts, the frequency of threat occurrence is expressed in number of cases, and susceptibility is expressed by the probability value of its loss. These methods present results in the shape of numerical indicators. Examples of quantitative methods include Annual Loss Expected, Courtney's method, Fisher's method, and the ISRAM model.
Qualitative risk assessment, by contrast, does not operate on numerical data. Instead, results are presented in the form of descriptions and recommendations—for instance, the Microsoft Corporate Security Group Risk Management approach. The advantages of a qualitative analysis are that it overcomes the challenge of accurately calculating figures for asset value and control costs in a way that is less demanding on staff resources. Qualitative risk management projects can normally display noteworthy results in a matter of weeks, whereas organizations that employ a quantitative approach may experience limited benefit over months or even years of effort.
However, qualitative analysis has disadvantages: the resulting data is subjective, and many strict decision-makers—particularly those with accounting or finance backgrounds—may be hesitant to use qualitative figures when making critical risk decisions. They often prefer the numerical precision that quantitative methods claim to provide.
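To contrast the descriptive output of a qualitative assessment with the numerical indicators above, here is an added example (not from the paper) of an ordinal likelihood-by-impact matrix. The five-step scales, the matrix cells, the recommendation wording and the threat ratings are all assumptions constructed for the illustration. The last function makes the subjectivity point concrete: it reports how the assigned level changes when an assessor rates likelihood or impact one step differently.

```python
"""Qualitative risk matrix (added example, constructed scales and ratings)."""

LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["negligible", "minor", "moderate", "major", "severe"]
LEVEL_ORDER = ["low", "medium", "high", "critical"]

# Rows follow LIKELIHOOD, columns follow IMPACT (assumed matrix).
MATRIX = [
    ["low",    "low",    "low",    "medium",   "medium"],
    ["low",    "low",    "medium", "medium",   "high"],
    ["low",    "medium", "medium", "high",     "high"],
    ["medium", "medium", "high",   "high",     "critical"],
    ["medium", "high",   "high",   "critical", "critical"],
]

# Descriptive recommendation attached to each level (assumed wording).
RECOMMENDATION = {
    "low": "accept; review at the next planning cycle",
    "medium": "treat when resources allow; assign an owner",
    "high": "treat before go-live; management sign-off required",
    "critical": "stop; immediate treatment and executive escalation",
}


def qualitative_level(likelihood: str, impact: str) -> str:
    """Look up the risk level for a pair of ordinal ratings."""
    return MATRIX[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]


def assess(threats):
    """threats: iterable of (name, likelihood, impact) -> list of result dicts."""
    results = []
    for name, likelihood, impact in threats:
        level = qualitative_level(likelihood, impact)
        results.append({"name": name, "level": level, "recommendation": RECOMMENDATION[level]})
    return results


def prioritize(threats):
    """Order assessed threats from most to least serious; ties keep input order."""
    return sorted(assess(threats), key=lambda r: LEVEL_ORDER.index(r["level"]), reverse=True)


def rating_sensitivity(likelihood: str, impact: str):
    """Levels reachable if either rating is moved one step up or down.

    A wide spread means the descriptive result hinges on the assessor's
    judgement, which is the subjectivity objection raised against
    qualitative methods.
    """
    li, ii = LIKELIHOOD.index(likelihood), IMPACT.index(impact)
    neighbours = set()
    for dl, di in ((-1, 0), (1, 0), (0, -1), (0, 1)):
        l2, i2 = li + dl, ii + di
        if 0 <= l2 < len(LIKELIHOOD) and 0 <= i2 < len(IMPACT):
            neighbours.add(MATRIX[l2][i2])
    return sorted(neighbours, key=LEVEL_ORDER.index)


# Constructed ratings for the same three scenarios used in the quantitative example.
THREAT_RATINGS = [
    ("ransomware_on_customer_db", "possible", "severe"),
    ("portal_ddos", "likely", "minor"),
    ("insider_data_leak", "unlikely", "severe"),
]


if __name__ == "__main__":
    for r in prioritize(THREAT_RATINGS):
        print(f"{r['name']:28s} {r['level']:9s} {r['recommendation']}")
    print("ransomware level under one-step rating changes:",
          rating_sensitivity("possible", "severe"))
```

Note that the ransomware and insider scenarios both come out "high" here, although the quantitative figures separated them by 20,000 per year; the matrix cannot express that difference, and a one-step change in the ransomware likelihood rating moves it between "high" and "critical".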
While quantitative approaches offer detailed numerical analysis, they also have significant drawbacks:
Additionally, there exists a significant number of relationships between the risks in all information technology projects, including technology risks, financial risks, and market risks. Among these, market risks are particularly important in IT project contexts.
"Competitive threats to product viability"